At the gatehouse, the security guard passed me a Novartis visitor’s badge, and I turned to walk down Fabrikstrasse – the campus’ central boulevard. Two thoughts popped into my head: I think I’m too early (I was) and I hope these people are friendly (they were).
I had been invited to Novartis HQ in Basel, Switzerland by Klaus Moosmayer, Novartis’ Chief Ethics, Risk & Compliance Officer and a compliance don, to spend three days with the global leaders of the Novartis Ethics, Risk, and Compliance (ERC) team.
I was greeted first by Klaus’ assistant, Simon. After brief introductions, a small group of us headed out for a tour of the Novartis Pavilion and other campus buildings.
By coincidence, the week before my visit, the Novartis campus was opened to the public for the first time in its history. An associate (every Novartis employee is called an “associate”) explained that the company is trying to improve its relationship with the Basel townspeople.
“The locals looked at us like, ‘What are the Novartis guys doing behind all these walls?'” he said.
Every company is a black box, but perhaps none more than a world-renowned pharmaceutical company with underground vaults and reports of questionable business practices. Novartis is now putting on a friendlier face, or “building trust with society,” as another associate put it.
After a tour of the Novartis Pavilion (which is lovely), we headed back to Fabrikstrasse 18 — the ERC building — and settled into a first-floor conference room.
That moment when an introduction and light chit-chat turn into a substantive meeting can be tricky and full of tension, and can possibly color the whole experience.
In Novartis’ ERC conference room, however, the vibe was immediately good.
We jumped into an overview of ERC – now over 600 associates worldwide.
* * *
Klaus joined Novartis from Siemens at the end of 2018, the same year Novartis established its new ERC function. After Klaus joined, Novartis rolled out the global ERC model, which aims to consolidate several previously fractured roles.
ERC’s initial consolidation happened fast – lightning fast by corporate standards. Disparate and disjointed teams were brought together to form what’s essentially a new department with global standards and worldwide reach.
At times, associates speaking about the sheer amount of change had trouble putting into words just how different things are now.
And to be sure, it’s still a work in progress, and some associates, although proud of the result so far, talked about the size and difficulty of the tasks ahead.
The scale of ERC’s new mission and mandate is hard to grasp. Policy management is now part of the team. Not just management of compliance policies and controls but every policy, company-wide.
Conversely, ERC is not the legal department. Of the nearly twenty ERC leaders I met, only four had law degrees.
“Sometimes it’s tempting to see things as either black or white from a legal point of view,” Brett Hudson said in his quiet but commanding voice. He’s the global head of corporate ethics, compliance, and ERC governance. “The legal side of things is very important but handing down a legal rulebook isn’t sufficient to address ethical dilemmas and biases.”
Hudson has worked at Novartis (or affiliates) for over fifteen years and comes from the business side. He was general manager for three Southeast Asian countries before joining ERC.
A defining characteristic of Novartis ERC is its deep integration. Even with organizational charts and graphics, it is a tall order to understand just how extensive ERC’s coverage is. That breadth of coverage shows in the way the ERC group talk about their roles.
If the topic under discussion starts with the code of ethics, it will quickly move to surveys, behavioral science, communication, auditing, reporting, training, re-surveying, etc.
* * *
The “R” in ERC is not just compliance risk. It’s enterprise-wide risk. The function was moved from audit to ERC as part of the consolidation.
Barbara Badoino, global head of risk and resilience, is the person with the plans. She had just come from a meeting on Ukraine. Specifically, how to support associates who were in danger or displaced. Her job, however, is not merely to react as events happen (though her team does that, too) but to build strategic plans for a plethora of unpleasant hypothetical situations.
It’s a heavy job. Yet Badoino, a chemist by training, talks optimistically about strategy improvements and support from the Board and its risk committee.
She still needs to sell strategic changes to the business side but presenting them as “volatility reduction” has been well received. “It’s a concept they understand,” Badoino said.
What keeps her up at night? “A catastrophic loss of IT,” she says, adding that Novartis has a plan if such an outage lasts for weeks. She details some of the intricacies of what needs to be considered in a situation like that, from mundane things like building access to critical operational concerns like payroll.
Badoino said that exercising is key for ensuring emergency readiness, such as a recently simulated catastrophic loss of IT in their treasury department. The plan involved authorized external bankers activating a manual workaround to release the company payroll to its over 100,000 associates.
* * *
Every branch of ERC seems to occupy its own unique space within the wider ecosystem, but somehow all the parts work together.
