Disentangle the web of rules, controls and audits
Becoming a Misconduct Resilient Organization
The Association of Certified Fraud Examiners (the “ACFE”) estimates that financial crime – including bribery, corruption, and misappropriation of assets, tax evasion, and cyber-crime – costs organizations five percent or more of their revenues per annum. That amounts to roughly € 15 billion in the Netherlands alone, so besides reputational losses, there is significant value to be recovered by managing the risk of fraud and misconduct.
- Internal Control Paradox
- Future of financial crime
- Misconduct Resilient Organization
- Paradigm Shift
The Internal Control Paradox
Many organizations protect themselves against misconduct by way of their internal control frameworks. This approach focuses on policies, procedures, internal and external audit activities and other forms of monitoring.
Layer upon layer of internal controls have been compounded by new regulations which impose additional compliance burdens and increase internal bureaucracy. When an incident is identified, the typical response is to understand what has gone wrong and implement more controls to mitigate the newly identified risks one by one. This creates an inextricable web of rules, procedures and audits.
Due to this web of rules, procedures and audits, employees have difficulty doing their work. First, because of the complex processes, mistakes occur more frequently. Second, employees will find creative ways to circumvent the web, because the likelihood of detection decreases as the layers of the web grow. Finally, this web of rules and procedures has a negative impact on the rationalization of employees: it signals that the organization regards its workforce as full of unethical employees. This may push a law-abiding employee over the tipping point to become a fraudulent employee.
In 2016, fraud was two times more likely to be detected by a whistle-blower than internal audit activities!
The question arises whether 100% prevention of misconduct is possible. A smart and more balanced approach will make the organization more resilient and better equipped to protect itself against misconduct. A new approach is imperative.
Due to legislative pressure, the hyper-connected world we live in and the focus on reputation, companies need to change the way they manage the risk of fraud and misconduct. In order to understand these new requirements, one should understand the future of financial crime.
The future of financial crime
- New technologies will allow outsiders, like hackers and criminal organisations, to realise financial gain or disrupt organisations.
- Modern financial systems combined with hyper-connectivity will change the nature of financial transactions: volume will increase and average value will decrease.
- Financial crime fraud schemes will increasingly become facilitated through collusion with people inside the organisation to circumvent the internal control environment.
- Reputational risk will be heightened and accelerated due to regulatory requirements, public pressure, and the connectivity between organizations.
- Regulation is driving individual accountability for corporate wrongdoing, forcing management to provide all relevant facts about individuals involved in corporate misconduct. Analytical procedures, as well as investigative procedures, need to be defined to determine this information.
The Misconduct Resilient Organization
As the prevalence of technology increases, the risk of fraud and misconduct increases with it, because powerful tools are placed in the hands of potential fraudsters. However, technology also allows organizations to take action in advance to reduce the threat of misconduct and its impact on the business. With advances in technology, efforts can switch from preventive controls, which are limited in their effectiveness, to real-time monitoring and proactive intervention. By creating misconduct awareness capabilities and methodologies to respond rapidly to risk events, organizations are better equipped to manage the risk of fraud and misconduct.
A misconduct resilient organization uses this insight, supported by technology, to become vigilant to risks and breaches and resilient when they occur.
Vigilance is a combination of systems, processes and cultures which allow organizations to detect misconduct before it has affected the business and to respond in time to limit the impact. But this is only effective if an organization looks at the right data and applies analyses to detect patterns and possible fraudulent behavior. Vigilance involves being on constant alert, focusing on behaviors and the digital footprint of potential wrongdoers and acting before any misconduct can occur.
Resilience: misconduct resilient organizations accept that in our highly regulated and connected world, compliance breaches and misconduct will happen. Therefore, they need to be resilient which involves: fixing breaches when they occur, communicating quickly and convincingly with their stakeholders and constantly learning from experiences. Speed and effectiveness are the key measures of resilience. To become resilient, organizations need to understand their data and build response capabilities.
In our experience there are a variety of barriers organizations face as they embark on the journey to becoming a misconduct resilient organization including:
- Natural resistance to change: a misguided faith in the effectiveness of preventive controls (the inextricable web) or fear of setting the organization free (reducing the preventive controls to the minimum necessary).
- Cost vs. reward. This can be complicated especially when the impact of misconduct is felt in one part of a business, but the cost of rectifying it lies elsewhere.
- Data quality. Data privacy and security regulations which limit the ability to access personal data or data in databases sitting in different parts of the business.
- Technology lock-in. Insistence on quality rather than accepting mistakes and learning from them. No organization has perfect data quality or has tried to implement vigilance solutions across the whole organization in one go. For those who have embarked on the misconduct resilient organization journey, pragmatism prevails. Like start-ups, they start small and evolve: vigilance solutions lend themselves to the “minimal viable product” model.
None of these barriers are insurmountable. The biggest challenge is changing the organization culture.
The Paradigm Shift
Moving from prevent, detect, and respond to vigilance and resilience requires a cultural change. From the top down the organization has to accept and make sure their employees understand that:
- They are all responsible for vigilance,
- They should speak up if they observe patterns of behavior that suggest misconduct,
- They should apply professional skepticism rather than assuming that the control framework or someone else is alert so they don’t need to be.
Trusting everyone in the organization, sharing the responsibility to be vigilant, and transparency are therefore essential.
The integrity of an organization and its behavior is not the sum of the individual members, employees or citizens. It is secured through buy-in to shared objectives, the common purpose, and the organization’s “why”.
Fraude Film Festival 2017
As one of the founding partners of the Fraude Film Festival, Deloitte will get the opportunity to sponsor a main stage theme during the festival. This year our theme will be the Misconduct Resilient Organization. October 5th is an invitation-only event; on October 6th the film festival will be open to the public as well.