Why would a Whistleblowing Policy help your organization in your Fraud Risk management Efforts?
Over the past couple of decades, well publicized corporate troubles and collapses such as Enron, Worldcom, NKF, Olympus, UBS, HSBC and NSA scandals just to name a few have highlighted the key role of whistle blowers in bringing to the surface these frauds. Indeed researchers agree that about 70 to 80% of fraud losses are usually committed by the internal staff of an organization and that in most of the cases, they were eventually detected because somebody from the inside or outside blew the whistle.
Indeed it is not far-fetched to assume that when someone is involved in a fraud or any kind of misconduct, there will most likely be somebody else inside or outside the organization who knows about it or at the very least suspect it. Hence when looking to uncover possible frauds in your organization, one of the key source of information could therefore be your own staff and other key relevant stakeholders such as suppliers for example. Regrettably organizations too often fail to capitalize effectivelly on their employees as a potential essential resource in their fraud detection and control mechanisms.
The sad reality illustrated by the many stories making the news headlines is that if they had used this resource properly with an effective whistle blowing policy in place, those organizations could have stopped the fraud they were the victim of much earlier and possibly saved themselves a lot of troubles and even ensured their survival.
What will happen if your organization do not have a Whistle Blowing Policy or if the Policy is improperly designed, implemented and communicated?
In such cases, people will usually NOT report spontaneously about what they see or know. They will likely keep quiet about it for a number of reasons I will explore later in this post one of them is the fear of getting themselves into troubles. This in turn will prevent the organization from identifying and hence addressing the issues until it is unfortunately too late for effective corrective actions to be taken and to avoid painful consequences..
Those who do dare to report something will usually prefer to do it anonymously often by-passing the ‘official’ reporting procedure set by the organization in order to avoid exposing themselves. Although this kind of random anonymous disclosures might be considered as better than nothing, it is in fact a real problem for organizations as it means that if the management decide to act upon it, they may have to go on “a wild goose chase” based on often too limited or even dubious information. It is also important to keep in mind that in some cases of anonymous allegations, the whistleblowers can also have malicious intentions making partially or totally incorrect allegations to promote their own agendas. If not managed carefully, those malicious allegations could destroy the reputation of the wrongly accused employee, severely affect the morale of the rest of the staff and damage the credibility of the management who mishandled the situation.
On the other side, if the management decide to do nothing about the anonymous disclosures, there possibly missing an opportunity for early detection and action on a real fraud situation leaving it as a time bomb that will inevitably explode sooner or later. Furthermore if the management is perceived to do nothing or move too slowly in its investigations by the whistle blower, the situation can get worse on that front as he/she may contact the media and/or the regulatory authorities and /or the police. Any suspicions of fraud or corruption that are brought to the attention of the media have the potential to blow off into a major public scandals creating tremendous damages to the reputation of an organization and even in some cases, possibly threatening its survival.
Why people will often not want to blow the whistle openly using official channels set by the organization?
There are a number of reasons for that and I will now review them in more details:
1 – Fear of Retaliation: The main reason is the same everywhere! FEAR! While many regulations have been enacted all around the world to provide some protection for whistleblowers such as for example the Sarbanes-Oxley Act in the United States and despite reassurance from the management in many organizations that retaliation against whistle blowers will not be tolerated, many employees arround the world strongly fear they will likely suffer from “blowing the whistle”. Indeed for those people who do blow the whistle, the consequences can be disastrous! It is an unfortunate fact to stress that far from being celebrated as corporate heroes saving their organizations from potential destruction, the data from many documented cases with my own experience as a whistleblower included shows that most whistleblowers are somewhat “punished” and often have their careers ruined by their honest actions. Many publicized cases have highlighted how whistleblowers are ostracized, bullied, over-looked for promotion, or treated so badly that they have to leave a job that has become untenable. In worse case scenario, they can even end up in prison or face life-threatening situations. Furthermore considering that the current volatile economic climate reinforces the general feeling of insecurity among employees, whether it is true or not, that their jobs are always potentially at risk, many employees fear that they will increase the likelihood of losing their jobs if they make noise and rock the boat by raising their concerns!
