The Misconduct Resilient Organisation
Disentangling the web of rules, controls and audits
The internet and a hyper-connected society accelerate reputational risk, which requires organisations to respond adequately and rapidly. How can your organisation survive and thrive in this new era?
Society is disruptive. This holds true not only for elections, the bankruptcy of large multinationals and the rise of start-ups, but also for incidents related to financial crime, including fraud, corruption or anti-money laundering. When the Panama Papers hit the news, most organisations had difficulty identifying if and to what extent they were affected by the revelations. Exactly the same is true if your organisation is one of the organisations allegedly involved in, for example, the Dieselgate scandal.
Internal control paradox
In 2002, Donald Rumsfeld stated:
“… there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.”
How do you protect your organisation against misconduct? You can assume it will happen, but the type and extent is unknown. Is misconduct a known unknown or an unknown unknown?
Traditionally, organisations protect themselves against misconduct by strengthening their internal framework. When incidents occur, the natural response is to implement more controls and to set up new standards and internal rules. Unfortunately, in a changing world where risks are amplified and unknown unknowns rapidly become known incidents, this approach is proving to be less and less effective. Moreover, in the long run this approach can be counterproductive. In 2016, fraud was two times more likely to be detected by a whistle-blower than as a result of internal audit activities [1].
This web of rules, controls and audits complicates the way organisations do business. It also results in more bureaucracy and increases the risk of mistakes. Bureaucracy and the growing intricacy of the web of rules, by their nature, increase the risk of misconduct as they limit the possibilities to detect misconduct. In this situation, creative employees may find ways to circumvent the internal controls. A third consequence of this inextricable web is that it gives an implicit signal to employees that they are not to be trusted. This may push a well-intentioned employee over the tipping point to become a fraudulent employee.
A new approach is imperative: one that aims to set organisations free of the web of controls, that increases the organisation’s agility, and that helps organisations to walk the thin line between having regular, cumbersome incidents and being burdened with many costly preventive controls for incidents that probably will not happen. This approach needs to be vigilant to risks and breaches, but also resilient when incidents do occur.
We call these organisations ‘Misconduct Resilient Organisations’ (MROs). MROs use advanced technologies and analytical capabilities to focus on real-time monitoring and just-in-time intervention. They use a combination of systems, processes and culture that allows them to detect misconduct and to respond swiftly before the organisation is adversely affected. We see leading organisations use data analytical capabilities such as machine learning methods to predict the likelihood of misconduct. The premise of this approach is trust: the intentions of the majority of employees, citizens and organisations are good.
Much more effective
The approach used by MROs can easily be applied to less advanced organisations that want to become vigilant towards internal or external misconduct at an early stage. From expense reports to unusual payments and insurance requests, using data analytics to predict and detect irregularities is far more effective than checking samples and applying a large set of controls.
In our work, we see many organisations that are tired of the paralysing effect of the internal control layers, but do not know how to change this. To become an MRO, organisations must rethink policies and procedures so that they cater to the needs of the business process instead of trying to change employees into ‘paralegals’. Employees can then focus on daily business instead of continuously taking into account the legal consequences of their actions.
[1] Association of Certified Fraud Examiners, ACFE’s 2016 Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse (2016).
Would you like more information on becoming a Misconduct Resilient Organisation? Please consult our brochure or contact Frank Cederhout via +31882887283 or Laura Klapwijk via +31882886049