Disentangling the web of rules, controls and audits
Becoming a Misconduct Resilient Organisation
The Association of Certified Fraud Examiners (the “ACFE”) estimates that financial crime – including bribery, corruption, misappropriation of assets, tax evasion, and cyber-crime – costs organisations five percent or more of their revenues per annum (1). That amounts to roughly € 15 billion in the Netherlands alone, so besides reputational losses, there is significant value to be recovered by managing the risk of fraud and misconduct.
- Internal Control Paradox
- Future of financial crime
- Misconduct Resilient Organisation
- Paradigm Shift
The Internal Control Paradox
Many organisations protect themselves against misconduct by way of their internal control frameworks. This approach focusses on policies, procedures, internal and external audit activities, and other forms of monitoring.
Layer upon layer of internal controls have been compounded by new regulations which impose additional compliance burdens and increase internal bureaucracy. When an incident is identified, the typical response is to understand what has gone wrong and implement more controls to mitigate the newly identified risks one by one, thereby creating an inextricable web of rules, procedures and audits.
Due to this web of rules, procedures and audits, employees encounter difficulties completing their work. First, because of the complex processes, mistakes occur more frequently. Second, employees will find creative ways to circumvent the web because detection decreases as the layers of the web grow. Finally, this web of rules and procedures has a negative impact on the rationalization of employees; it indicates that the organisation is full of unethical employees. This may push a law-abiding employee over the tipping point to become a fraudulent employee.
In 2016, fraud was two times more likely to be detected by a whistle-blower than internal audit activities!
The question arises whether 100% prevention of misconduct is possible. A smart and more balanced approach will make the organisation more resilient and better equipped to protect itself against misconduct. A new approach is imperative.
Due to legislative pressure, the hyper-connected world we live in, and the focus on reputation, companies need to change the way they manage the risk of fraud and misconduct. In order to understand these new requirements, one should understand the future of financial crime.
The future of financial crime
- New technologies will allow outsiders, like hackers and criminal organisations, to realise financial gains or disrupt organisations.
- Modern financial systems combined with hyper-connectivity will change the nature of financial transactions: volume will increase and average value will decrease.
- Financial crime fraud schemes will increasingly be facilitated through collusion with people inside the organisation who circumvent the internal control environment.
- Reputational risk will be heightened and accelerated due to regulatory requirements, public pressure, and the connectivity between organisations.
- Regulation is driving individual accountability for corporate wrongdoing, forcing management to provide all relevant facts about individuals involved in corporate misconduct. Analytical procedures, as well as investigative procedures, need to be defined to determine this information.
The Misconduct Resilient Organisation
The growing prevalence of technology increases the risks of fraud and misconduct by placing powerful tools in the hands of potential fraudsters. However, technology also allows organisations to take action in advance to reduce the threat of misconduct and the impact on the business. With advances in technology, efforts can switch from preventive controls, which are limited in their effectiveness, to real-time monitoring and pro-active intervention. By creating misconduct awareness capabilities and methodologies to rapidly respond to risk events, organisations are better equipped to manage the risk of fraud and misconduct.
A misconduct resilient organisation uses this insight, supported by technology, to become vigilant to risks and potential breaches and thus becomes resilient when they occur.
Vigilance is a combination of systems, processes and cultures which allows organisations to detect misconduct before it has affected the business and to respond in a timely manner to limit the impact. But this is only effective if an organisation looks at the right data and applies appropriate data analysis rules to detect patterns and possible fraudulent behaviour. Vigilance involves being on constant alert; focusing on behaviours and the digital footprint of potential wrongdoers; and acting before any misconduct can occur.
Resilience: misconduct resilient organisations accept that in our highly regulated and connected world, compliance breaches and misconduct will happen. Therefore, they need to be resilient, which involves fixing breaches when they occur; communicating quickly and convincingly with their stakeholders; and constantly learning from experiences. Speed and effectiveness are the key measures of resilience. To become resilient, organisations need to understand their data and build response capabilities.
In our experience, there are a variety of barriers that organisations face as they embark on the journey to become a misconduct resilient organisation, including:
- Natural resistance to change. A misguided faith in the effectiveness of preventive controls (the inextricable web) or fear of setting the organisation free (reducing the preventive controls to the minimum necessary).
- Cost vs. reward. This can be complicated especially when the impact of misconduct is felt in one part of a business, but the cost of rectifying it lies elsewhere.
- Data quality. Data privacy and security regulations which limit the ability to access personal data or data in databases sitting in different parts of the business.
- Technology lock-in. Insistence on quality rather than accepting mistakes and learning from them. No organisation has perfect data quality or has tried to implement vigilance solutions across the whole organisation in one go. For those who have embarked on the misconduct resilient organisation journey, pragmatism prevails. Like start-ups, they start small and evolve: vigilance solutions are susceptible to the “minimal viable product” model.
None of these barriers are insurmountable. The biggest challenge is changing the organisation’s culture.
The Paradigm Shift
Moving from prevent, detect, and respond to vigilance and resilience requires a cultural change. From the top down, the organisation has to accept, and make sure its employees understand, that:
- They are all responsible for vigilance;
- They should speak up if they observe patterns of behaviour that suggest misconduct; and
- They should apply professional scepticism rather than assuming that the control framework or someone else is alert so they don’t need to be.
Trusting everyone in the organisation, sharing the responsibility to be vigilant, and being transparent are all so important.
The integrity of an organisation and its behaviour is not the sum of the individual members, employees or citizens. It is secured through buy-in to shared objectives, the common purpose, and the organisation’s “why”.
(1) Association of Certified Fraud Examiners, ACFE’s 2016 Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse (2016).