Internal Controls in a Culture of Fear

… rendered ineffective by socio-psychologically savvy fraudsters – are at the core of my forthcoming talk at the ACFE Conference in Frankfurt a.M. The invitation to hold a session has prompted me to focus on Germany’s “hidden champions”, its famed Mittelstand.

These more than 3 million small and medium-sized enterprises (SMEs for short) have come under increasing and severe pressure from foreign direct investment (FDI), mainly from China but also in the form of European and North American mergers and acquisitions (M&As).

Frequently marked by hierarchical and even patriarchal structures, and, thanks to its history, sceptical of progressive whistleblowing and informant practices and approaches, Germany’s SMEs have suffered substantial losses from fraud committed by social engineers (Business Email Compromise or BEC, also CEO-Fraud or ChefTrick), which continues to balloon, and they remain fairly resistant to lessons learned.

Fraud, frequently conceptually misunderstood as an exclusively external phenomenon, urgently requires more attention and a better grasp in terms of scope and depth (i.e. covering holistically the aspects of Wirtschaftskriminalität, Betrug and Missbrauch of resources, data etc.). It finds fertile ground in an organizational culture of fear, in particular where:

  • speaking up and speaking out are equated with insubordination,
  • creativity is the privilege of certain departments, functions, individuals or hierarchy levels (or even demographics) and
  • social compliance dominates every action in the organizational routine.

These unhealthy parameters provide the perfect conditions for fraudsters who know how to read the obscure and subtle signs (or the absence of such) of victim organizations.

Mitigating this fraud risk (and related reputation risk) and effectively tackling this widespread and potentially existence-threatening dilemma is not what most SMEs believe it to be: the current dominant knee-jerk response of staff firing and shame-driven hiding of failed (or barely existent) risk cultures is only adding power to fraudsters – thereby benefitting foreign investors and competitors.

Instead, smart empowering and effective risk strategies can leverage existing functions but require radical rethinking and a thorough understanding of the socio-psychological factors that cannot be engineered on paper into Germany’s SMEs.

Overcoming fear and building trust across functions are central to this type of progressive and sustainable immunization. Transparency and non-authoritarian leadership styles are key pillars in building this type of risk resiliency.

Conference attendees will have full access to my paper including appendix and references and the slides.

Do Codes of Conduct work? Misconduct, Fraud and Ethics.

In a recent interview, I talked about internal controls and ethics and referred to Wells Fargo as an example of the implementation of a Code of Conduct which did not result in the desired ethical behavior.

The reasons, as far as I have been able to observe and analyze, are complex, far from obvious and even counter-intuitive. I believe we require a much better and more holistic understanding of the power dynamics, the collective unconscious and the interplay between individual-peer-community dynamics and pressures, sector and industry practices and the national society as well as the global. This applies especially to transnational corporations and cross-border operations where cultural aspects further add to the complexity and potential failure of a Code of Conduct.

The main reasons why an Ethics Code or Code of Conduct, even if fully embedded, rolled out and vigorously communicated, fails to bring the desired change, center strongly around the following:

Corporate predicaments:

  • Tone at the top (set by CEO or the entire C-suite) mismatches tone at the middle – long-serving middle management has its own practices;
  • Expectations at the top (C-suite, Board but also shareholders) remain profit-focused, no greater paradigm shift gets underway;
  • Ethical behavior is mainly valued as reducing litigation risk (and costs) but not valued as profit-generating;
  • Compliance and risk departments are seen as non-profit generating, no counter-narrative from the C-suite is offered/communicated;
  • Weak internal controls, including a weak HR division, impact internal whistleblowing and act as a deterrent to it (rather than deterring misconduct).

