Ethics & Compliance

Our survey results show that not only are the number of economic crime risks increasing, so too are the complexity of those risks and the role that technology plays. This is hardly a surprise in a business environment characterised by growing globalisation, increasingly vigilant enforcement and greater demand for public accountability.

That’s why your ability to identify and mitigate compliance risks needs to evolve at a rapid pace. A risk-based approach to ethics and compliance – one that begins with a holistic understanding of your economic crime risk, and an understanding of where your compliance weaknesses are – is a must-have. From that position of clarity, you can create an effective programme that mitigates those risks, and positions you for reaching your business goals. Yet a worrying 22% of organisations have not carried out a fraud risk assessment in the past 24 months.

While the number of organisations reporting fraud overall has, at 36%, remained fairly consistent in recent years, a closer reading of the data reveals important nuances. Most “traditional” frauds (such as asset misappropriation, accounting fraud, and bribery and corruption) have fallen somewhat from their 2014 levels. Other crimes – notably cybercrime, money laundering and insider trading – have either stayed at the same level or increased, with cybercrime jumping by a third (32% vs 24%) in just two years...


Tracey Groves and David Andersen
PwC Partners - Ethics & Compliance
LinkedIn View Tracey's LinkedIn profile
LinkedIn View David's LinkedIn profile

People & culture: Your first line of defence

At the heart of any economic crime is a poor decision driven by human behaviour. So it stands to reason that the answer should start with people. That means not only instilling clear processes and principles for your employees, but also creating a culture where compliance is hard-wired to values – and to the overarching strategy of the organisation.

Our respondents told us that the greatest organisational damage they experienced as a result of economic crime was not to their share price or even in relations with regulators. It was reflected in damaged employee morale – with 44% of respondents experiencing medium or high impact. Reputational damage was also cited by 32% of respondents as having significant impact. In both cases, the nature of how a business is perceived – from the inside as well as the outside – was the area of greatest concern. This underscores the key role played by values in a successful business strategy.

Mind & measure the (perception) gaps

Nearly all survey respondents agreed that their organisation had clearly stated and well-understood organisational values (86%), with CEOs and CFOs expressing this particularly strongly. But our survey identified areas where senior management and boards were not perceiving the same realities as those in the middle. While 90% of CEOs felt values were clear and understood, this had reduced to 84% at the level of managers.

In our experience this is a statistically significant gap – between what senior leaders think and say and what middle management perceive – which can potentially create a vacuum within which, despite the best of intentions, unethical activities can spring.

Aligning roles & responsibilities: Who’s in charge here?

Our survey revealed that approximately one in five (18%) of all respondents told us they knew of no formal ethics and compliance programme in place in their companies. Interestingly, the percentage of CEOs, board members and COOs that stated not knowing of a formal ethics and compliance programme was higher, at 23%.

82% of organisations have established a formal business ethics and compliance programme, but responsibility for that programme is widely dispersed among roles.

Organisations with fewer than 1,000 employees are generally less likely to have a formal ethics and compliance programme. Although they may be focusing on the actual needs of the business rather than taking a “bells and whistles” approach, this can pose a challenge as many of them face a similar risk landscape to their larger peers.

Opportunity outweighs the other two elements of the opportunity triangle, which are incentive/pressure to perform and rationalisation of the crime.

Opportunity (for crime) knocks. But who’s listening?

A large majority seem to favour stronger control environments as a means of reducing this opportunity, but our top-line results show corporate control environments are 7% less effective in detecting and preventing economic crime than two years ago. Over three quarters (76%) of respondents told us they are relying on their internal audit function to assess the effectiveness of their compliance programmes.

While internal audit is an important piece of the framework for assessing a compliance programme’s effectiveness, it is not by itself a sufficient means of assuring compliance, due to the fact that its interventions are both periodic and historical. Moreover, the fraud risk profile has changed (for example an increase in new frauds such as cybercrime), and incidence of some fraud types is rising or persistent in certain types of organisation.

