Sign in Subscribe
By Zahn Alimbay in Program Effectiveness

The Case for Prevention

The Case for Prevention

Transparency International estimates that the annual cost of corruption, in the form of bribery and stolen money, amounts to a staggering $3.6 trillion[i]. According to UK Finance’s 2024 Fraud Report, £1.17 billion was lost to fraud in 2023[ii]. It’s fair to ask why, with all the modern-day RegTech, AI-driven detection, and billions of dollars (or pounds) invested in elaborate controls and monitoring every year, corporate crime keeps going up.

Let’s have a closer look at it.

What’s the issue?

Let’s start with two examples of misconduct dominating enforcement agendas: off-channel communication and fraud.

Since December 2021, the US SEC has charged 60+ firms and imposed more than $1.7 billion in fines for record-keeping violations (off-channel communication). Earlier this year, the SEC’s enforcement chief made it clear that the purpose of those penalties is to deter others and incentivize companies to invest in compliance. So far, this has not changed the landscape, and the enforcement agencies continue their quest to bring integrity to financial markets.

Fraud has existed for over twenty centuries—the first case (insurance fraud, by the way) was recorded in 300 BC in ancient Greece. Since then, there has been an ongoing attempt to eradicate it. With fraud continuing to occupy the number one spot among all other crimes, it’s obvious we are not very successful in our pursuit to stop it.  

The same is true for other types of corporate crime, from bribery and corruption to sanctions violations.

And it’s not because of a lack of effort or investment. For example, the global RegTech market is projected to reach US$85.92 billion by 2032, with a compound annual growth rate of 23.6%.[iii] It’s hard to find any serious market player who would not have a set of (adequate) policies and controls targeting corporate crime. On an annual basis, boards and executives certify the effectiveness of the companies’ internal controls and compliance frameworks. A lot of effort goes into the detection of crime.

It's fair to ask why neither governments with their effectively endless pockets and access to resources nor organisations with access to the latest technology are able to put a break on corporate crime.

The problem might lie in the way we approach the issue.

Why is detection only a part of the puzzle?  

Detection is fundamentally reactive. Technology evolves fast, and detection tools will always play catch-up.

The problem of off-channel communication is not going away anytime soon. The use of messages that disappear upon receipt and coded language for prohibited communication is just the latest frontier. Many of those methods, like coded language, are not new and have been seen in other fields, too. Go no further than sanctions and export control evasion.

Not all fraud can be detected and stopped. Traditional scams are being replaced by cyber fraud, which has opened endless opportunities to fraudsters. Often, we can only detect fraudulent activities when fraudsters get so comfortable that they become complacent and think they are invincible, not because our controls are so good.

Notwithstanding how well your detection control operates, someone can always find a way to game it. Being inventive is a part of human nature. And let’s be honest—we will never eradicate corporate crime completely. But we can fight it and reduce it.

Proper policies and procedures and smart detection tools are essential, no doubt. However, my 20+ years in this field have taught me that detection alone will not eradicate corporate crime. It’s just part of the puzzle.

Why does prevention matter, and how to get the most out of it?

While it is obvious that prevention is an essential factor in fighting corporate crime, organisations rarely go beyond the policies, procedures and training. Unsurprisingly, this does not add much to the equation.

Instead, we, compliance professionals, should ask ourselves - what do we need to do to change individual behaviours and create an environment where individuals will be discouraged from plotting misconduct? Our objective is to create a corporate environment that is non-conducive to misconduct.

One thing I learned from working for different organisations across different industries is that there are no “one-size-fits-all” solutions or unique approaches that can guarantee outcomes. It is about understanding the organisation, how it operates, its processes and outcomes, individual drivers and internal culture, and, more often than not, a “try-and-fail” approach.

Internal (preventive) controls

Every public company has an internal control framework. Those controls are usually preventive. But do they just add bureaucracy (I once saw a 37-step invoice payment “control” process) and are a “tick-the-box” exercise, or are they actually capable of preventing wrongdoing? System-enabled controls are more effective than manual ones. Control testing and speak-up investigations can tell you how effective those are. But these controls are only “entry-level” barriers.

