1 Introduction

When it comes to corporate crime, recent studies show that bribe givers are usually high-ranking, well-educated, and well-paid managers, which undertake risks in the name of the company and generally orientated toward growing and achieving results as a unit with the company. Until there is some sort of accountability, illegal actions are seen as useful to the organization and themselves (Pohlmann et al., 2016; Klinkhammer, 2015). Corporate Crime encompasses the supply-side of corruption, which is associated with a firm’s interaction with the public sector, with cases of grand corruption, in contrast to petty corruption, being the most commonly studied, given its high-profile (Mahmud et al., 2022).

There are several approaches to analyzing corporate crime, or more generally, organizational wrongdoing, given the multi-level complex phenomena that it is, which has a reflection on the compliance policy suggestions that are made. If the focus is on individual rationality and greed, an effective web of accountability (monitoring—investigating—sanctioning), ethical formal standard setting, and moral training are presented as viable courses of action (Root, 2019; Soltes, 2020; Valentine et al., 2019). If the organization has a bigger role in the criminological genesis of corruption, then structural prevention should be considered alongside measures that target accountability and ethical training, such as an opening up the career system for outsiders, job rotation between company units, diversity management, whistleblower protection, prolonged bonus terms, detach the ombudsman from management, among others (Tanner et al., 2019; Van Erp, 2018; Yagmur, 2020). Although anticorruption research benefits largely from macro-level analysis, both industry and country wide, it has less of an influence into compliance research due to it being largely out of the hands or extremely demanding for organizations to focus and lobby for collective action at that level. So moving from the decision-makers to the private sector seems to be present an efficient strategy in combating corruption (Mahmud et al., 2022), due to the need for active cooperation and participation from the supply-side at its organizational level.

In order to understand compliance system’s features and implementation challenges, this chapter aims to use a particular case study, in which the company suffered previous prosecution for wrongdoings, and present its findings considering the timeline of implementation. This will allow us to understand, in this particular context, how are anticorruption practices integrated into processes and structures and how is it handled and perceived by management, highlighting important factors for a successful system implementation.

After this brief introduction we will first explain our research methodology and data collection process (Sect. 2), the concept and structure of compliance standards and of Compliance Management Systems (Sect. 3), go over the case study (Sect. 4) considering the timeline of the standards before investigations started (Sect. 4.1), the agreements and deals with law enforcement (Sect. 4.2), the implementation of compliance measures (Sect. 4.3) and a discussion over our findings (Sect. 5).

2 Methodology and Data Collection

As mentioned before, corruption is a complex multi-faceted phenomenon, where quantitative analysis fails to grasp the particularities of each case (Cardoni et al., 2020). A qualitative single-case study provides a more “hands-on” practical depiction of how a multinational business handles and experiences the issue (Bhattacherjee, 2012). Odebrecht S.A., now rebranded as Novonor S.A., fits the purpose of this chapter, being the most high-profile prosecution of corporate crime in the history of Brazil, where the rate of corruption is particularly high (rank 96/180 Transparency International CPI, 2021), with repercussions in several other countries where it had business. Additionally, the construction sector is one of the most prone to corruption in the world (Risk Advisory’s Corruption Challenges Index, 2020).

Odebrecht S.A., the holding company, parent to several companies in the construction, oil, gas, and chemical industries, has its headquarters in Salvador, Brazil and had hundreds of projects across more than 27 countries. According to its case files from Car Wash Operation and the FCPA investigation, between 2001 and 2016 Odebrecht made approximately $788 million in corrupt payments to foreign political parties, foreign officials, and their representatives in 14 countries around Latin America and Africa, in order to secure an improper advantage to obtain and retain business, generating more than $3.3 billion of profit to the company as a result of these corrupt payments. These were possible, among other factors, due to inadequate controls, dysfunctional leadership and incentive structures and an inexistent compliance program during the period of the criminal conduct.

Legal proceedings against Odebrecht S.A. arising from allegations of bribery were concluded in 2016 in the USA, as well as allegations including money laundering in Brazil reached 1st degree verdicts in 2016 and the following years, having the company agree to pay more than $3.5 billion in penalties and executives being criminally liable. The Odebrecht case is unique in Latin America given the magnitude of the case, sum of payments and key public politicians involved, resulting in more than three presidents or ex-presidents being arrested. It has also changed the compliance landscape in Brazil, kickstarting the practice of leniency agreements and monitorships, influencing how law enforcement and other companies handle and evaluate internal controls and budget allocation for integrity programs. Nowadays, executives from companies of all sizes have to be aware that noncompliance can lead to criminal liability as well as put the existence of the company in risk. Also, prosecutors, regulators and monitors now have deeper knowledge of corruption structures, making compliance standards rise even in the absence of official action.

Odebrecht has been implementing its compliance program in the years since their leniency agreements and we will review the past and present context surrounding measures taken, bringing organizational features into the spotlight. Odebrecht publishes annually a report that summarizes the business performance of the organization in the previous year. It provides consolidated economic-financial results, presents the main achievements and most significant performance indicators, besides updated information about the macro structure of the organization.

For this chapter our dataset consists of the annual public reports published by Odebrecht between 2016–2020, the Code of Conduct, previously published research into Odebrecht’s compliance management system implementation, the case files from Operation Car Wash and the Odebrecht bankruptcy filing, news agency reports, and lastly several (undisclosed due to anonymity requests) semi-structured interviews conducted with current and former company employees pertaining to key leadership positions and the compliance department, former monitors and investigative authorities. Triangulation of data sources helps diminish the risk of data unreliability.

3 Compliance Standards and Management Systems

A compliance program is the means by which an organization can prevent and detect illegal conduct, and also promote behavior that encourages compliance with regulations and ethical standards. The institution of compliance management systems (CMS) and integrity programs in general are part of a set of macro-institutional changes in the anti-fraud and corruption landscape worldwide (Cherepanova, 2021). These trends are commonly kickstarted by a general international agreement regarding fairer business practices, economic development, and governance (e. g. the Organization for Economic Cooperation and Development’s Anti Bribery Convention, 1997, see Tourinho, 2018; Spahn, 2013), alongside a reaction to an impactful event. The Enron fraud scandal and company collapse in the early 2000s, for example, affected thousands of stakeholders and gave way to several compliance demands. With fake holdings and off-the-book accounting, by means of special purpose entities (SPEs), they hid huge amounts of debt from investors, creditors, and regulators (Segal, 2021). Consequentially, in order to promote accurate financial reports and punish corporate fraud, the Sarbanes–Oxley ActFootnote 1 was enacted, alongside higher levels of ethical scrutiny from the Financial Accounting Standards Board (FASB). To avoid a similar disaster (Enron’s shares plummeted from $90.75 to $0.26),Footnote 2 company boards of directors became more aware of the importance of independent monitoring and auditing.