Each team also has a distinct personality. The human rights team was chipper, light-hearted, and scrappy. The third-party risk management team was more serious and technical. But every encounter I had with any team, both formal and informal, was peppered with goodwill and humor. In corporate life, it’s common to see long-faced, heavily burdened compliance professionals, but not in the hallways of the ERC building.
After my first day on campus, about sixteen of us went to dinner, a short walk to a restaurant just past the Novartis side gate. Sitting around the table felt, well, strangely un-corporate. The rapport between the ERC colleagues was easy and light, more so considering the mammoth tasks they face daily.
Their common goal goes beyond technical compliance. The target they have set for themselves is an enterprise-wide shift from rules-based compliance to values-based compliance.
While we were discussing training programs, Elke Baumann, the global ERC head of training, told me about a Novartis training video about a romantic relationship between a manager and associate. However, the video subjects were unmarried, which caused strong negative feedback from associates in Islamic countries. There are always someone’s toes to step on.
Training is a big topic at Novartis. Baumann, who leads the group, utilizes a wide range of sub-specialties like behavioral and data science. The mandatory ERC training is risk-based and changes each year depending on the analysis of both the previous year’s results and forecasted areas of importance.
Baumann went through one of their most popular initiatives called Fit to Commit. In essence, it’s an internal Novartis gamified global online course that uses a sports analogy to train associates on various commitments made within the code of ethics. Fit to Commit has been so popular that Baumann said her group regularly receives requests from other departments looking to develop something similar.
In addition to nuts-and-bolts compliance training, ERC staff use a module called Influence Skills, which teaches compliance folks how to “sell” compliance to the business leaders and promote ethical decision-making using influencing techniques.
“People need to see the value of ethics for their role,” Baumann said. “Teaching people how to better influence multiplies the effectiveness.”
Compliance trainers aren’t limited to the ERC department either. Anyone can become a compliance trainer by volunteering to take a “train the trainer” course and committing to perform scheduled training on top of their regular work responsibilities.
Why would someone in an unrelated field commit to becoming an ERC trainer? The reason seems to be a mix of passion for ethics and the status that comes with being a trainer.
The ERC team’s status within Novartis is atypical. Compliance teams don’t always rank high on the corporate ladder of respect. In the eyes of some, they get in the way, slow things down, and cost a lot while bringing in no revenue.
At Novartis, though, things are different. Klaus is a member of the executive committee. A powerful appointment within any organization.
When I casually asked associates how ERC has been able to consolidate and implement so much change so quickly, without fail, whoever was speaking simply said, “Klaus.”
The support continues even higher. “Vas really cares about this stuff. We feel support right from the very top,” one associate said.
Vasant Narasimhan, the Novartis CEO, has received mononym status within the company.
Vas, an American, was just 41 when he became CEO. Promoted from within, he was previously the head of development and chief medical officer. He’s known for his casual style. Jeans seem to be a de facto uniform. He also promotes openness and engagement with the world outside of Novartis.
Before Vas, Novartis endured a string of scandals that included widespread FCPA offenses and hiring Donald Trump’s one-time lawyer and fixer, Michael Cohen, as a consultant.
Klaus joined Novartis a few months after Vas became CEO in 2018, with the mandate to turn the ship around – to make Novartis the most ethical company in the world (my words).
* * *
“Novartis has made mistakes,” Klaus said as we walked down Fabrikstrasse, “We are under a DPA.” He was referring to their $347 million FCPA settlement in 2020 and deferred prosecution agreement.
With the fresh sting of past mistakes, Novartis is a company that has been humbled.
Trudy Tan, head of ERC for the Innovative Medicines International business, said, “Every month at our leadership meeting, we reserve fifteen minutes for people to talk about an ethical dilemma they’ve experienced in the past month. It’s mutual learning to educate and inform.”
Tan comes from a finance and audit background. She explained that sometimes people outside ERC expect those from ERC to have all the answers. “We don’t,” she said.
Talking about ERC’s past mistakes, difficult situations, and ethical dilemmas is an example of the way leaders can help build bridges among associates. When I asked Tan if any legal issues have arisen from openly discussing these dilemmas, she said there’s a difference between an honest mistake and one with intent, and openly sharing them increases trust and accountability on the team.
This open approach to imperfection extends to third parties. Dr. Christof Stolla, global head of review, monitoring and remediation for ERC, explained that after an audit, nearly all third parties require some form of remedial action. Novartis encourages them to implement the changes, while applying a “working at arm’s length” principle. Novartis also provides codes of conduct templates, training, and other materials and advice.
