In Part 1 of this series, the author probed the assertion by many companies they have “zero tolerance for unethical or illegal behavior.”
In Part 2 he asks why, if most large businesses have fraud, risk and corruption-related policies in place, are there still so many cases of fraud and corruption?
* * *
Based on my experience, the mistakes that companies make fall into 3 main categories:
1. Extended span of control or lack of management oversight. With companies operating multiple offices in a variety of locations around the globe, the head office is often far removed from the actual day-to-day operations of those entities. As a result, management and staff at such locations are largely free to operate autonomously, knowing the Internal Audit team might visit them every 12 months and possibly only conduct a cursory review of the business, relying on local management to explain the intricacies of their operations.
Add to this the concept of “management by exception” in which senior management “empower their people” to do their jobs with minimal oversight.
One thing I learned early on in my days in the police force is that you can delegate authority, but you cannot delegate responsibility. In other words, while it might be nice to trust your people to follow company policies and processes, organizations must still have control mechanisms allowing them to monitor errant behavior and deteing themselves addressing the media, analysts and in some instances, regulators and lawyers for the plaintiff.
2. Failure to implement controls/learn from previous instances. Over the years, I have conducted dozens of fraud and corruption risk assessments of private and public sector organizations. This reviews often identify a number of significant fraud and corruption-related risks that pose significant problems for the organizations in terms of damage to reputation, financial loss and potential regulatory and legal action.
In many instances, when I go back to those organizations two to three years later for a follow-up review, the controls that have been recommended to mitigate those risks have not been implemented, and the organization remains vulnerable to the same risks previously identified.
Of even more concern is when organizations experience a fraud or corruption-related event and fail to implement controls to prevent that type of event occurring in the future. In every fraud or corruption investigation I have undertaken, there are always a range of factors that have allowed that event to occur — control weaknesses, failure by staff to follow process, lack of fraud detection tools, etc.
It would seem to make sense for an organization to address those issues to prevent a reoccurrence in the future. But, as appears to be the case with GlaxoSmithKline, many organizations find themselves victims to that same type of behavior that got them into trouble in the past. They failed to learn to address the underlying issues that allowed that type of behavior to occur.
3. Short-term focus on KPIs at the expense of good corporate citizenship. In the majority of fraud and corrupt events occurring at the corporate level, the reason behind the conduct is largely due to management or staff undertaking illegal or unethical actions to meet Key Performance Indicators. These KPIs can be such Sales Targets, Revenue Growth, Share Price or Increased Market Share.
Given that commissions, bonuses and promotions are largely linked to achieving these corporate and sometimes personal objectives, it is no wonder that corporations and those charged with their governance will engage in fraudulent or corrupt conduct.
When a company finds itself in the spotlight for having engaged in fraudulent or corrupt, the media reports that certain staff members or management have been dismissed, but little is mentioned in relation to whether they were allowed to keep their windfalls from engaging in this type of behavior.
Additionally, when the companies themselves are the subject of sanctions, including the payment of fines to regulators, there is little analysis of how much that organization made from acting corruptly compared to the size of the fine. Indeed, it can be argued that in some instances, the fines may be considered a cost of doing business as opposed to a deterrent.
In Part 3, I will detail some of the strategies that organizations should consider when developing their Fraud and Corruption Control Frameworks, or when measuring the effectiveness of those frameworks, post-implementation.
Guy Underwood is the executive chairman and founder of the RISQ Group, one of APAC’s leading providers of risk management and employment screening services. He can be reached here.