Another key event in the history of compliance was the 9/11 terrorist attack in 2001, which made stricter money laundering and KYC (know your client) legislation a key focus, in order to undermine the financing of terrorism. AML (anti-money laundering) tactics fulfill the state’s primary goal of counter-financing terrorism (CFT) and not to allow the proceeds of crime (dirty money) into the legal economy, an agenda shared by the International Monetary Fund (IMF) and the FATF (Financial Action Task Force), institutions formed by multiple countries meant to care about the damages financial crimes can have on the integrity and stability of the financial sector and the broader economy. More objectively, AML tactics serve to make sure the corporation is compliant with regulations that require them to monitor and subsequently report suspicious activity and allows them to achieve corporate goals such as protecting shareholder value, avoid penalties due to noncompliance or negligence and reduce costs and capital reserved for risk exposure (FATF, 2012–2022).

So, there are major political, social, procedural, and economic facts, as well as previous major fraud and corruption cases, that gave rise to the anti-corruption laws and frameworks, respectively being enforced, or promoted. These frameworks, or “international accountability standards”, are soft law regulations, and constitute “a large institutional infrastructure designed to address the transparency expectations of society towards business” (Cherepanova, p. 224). Globalization, of course, is also one of the catalysts for the emergence of these standards, i.e. global policymaking, due to the fragmentation of regulative authorities on the global markets. That is not to say there aren’t problems that arise from the number of standards in existence, such as overlapping requirements, confusion as to which should be implemented, management overload, increased costs, and a dilution of focus and impact. Despite these issues, standards such as the ISO 37001 were developed by over 80 experts with the involvement of 59 participating or observer countries and 8 liaison organizations, giving this multi-stakeholder approach its due legitimacy and credibility regarding its effectiveness, a global collaboration between public and private actors (ibid, p. 234).

These factors lead to the understanding of why companies feel compelled to invest in integrity programs not only to comply with the law—and gain legal and reputational protection against wrongdoing, but also to have a competitive edge—against companies that don’t. A common problem, however, is “window dressing”. The adoption of these practices as a brand improvement strategy, formally creating positions and requirements on paper without practical or encompassing implementation of these internal controls (Scherer et al., 2013). Another is the “check-off’ approach, where hotlines, codes of conduct and training are also perceived as very formal technical tools, which could lead to their depreciation over time if not bounded into the mindset of executives, managers, and employees, not independent from the company’s system and also not only to imbue legitimacy, but as effective tools for change (Cardoni et al., 2020).

By current standards, compliance lies under the umbrella of corporate governance, which itself is one of the three main aspects behind ESG (Environment, Social and Governance). In the investment world, an ESG investment is one that incorporates environmental, social, and governance issues as criteria in the analysis, going beyond the traditional economic-financial metrics and thus allowing for a holistic evaluation of companies.

The standard of compliance requirements in each country is set by its anti-corruption laws and international soft laws. There are the starting point principle-based standards (such as the OECD Good Practice Guidance on Internal Controls and the Transparency International Business Principles); certification standards that require external validity through independent audits (e.g. TRACE certification); reporting standards for disclosure of impact on the economy, environment and society (e.g. Global Reporting Initiative standards); and process standards, which have more practical directives into how to achieve the previous standards checklists and aspirations (e.g. ISO 19600:2014 CMS). There are also relevant aspects of how compliance programs are interpreted by different regulatory agencies.

In general, however, the Compliance Management Systems’ success in Brazil depends on the following key issues, based on the Brazilian legislation (Law 12.846/2013 and Decree 8.420/2015), and Integrity Guidelines from, among others, the Comptroller General’s Office (CGU, 2015), the Brazilian Institute of Corporate Governance (IBGC, 2015) and the International Organization for Standardization (ISO 37001—Anti Bribery Management Systems, ISO 19600 Compliance and ISO 31000 Risk Management):

  1. a)

    Companies’ top management: the balance between compliance demands and the company’s operation creates dilemmas for the leadership to solve, they have to correctly allocate financial and intangible resources, promote management commitment and independence, etc.

  2. b)

    department management: the profile of professionals, functional competence, interaction with other areas, headcounts, use of third-party service providers and budget.

  3. c)

    risk assessment: based on a thorough evaluation of the risks inherent to the business related to violations of policies and controls, fraud, and corruption. Assessment should be conducted regularly, considering its ecosystem, the size of the company, the partners, third parties, and suppliers, measuring the likelihood and severity of potential violations, identifying mitigation actions, an effective timeline, and a responsible area/employee.

  4. d)

    policies and internal controls: development of a code of conduct and policies according to the reality of the company.

  5. e)

    communication and training: the Compliance program needs visibility and to be absorbed into everyday practice and operation of the company.

  6. f)

    criminal compliance: alongside risk assessment and knowledge of the business, the company needs the know-how of interacting in crisis situations, such as search and seizures, internal investigations, etc.

  7. g)

    labor compliance: must ensure that the flow of employees and the internal management of Human Resources and Corporate do not violate labor regulations and protect the company from possible liabilities.

  8. h)

    digital compliance: internal controls surrounding data privacy and transparency, adapting to the technological evolution and the demands from legislation such as the Personal Data Protection Law (LGPD).

  9. i)

    auditing and monitoring: measuring the capacity of the controls and processes, promoting positive changes. Audits also allow the company to carry out the procedural verification of facts that could generate contingencies.

  10. j)

    investigation and reporting: enveloping labor, criminal, environmental and civil issues, developing a good investigation plan, using the right tools, delivering the adequate reporting to the authorities, based on the existing legislation.

  11. k)

    due diligence: anti-corruption due diligence in Mergers and Acquisition (M&A) transactions and the status of suppliers and third parties.

  12. l)

    compliance in public tenders/biddings: with the enactment of Law 12.846/2013, private companies have a strong incentive to adopt integrity programs, aimed at the prevention, detection, and remediation of harmful practices against the public administration, such as bribery and fraud.

Firms specialized in Compliance or professionals from the field, when asked to create a CMS for a particular company, will do so according to a masterplan and follow particular integrity pillars. The objective is to implement effective integrity management, where there are enough prevention measures, but if infractions do occur, they can be detected and corrective actions can be taken immediately: prevention, detection, and correction. Implementation could be staged, e.g., in three phases:

  1. 1)

    Diagnostics: mapping integrity risks, evaluating whistleblowing networks, surveying employees about integrity perception, reporting on monitoring activities.

