PwC study finds a disconnect exists between strategy and practice in Malaysian companies, contributing to a persistent rise in economic crime risks

Bribery and corruption are unacceptable practices, according to top level management. 
Yet the sharp rise in reported incidences suggests that the message may not be getting through.     

• Companies in Malaysia continue to underestimate the threat of bribery and corruption as reported incidences increase from 19% in 2014 to 30% this year.
• Almost half of Malaysian organisations (42%) see an increased risk of cyber threats yet their approach to risk mitigation is reactive at best.
• 1 in 3 companies have never carried out a fraud risk assessment in the past 24 months.
• Less than half of businesses have controls around payments to prevent money laundering.

Malaysian organisations are not doing enough to protect themselves from the risks of economic crime. This is evidenced by prevalent economic crimes like bribery and corruption, asset misappropriation and cybercrime which continue to evolve in size and complexity, according to PwC Malaysia’s cut of the Global Economic Crime Survey 2016.

For bribery and corruption in particular, the fact that almost all the Malaysian respondents (98%) feel that their top level management are sending a clear message that they don’t condone such crimes indicates a disconnect between the tone at the top and the reality on the ground.

Cybersecurity is another nagging issue with 42% of Malaysian organisations seeing an increased risk of cyber threats. Yet despite various high profile cybersecurity incidents being prominently discussed on social media over the past two years, 54% of organisations are unsure of whether or not they are at risk. Only 35% of respondents say that they have a fully operational incident response plan to cybercrime. Three in ten have no plan at all, and of these, nearly half don’t think they need one.

“As the pace of technological advancements and globalisation increases, so does the complexity of these economic crime risks driven by cyber threats and regulatory pressures. However, too few companies are adapting their risk assessments and control frameworks fast enough. The increasing trend of ‘leaving it to chance’ when it comes to fraud detection will be harmful to a business’ resilience in the long run, if left unchecked,” said Alex Tan, Senior Executive Director and Forensics Lead, PwC Consulting Associates (M) Sdn Bhd.

“In terms of anti-money laundering for instance, many organisations are not aware that as long as they facilitate financial transactions of some form, they would likely come under the scope of anti-money laundering (AML) legislation worldwide. Because of this lack of awareness, many organisations are not up to speed on AML requirements or the compliance programmes they need. What’s worrying is the apparent ambivalence of Malaysian companies towards such economic crime risks. Some of our respondents indicate that they are reducing their spending on anti-money laundering/countering the financing of terrorism (AML/CFT) controls by as much as 20% over the next two years.

“On the surface level, this can be attributed to increasing regulatory requirements which some believe are onerous and costly. But we must also look deeper and question whether Boards are fully engaged about the threats their organisations face or the tools they can use to mitigate these risks.”

Combating economic crime: Whose responsibility is it? 

In terms of managing cyber threats, senior management and board members may not be technologically savvy or able to appreciate the intricacies of new technology being developed to counter cybercrime. 

Also, too many organisations are missing an important part of the puzzle – their employees. Even the most thorough fraud risk assessments will not be able to uncover all the red flags if employees are not empowered to report issues. Fear of retribution is usually the main reason holding them back, and this can be an opening easily exploited by would-be criminals who target disempowered employees.

“At the speed with which the risk landscape is evolving, combating rampant economic crimes can no longer be the sole responsibility of a person or team; it must be embedded within the whole organisational culture. An approach that only dictates responsibility around job functions clearly won’t work, for instance viewing cybercrime as an IT issue or AML as a Risk & Compliance issue,” added Alex.  

“You can come up with the most robust of policies or training programmes on ethics and use of detection tools. But without clear and consistent engagement across the organisation, you’ll be hard pressed to fully get the buy-in of your people for what you stand for as a business in fighting economic crime.   

“To weed out fraudsters and others that are looking to commit fraud against you, ensure that your people properly understand the risks (and associated costs) of non-compliance and its impact to the organisation. Demonstrate how employees can make a difference in speaking up and taking action if they spot fraudulent or questionable practices in the organisation. However, be mindful that too much emphasis on enforcement or rules may be counterproductive. Ensure that compliance is adequately incentivised, and that rewards are fair and consistent regardless of their level or role within the organisation.”

ENDS