Viktor Josefsson, Director, Forensic Risk Alliance

The requirements for organisations to ensure proper and effective regulatory compliance have become increasingly complex in today’s globalised world. The use of data in everyday business is growing exponentially, throwing up many complexities for corporates to manage, as is the profusion of cyber-attacks both from outside and inside organisations.  Throughout the world, governments, regulators, and other industry bodies are scrambling to keep up with the rate of financial crime (including corruption and fraud) and are continually introducing harsher penalties and more stringent regulation to provide a stronger deterrent.

But why is data usage increasing so rapidly?  Partly it’s down to regulation and disclosure requirements but also it can be attributed to storage capacity.  Computers are vastly more powerful than, say, a decade ago, with data being stored in the cloud. There is structured data including ERP and CRM systems, invoicing and product databases as well as unstructured data, often used for applications involving communications, such as video or audio files, WhatsApp messages or emails.

What is at stake from a company’s perspective is not just financial loss, but reputation.  Companies that fail to prevent irregularities from occurring risk suffering significant damage, such as fines and possible loss of licences or even imprisonment of culpable individuals. The financial penalties can become considerably higher when operating on the international stage. For example, the Information Commissioner’s Office has the power to impose a fine worth 4% of a company’s total worldwide annual turnover if they have cause to believe a business made fundamental errors and did not follow due process. There is also the reputational damage, caused by negative publicity, which can affect brand loyalty as well as hit the company’s share price and valuation.

It is important to act quickly and decisively if irregularities occur and to build up internal competences and procedures in order to secure resilience and achieve growth.

Given this context, companies particularly working across international markets, simply have no choice but to invest in more preventative measures.  Some companies are clearly more advanced than others in terms of having the right data analytics and system alerts, which are essentially tools that can be used to get meaning from data.

The point about data should not be confused. Yes, the sheer volume is growing exponentially and the complexity of data transfers, data management and data privacy gets more and more dense but if managed properly it can also be used advantageously through analytics, system driven alerts and notifications, and dashboards to identify and prevent incidents of corruption or fraud.

There is no “one-size-fits-all” in terms of compliance programs or solutions, as each company is different. What our many years of expertise and cross-sector experience assisting companies with various compliance needs has taught us is that the approach needs to be tailored, risk-based and technology-adapted to each company to ensure that it stands up to international best practice.

So, what are the actionable practical steps which companies can take? First and foremost, it is vital to create an environment of trust, connecting compliance officers and teams to the rest of the organisation. The tone and the sincerity from the top and the middle of the pyramid is incredibly important.  Compliance should not be viewed as a process or an afterthought; it should be part of the organisation’s DNA.

Training should be used as a measure for anything surrounding compliance and specific areas, if applicable, such as insider dealing within investment banks.  It should be embedded on a continuous basis, covering policies and procedures, codes of conduct but also be tailored to the organisation so that it is meaningful for all employees.  There should be training also in relation to ethics as well as whistleblowing.  There must be an avenue for employees where they can comfortably and securely raise any potential concerns. Around the world, there is new legislation around whistleblower protection, but it is not well known or understood.

One of the most prevalent and recurring incidents that arise is when companies get unstuck by not having a proper handle on what external parties in their value and supply chain are doing, such as agents, distributors, resellers, or suppliers.  Third-party due diligence is key in a rapidly shifting supply chain landscape and is an area where most corporates need to improve in order to manage their risks. It includes vetting third parties through the lens of ESG. There are platforms and systems available that can help organisations in the screening process, providing background checks and identifying any red flags that should be interrogated. Third party monitoring should be an ongoing process not just at the onboarding stage.

Risk assessments are also important. Companies need to understand their risks and any potential red flags. This is still the building block and cornerstone of a compliance programme.  With increased and changing business pressures, ensuring ongoing monitoring of the risks of corruption and fraud must be key to being able to demonstrate to stakeholders an institution’s robust response to changing circumstances. It’s surprising how many companies don’t conduct them or do them so ineffectively as to render them futile. Businesses should endeavour to understand their corporate risk profile based on the industry they are in, the customers or governments they are dealing with and so on.  The internal controls need to then reflect what their internal assessment finds.

It is the regulators’ expectation that risk assessments are conducted at least annually.

One of the additional areas that would help from a preventative standpoint is moving away from operating within siloes. Companies that act like this and don’t have integrated systems and functions cause challenges that might lead to incidents slipping through the net.

Since the start of Covid and global lockdowns, remote working has become the ‘new normal’. One unfortunate consequence of this has been a significant increase in the number of social engineering attempts, exposing financial services companies in particular to both internal and external fraud risk. Monitoring and compliance became far more challenging with a dispersed workforce.  Many businesses advocate the positives but certainly there’s a higher level of disconnectedness between bosses and employees following the rise of remote working.

Finally, in the event of any allegations or indeed charges of corruption or fraud, it is vital that organisations investigate thoroughly and based on any findings and learnings, put in place remedial actions to prevent recurrences.