  2. 2)

    Preparation: grouping the necessities and vulnerabilities by integrity dimension, consolidating thematic guidelines.

  3. 3)

    Planning: defining initiatives, indicators, and goals for each area. These initiatives are linked, respectively, to one of the thematic guidelines, in order to create a final Action Plan.

There is no single formula for a compliance program, being fundamental that it be developed and adapted so as to properly and proportionally address the level of risk and the peculiarities of each line of business and each jurisdiction in which the company operates, as well as other factors unique to each organization. This flexibility also implies less completeness and comparability possibilities. There is also the caveat about empirical evidence regarding specific compliance measures or the general effectiveness of compliance programs being contested. In that regard, the literature and research in this field is still being developed and it is also complex to prove a negative, i.e., that something that never happened would have happened without compliance measures. Additionally, given the costs of organizational change and the true incorporation of these standards into daily operations, it is not surprising that many companies may prefer a formal “paper program” (Cherepanova, p. 241). Only certification standards are audited, meaning that companies will mostly only face accountability regarding this implementation if faced by market demands (such as during due diligence controls, funding rounds, etc.) or ex post while being prosecuted.

Nonetheless, compliance, being the creation of an incentive field towards business ethics and accountability, should receive political support for implementation from parties in all sides of the spectrum. For those who believe in alternative means of control for crime, or that we rush to jail, compliance provides for ways to reach agreements and focuses on prevention, rather than repression. On the other hand, to protect the free and fair market competition, to avoid monopolies and cartels from forming, to prevent slave or children labor, to make sure merchants and suppliers haven’t been corrupted or have a conflict of interest, compliance provides mechanisms for control and monitoring. Regarding mainly anticorruption measures, given that corruption encompasses “hard-to-observe” illicit activities in complex degrees and ways, Davis (2019) argues that evidence-based regulation might not bring us further than judgement based regulation, if some conditions are present: difficulty to collect data on interventions or outcomes, causal inferences are difficult to draw, there is no reason to believe that same causal relationships will apply in a new context, and/or decision-makers lack the capacity to perform one of these tasks. He writes that “In these settings, feasible types of research on the impact of past interventions will tend to be of limited value in predicting the impact of future interventions. As a result, careful thought is required about whether and how to use research as opposed to judgement in making decisions about regulation, assuming the goal is to maximize regulatory effectiveness” (p. 50). This is certainly not an incentive to abandon evidence-based regulation, but an argument in favor of multi-stakeholder developed international accountability standards as the more pragmatical approach in dealing with such a complex problem (see also Almond & Van Erp, 2020). Until evidence-based research is further developed, these seem to be indeed the “best practices” possible. Current research into compliance focuses on firm level analysis (which is why this chapter will attempt to bring multi-level elements of analysis into the spotlight) and research into corruption focuses and is limited by the polarization between bad apples and bad barrel metaphors as well as by putting different phenomena all under the same umbrella of organizational wrongdoing (Chaves & Raufflet, 2022).

With the knowledge of how Compliance Management Systems work and are implemented, we will now analyze the compliance landscape inside Odebrecht S.A. before Car Wash Operation and their judicial prosecution.

4 The Odebrecht Corruption Scandal and the Previous Compliance Standards

In the company’s 2014 report there is no mention of the words “compliance”, “integrity” or “transparency”, although it presents a set of guidelines in the form of Odebrecht Entrepreneurial Technology (TEO) and a Code of Conduct. According to the report, TEO is the basis of a corporate culture created by the founder, Norberto Odebrecht, focused on education, work and on humanistic values. Its principles, concepts and criteria provide to the members of the organization the ethical, moral, and conceptual foundations which allow them to act with unity of thought, common strategic direction, and coherence of action (Odebrecht, 2014, p. 10). The Code of Conduct had additional concepts and guidelines, which incorporated the legislative evolution, albeit being vague.

While there is a brief mention of public and privates’ relations being the object of public scrutiny, the 2015 report follows the pattern of the previous year and the company stood its ground affirming their business exchanges were nothing but legitimate (Odebrecht, 2015, p. 11), even after investigations started. A message from the former President of the Board, Emilio Odebrecht, gives a description of the companies’ self-image at the time: “For all this, we have had the discernment to make decisions guided, always, by the public interest, convinced that only what serves society serves shareholders. Based on the two forces that have brought us this far and will lead us to perpetuity—Trust in People and the Spirit of Serving—, we seek the convergence of tangible and intangible results, working with simplicity, humility, detachment and willingness to share, as conscientious businessmen, who do not abandon their social and environmental commitments and seek to act as partners of the State in building solutions that enable the development of the countries where we are” (p. 18). The company had, however, deeper, and illicit ties to the State.

This relationship, according to Carazza (2020), is not particular to Odebrecht, as Brazilian companies have profited from and developed relationships with government officials in order to expand and subsidize their business (in more detail, Campos, 2012). Construction companies around the world, but especially in Brazil, given its demand for infra-structure projects, became highly dependent on public contracts and only a smaller part of its revenue came from private projects. Odebrecht, even in 2018, still had 81% of its revenue derived from government contracts.Footnote 3 The previous internationalization of the company also reflects this, since Odebrecht turned to Latin America and African countries, where public–private partnerships along with the same characteristics as the ones in Brazil were possible: “closing the market against international competition, exclusivity contracts with state-owned companies, and subsidized credit lines in public banks, in addition to rigged bidding documents, cartels with would-be competitors, and tax benefits” (Carazza, 2020, p. 2).

Published in 2018, Fernandes also related events in Brazil’s political scandals with data from Carazza’s doctorate thesis: “the sectors that contributed most to campaign financing were, in descending order, construction, food and beverages, financial, steel and metallurgy, mining, and pharmaceutical”.Footnote 4 However, the weight of the donors holds no relation to their participation in the GDP and the construction sector, for example, contributes less than 8% of national wealth and was responsible for 28% of campaign donations. She continues: “the discrepancy is therefore largely attributed to the impact of regulation and taxation on these sectors. The intermediation of congressmen in these activities justifies the funding and explains the frequency with which leading companies in these segments have appeared in recent years in operations such as Car Wash and Zelotes, which investigated the sale of decisions in the Administrative Council of Tax Appeals (Carf)”.Footnote 5