2 – Cultural Impediments: There are also a number of cultural factors that discourage employees from reporting the acts of misconduct they are aware of. These factors and their importance may differ from one cultural environment to the other and hence as such adding a significant level of complexity for multinational organizations to learn to manage effectively. Examples of cultural factors include the issues of Divided Loyalties and Submission to Authorities that play an important role in influencing people behaviors in many societies. The problem can be particularly acute in certain Asia countries first due to the essential importance of families and personal ties in business relationships and second because of the hierarchical nature and the importance of power distance in those societies as defined by Geert Hofstede in his research study on “cultural dimensions theory”. For example in Korea and Japan, a strict seniority system is dictating that employees must show unbounded loyalty to their superior and co-workers. This kind of environment will discourage those employees from questioning management decisions even when facing life or death situations. The Historical background of a country can also exacerbate an existing bias against whistleblowing policies as it can bring back negative memories to employees such as the horrors of the Nazi surveillance system in Germany, the denunciations of the Cultural Revolution in China, the apartheid-era informants in South-Africa and so on. All these factors are making it very difficult to make whistleblowing procedures acceptable in those countries.
3 – System & Processes issues: Corporate whistleblowing resources are often under utilized simply because from a practical point of view, they are often insufficient, badly designed and improperly communicated to the employees who are then confused about what to do with them. There is also often a basic problem of trust in the reliability and effectiveness of the system put in place especially when influencial and powerful figures are the subject of the disclosure. Potential whistle blowers who have concerns that they want to report must feel the whistleblowing policy and system can be relied on. They may feel, it is often not the case.
How to connect effectively with the people who might be aware of possible wrongdoings?
The earlier an organization can detect a fraud, the faster they can deal with it appropriately. Early detection may save the organization by allowing them to take the appropriate actions diminishing the damage to its operations, reputation and business. When the whistleblowers can be identified, the organization will be able to obtain more complete and accurate information about the allegations raised and eliminate incorrect or malicious allegations while clearly identifying the areas that need further investigations. Hence organizations should encourage whistleblowers to come forward and report suspicions of fraud and misconduct in a formalised manner through a well-designed whistle blowing policy.
The policy should be designed to really encourage employees including former employees, customers and suppliers – to raise concerns to the management using properly defined channels, rather than keeping quiet about the problem or throwing out through various means random anonymous allegations. To achieve that, it is essential to understand the issues from the whistle blower’s perspective i.e. fear of retaliation and cultural impediments and address them appropriately. This means sending a clear message to potential whistleblowers that unambiguously responds to the concerns that would otherwise stop them from coming forward. Questions potential whistleblowers will ask include: What sort of concerns I am right to raise? What evidence do I have to provide? What will you do about my disclosure? How are you going to investigate? What will happen to me? How are you going to protect me?
The organisation should be seen as responding positively to concerns raised, and acting both to protect the whistleblower and fix the issue raised. Therefore the objective of an effective whistleblowing policy should be to create an environment where people feel safe and confortable raise the concerns about possible fraud and misconduct issues they may have observed within the organisation.
With that in mind, implementing a whistle blowing policy should involve the following key steps:
The Whistleblowing policy should include the following key elements:
This last point is very important. Indeed while having a robust whistle blowing policy in place is an essential best practice for the management of any organization, in addition, to be really effective, organizations need to nurture a culture in which employees will do the right thing knowing that their concerns will be taken seriously, and that the protection provided by both the law and internal corporate policies is real and effective.
To conclude, a whistleblowing policy is at the heart of a strong culture & system of corporate ethics and compliance. By promoting a strong whistleblowing policy, your organisation sends a clear message to all staff and others that compliance with certain principles and values is fundamental to the long-term success of the organisation and by this potentially discouraging some would-be fraudsters from taking actions while encouraging other employees to report concerns appropriately.
I was invited to speak and share my views on “How to Encourage Whislteblowing as an effective tool to prevent and detect fraud” during the 2013 ASLI Internal Fraud Conference in Kuala Lumpur and I thought it would helpful to share the presentation I gave at that conference. Therefore I have attached it in this post below. Enjoy and if you have any questions do not hesitate to contact me.
IRONICALLY, equity-based compensation systems and in particular Stock Options were initially devised as a form of risk control to resolve the conflict of interests inherent in the agency problem in organizations i.e. the possibility of opportunistic, self-interested behaviour on the part of the Management (i.e. the AGENT) that could work against the welfare of the Shareholders (i.e. the PRINCIPAL). How do Stock Options work? In simple terms, the stock options mechanism allows the recipient to purchase stock in the future at the price it is valued today (i.e. option price). It means that if the share price rises above the option price, the recipient will be able to pocket the difference when he/she exercises the options after a certain required period (i.e. the vesting period).
To its advocates, stock options were seen as the “magic carrot and stick”, an ideal and cheap incentive designed to foster great management performance by encouraging optimal risk-taking and management simply because it was supposed to ALIGN smartly an organisation top management interests with those of the shareholders.
