Internal Controls in a Culture of Fear

… rendered ineffective by socio-psychologically savvy fraudsters – are at the core of my forthcoming talk at the ACFE Conference in Frankfurt a.M. The invitation to hold a session has prompted me to focus on Germany’s “hidden champions”, its famed Mittelstand.

These more than 3 million small and medium-sized enterprises (SMEs for short) have come under increasing and severe pressure from foreign direct investment (FDI), mainly from China but also in the form of European and North American mergers and acquisitions (M&As).

Frequently marked by hierarchical and even patriarchal structures, and sceptical of progressive whistleblowing and informant practices because of the country’s history, Germany’s SMEs have suffered substantial losses from fraud committed by social engineers (Business Email Compromise or BEC, also known as CEO fraud or Chef-Trick), a threat that continues to balloon, and they remain fairly resistant to the lessons learned.

Fraud, frequently and wrongly understood as an exclusively external phenomenon, urgently requires more attention and a better grasp in terms of scope and depth (i.e. holistically covering the aspects of Wirtschaftskriminalität (white-collar crime), Betrug (fraud) and Missbrauch (misuse) of resources, data etc.). It finds fertile ground in an organizational culture of fear, in particular where:

  • speaking up and speaking out are equated with insubordination,
  • creativity is the privilege of certain departments, functions, individuals or hierarchy levels (or even demographics) and
  • social compliance dominates every action in the organizational routine.

These unhealthy parameters provide the perfect conditions for fraudsters who know how to read the obscure and subtle signs (or the absence of such signs) in victim organizations.

Mitigating this fraud risk (and the related reputation risk) and effectively tackling this widespread and potentially existence-threatening dilemma is not what most SMEs believe it to be: the currently dominant knee-jerk response of firing staff and shame-driven hiding of failed (or barely existent) risk cultures only adds power to fraudsters – thereby benefitting foreign investors and competitors.

Instead, smart, empowering and effective risk strategies can leverage existing functions, but they require radical rethinking and a thorough understanding of the socio-psychological factors at play; these cannot be engineered on paper into Germany’s SMEs.

Overcoming fear and building trust across functions are central to this type of progressive and sustainable immunization. Transparency and non-authoritarian leadership styles are key pillars in building this type of risk resiliency.

Conference attendees will have full access to my paper including appendix and references and the slides.

Complex Risk: due diligence, conflict of interest, ultimate beneficial ownership

Recent headlines covered Brexit and Britain’s subsequent repeal of laws, Germany’s private bank Hauck & Aufhäuser, the dissolved Welling & Partners in the British Virgin Islands (Iceland Review, ruv.is), and fashion brand founder Karen Millen’s bankruptcy. Unrelated at first glance, they all entailed various fraud-related issues and bring the pressing need for effective due diligence back into the focus of public attention.

National and international aspects:
The headlines and underlying cases are indicative of the complexity of cross-border transactions in a globalized world where legislation, regulation, and enforcement still remain largely a national matter. Further significance has been added by the recent conflict of interest breach at the Bank of England, resulting in the Deputy Governor’s resignation. The ongoing prolific debate around conflicts of interest in the current US White House (visualized on the web) has additionally furthered the public appetite for scrutiny and clarity beyond national confines and territories.

Spanning Britain, Germany, Iceland, the European Union (EU) and the EEA (European Economic Area), as well as offshore tax havens in the British overseas territories, taking a bird’s-eye view helps to understand and illustrate the challenges resulting from a broad network of anti-money laundering regulatory provisions and policies.

Risk perspectives:

“EU legislation requires that institutions adequately manage and mitigate operational risk, which is defined as the risk of losses stemming from inadequate or failed internal processes, people and systems or from external events.

Operational risk includes legal risks but excludes reputational risk and is embedded in all banking products and activities. It has always existed in banking, and non-banking organizations but it has acquired a greater relevance given the increased complexity and globalization of the financial system and the recent materialization of unprecedented extremely large losses.”

Source: European Banking Authority (EBA)

Conducting the required checks, ongoing monitoring and registry maintenance sufficiently requires the concerted efforts of both buyer and seller in order to mitigate and manage the risk emanating from improper or inadequate due diligence.

The complex landscape of regulations and guidelines:

  • Britain’s exit from the EU will leave its leading role in anti-money laundering (AML), anti-corruption (and anti-bribery and sanctions compliance) mostly intact thanks to the UK Bribery Act, which is independent of EU regulations. Of greater concern is the stricter control of offshore territories, mainly in former colonies, as well as compliance regulation applicable to financial firms, which is predominantly derived from EU legislation (OECD concern).
  • Iceland, as a member of the European Economic Area (EEA), has to comply with the EU regulations and its interpretations of the Financial Action Task Force (FATF) standards (Iceland in FATF). This scenario could also apply to Britain, depending on the outcome of future negotiations; for now, Britain remains a member of the FATF.
  • The European Union’s 4th Anti-Money Laundering Directive (4AMLD – summary) was adopted in May-2015, became effective in Jun-2015, and its national transposition is required by 26-Jun-2017. This will entail central registers of beneficial ownership, as already set up in Ireland but currently not yet in place in Germany (see the Beneficial Ownership Transparency – Country report, 2015 – for in-depth analysis).

Knowing which rule, regulation, and watchlist apply:

Conducting checks is time-consuming, resource-intensive and may be costly. However, failing to thoroughly substantiate the identity of a customer or UBO (buyer, seller, business or other transaction partner alike) may be significantly more costly and damaging to reputation and funds.

“Risk, I had learned, was a commodity itself. It could be canned and sold like tomatoes. Different investors place different prices on risk.”

