Opportunity (for crime) knocks. But who’s listening?
A large majority seem to favour stronger control environments as a means of reducing this opportunity, but our top-line results show corporate control environments are 7% less effective in detecting and preventing economic crime than two years ago. Over three quarters (76%) of respondents told us they are relying on their internal audit function to assess the effectiveness of their compliance programmes.
While internal audit is an important piece of the framework for assessing a compliance programme’s effectiveness, it is not by itself a sufficient means of assuring compliance, because its interventions are both periodic and historical. Moreover, the fraud risk profile has changed (for example, an increase in new frauds such as cybercrime), and the incidence of some fraud types is rising or persistent in certain types of organisation.
For example, large organisations with more than 1,000 employees remain more susceptible to procurement fraud and bribery and corruption (5% higher and 2% higher, respectively, than the global average) as fraud schemes find a way around established control frameworks. In effect, hackers and fraudsters have worked out how to circumvent some of the more common control frameworks.
Since prevention must ideally occur at the point of decision making, internal audit mechanisms should be integrated with management reporting and real-time monitoring in the business so that issues are detected and prevented in time. Our financial sector respondents in particular point to management reporting as key to ensuring the effectiveness of compliance programmes, with 60% using this tool. Currently only 8% of all respondents say they are using other, more promising internal monitoring approaches – such as data or predictive analytics – which are more difficult to circumvent.
Implementing in high-risk areas: The devil is in the details
Embedding ethical behaviour within a global organisation requires better training, consistent communication and management reporting. But it should also include an understanding that country risks are not created equal (even across high-risk areas) – and that a sophisticated global compliance programme must be finely tuned to the specific realities on the ground.
Having a recognised code of conduct is a starting point, but if employees do not know how to use it in their day-to-day decision-making this does little to mitigate compliance risks. The code and other policies need to be embedded through training, regular communications, reward and recognition of where good decisions are made, and disciplinary procedures where bad decisions are made.
While appropriate training (and on-going communication with farther-flung divisions) costs money and time, it is nonetheless critical to the task of embedding the code of conduct across all business practices and locations – especially in geographic markets and divisions where risks of a breach are higher.
Although 86% of organisations globally agreed that their organisation had a code of conduct in place, only 64% of respondents said that training was provided regularly and supported by regular communication and advice. The discrepancy was particularly sharp for respondents from Africa, Western Europe and the Middle East.
Throwing money at a problem doesn’t, however, always fix the underlying issue. Companies need to ensure that they are using the right tools, technologies and techniques to get the most bang for their buck.
Technology: Not a panacea, but a powerful tool
Forward-thinking organisations are always exploring ways to increase the efficiency and effectiveness of their work. Today there are several sophisticated tools – including big-data analytics capable of much more effective monitoring – that can help bring compliance closer to operations by handling a variety of types of structured and unstructured data.
Yet outside of transaction monitoring systems (which are used primarily by financial-sector clients), very few organisations are using these kinds of technologies to help detect and prevent economic crime. Currently only 8% of respondents referred to the use of other internal monitoring approaches such as data analytics.
That is not necessarily a bad thing. We have observed that the best place to start is not in the “big data” space of transaction monitoring, but rather in the “small data” of risk assessments. What matters most is collecting consistent comparable data – an act that sounds straightforward, but isn’t.
Data for data’s sake?
Organisations can fall prey to technology-related missteps. Driven by a disconnected risk assessment process, some engage in too much monitoring in some places, and none in others. Others unknowingly duplicate their expenditures on different tools. Still others follow a tick-the-box approach to compliance – and don’t always gather or use the right data.
Some organisations use data more strategically – seeing it as a link to crucial insight on trends and behaviours, as well as an early-warning system of hot spots and other signs of potential trouble, such as patterns of absenteeism.
Some are using data dashboards that connect into the appropriate management structure, where the data is interpreted, then fed back into the business. These companies then spend time looking at how decisions are made, and are able to fine-tune their programmes appropriately.
Ultimately, the focus should be not on technology per se, but rather on what it enables. Data will never be a panacea. But used effectively, it can offer companies additional power to stay ahead of their compliance risks.