Let’s now take a closer look at how stock options were supposed to resolve the inherent conflict of interests between the management and the shareholders. The rationale was that shareholders are essentially interested to see an increase of the share price of the companies they have invested into. So, it means that share price movements upward…
On the contrary, if the share price stagnates or worse goes down, the stock options are worthless penalising the management for its poor performance. It means that options would pay off ONLY if the company’s share price went up.
Hence share price movements seemed at first glance to be a fair and reasonable way to:
Based on that understanding, from the late 80’s, stock options started to be widely granted to the seniors management and senior traders quickly becoming an essential part on their compensation packages.
Unfortunately, it did not work as it was initially intended to (Here is another example of the law of ‘Unintended Effects’).. Data about corporate failures/troubles over the past 2 decades have showed that Stock Options FAILED to resolve the Agency Problem. In fact, they made the problem worse by the exacerbating the the moral hazard issue in senior management behaviour.
Obviously, something went wrong.. painfully wrong! Let’s try to find out what happened… I would now like to elaborate on the following 2 key reasons that will shed light and explain the ineffectiveness and dangers of using Stock Options as a top executives performance management tool:
1- Perversion of the Stock Options mechanism
In many public-listed organizations, stock options became an additional form of compensation that was often just added up on the top of already very generous packages. Furthermore the stock options system was quickly perverted by the management through the use of various techniques that essentially aimed to ensure that the management would get ‘their huge bonuses’ no matter what was their individual performance and the performance of their organizations.
I have listed below some of the most popular techniques used for that purpose:
Many organizations distributed options to their senior management teams like candies in ever-growing numbers and it ended up to generate the biggest bonanza yet for top executives leading to exponential growth in their compensation packages.
Advocates of options compensation, postulate that options mechanisms shouldn’t be judged on the basis of the perverted use made of them in some organizations, that the issues highlighted can be corrected with proper controls (i.e. better oversight, longer vesting periods, etc) ensuring that organisations will benefit from the option mechanism. They also claim that exponentially rising senior executives compensation is not the result of the use of options but is rather due to the intense competition for top experienced managers in a globalised world. They finally claim that stock options have helped to foster business innovation, by giving young and promising but cash-poor start ups a bait with which to attract the human capital talents necessary to engineer their growth. Let’s now explore this issue.
2 – Share Price is NOT well-suited as a Performance Management Metric
Can stock options really help align the interests the management with those of the shareholders and provide a fair and reasonable basis for executive compensation?
In order to be able to answer that question, we must realise that the validity of the stock options mechanism is based on a very important hidden assumption.. It goes as follows: “If the share price is going up, it MUST mean that the management team has done a good job!”… Is this assumption realistic and reasonable?
A primary school child should be able to figure out that this kind of reasoning is not just simple, it is simplistic! As a matter of fact, the assumption it is based on, proved over time to be highly questionable and incidentally highlights one key ROOT Cause of Management’s Problems in organizations.
This root cause of management’s problems is that… People and Organizations are typically evaluated on OUTCOMES i.e. Results (often financial) Metrics/Indicators such as revenue, earnings, share price, turnover, etc.
Why are Results Metrics PROBLEMATIC?
It is because they work like ‘thermometers’. These ‘temperature indicators’ aim to tell you if you are healthy or not! For example, when the share price goes up, it is supposed to indicate that the organisation is doing well. On the contrary, if it goes down, it is a sign of troubles!
However one essential limitation of those kind of metrics is that it will NOT tell you HOW you achieved the Results!
This limitation is easily overlooked as people are naturally inclined to assume that the positive movement of a result metric (in our example the share price) must indicate that there is a very effective leader doing a great job.
Unfortunately the reality is that, beside somebody doing a good job, there are many other problematic reasons that can lead to GOOD RESULTS on the short to medium term. Results could LOOK good because of:
As Warren Buffett once declared: ‘Risk comes from not knowing what you’re doing’.
The disconnect between Results on one side and decision/actions on the other side is a so-called unintended “side effect” of the focus on metrics such share price and will inevitably lead to the creation of black boxes in organizations… And black boxes will open the door for all kind of abuses by the managers in charge who can do whatever they want with no proper scrutiny of they decisions and activities as long as they operate within the perimeter of the black boxes.
I trust I have highlighted both the ineffectiveness and dangers of stock options schemes. Do keep in mind that from a risk management perspective, if you evaluate performance using indicators that are not clearly related the critical success factors of your business model, it means that you do not understand what you are doing, and that you are actually GAMBLING away the assets of your organization.
Hence it is time to recognise that stock options should never be used on their own as a performance management and reward mechanism. In fact, don’t waste your time trying to improve something that is inherently flawed. The best solution is probably to drop or at least limit drastically your stock options compensation scheme and reward primarily your staff based on metrics that put the spotlight on their real risk-adjusted performance. I know it will not be easy … indeed why would senior executives who are, by their human nature, primarily self-interested, agree to change a flawed system that is so skewed in their favors? How we can make that happen will be the subject of another post..