Business Processes

It is fair to say that business processes frame individual conduct. They tell employees what to do, set the process around the activities, and define expected results and how they must be achieved. This would be my first point of call. Ensure that organisational processes are adequately designed with compliance “gates” embedded. Do a walkthrough with management, understand and map roles and responsibilities. Assess governance, reporting and oversight. Yes, it is true that this is outside of the “traditional” compliance remit, but it is too important to ignore it.

Leadership and middle management

We all know how important the Tone from the Top is. But research and practice show that the direct supervisor plays the most crucial role in defining employees' conduct. It’s not only about the message but also about leaders' behaviour and how they respond to challenges and achieve results. And it can go either way. What I learned from talking to line managers is the clearest indicator of the strength of internal controls – would they deter and prevent misconduct or facilitate it? They are your front-line ambassadors, whether they know it or not.

Competence

We often discuss competencies in the context of business performance. We expect employees to be competent in their jobs. However, this is equally important when we talk about misconduct prevention. Are employees able to recognise misconduct and know how to prevent it? This is where situational training helps a lot. It's not about the standards and policies but how to recognise the issue, deal with ethical dilemmas, appropriately respond to challenges, and make the right choices. It’s helping employees do the right thing under pressure. It’s more about a growth mindset than anything else.

Transparency

Many organisations tend to deal with compliance issues quietly and not to advertise detected misconduct, fearing this can negatively affect their reputation. The opposite is true.

To be clear, I am not suggesting publicising all incoming speak-ups or having a “wrong-doer” of the week award.

Instead, it is about being open about the issues the organisation faces and, importantly, what the organisation has done about those, the actions it took to remedy them, and the accountability it applied. It builds trust within the organisation that internal controls work, can be trusted, and consequences are inevitable. It is also about controlling the narrative rather than leaving it to the grapevine.

Transparency is an important tool in your prevention toolkit.

Culture

If you are a recurring reader of my newsletters or LinkedIn posts, you will know that I strongly believe in the importance of the “right” corporate culture.

The five pillars below are critical to fostering a culture that will not tolerate misconduct.

  • Moral Attentiveness. Can employees recognise the situation representing a concern? Can they recognise what’s right or wrong? Help them to make the right choices.
  • Moral Engagement. Do employees believe that the organisation is driven by its declared values? Are they motivated to follow those and speak up if something is wrong?
  • Clarity of Expectations. Does the organisation clearly state what standards of conduct are expected from employees? Does it explain the “what” and “why” and support the right thing?
  • Organisational Justice. Do employees believe the organisation will apply a fair process? Will leadership act upon a report? Are there consequences for misconduct? Lead by example.
  • Psychological safety. Do employees feel psychologically safe doing the right thing under pressure, raising concerns, and speaking up? Will their leaders listen and act?

Thank you for reading, and enjoy the rest of the weekend. See you next time!

If you are embarking on your own compliance transformational journey and need help designing and enhancing your compliance program, get in touch with us. We are here to help!

Comhla Intelligent Compliance

At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. By leveraging our in-depth governance, compliance and internal control expertise, actionable data insights and cutting-edge applied research in organisational science, we help our customers build effective regulatory and compliance management to safeguard their license to operate, protect the bottom line and enhance reputation as responsible businesses.

Follow us on LinkedIn: https://www.linkedin.com/company/comhlaic 

Learn More https://comhla.co

We aim to publish weekly.  The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.

[i] Corruption Statistics | Transparency International UK (https://www.transparency.org.uk/corruption-statistics)

[ii] Annual Fraud Report 2024 | Policy and Guidance | UK Finance (https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2024)

[iii] Regtech Market Size, Share & Industry Analysis, By Deployment (Cloud and On-premises), By Enterprise Type (Large Enterprises and Small & Medium Enterprises), By Application (Risk Management, Regulatory Compliance, and Governance), By End-user (BFSI, Manufacturing, IT & Telecom, Healthcare, Government, and Others), and Regional Forecast, 2024 – 2032,  Source: https://www.fortunebusinessinsights.com/regtech-market-108305

Subscribe to Breaking the Mould

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe