On July 16, the New York Times published a special minute-by-minute analysis of events during the April 15 fire in Notre-Dame Cathedral in Paris. That analysis, which includes interactive 3D diagrams of Notre-Dame and the response by firefighters, is worth reading because it indicates how close Notre-Dame came to collapse and how much firefighters risked their lives to reach critical areas of the fire and prevent that collapse.
Although French authorities are now conducting an investigation to determine how the fire started and who was at fault, the information in the Times’s analysis also contains lessons for compliance officers in how to address risk and compliance considerations in any compliance program.
The analysis identified a number of key factors in the progress of the fire:
1. Management Insistence on Maintaining High-Risk Condition: One precondition for the fire was the insistence by the cathedral’s “contemporary custodians — its architects, priests and caretakers” on preserving its “medieval essence,” which included “the famed latticework of ancient timbers known as ‘the forest’.” To preserve that latticework of dried wooden beams, some dating back to the 13th century, “no sprinklers or fire walls had been added.” Moreover, in the early 2000s the custodians heightened the risk of fire by deciding to electrify the cathedral’s two sets of bells (one in the spire and one in “the forest”), even though Notre-Dame’s architect at the time had warned “against installing lights amid the beams because of the area’s ‘combustion potential’ and the ‘fire risk’ such lights posed . . . .”
2. Ineffective Detection: The first critical defect in spotting a fire in the cathedral, according to the Times, was a fire warning system that
took dozens of experts six years to put together, and in the end involved thousands of pages of diagrams, maps, spreadsheets and contracts . . . .The result was a system so arcane that when it was called upon to do the one thing that mattered — warn “fire!” and say where — it produced instead a nearly indecipherable message.
That message consisted of several components: a red light denoting “Feu (Fire),” and a scrolling message that provided “a shorthand description” of the zone in which the smoke detector had alerted, a string of alphanumeric characters (“ZDA-110-3-15-1”), and the words “aspirating framework” (translated), which referred to a detector in the attic.
3. Inexperienced Security Employee: On the evening of April 15, the fire-alert control panel — located in the cathedral’s presbytery, a separate building on the south side of the cathedral — was manned by a security employee who “had been working at Notre-Dame just three days” and was working the second leg of a double shift because a replacement was absent. The Times indicated that it was not clear which components of the warning data the employee understood or conveyed when he radioed to a church guard standing near the altar to check for fire. In any event, the guard then went to the wrong building, the sacristy, which was also located outside the cathedral on the south side.
4. Inefficient Communications and Response Process: In addition, the security employee, rather than calling the fire department immediately, tried to call his supervisor but did not reach him. The supervisor then called back, recognized the mistake in sending the guard to the sacristy, and told the guard to leave the sacristy “and run to the main attic.” By that time, however, the fire had been underway for 25 minutes, so that “by the time the guard climbed 300 narrow steps to the attic, the fire was burning out of control.” When the guard radioed the security employee to call the fire department, 30 minutes had gone by since the red “Feu” signal.
* * *
Each of these flaws translates into issues to which compliance officers in any enterprise must pay attention. First, if senior management appears to be undertaking or maintaining a high-risk relationship or situation, the compliance officer accountable for that type of risk must advocate vigorously for specific measures to eliminate or mitigate that risk.
Second, for any compliance program — whether bribery or other crimes or civil violations — the first step in guarding against potential legal violations is effective detection. A monitoring system that generates incomplete or misleading data, or that generates too many false positives or false negatives, is a critical weakness that can result in substantial regulatory fines and penalties.
Third, as the Department of Justice’s updated “Evaluation of Corporate Compliance Program” plainly states, compliance and control personnel must “have the appropriate experience and qualifications for their roles and responsibilities.” Even the most state-of-the-art monitoring system will be of little value to a company unless its risk and compliance teams have the knowledge and expertise to review and interpret data and report anomalous activity promptly.
Fourth, every enterprise needs an efficient process for timely escalation of concerning information to supervisors who can decide what response is in order. A 2019 survey by North Carolina State University and Protiviti observed that escalation risk remains a “top ten” risk for surveyed board members and C-level officials, and that 65 percent of those surveyed rated it a “Significant Impact” risk.
A final compliance consideration, not addressed in the Times analysis, is remediation after a catastrophic event. Despite the initial outpouring of pledges by leading French families and companies to fund Notre-Dame’s reconstruction, political controversy, pledging donors’ second thoughts about how they want their funds to be used, and the complexities of assessing fire damage completely before firming up reconstruction plans have set remediation and reconstruction plans for the cathedral on an extended timeline.
A company that faces potentially large enforcement penalties, however, does not have the luxury of time. As the “Evaluation” document makes clear, its remediation will need to be both timely and thorough if it is to have any hope of persuading prosecutors that its compliance program was effective at the time of the misconduct. In compliance remediation, as in fire response, time is of the essence.
Jonathan J. Rusch, pictured above, is Principal of DTG Risk & Compliance, and former Head of Anti-Bribery & Corruption Governance at Wells Fargo. The views expressed are his own. He can be contacted here.