According to the confession statement of a former Institutional Relations executive from Odebrecht,Footnote 6 his area supported institutional agendas of critical interest with public entities and agencies, including the National Congress. He declares “it was common knowledge that the legislative support offered by political agents to companies happened, in practice, at least in exchange for contributions in election periods, when not in exchange for more immediate financial arrangements. Because of this, several political agents tried to approach me, and I selected certain agents with political relevance, who preferably exercised strong leadership in their party and in their peers, and who would have better conditions to generate positive results for the company. Odebrecht had an interest in the permanence of these parliamentarians in Congress and in the preservation of the relationship, since historically they supported projects of their interest and had the ability to influence others. To do that, they maintained a financial relationship with these politicians. Additionally, I sought to identify and support promising politicians, who, besides defending converging interests, demonstrate the capacity to exercise leadership in Congress and in their respective parties, thus becoming part of the list of strategic politicians. The payments I indicated based on this list were approved by Marcelo Odebrecht, by the presidents or directors of the respective businesses. The political agents knew the weight of my favorable opinion within the company, and I used this in my favor. Still, without wanting to evade my responsibilities, I think it is important, just for contextualization, to point out that, inside my company, other people kept their own agenda in the National Congress.”. He goes on to declare that he preferred to avoid discussions in the House of Representatives because of the number of agents and interests, which made negotiations difficult, the Senate being much more preferable for his negotiations. When, eventually, he needed to deal with some deputy, he went directly to his contact person within the company, since there were many involved in this networking process.

All this was possible through sophisticated financial engineering in order to generate billions of dollars in slush funds and by distributing it to authorities, which made bribery the standard operating procedure from Odebrecht S.A. and the corruption schemes were not restricted to certain businesses from the Group, but pervaded the whole company (Braskem, Odebrecht Ambiental, etc.).

The investigations also discovered a specialized area inside Odebrecht, the Department of Structured Operations (DSO), which was responsible for keeping the “parallel” accounting, moving the money and processing illicit payments. During the period before the prosecution, compliance also popped up in some events, but as something to be circumvented instead of applied, one of them reported by Bloomberg Businessweek with the captivating title of: No One Has Ever Made a Corruption Machine Like This One (2017): the Antiguas Overseas Bank was used to funnel money, via a shell company called Klienfeld Selvices Ltd. When the bank’s account was frozen due to near bankruptcy, Klienfeld and his partners tried to acquire it, but the transaction failed due to an already filed report from the bank’s compliance office about suspicious activity. The solution found by DSO was to acquire 51% of the Antiguan branch of the Meinl Bank, which was turned into their facilitator for corrupt transactions. According to Odebrecht’s Plea Bargain (p. 11), they utilized banks with features like strict bank secrecy and that weren’t cooperative with international law enforcement, paying high remuneration fees and rates to the institutions and percentages of transactions to the bank executives. To bypass compliance inquiries and backstop the transactions, they would use fictitious contracts. At another instance, Odebrecht used an intermediary in order to open an offshore account at the Swiss Julius Bar Bank, having a Brazilian state-executive, a politically exposed person (PEP), as it’s beneficiary. The same intermediary, with his European connections, managed to acquire an authorization from the bank after compliance flagged the beneficiary (Indictment N. 5036528–23.2015.4.04.7000/PR, pp. 55, 92).

During the interrogation of one of Odebrecht’s main executives, it was asked if the company pursued any internal investigations about the facts that came to light while the scandal was breaking out. The executive answered that “as soon as the first notes that mentioned Odebrecht in the industrial engineering case were published in the media, we set up a totally autonomous and independent investigation committee for this purpose” (Case File n. 5036528–23.2015.404.7000, Deposition R.A., p. 36). However, this did not correspond to the reality presented by other company members. Compliance, at the time, was defended as a new company policy, in order to turn the company more professional and respected abroad, but good practices never should reach the top floor (Cabral & Oliveira, 2017, p. 11). Due to the involvement of the senior management, there was only a paper structure “ready” to prevent corruption. Cabral & Oliveira (2017, p. 154) documented the aforementioned internal investigation: after the accusations of irregularities in contracts came to light, the internal audit was triggered to start investigative work, but it was initiated by the same executives being investigated. The chief compliance officer and the internal committee would have their independence, but a very limited scope of investigation was set, and investigators would report their findings directly to those involved in the larger scandal in the first place. The executives encouraged that the audit be done only on the basis of public data alone, so nothing but what was known could come to light.

A recent survey-based study (PWC, 2020) shows that the corporate crime rate in Brazil declined slightly over the last two years, now with 46% of respondents alleging at least one case, very close to the global average of 47%. From the respondent enterprises, 43% (compared to 40% around the world) intend to expand their budget for their compliance programs, which indicates a consolidation of international tendencies of law enforcement in Brazil. The most common corporate crimes at Brazilian enterprises are bribery and corruption (41%), accounting fraud (40%) and asset theft (24%). Worryingly, however, is that about a third of respondents (36% compared to 29% globally) informed having received some form of bribery request and 48% believe they have lost a contract or deal due to bribery from other companies. This goes to show how early it was in 2014 for any sort of compliance framework to be present, for all companies in Brazil across all sectors, but also how needed some form of internal control was, and how the landscape at Odebrecht was especially malicious, given its combativeness when faced with the investigation, its structure to process illicit payments and its modus operandi centered around influence networks within the government.

From the interviews, we were able to extract some main takeaways about the state of compliance before and during implementation. According to more than one interviewee, the company did not create a compliance structure from the ground up, but from an even deeper starting point since the company had a previous negative attitude towards any regulatory implementations. Project managers, Directors, and other executives at Odebrecht thought the Code of Conduct was sufficient to address their needs and did not want to make changes. In the 2010s there were multiple engineering business units, without process unification, which was supposed to “preserve egos” and “avoid conflict”. In this way, decision-makers had each their own space to handle business as they willed it, and those who tried to change or contest how things were done were seen as troublemakers or non-trusting, losing space and projection. It was fundamental not to create an ill situation among peers and to foster relationships. Those who actively knew about wrongdoing or suspected it, had all the incentives to leave or stay silent. Their systems were seen as self-sufficient, where external input was not desired. Odebrecht had a culture based on decentralization, trust (especially among leader and team), and favoring client’s interests—based on the founding family’s influence. One interviewee argues these pillars were misinterpreted, leading project managers to be able to act without supervision—also an attempt to shield executives from liability—, auditing initiatives to be seen as lack of trust and client’s interests being attended even through illegal means.

Up until 2014 there was no hierarchy structure and compliance demands had to go over several positions before—if even—reaching anyone from top management. When the scandal broke out and the company took a defensive posture, top management alienated employees themselves into thinking the company was a victim being politically targeted by authorities. Odebrecht paid approximately $788 million in illegal bribes while securing benevolent treatment and securing public contracts, across more than a dozen countries and undetected for at least a decade. Given the proportions of the scandal, strengthening preventive measures, which includes a structural and mindset change, is fundamental, especially if those involved have a low risk of suffering legal consequences, due to the complexity of white-collar crimes, investigation deficits or prosecutorial leniency.

