This is part 5 of the five-part series “Business and Financial Fraud: Yesterday, Today, and Tomorrow” with Tom Fox and the FCPA Compliance Report. During the series, Tom was joined by K2 Integrity experts Joanne Taylor and Ray Dookhie for a discussion of how organizations can identify and mitigate fraud risk.
We are seeing a renewed focus by regulators on compliance program effectiveness. One of the key elements of program effectiveness is how well an organization identifies, investigates, and remediates potential compliance issues. The same principle holds true in the fraud risk management process. This puts additional pressure on organizations to have a protocol in place to prevent, detect, and then remediate any fraud claim that may arise.
But there is more involved than knowing how and where to report issues. Organizations must also have procedures in place for how to conduct fraud investigations and the accompanying root-cause analyses. For instance, does the organization have a triage process? In the fraud space, just as in the medical arena, compliance staff needs to be able to triage fraud or compliance issues as they are coming in the door. Faced with a report of fraud, questions like the following should be asked: What is the issue here? What are the underlying compliance issues? What are the underlying fraud issues? Which specialist, or which compliance expert, should be dealing with this type of issue?
In addition to conducting an investigation, performing a root-cause analysis is critical for a company to determine both how a fraud event may have occurred and, more importantly, how to remediate it. This will be of greater interest to regulators, whether the Securities and Exchange Commission (SEC) or lawyers at the Department of Justice (DOJ). Organizations must be able to show not only that they had certain issues but that they have now fixed them. Or, in short, they must be able to answer the questions: “What went wrong? How did it actually go wrong?”
In addition, organizations must be able to answer questions such as: “Was it a policy issue? Was it an internal control issue? Was it a lack of understanding of the responsibility on behalf of the employee? Was the wrong person hired?” Under all scenarios, understanding the root cause of a problem is critical when being questioned by regulators. This enables the organization to show what happened, how it happened, and when it happened. Equally important, it enables the company to show what is being done to fix the problem going forward. Root-cause analysis is key to identifying and correcting issues in the organization.
The next step, after investigation and root-cause analysis, is remediation. An organization needs to be able to demonstrate the effectiveness of its compliance program after it has sustained a failure. First, the organization wants to be able to say that it has fixed the problem. The second aspect is applying fair and equal penalties or sanctions against those individuals who committed the fraud or the misconduct. It does an organization no good with the regulators when executives who commit fraud receive a simple slap on the wrist, while employees who commit fraud are terminated immediately. A fair remediation of the issue at hand is critical.
The final step would be a decision to self-disclose or not. What are the organization’s protocols for disclosing? Key to that decision is a thorough and complete investigation so that the decision makers understand the magnitude of the problem. You need to make sure that the right people are sitting at the table if it is time to disclose. From there a reasonable decision can be made.
With the change in the regulatory landscape in 2021 under the Biden administration, there may well be added exposure for compliance officers and organizations. In the area of fraud risk management, companies need to dust off the anti-fraud program, dust off the compliance program, do a risk assessment, understand the gaps in their potential controls, identify areas where they may not be as strong, and think about whether or not the firm’s compliance controls need to be enhanced.