Cultural issues:

  • Ethics and the Code of Conduct are being mocked by (long-serving) middle-management as something that will pass as so many initiatives before;
  • Code of Ethics is coupled with zero tolerance – correctly interpreted as unrealistic;
  • Acting ethically may be deemed “nice” and interpreted as a weakness rather than a strength (by both genders) – this is usually even more so in industries with fierce competition and a glass ceiling;
  • Morality is not seen as in line with the Code of Conduct – ethics are understood as more abstract and deemed over the top;
  • Morality has been mainly lived and practiced by a (corporate and societal) culture of naming & shaming and scapegoating rather than embracing the messenger who delivers bad news before the event – shooting the messenger has been the norm.

Mechanisms and knowledge missing:

  • No internal crowd-sourcing platform or system, or no sound one, is in place to gather issues and reward those who point them out and provide potential solutions – promised anonymity communicates inherent threats/risks to those who wish to protect the organization and name problems, whereas transparency of issues, discussed in open forums beyond the confines of a department, would indicate openness to fix rather than to blame;
  • Morality and ethics are wrongly deemed as inherent – they are not understood as learned, negotiated, agreed and practiced concepts, rather there is a lack of knowledge that they change in socio-historical contexts and are not universal per se;
  • Lack of respect for and integration of experts in behavioral collective change – business consultants rather than social scientists shape the strategy and communication, resulting in a sense of a rhetorical, unrealistic exercise;
  • Lack of understanding that ethics cannot be imposed but need to be owned by the community of all staff at all levels – which is why crowd-sourcing can be such a powerful approach and which is why Volkswagen’s hierarchical structure played such a central role in the emissions scandal.

Broader factors:

  • A history of severe misconduct with an inability to replace all those previously involved (due to the size of the organization or otherwise) may result in a Code of Conduct being circumvented by creatively finding loopholes (the role of legal professionals in this context is another issue);
  • Other main players in the industry are not embracing a Code of Conduct as strongly, resulting in a competitive disadvantage.

I believe this question is incredibly important and we need a deeper discussion as to why the implementation of Codes of Conduct continues to fail and/or doesn’t bring the changes we want and need to see as widely and sustainably embedded and practiced as they should be. I also believe that ownership (at all levels) of any Code of Conduct plays an extremely important role but is often hugely undervalued and misunderstood.

Translated: my interview in an Icelandic newspaper

As an expert in the field, Britta Bohlinger is interested in fraud and risk. She focuses on finance, politics and business. Britta, who previously worked for investment banks and a broker dealer in London, is now settling down here in Iceland. She blogs about Icelandic society and wants to connect with the academic and political areas of the population, with a view to providing benefit to the community.

“There is no particular romantic reason for coming to Iceland. I wasn’t in love with one of the common pull factors or anything like that”, says fraud and risk expert Britta Bohlinger.

We are in a cafe in Reykjavik, surrounded by the headquarters and high rise buildings of the Icelandic financial district. Britta was born in Germany, not far from the border with both Switzerland and France, but after graduating from university in the UK and eight years of working in the fast-paced investment banking sector in London, she no longer wanted to be part of this particular environment.

“Some say, one year in this business equals seven normal years”, she says smilingly. “It’s an intense and demanding world that I entered while still doing my social sciences post-graduate degree, not being from a family of bankers. It has undoubtedly given me a different and critical view of the financial sector, certainly very different from what tends to be the norm, in places such as the City of London.”

Not very long ago, Britta lost both her parents shortly after they had reached retirement age, and she says it has affected her way of looking at things.

“I wondered what I wanted to do and achieve in life, and how I could make an impact. After I left the bank I travelled and visited various countries, including Iceland. I could see myself here, and now this is my second winter here. What’s more, I did see that Iceland responded relatively quickly to legal proceedings related to the collapse, a number of bankers went to prison. I know well that the outside world has taken note of these issues and sometimes with admiration, but it doesn’t always quite match the experience Icelanders themselves had. I do try to see it realistically, not in a rosy light.”

The strength of the Icelandic society lies in its small size, but it also results in certain risks. Short lines of communication are often a good thing, but a close-knit society can also create gray areas.