4.1 The Agreements and Enforcement Guidelines

Odebrecht and Braskem settled in 2016 with the Brazilian Federal Prosecutors Office, the US Department of Justice and Switzerland’s Prosecutors Office to pay a combined total penalty of at least $3.5 billion.Footnote 7 In 2018, they settled a deal with CGU and AGU to pay R$ 2,72 billion over 22 years. Beyond these, another seven agreements have been settled with authorities from governments of Brazil, Equator, United States, Guatemala, Panama, Dominican Republic and Switzerland.Footnote 8 Deals with the World Bank, authorities in Peru and CADE (Brazil’s Antitrust authority) have been settled only recently, in early 2019.

Collaboration agreements were also concluded with 78 of their executives. At the time, the DOJ classified the agreements as “the largest foreign bribery case in history” for violation of the FCPA (ibid.). In Brazil, the agreements became known as the “end of the world whistleblowing” (Rossi, 2016) for its national and international reach and for the implications to the political system. For its collaboration with American authorities, Odebrecht received a 25% reduction of the bottom to the applicable U.S. Sentencing Guidelines fine range.

To understand why Odebrecht was also and fundamentally prosecuted by American authorities, one needs to understand that faced with the need to seek capitalization alternatives, without resorting to loans, many companies find in the stock market a low-cost form of capitalization. This option entails that companies whose shares are listed on the stock exchange adapt to Corporate Governance standards and codes, adapting their ethical posture to be consistent with international standards, and in the case of Odebrecht it meant that by having their shares exchanged in the NY Exchange, they were also under the jurisdiction of the American justice system. U.S. federal prosecutors enjoy broad discretion, including being able to halt or defer prosecution, if the defendant complies with their agreement demands, which could entail compliance and self-reporting obligations, as was the case for Odebrecht (Scollo & Winkler, 2017).

As Brazilian prosecutorial authorities also came to the last rites of their leniency agreement with the company, Odebrecht S.A. signed an FCPA Plea Bargain with the Department of Justice (DOJ), in 2016. For the deal, the DOJ considered Odebrecht’s “failure to voluntarily disclose the conduct that triggered the investigation; the lack of an effective compliance and ethics program at the time of the conduct” (DOJ FCPA Plea Bargain, Attachment C Details the Corporate Compliance Program, pp. 56–74) and required Odebrecht to commit to a series of obligations under the agreement, the ones most important in the context of compliance being:

  • to implement a compliance and ethics program or expand the existing one throughout its operations, including those of its affiliates, joint ventures, contractors and subcontractors, to ensure that it maintains effective internal accounting controls and rigorous anti-corruption compliance policies;

  • high level commitment, making sure its directors and senior management provide strong, explicit and visible support to its compliance guidelines;

  • oversight and independence, with the appointment of one or more senior corporate executives for the implementation and oversight anti-corruption compliance policies, reporting to independent monitoring bodies and the board of directors;

  • periodic annual risk-based reviews to ensure effectiveness of said policies;

  • training and guidance, providing an internal training program and communication channel;

  • developing procedures for internal reporting, investigation and eventual sanctioning;

  • allocation of the necessary resources for the implementation of these procedures;

  • risk-based due diligence and compliance program towards third parties, including M&A targets;

An independent monitor was appointed to overview Odebrecht’s compliance with the terms of the deal over a temporary period of time, having the company guarantee his access to all documents and resources that may be needed for said assessment, reporting directly to the DOJ and taking into account the commitment of the board of directors and senior management, what can be described as a very broad set of powers, especially since the company waived certain legal rights and signed a “muzzle clause”, preventing the company from contradicting the Statement of facts from the agreement (Scollo & Winkler, 2017).

The leniency agreement with Brazilian authorities, for its own worth and given the instrument’s novelty in Brazil, consolidated it to serve multiple functions. Particularly, public interest is prioritized, beyond provisions on effectiveness and broadening investigations, to preserve the existence of the company and the continuity of its activities to make sure reparations are met and to ensure the effectiveness of the company’s integrity practices (Pimenta, 2020).

Furthermore, from the 78 executives who entered the individual plea bargains, 51 had their employment terminated and 26 received a demotion to non-managerial positions besides anti-corruption and business ethics training (Odebrecht Annual Reports, 20182019).

4.2 The Implementation of Compliance Programs

Compliance areas, which take care to prevent companies from breaking laws and regulations, are no longer a novelty in the corporate world. The question is to how to make sure that they are actually infused into the fabric of the business model. Bureaucratic demands aren’t always adequate or fair and need to be revised on a constant basis. It is understandable if long term insiders think some bureaucratic hurdles are excessive, but not something to be skipped or overcome in order to preserve their business. At Odebrecht, both soft law and binding legislation were seen as a nuisance, and illustrates the corporate culture that the monitors appointed by the US Department of Justice (DOJ) and the Federal Public Prosecutor’s Office (MPF) came across when they arrived at the company four years ago. Later, however, the monitor appointed by the Public Prosecutor’s Office, Otavio Yazbek, a lawyer and former director of the Securities and Exchange Commission, CVM, presented his report to prosecutors and gave a statement that Odebrecht no longer is the same and that its systems and rules are ready to detect criminal operations. According to his report, the company centralized previously loose processes, created compliance and internal audit departments, and unified purchasing systems. It hired independent advisors for the companies, dismissed almost all whistleblowers and members of the old guard, alongside removing owners Marcelo and Emílio Odebrecht. Over these four years, Odebrecht spent 68 million USD to make the changes required by the agreement deals (Goulart, 2020).