(Michael Lewis, Liar’s Poker, 1989)

Outsourcing the checks may be one option, but ultimate responsibility may remain with the outsourcing party – as the case of Karen Millen’s around-the-world tax evasion scheme (see the EU Parliament Library note on corporate tax avoidance) demonstrated. A list of significant failures of the duty of care in this regard is available on the site of the UK’s Financial Conduct Authority (FCA).

Knowing when to conduct checks:
Certain types of risk cannot be insulated, transferred, or legally sold. Due Diligence (and Enhanced Due Diligence: EDD), Know Your Customer (KYC), Conflict of Interest (COI), and Ultimate Beneficial Ownership (UBO) regulations and rules are neither effective nor meaningful after the event; this does not render them obsolete but makes their use all the more valuable as a set of preventive instruments throughout the interaction. Compliance programs and efforts have become increasingly sophisticated; however, human factors such as misplaced bias, trust, unquestioned routines, and practices may increase the operational risk.

“Let me put it this way: I’m standing in front of a burning house, and I’m offering you fire insurance on it.”

(Jared Vennett explains Credit Default Swaps (CDS) in M. Lewis’ The Big Short: Inside the Doomsday Machine, 2010/2015)

Latent reputation risk and litigation risk may arise instantly, at a very early stage during negotiations. This may apply irrespective of the nature of a transaction, whether an acquisition, a merger or a sale of a specific stake.

Such risk requires due consideration and pro-active mitigation at a time when there is neither smoke nor fire: a long-term approach that may be deemed a challenge in environments where accounting for long-term risk conflicts with short-term objectives. Adhering to ethics codes voluntarily may be one way to address the issue; voluntarily applying EDD can be yet another.

Overall, it can be argued that transparency of data, consolidation of watchlists, regulations, and enforcement efforts are increasing and increasingly streamlined, consolidated, and subject to public awareness and debate.

Do Codes of Conduct work? Misconduct, Fraud and Ethics.

In a recent interview, I talked about internal controls and ethics and referred to Wells Fargo as an example of the implementation of a Code of Conduct which did not result in the desired ethical behavior.

The reasons, as far as I have been able to observe and analyze, are complex, far from obvious and even counter-intuitive. I believe we require a much better and more holistic understanding of the power dynamics, the collective unconscious and the interplay between individual, peer and community dynamics and pressures, sector and industry practices and the national society as well as the global one. This applies especially to transnational corporations and cross-border operations where cultural aspects further add to the complexity and potential failure of a Code of Conduct.

The main reasons why an Ethics Code or Code of Conduct, even if fully embedded, rolled out and vigorously communicated, fails to bring the desired change centre strongly around the following:

Corporate predicaments:

  • Tone at the top (set by CEO or the entire C-suite) mismatches tone at the middle – long-serving middle management has its own practices;
  • Expectations at the top (C-suite, Board but also shareholders) remain profit-focused, and no greater paradigm shift gets underway;
  • Ethical behavior is mainly valued as reducing litigation risk (and costs) but not valued as profit-generating;
  • Compliance and risk departments are seen as non-profit generating, no counter-narrative from the C-suite is offered/communicated;
  • Weak internal controls, including a weak HR division, impair internal whistleblowing and act as a deterrent to it (rather than deterring misconduct).

Cultural issues:

  • Ethics and the Code of Conduct are being mocked by (long-serving) middle-management as something that will pass as so many initiatives before;
  • Code of Ethics is coupled with zero tolerance – correctly interpreted as unrealistic;
  • Acting ethically may be deemed “nice” and interpreted as a weakness rather than a strength (by both genders) – this is usually even more so in industries with fierce competition and a glass ceiling;
  • Morality is not seen as in line with the Code of Conduct – ethics are understood as more abstract and deemed over the top;
  • Morality has been mainly lived and practiced by a (corporate and societal) culture of naming & shaming and scapegoating rather than embracing the messenger who delivers bad news before the event – shooting the messenger has been the norm.

Mechanisms and knowledge missing:

  • No, or no sound, internal crowd-sourcing platform or system is in place to gather issues and reward those who point them out and provide potential solutions. Promised anonymity signals inherent threats and risks to those who wish to protect the organization by naming problems, whereas transparency about issues, discussed in open forums beyond the confines of a single department, would indicate openness to fixing rather than blaming;
  • Morality and ethics are wrongly deemed inherent – they are not understood as learned, negotiated, agreed and practiced concepts; rather, there is a lack of awareness that they change with socio-historical contexts and are not universal per se;
  • Lack of respect for and integration of experts in collective behavioral change – business consultants rather than social scientists shape the strategy and communication, resulting in a sense of an unrealistic rhetorical exercise;
  • Lack of understanding that ethics cannot be imposed but need to be owned by the community of all staff at all levels – which is why crowd-sourcing can be such a powerful approach and why Volkswagen’s hierarchical structure played such a central role in the emissions scandal.

Broader factors:

  • A history of severe misconduct combined with the inability to replace all those previously involved (due to the size of the organization or other reasons) may result in a Code of Conduct being circumvented by creatively finding loopholes (the role of legal professionals in this context is another issue);
  • Other main players in the industry are not embracing a Code of Conduct as strongly, resulting in a competitive disadvantage.

I believe this question is incredibly important and we need a deeper discussion as to why the implementation of Codes of Conduct continues to fail and/or doesn’t bring the changes we want and need to see as widely and sustainably embedded and practiced as they should be. I also believe that ownership (at all levels) of any Code of Conduct plays an extremely important role but is often hugely undervalued and misunderstood.