For example, large organisations with more than 1,000 employees remain more susceptible to procurement fraud and bribery and corruption (5% higher and 2% higher, respectively, than the global average) as fraud schemes find a way around established control frameworks. In effect, hackers and fraudsters have worked out how to circumvent some of the more common control frameworks.

Since prevention must ideally occur at the point of decision making, internal audit mechanisms should be integrated with management reporting and real-time monitoring in the business so that issues are detected and prevented in time. Our financial sector respondents in particular point to management reporting as key to ensuring the effectiveness of compliance programmes, with 60% using this tool. Currently only 8% of of all respondents say they are using other, more promising internal monitoring approaches – such as data or predictive analytics – which are more difficult to circumvent.

See more...

Implementing in high-risk areas: The devil is in the details

Embedding ethical behaviour within a global organisation requires better training, consistent communication and management reporting. But it should also include an understanding that country risks are not created equal (even across high-risk areas) – and that a sophisticated global compliance programme must be finely tuned to the specific realities on the ground.

Having a recognised code of conduct is a starting point, but if employees do not know how to use it in their day-to-day decision-making this does little to mitigate compliance risks. The code and other polices need to be embedded through training, regular communications, reward and recognition of where good decisions are made, and disciplinary procedures where bad decisions are made.

While appropriate training (and on-going communication with farther-flung divisions) costs money and time, it is nonetheless critical to the task of embedding the code of conduct across all business practices and locations – especially in geographic markets and divisions where risks of a breach are higher.

Although 86% of organisations globally agreed that their organisation had a code of conduct in place, only 64% of respondents said that training was provided regularly and supported by regular communication and advice. The discrepancy was particularly sharp for respondents from Africa, Western Europe and the Middle East.

Throwing money at a problem doesn’t, however, always fix the underlying issue. Companies need to ensure that they are using the right tools, technologies and techniques to get the most bang for their buck.

See more...

Technology: Not a panacea, but a powerful tool

Forward-thinking organisations are always exploring ways to increase the efficiency and effectiveness of their work. Today there are several sophisticated tools – including big-data analytics capable of much more effective monitoring – that can help bring compliance closer to operations by handling a variety of types of structured and unstructured data.

Yet outside of transaction monitoring systems (which are used primarily by financial-sector clients), very few organisations are using these kinds of technologies to help detect and prevent economic crime. Currently only 8% of respondents referred to use of other internal monitoring approaches such as data analytics.

That is not necessarily a bad thing. We have observed that the best place to start is not in the “big data” space of transaction monitoring, but rather in the “small data” of risk assessments. What matters most is collecting consistent comparable data – an act that sounds straightforward, but isn’t.

See more...

Data for data’s sake?

Organisations can fall prey to technology-related missteps. Driven by a disconnected risk assessment process, some engage in too much monitoring in some places, and none in others. Others unknowingly duplicate their expenditures on different tools. Still others follow a tick-the-box approach to compliance – and don’t always gather or use the right data.

Some organisations use data more strategically ¬– seeing it as a link to crucial insight on trends and behaviours, as well as an early-warning systems of hot spots and other signs of potential trouble, such as patterns of absenteeism.

Some are using data dashboards that connect into the appropriate management structure, where it is interpreted, then fed back into the business. These companies then spend time looking at how decisions are made, and are able to fine-tune their programmes appropriately.

Ultimately, the focus should be not on technology per se, but rather on what it enables. Data will never be a panacea. But used effectively, it can offer companies additional power to stay ahead of their compliance risks.

See more...

Contact us

Mark Anderson
Partner, United Kingdom
Tel: +44(0) 20 7804 2564

Manny Alas
Partner, United States
Tel: +1 (646) 471 3242

Martin Whitehead
Partner, Brazil
Tel: +55 11 3674 2141

Follow us

Twitter LinkedIn Facebook Youtube Google+