The difference between the annual reports from 2014–2015 and those published from 2016–2020, when they adopted the Global Reporting Initiative (GRI) directives is notable. GRI is an international organization that has developed one of the most widely used sustainability reporting models in the world, to confer organizational transparency and enable companies to measure and communicate their performance in the economic, environmental, and social dimensions. While there were zero mentions about “transparency” in the 2014 report, the 2016 report finds the term being mentioned 26 times. There are also 34 mentions of “ethics”, 17 about “integrity” and 20 about “governance”. The annual reports from 2016 forward demonstrate how the company applied the mandatory changes:

2016

2017

2018

2019

Update of internal policies

Meetings with subject matter experts

More than 500 communication actions

Capacity building and communication

Public Commitment

CMS implementation with 10 measuresFootnote 9

Area budget of 72 million, 12% increase over 2016

Review and pre-selection of the supplier base

Board of Directors changed its composition to 20% independent

Organizational restructuring of the company with new Business Leaders and review of the role of the holding company

Approved in 2017 the policies on corporate governance, on people, on sustainability and risk management

November 2018 RepTrack Deep Dive methodology survey for stakeholders, 69% feel the company is more transparent and 72.5% perceive evolution in commitment to acting ethically

Joined the UN Global Compact

Creation of the Global Advisory Council

Creation of the Compliance Committee for classification as a Pro-Ethical Company

At the end of 2016, there were 9 CCOs + 40 employees in the Compliance System

Internal audits were structured

Ethics Line Channel had 3014 reports in 2015

Ethics Channel 2016: 3121 reports (dismissal of 30 members, removal of 4 suppliers)

Now 81 professionals at the Compliance Department

Creation of Due Dilligence Guidelines

Removal of political contributions

Training Seminar for 170 Leaders

Another notable difference, Odebrecht had climbed 47 positions in the ranking of best practices in transparency of the information disclosed, according to the Transparency in Corporate Reporting report presented by Transparency International, moving from 97th position in 2013 to 50th in 2016. The study, which was based on 2015 data, and evaluated the disclosure information of the 100 largest multinationals in 15 emerging countries. Specifically in anti-corruption programs, Odebrecht went from 0 to 77%, ranking 22nd, well above the overall industry average of 43%. The study also highlighted the points in which Odebrecht needs to improve, such as adopting policies that explicitly prohibit facilitation payments and prohibit political contributions in all countries in which it operates. According to the company, the Policy on Compliance with Acting Ethically with Integrity and Transparent Actions, approved in 2016, was created to addresses these two aspects, among others.

Additionally, Silva and Monteiro (2019) published a study about Odebrecht which had three objectives, namely: to present the history of corporate governance and critically analyze the compliance structures created (sufficient autonomy, resources, etc.); to verify which were the actions of the top management for sponsoring/reinforcing the implementation of the compliance program (tone at the top); to identify the risk methodology used by the organization (risk assessment). They used internal policies, external documents and interviews with employees to make their evaluation.Footnote 10 The study found the compliance structures to be sufficient, having “verified the support of the management in providing a compliance structure, with professionals of the appropriate hierarchical level, resources, and direct access to the highest governance levels of the company” (p. 431), with the exception of the quota for independent advisor seats, which weren’t filled according to the statute. Top management support was also stated to be present and acting. For risk assessment, Odebrecht’s policy was based on Enterprise Risk Management Framework of COSO, and on ISO 31000:2009, considering each business has a different risk profile, although there is an inherent risk to all of them: violating anti-corruption laws. The risk portfolio for the holding company will tend to be more simplified since it does not have any operations. At the time of the study, both the tools and the controls that would evidence the risk management process would still be defined and implemented by the organization and couldn’t be analyzed, leading to the obvious conclusion that they were still insufficient.

According to De Araujo (2020), in 2017 the Department of Justice issued the Evaluation of Corporate Compliance Programs (ECCP), soft law guidance to help authorities to evaluate the effectiveness of compliance programs, considering the Justice Manual’s three question-pillars for remedial actions: “1. Is the corporation’s compliance program well designed? 2. Is the program being applied earnestly and in good faith?; 3. Does the corporation’s compliance program work in practice?” (p. 9). Odebrecht was assigned an independent monitor by the DOJ and was also monitored directly by Brazilian authorities (CGU). The U.S. monitorship was set to end Feb. 2020 but was extended for another 9 months given that Odebrecht had not settled its financial dues to the monitors and could possibly have failed to fulfill obligations under the plea agreement (Sun, 2020). On the Brazilian side, CGU recommended several—publicly undisclosed—improvements and required an action plan, including ISO 37001 certification. Remarkably, due to Odebrecht’s 22–year payment plan, CGU will perform continued monitorship for the whole period. In general, however, the author—a public prosecutor—mentions “it is possible to perceive how corporations have improved its compliance programs, from cosmetic compliance in the first years to sophisticated programs within the last two years”.

Farias et al. (2019) published a similar case study in order to analyze the process of restructuring compliance in a construction company involved in a corruption scandal. Although not disclosed, it selected Odebrecht S.A. for its evaluation. The research concluded that the actions taken by the company have proven to be adherent to the guidelines established by Federal Decree 8420/2015, and by ISO 19600/2014 and ISO 37001/2016 standards, although it was not yet certified by these standards. The points not met by the company were the performance of audits to verify the adherence of the practices developed, the non-identification of treatment of eventual non-conformities identified, and the approach and critical analysis performed by top management regarding compliance. Risk management also presented deficiencies to be highlighted, such as lack of methodology and the non-application of the due diligence when hiring specific professionals. A limitation of this study is the fact that the data collection was carried out in an intermediate phase of the implementation of the Compliance Management System.

Our data from the interviews showed further development in the day-to-day operations, certification requirements and risk management practices, although some critical factors still need be addressed. Since the agreements with the authorities and the start of the monitorships, Odebrecht also had a high turnover in leadership, going through seven different administration council compositions and different conformity committee leaders. By 2021 a lot of the prejudice against the compliance department had disappeared—the dismissals helped—and the implementation of the compliance program was taken seriously to the point of being able to be verified by U.S. and Brazilian authorities. In 2020 the DOJ certified that Odebrecht had a robust program and now the Brazilian Public Prosecutors Office (MPF), which was an important achievement. Odebrecht, now rebranded as Novonor, was also able to receive the ISO 37001 anti-bribery certification, having implemented all of its main requirements.Footnote 11

According to interviewees, some old timers, which could represent resistance, are now a minority and don’t have the means to oppose an overwhelmingly compliant culture, which is corroborated by internal surveys conducted by the monitors. Another contributing factor is the fact that currently 50% of the companies’ employees joined after Car Wash Operation started and around 45% are under 35 years old, i.e. less accustomed to the “old ways” of doing business.Footnote 12 From that minority, however, some are still in leadership positions and have been through the process of normalization, rationalization of wrongful behavior, and socialization inside the company for many years, still presenting different forms of resistance, such as asking for a dismissal of new implemented tools or questioning their need. Another form of influence from top tenured leadership is cutting down on communication processed between teams and opening discussions for outside input. One of the interviewees narrates: “Do you think he will invite you to a meeting that he knows may have a potential conflict? No, because he knows what you are going to say and he doesn’t want to hear it. And I say that compliance is a structure that should not exist, because compliance is in day-to-day life. It is in your capacity to make decisions, in your capacity to perceive a dilemma. We should exist in a transitory way, you know, until that is absorbed by people. For them to be able to perceive the dilemma, for them to perceive how much they are rationalizing, for them to perceive how much the group is influencing them”. A key insight into how different it is to implement a checklist and absorb compliance into corporate culture.

