Risk Committees: An Antidote for Fraud


I have a writing problem that’s giving me fits. I’m knee-deep into fraud – that is, describing how to prevent it. Unfortunately, the subject doesn’t involve using fun, energetic words like transformative change and market domination.

Instead, I must become jazzed about ideas that are antithetical to our caffeinated, exponential growth-obsessed business culture: constancy and stability. I must double down on the Zen we supposedly derive from mom-and-apple pie values like honesty, transparency, and trustworthiness. What – no market disruption? I’d rather watch reruns of regular-season baseball games.

Please don’t take this as whining. I’m game for a new expository challenge. Fraud prevention . . . let’s see . . . I know! What’s the ROI of thwarting a nascent scam before it obliterates a company, its leaders, or both? What’s the value of slaying a scandal before it causes customers injury, death, or financial ruin? Now this gets me going! I can write about corporate managers and auditors as champions, armed with sharp ears and ready eyes. Finely-tuned algorithms able to detect the subtlest transactional anomalies. Deceit – headed off at the pass! Energy, baby!

Lead gen, content creation, and predictive analytics might nudge the revenue needle northward, but they won’t save a company from cataclysmic self-destruction. That’s a primary purpose of fraud prevention. There are cases to prove it. Oh, have I got your attention now?

Expect wretched outcomes when these are present in a company:

1. Ethical hypocrisy: senior managers model poor ethical behavior; e.g., the “Code of Conduct” or “Values Statement” – if they exist – are regularly violated or ignored by staff

2. Lame internal governance, oversight, and audit controls: revenue-generation processes that are disconnected from other departments; prevalent attitude that ‘what happens in Sales, stays in Sales’

3. Weak channels for staff to report unethical or illegal activity: no documentation provided to sales force regarding how to report problems; no formal process for mediation

4. Penalties for whistleblowing: sales personnel describe being harassed or intimidated after reporting issues to supervisors, or being castigated as ‘not a team player’

5. Dissonant strategic and tactical goals: corporate strategy champions growing long-term value of customers, while tactical goals are centered on achieving high monthly revenue targets

6. Sales incentives and compensation substantially skewed toward revenue attainment: low base salary, and commissions based exclusively on percentage of sales

7. Sales culture that glorifies achieving objectives unrelated to customer success: prominent recognition for quantity of new customer accounts opened, or number of appointments held

8. Unrealistic or supremely difficult sales performance goals, accompanied by stringent penalties for non-achievement: termination of employment for underachieving “stretch” targets

9. Arrogance: believing “fraud could never happen here . . .”; accepting the delusion that the company hires only “honest” sales candidates and managers

10. Lackadaisical or perfunctory mediation and redress for customer complaints: unabated customer difficulties with selling tactics and allegations of product misrepresentations

Preventing systemic bad behavior begins with the company’s board, whose members must recognize that executing strategy inevitably carries the possibility of doing harm to customers, employees, suppliers, and shareholders. “. . . the full board is ultimately responsible for taking ownership of risk oversight and making sure strategic risks to the business are regularly discussed,” writes Maureen Bujno, Managing Director for Deloitte’s Center for Board Effectiveness.

Soul-searching questions for boards to answer:

1. How might the activities of this company cause harm to its stakeholders?

2. Could our executive and sales pay plans / incentives create conditions that compromise or damage trust or safety for customers, employees, vendors, or contractors?

3. How confident are we that the senior management of this company will become aware of unethical or illegal activity when it occurs?

4. Does this company have adequate mechanisms to communicate and enforce its legal and ethical standards?

5. Has this company taken sufficient steps to reduce the possibility that its stakeholders will be harmed?

When it comes to preventing fraud and ethical abuses, boards should avoid becoming enmeshed in tactical details and operating minutiae. One prominent exception: board members must be open to holding direct conversations with employees who want to report fraud. The risks to a company are simply too great for board members not to know when risky behavior or activity takes place. And as the Wells Fargo case has demonstrated, there is no certainty that the established channels for reporting problems will work, or that employees will feel safe using them.

Board-sanctioned risk committees as an elixir. Day-to-day operating risks can be addressed by a cross-departmental risk committee. Openness and transparency are useful antidotes for fraud risk, and companies can develop these capabilities in-house through a team dedicated to monitoring, identifying, and reporting conditions that might be unethical and illegal. The good news: establishing a risk committee doesn’t demand staffing it with specialized talent. And now the bad: risk committees succeed only when boards care about risk prevention, and management responses to the issues the committee exposes are both timely and adequately considered.

Some recommendations for getting started:

Step 1: If the name Risk Committee doesn’t sound catchy, or fails to entice people to join, give the committee a different name.

Step 2: Decide how to recruit and appoint members. Sales and Marketing must be represented, but make sure other departments are, too.

Step 3: Select a capable leader – or ensure that one can be chosen.

Step 4: Write a committee charter to establish the purpose, objectives, goals, and authority. For example, “The purpose of the Committee is to provide oversight to ensure that marketing and sales strategies, tactics, policies, and procedures do not conflict with laws and regulations, and that they comply with the ethical guidelines of the company. The committee is entrusted with identifying and communicating all matters of concern to senior management, and when necessary, to members of the corporate board.”

Step 5: Establish the scope of what the committee will be able to do, examine, review, and report, along with expectations and guidelines for preserving confidentiality.

Step 6: Determine how often the committee will meet, the role and obligations for committee members, and the duration they will be asked to serve.

Step 7: Create a template for how the Committee’s findings will be communicated. At a minimum, that includes how to document or record incidents, determining who should be told, describing how they should be told, and guidelines for assessing and reporting the magnitude of the threat.

Step 8: Plan a kick-off event, and make sure senior managers are involved.

Step 9: Document the Committee’s activities and the actions taken in response to situations it has identified and shared with senior management.

What signals should Risk Committee members listen for? What conditions should trigger concern? For starters, any artifacts of the ten fraud-risk elements I described. In addition, whenever opacity, process silos, limited access to customer-facing personnel, or reluctance to answer questions or provide information about customer complaints or regulatory compliance occur, risk indicator lights glow red. These situations should be considered for committee oversight.

Boards must recognize that companies face new risks when executives assume fraud and abuse problems can’t be controlled, when they claim that mitigation is too expensive, or when they dismiss oversight as a distraction for the business.

Foiled business scams rarely make it into news feeds. The activities that lead to their demise hardly seem remarkable. Often, an employee – or employees – shares information with a manager or board member who cares enough to act. Then, established prevention mechanisms kick in, and perform as designed. Routine – as it should be. No matter the size, industry, or leadership, an organization is never immune from causing harm through unethical behavior, misguided strategy, and sketchy tactics. Risk committees perform a vital role that no company can afford to overlook: oversight that reduces the probability a company will cause financial and physical harm through systemic bad behavior.