“This is a small community with relatively high equality, which I consider extremely significant pillars, especially after living in London where inequality has been strikingly high, with a shrinking middle. With the economic balance comes a certain pressure and political willingness to take on certain issues. This crucial feature of the Icelandic society has been demonstrated since the collapse and is likely to continue.

Iceland, however, is part of a globalized world where crime occurs across borders. The situation in distant countries can affect us here in Iceland, with immigration impacting the economy, and other areas.”

German native Britta Bohlinger does not appear particularly impressed with the common Icelandic phrase “Þetta reddast – It will work out.” She says it is important to try to anticipate which areas of the society may become exposed to the risk of fraud, tax evasion and corruption and how it can preferably be prevented or at least mitigated. It is always better to act before the damage is done.

“Risk and fraud both carry negative meaning, it is therefore vital that those who work in the financial and political sector realize the consequences resulting from a failure of mapping the risk of fraud”, says Britta.

She left work within the internal controls divisions of large investment banks with limited confidence in this side of the operation. Major scandals, such as the recent Wells Fargo bank accounts debacle in the US, support this impression.

Ethics and moral values blend into this debate and how we grow the essential characteristics within the school system and society.

“If we take the financial sector as an example, the discussion of ethics is often very abstract, rarely embedded within the daily work of those who work in the sector. It is key though, to link the activity of the individual to any consequences it may entail. We live in a society based on ethics and trust, but perhaps we do little to think about how these aspects color our daily lives and how central they are in glueing and keeping the community together.

Another problem in this respect is the supervisory challenge the government faces. The revolving door and related brain-drain which impact regulatory bodies tend to go in one direction, with experts in regulation moving over to the corporations that the regulator is supposed to supervise. Banks usually offer significantly higher financial incentives than the financial supervisory entities.”

A new yet familiar image of Icelanders celebrating the boom with champagne may evoke a similar fury as it did before the crisis in 2007. Tourism is fueling this new economic boom, paralleled by rising property prices and housing costs, and many people are asking themselves whether Iceland has established a new bubble.

“I, like others, see that there are certain warning signs – red flags,” says Britta. “There is great pressure on the Icelandic society, these challenges require that Icelanders remain vigilant: rising property prices and rents, the large numbers of travelers, for example, impact the working conditions and terms of employment. Awareness of the risk of corruption has increased here after the collapse, yet the debate has been limited, it seems to me. Pressures related to tourism contribute also to a risk of unhealthy trading practices, tax evasion, illegal employment and a potentially overall weakening of the legal status of workers, in certain sectors. This is well known abroad [for instance London and New York where human trafficking presents a severe and growing issue], and it is critical for Iceland to increase awareness of these risks, in particular in times when such drastic and fast changes occur.”

This profile feature interview Vill finna glufurnar í íslensku samfélagi (Will find cracks in the Icelandic society) was published in Icelandic in Fréttatíminn (Newstime) of 17/18th February 2017 and was available at the time of publishing here (see also Interview PDF) and is still available on the newspaper’s Facebook page. Fréttatíminn became defunct in April 2017; its chief editor created a new political party.

Data, the politics of risk, and botox

If you work in, or experience bystander exposure to, an organizational or corporate zero-error environment, you may quickly connect the dots. Data, spanning from KLIs* over KPIs* and KCIs* to KRIs* and beyond, i.e. the whole spectrum of performance metrics, may be fear-inducing per se: whenever the thresholds, balanced scorecard objectives, or plain old deadlines are at risk of not being met.
* KI = key indicator; C, L, M, P, R = control, lead, management, performance, risk

When the engines that are supposed to be crunching figures and producing the desired metrics and reports fail to deliver on time, then, well then, breaking into a sweat and feeling the heat is probably the most natural response a human being may experience in such a situation. Not surprisingly, the quest for means to cover up such visible signs of weakness (functional would be calm caring, expected may be dysfunctional detached cool) has resulted in a significant increase in requests for Botox (a form of paralysis-inducing toxic botulinum).