Another crucial complaint made was that due to the speed with which the leniency agreements were handled, leaders with conflict of interest were still plenty, leading to a company to make deals with executives in order for them to collaborate with the justice department. A company which later downsized from almost 200 thousand employees to less than 40 thousand and declared Chap. 11 Bankruptcy was until recently still paying hefty sums to crooked former executives.

Additionally, but more successfully, we heard reports about how where previously there was no control, but an incentive to informal institutional relationships, now there is a three way sector of controlling the interaction between public and private sector: the demands and meetings are set as a group, represented by the representative entity in the construction sector; there are new policies in place regarding illicit payments; and most importantly, there is strict financial control into expenditure and diminished possibility for project leaders or managers to find financial sources to make any type of facilitation payments. The cultural shift is also related to the Action Plan from employees, not only communication and training measures adopted by compliance policy. The Action Plan is tied to the macro and micro qualitative and quantitative goals of employees, which are modeled by their career plan and financial bonifications, leading the implementation of the compliance measures—included as goals—to be discussed, evaluated, and absorbed by all on a constant basis.

4.3 Discussion

Odebrecht filed for Chap. 11 Bankruptcy or rehabilitation bankruptcy to reorganize its debts in June 2019.Footnote 13 According to the suit, Odebrecht’s involvement in the corruption scandal uncovered by Car Wash operation brought several economic setbacks to the company, including the lack of access to sources of financing and the possibility to pitch and secure new projects in Brazil and abroad. Moreover, several contracts have been suspended or rescinded and assets blocked. Furthermore, the group’s investment in remedial measures and Compliance have also taken a toll on their budget but have been improving given the successful creditor negotiations.Footnote 14

Rebranded to Novonor, Odebrecht could be considered a rehabilitation success case. In light of the agreement, Odebrecht agreed to terminate the employment of 51 individuals who participated in the misconduct, to discipline and train further 26 individuals (suspensions, penalties, demotions) involved, to create a Chief Compliance Officer (CCO) position that answer straight to the administrative council, adopt heightened controls and anti-corruption compliance protocols, to allow double independent monitoring and increase the budged and human resources for compliance, amongst other more specific measures, all of which happened.Footnote 15 In 2018 the holding company replaced most of its board of directors and Emilio Odebrecht stepped down as chairman after almost 20 years on the board. During this move, it has also been established that members of the Odebrecht family will no longer be eligible for the position. Odebrecht’s 2018 compliance budget was $20.45 million, compared to $3.19 million previously (Russo, 2018). Among compliance and governance measures, Odebrecht has implemented or started implementing all of the DOJ’s 10 hallmarks and Brazil’s Transparency Ministry 17 recommended initiatives, as well as a global advisory council with national and international members. One of the boldest initiatives is that up to 30% of executives bonus payments are now conditioned to reaching compliance targets (Estadão, 2019). Each business unit now should have its own board of directors while the holding provides uniform governance and guidelines. At least a fifth of board members will be independent and hired by external consultants. Other promising initiatives are outsourcing whistleblower hotlines and strengthening due diligence checks of suppliers. If Odebrecht manages to rehabilitate itself economically, it could be well on track to change its previous incentive system that fostered deviance.

One could argue that corporations previously involved in scandals and who had to go through monitorship periods and pay hefty fines might now be mostly dealing with the reputational damage and stigma than with a need for cultural change. After Siemens Scandal had its offices raided in 2006, by 2009 the company had invested a heavy amount into the compliance department and ensuing investigation and changed its compliance systems. Around 1750 interviews with Siemens employees were conducted and more than 14 million documents reviewed. The company employed more than 500 compliance officers in their global operations, renewed their policies, created internal reporting lines, a compliance hotline, etc. For their main concern, to deal with scrutiny into potential partners, they developed the IT-based Business Partner Tool (BPT).

Although strengthened and better prepared to deal with illicit conduct, the company did not become impervious to it. Recently, the monitoring reports commissioned between 2009–2012 were disclosed and show that US and German authorities found $1 billion of bribes paid to foreign government officials in return for business. According to the report “Siemens was allowing some business partners to sidestep vetting through the BPT, thus allowing what were, according to Siemens’s own definition, “high-risk” entities to conduct the company’s business in China without proper due diligence”. The employee responsible for pointing out the compliance issues in China was fired in 2010 (Knight, 2021, based on a report made by 100R.org).

Coming back to Odebrecht and the characteristics of what is an effective compliance system, we could review some of the points raised during the previously published works and the interviews:

  1. a)

    Institutional Relationships and Borderline Positions

Borderline positions lie between the organization and the environment, which makes them susceptible to disruption. They are considered “semi-external institutions” (Luhmann, 1995, 229; Bergmann, 2016, p. 14). In the company they structure make it possible to undermine formal rules and exploit control gaps because of the vague definition of their tasks (acquire new business, handle relations with government representatives or customers) and because of their relative distance from internal organizational processes (third-party collaborators, intermediaries, different offices around the world). Bergmann (2016, p. 16) cites a Siemens executive who reported even after the scandal that in sales in particular it was still hardly possible hardly possible to create global standards of behavior, because in the treatment of business partners they had to be differentiated according to country and custom (Lamparter, 2007).

In January 2019, when Jair Bolsonaro’s government arrived in Brasília, Odebrecht hired a new director of institutional relations, thus reopening the Brasília office (in the capital) that had been closed at the height of the Operation Lava Jato process. Having an office in Brasília is fundamental for a large company, especially when it is a construction company that thrives on public works, which cannot give up having dialogue with governments or politicians. According to the magazine Veja (Goulart, 2020), one of the reasons that weighed in favor of hiring the new director was that he had good relationships with army men, which are now in key positions in the government. All in all, hiring someone thinking about their ease to push an agenda is not uncommon, but it reminds us of Odebrecht’s old culture of keeping themselves close and having access to power.

Of the 77 executives who turned collaborators, most of them are either institutional relations directors or company/sector leaders, such as CEOs or Project Directors, since Odebrecht had a very decentralized operating structure regarding their projects. The answer to the dilemma of institutional relations and borderline positions at Odebrecht is by control of the cashflow, accounting and financial aspects of the company. If employees can’t find, hide, scatter or produce the money, they can’t make facilitation payments. This brings up another aspect of compliance management systems and very discussed in the field of organizational deviance, structural incentives.