Stolla, a Ph.D. in biochemistry, also mentioned casually, when I asked about his background, that he discovered a human gene during his research years. “And there aren’t many of those,” he said, not as a boast, but as a statement of fact.
* * *
At Novartis, internal ERC tools and processes go through a sort of trial by fire. While describing the Risk Assessment & Management (RAM) platform, Brett Hudson paused on a slide and said, “With data analytics, it took a lot of trial and error to get here.”
Hudson explained that in 2019, compliance-related dashboards were all the rage. “Everything was a dashboard,” he said.
Novartis had mountains of compliance data, but no one was quite sure how to use it. Ultimately, they hired an outside firm to build a comprehensive ERC dashboard. The result was an expensive failure. The data on the platform was so overwhelming that it was difficult to figure out how to use it.
“We went back to spreadsheets,” Hudson said.
Since then, the ERC team has designed and developed its own dashboard, which they call the Control Room. It’s streamlined and simplified. “It only shows us the data we actually need,” said Antoine Ferrere, global head of behavioral and data science, as we browsed through the various views and data.
Conversations at Novartis about ERC can be dizzying because they are so wide-ranging. No matter how small, every function or decision is intertwined with the whole of ERC. For example, the Control Room was developed, in part, with behavioral science in mind. The language of the auto-generated reports is sparse but extremely intentional to reinforce core ethical values, even when performing data-focused tasks.
Ferrere explained how the overall structures of things like training, communications, and the Control Room are designed with behavioral science in mind, to the extent that nearly every word is pored over.
The result of the written material I saw from ERC is a feeling of crisp interaction. There are no run-on sentences and few superfluous words. Typical corporate jargon has been eliminated; the language feels casual but precise.
* * *
Not content with Novartis’ present state of compliance, ERC casts its thoughts ahead.
Franziska Janorschke just moved from being the head of the Novartis SpeakUp Office at ERC, which receives all whistleblower reports and coordinates the internal investigations, to a new role within ERC. Her team covers data privacy but also AI (artificial intelligence) and digital compliance, among other topics, and they’re also setting a path for what’s next.
“We’ve come up with eight principles for responsible AI use,” Janorschke said.
Today, AI is not regulated, making compliance a philosophical challenge, not a technical one. It’s the kind of big, ethical dilemma Janorschke and the entire ERC team seem to relish.
* * *
Over my three days with ERC at Novartis HQ in Basel, the conference room sometimes felt like a sports team’s locker room, a start-up’s water cooler, a neighborhood potluck, and NASA’s control room.
Near the close of my time there, alone in the conference room and looking out at the beautiful autumn leaves, I tried to wrap my head around the complexities of ERC at the third largest healthcare company worldwide. I’m still working on it.
But for me, there are three not-so-secret ingredients in the Novartis ERC sauce: genuine support from the CEO and Board, a clearly articulated grand vision and roadmap, and exceptionally talented and passionate people.
Is this a once-in-a-lifetime alignment of mandate, mission, and manpower? Could Novartis-style ERC be replicated in other companies? I don’t know the answer to that question.
But at Novartis, today’s ERC was built with lightning speed. If there is a change in leadership or political will, could the changes just as quickly be undone?
One associate told me the story of another healthcare company he was familiar with. It also had a past FCPA settlement and allocated considerable resources to its compliance team post-settlement.
After a few years, however, support waned. The corporate leaders who championed the post-settlement changes left and weren’t replaced. “They are almost back to where they were before,” he said.
At Novartis, perhaps the plan is to imbed ERC into the core business deep enough to prevent reversing course, thus fixing ethical and compliant behavior as the status quo for the future, even in the event of personnel and organizational changes.
Whatever the future holds for Novartis, for now ERC is developing ideas and adopting practices that push the company forward and, I believe, will have a profound knock-on effect for the entire compliance industry.
After turning in my visitor’s badge at the security gatehouse, as I walked down Fabrikstrasse for the last time, I was left with a simple thought.
This is what a full commitment to compliance looks like.
Neither my trip to Basel and stay there nor this post was sponsored by Novartis or anyone else.
I’d like to thank everyone at Novartis who took time to talk with me and extend so much hospitality — those mentioned in this post and the many others who are not mentioned.
Thank you, Klaus, for being open to the idea of my visiting Novartis and seeing (and writing about) ERC from the inside.