While diversity policies and strategies have been implemented and celebrated widely, homogeneity at recruitment stage is surreptitiously reproducing monocultures which offer little if any space for thinking outside the box. The quick fixes popular in challenging times, most prevalently drastic downsizing, restructuring, and right-shoring (a euphemism that hints at prior attempts at off- and on-shoring), are all adding to the malaise. All of these have resulted in the opposite of genuine zero-error cultures. Rather, these factors in combination may explain why major errors such as a neglected server at JP Morgan could happen. We see such failures and negligence (including pervasive data massaging) frequently, although differences in form, shape, and dimension can be observed, entailing various degrees of active or passive neglect and manipulation.

Restructuring workloads and task areas often results in fewer individuals doing more work. Permanent staff may have been laid off in favor of newly hired contractors and temps. Overall, the [permanent] headcount appears reduced and shareholders are pleased. In times of downsizing and cost cutting, coupled with key decision-makers being keen on maintaining their budget rather than investing in smarter technology and revising processes and procedures with a view to efficiency, remaining staff are often crippled by fear of what will happen next. Add the typical lack of clear communication, direction and reliable visionary stances from the top that marks these situations, and the sheer overload induced by the additional work becomes even more of a botox-requiring sweat factor. Who will be axed next? Which department evaporates entirely in the next round?

In industries where particular aspects of corporate sub-culture add a layer of misuse of power onto those who are charged with tasks beyond their meaningful boundaries and structure of responsibilities (see discussion of the 100-hour workweek), the error rate is further multiplied. Stakeholders and shareholders should feel alarmed, as such incidents reveal only the tip of the iceberg of operational risks.

Responsible and dedicated management (not to be confused with micro-management that creates more of the above-mentioned issues) and meaningful staff development go hand in hand with sustainable risk management. They cannot be “happily de-coupled”; rather, they need to remain consciously intertwined and run within a wider framework of ethical values and legal requirements. For instance, operating with rest times and sensible breaks keeps the human error rate down and contributes to maintaining high levels of morale, creative problem-solving and energy. This will also facilitate retention and maintenance of trust in order to ensure the organization finds its position at the front of the competing pack when it comes to lasting long-term success.

In an interconnected and highly interdependent global economy, such contradictions and irrational sub-cultural aspects can have vast and potentially hugely damaging ripple effects: risk of human error on the one hand, severe retention issues on the other. Where zero-error policies are still in place and staff fear showing weakness or admitting to gaps (take the “fat finger” trade at Deutsche Bank for instance), they cause havoc with sensible risk mitigation strategies, as the instant knee-jerk response of firing will shift blame to those who were at the receiving end of failing policies rather than focusing on those who devised them in the first place.

Smart risk governance will embrace and harness the power of information, the knowledge of potential weaknesses and incidents that need to be addressed. The aim has to be prevention and mitigation policies, methodologies and mechanisms that need to be devised in order to avoid losses and the costs related to the reputational risks they entail. Providing a safe environment (World Bank case) in which to disclose potential or occurring risk events, without fear of censorship and scapegoating that gag those who are mindful of their work and environment, is key to sustainable leadership and a leading position of the organization – it requires much higher priority in strategic considerations than currently recognized.

Acknowledging the possibility of human error in a heavily competitive, excessive-hours environment would be the intelligent thing to do. After all, it’s a strength to know your weaknesses (see this SWOT discussion) – and not sweep them under the rug. It is a strength to acknowledge the flows and dynamics of power, but your policies, processes, and framework need to be more than reflections of realpolitik. Intelligently avoiding being in the eye of the storm of the next big conduct and reputational risk case can be achieved by methodological triangulation. That would entail incorporating realistic ethics and enhancing the governance framework with insights and data gained from disciplines outside the narrow confines of your subject matter experts’ realm. In the course of this, you might actually discover some entirely new strengths.