  1. b)

    Structural Incentives

Google was famous for having the motto “Don’t be evil” in the preface of its Code of Conduct. However, instead of believing in free-will or pursuing ethical standards or expecting moral behavior from employees, one of the possible solutions is to take the choice away from them. Instead of “don’t”, we move to a system of “can’t be evil”. And that is what the financial scrutiny put in place by Odebrecht could achieve.

Again, using Siemens as an example, even though all the changes had been made internally and the CMS implemented, the company still had very aggressive growth and expansion goals. This resulted in pressure to perform, increasing internal competition and heightened expectations of economic efficiency (Bergmann, p. 15). This pressure creates a conflict, because it can be hard to achieve the economic goals without resorting to “alternative” methods, making compliance concerns go out the window. For Siemens, illegal bribery of public officials for the purpose of acquiring contracts was regarded within the Group as an efficient response to this conflicting incentive constellation (ibid).

Odebrecht’s idea to include compliance targets into executives’ bonus payments (up to 30%) and adding macro (to be achieved by all) and micro (to be achieved individually or by sector) compliance goals into everyone’s Action Plans leads to a general and specific positive incentive to follow through with all measures and policies implemented, be it related to communication and training or risk assessment.

  1. c)

    Power Struggles and Corporate Governance

Corporate Governance relates to the allocation of power among the owners, board, management and shareholders, and encompasses actions taken by management from the most senior levels to all administrative instances (IBGC, 2015). The objective is to create an efficient set of mechanisms, internal and external (incentives and monitoring) that aim to harmonize the relationship between ownership (shareholders) and management. One of the ways to do is to create an administrative council.

This type of structure arose from the need to reconcile the interests of company partners and those responsible for corporate management. Boards are the consequence of the professionalization of business management. The shares of a company, when traded on the stock exchange, mean that an organization has many owners, and the management of operations is in the hands of other executives. When it comes to family businesses, decision-making can be complicated, as it is difficult to separate personal intimacy and interests from what is best for the company.

Therefore, the administrative council is the organizational structure that serves to act in the alignment of interests between the executive management and the owners of the company, being the link between them all. Odebrecht is a family company. It turned multinational in the 1980s and later an open company with shares in the stock market. Marcelo Odebrecht was a third generation CEO. Odebrecht’s former struggles are related to the complete dominance of the Odebrecht family over the families’ business practices, their ties to power and the lack of supervision over their actions, choosing to grow “by any means”. Having removed Emilio and Marcelo Odebrecht from key positions, diminishing their influence and voting power, as well as introducing independent positions in the administration council are all favorable marks of a more professional direction and conformity orientated company.

  1. d)

    Effective Communication and Cross-Functional Collaboration

According to some of the interviewees on our dataset, an important factor in any organization is transparent communication, allowing access between sectors and information flow without penalties for divergence, creating an environment in which employees will feel comfortable raising their hands and saying “Look, there’s something strange here” and not be rejected by the group. A facilitating factor allowing for this environment to foster and communication to take place is an integrated approach into CMS supervision and implementation (Cardoni et al., 2020). Multitasking teams dealing with internal and external stakeholders also demand a multi-competent leadership (Stiles & Uhl, 2012). “Process owners (marketing department, CFO, production department, etc.) are no longer the unique parties responsible for the risks affecting their areas because today world complexity makes it difficult for process owners to identify all the risks. That is why companies must enable synergies between process owners and the anticorruption supervisor (FN1). Together they can define the key risks and response strategies. The anticorruption supervisor establishes the best types of control tools for monitoring the risks in the process owner field and shares the risks with the process owners; they become not only a controller but also a co-owner of the risks” (Cardoni et al., p. 1182). If an anticorruption mindset is to take place and a corporate cultural shift happen, a cross-functional integration would benefit this movement greatly. At least where top management is concerned, Odebrecht does not seem to have adopted this approach yet, with lack of communication and division of competencies being some of the issues raised.

5 Conclusion

This chapter presents a case study approach to understand compliance system’s features and implementation challenges inside a company which has previously been prosecuted for wrongdoings. Our results provide some theoretical and practical insights to the literature of the field. This allows us to explain, in this particular context, how anticorruption practices are integrated into processes and structures and how is it handled and perceived by management, highlighting important factors for a successful system implementation.

Rebranded to Novonor, Odebrecht could be considered a partial rehabilitation success case. In light of the agreement, Odebrecht agreed to terminate the employment of 51 individuals who participated in the misconduct, to discipline and train further 26 individuals (suspensions, penalties, demotions) involved, to create a Chief Compliance Officer (CCO) position that answer straight to the administrative council, adopt heightened controls and anti-corruption compliance protocols, to allow double independent monitoring and increase the budged and human resources for compliance, amongst other more specific measures, all of which happened. In 2018 the holding company replaced most of its board of directors and Emilio Odebrecht stepped down as chairman after almost 20 years on the board. During this move, it has also been established that members of the Odebrecht family will no longer be eligible for the position. Odebrecht’s 2018 compliance budget was $20.45 million, compared to $3.19 million previously. Among compliance and governance measures, Odebrecht has implemented or started implementing all of the DOJ’s 10 hallmarks and Brazil’s Transparency Ministry 17 recommended initiatives, as well as a global advisory council with national and international members. One of the boldest initiatives is that up to 30% of executives bonus payments are now conditioned to reaching compliance targets. Each business unit now should have its own board of directors while the holding provides uniform governance and guidelines. At least a fifth of board members will be independent and hired by external consultants. Other promising initiatives are outsourcing whistleblower hotlines and strengthening due diligence checks of suppliers. If Odebrecht manages to rehabilitate itself economically, it could be on track to change its previous incentive system that fostered deviance. A worrying factor will still be incentives arising from the public sector and the characteristics of the construction industry (handling bidding competition). It is possible that in the future, taking the state-of-the-art approaches recommendations that also take sustainability into account (Asif et al., 2011; Cardoni et al., 2020), compliance implementation will be further developed from the check-off formal approach into a more integrated seamless system. Other than cross-functional collaboration, transparent communication, structural incentives and the handling of borderline positions and power struggles, technology will also play a huge role in allowing for system transparency. Monitoring around the world should change from quarterly or annual controls into an ongoing continuous tool, by the use of IT tech and Big Data, meaning that sampling methods could be a thing of the past, allowing us to “question the underlying assumptions and governing principles of the current anticorruption model, thus leading to its modification” (ibid, p. 1183). A system capable of adapting to particularities of the business, sector and country will always be preferable and have more chances of lasting.