Spotting the bad ‘penny’
Can a company predict where it may face compliance weaknesses, and act ahead to address them? Eugene Soltes, a professor at Harvard Business School and author of a top-selling book on white collar crime, has spent much of his career trying to understand why outwardly successful employees are tempted by ‘the dark side’ and into fraud. Based on his experience, including visiting convicted white-collar criminals in prison, he has looked at corporate ‘integrity gaps’ to create predictive models for identifying potential weak spots and to develop a methodology and training for corporates to minimise them.
“The challenge today in compliance is that a lot of initiatives are deployed in generic ways across everyone in the organisation, rather than in more targeted ways”, he explains. “However, risks within an organisation differ among employee groups and subcultures. So ‘carpet bombing’ with one-size-fits-all compliance is not only costly, but often ineffective.”
Soltes explained his work at last year’s Deloitte Swiss Investigation Forum in Zurich. He aims to design tailor-made compliance programs for risk areas, along with fine-tuning existing schemes.
The first step is to gather data that many organisations already have, but typically do not aggregate to understand culture. Ideally, this involves gathering information about past allegations of misconduct, along with additional HR and performance data, and internal survey findings about job satisfaction. Based on this information, and aided by sophisticated machine learning technology, Soltes has created models highlighting potential danger points. Notably, such analytics have the potential to allow firms to peer into the future of what misconduct is likely to arise and where, not simply what has already happened.
“Organisations habitually focus on the past. We aim to look to the future; to try to make compliance more predictive by analysing where and how things might go wrong.”
As an example, his research has demonstrated that the chances of an employee compliance violation are six-and-a-half times greater when the employee’s manager has had a personal misconduct issue. Similarly, past allegations can predict future misconduct. ‘Bad Penny’ whose records contain a substantiated or unsubstantiated misconduct allegation are significantly more likely to behave badly again.
Soltes has built analytic ‘dashboards’, which identifies different risks by area, their possible causes, and potentially vulnerable groups or ‘pockets’ of employees. Based on these findings, companies can better identify where there are emerging risks.
But identifying these groups is only half the work. The next stage is to devise compliance initiatives to more impactfully influence employee conduct and monitor the success of such efforts. That’s where Soltes is now with his research. “You shouldn’t get credit for an effective compliance programs unless you can really see and measure the changes in behaviour.”
Tools like policies, training, and monitoring are a nature place to start. However, the trick is to identify the right mix for each group of individuals in order to obtain the appropriately results. “After one does the analysis, it becomes very clear some groups need far more compliance and integrity attention, while others need relatively less.”
Already the research demonstrates that certain novel and appropriately tailored approaches can change people’s conduct significantly – to the extent of localised differentiation producing different results. “That’s a long way from the one-size-fits-all box-ticking of group-wide compliance training schemes”, stresses Soltes.
Deloitte's own experience in assisting corporates to protect themselves against economic crime supports Soltes’ hypothesis. In spite of ever-larger and more costly corporate compliance programs being put in place, compliance shortfalls continue to occur. Finding the balance between spiraling costs and securing actual benefits continues to be elusive, and more targeted, data driven approaches certainly seem able to deliver much better results and protection. ‘Tick-the-box’ procedures are certainly not the answer for effective compliance programs. Meaningful fraud risk assessment and mitigation needs to focus on why people do what they do, and to try to understand risk exposures on a targeted individual level, harnessing all of the power that 'big data' can bring.