A CRISIS can be defined as an event/situation that results in a:
Which, as a consequence of the direct impact and of the stakeholders’ negative responses, may dramatically impact an organisation’s profitability, reputation and hence long-term operational sustainability potential.
Crises can occur at any time and hence the challenge of identifying, preventing, and managing crisis events has become a critical concern for many organisations.
The HR function has a key role to play not only in protecting the welfare and safety of affected employees but also in supporting organizational sustainability. Why? The simple and obvious reason is that there is always a human side to a crisis as people are likely to get hurt physically and/or psychologically. Unfortunately, one of the critical errors in crisis management planning is the strong tendency to focus the attention and efforts on reinforcing systems, operations, infrastructure and public relations, with people issues coming in last on the list of concerns and as a result often ending up neglected. Organizations should not wait for something terrible to happen to find out just how unprepared they and their employees are. This neglect is a serious problem as organizations really need to pay greater attention to the impact of critical events on their employees, their families and the community as a whole as effective crisis management, business survival and recovery cannot happen without well-prepared, safe and motivated employees.
For organisations with inadequate HR crisis plan in place, the effects of any crisis will be catastrophic and may include:
Looking at the Human Side of Crisis Management Is Essential For Business Sustainability
Today’s business environment requires a robust, enterprise-wide plan to deal with risks and crises. Company reputation and brand, as well as the trust and loyalty of stakeholders, are all critical assets at stake during a crisis. It should beobvious to everybody that a Crisis and its Management has a lot to DO with PEOPLE:
Hence based on the abovementioned reasons, the Human Resources function should be play a strategic and proactive role in Risk, Crisis & Business Continuity Management because they are the primary caretaker of an organization’s human capital welfare and motivation. HR is in the best position to ensure that an organization’s human capital can be prepared, preserved and can continue to create value under any adverse circumstances.
Defining HR’s Role in Crisis Management
In today’s Information & Knowledge Economy, Organizations increasingly rely more on Human Capital (knowledge workers) to build competitive advantages and generate their profits, rather than just on equipment, technology and systems. Hence no matter their size, durability and successes, organizations are very VULNERABLE when something go wrong with their people. At the same time, people are the solution too!
HR leaders have a strategic role and responsibility to ensure their organizations are aware of internal vulnerabilities on the human side to different types of crises and to ensure their crisis management plan covers all potential risks and concerns.
To be included as a strategic partner in crisis management, with other functions such as risk management and business continuity management, HR professionals have to understand and speak the “lingo” of crisis management.
HR has the opportunity to ascertain that the human capital is taken care of in all crisis management and business continuity plans. HR can offer real value protection or enhancement through deliverables such as crisis communication plans, crisis resource planning, safety and security training, talent management and succession planning to help reassure and prepare employees.
In partnership with other organizational leaders, HR can develop an infrastructure for crisis management by motivating the company’s human capital to support what need to be done. The support and commitment that an organization will need from its employees during and after a crisis can be facilitated by HR professionals who can understand both the business and employees’ perspectives.
Preparing an Organization & its Human Capital For Crisis
HR professionals can influence the organizational culture and capabilities to provide effective preparation and capacity building before the crisis and effective management and leadership during and after a crisis. Effective crisis response requires an understanding of what people need from management, and how to provide it. Some recommended strategic and practical steps regarding crisis management planning are as follows:
Additionally, a number of other activities may be necessary such as to protect and backup HR records, to identify and reserve emergency office space and to provide sufficient manpower for business recovery and so on.
In summary, HR should take responsibility to :
To be most effective, HR leaders should work collaboratively with other key organizational functions involved in crisis management such as risk management and business continuity management, build the business case and obtain top management commitment to support the development of enterprise-wide crisis readiness plans that fully integrate the human side of crisis.
I was invited to speak and share my views on the “Role of HR in Crisis Management & Organisational Sustainability Preparedness” during the 2013 HRM summit in Singapore and I thought it would helpful to share the presentation I gave at that conference. Therefore I have attached it in this post below. Enjoy and if you have any questions do not hesitate to contact me.
In a world where there is no clear moral compass to guide leaders through dilemmas about what is right or wrong when managing Risks and Opportunities. This module explores the complex ethical and social dimensions of business and provides a framework that will help participants make and justify difficult decisions. It further explores how to build a Business Model based on CSR to create shared-value through a positive impact of an organization's activities on the environment, consumers, employees and other stakeholders.
This information-packed module covers the fundamentals of project risk management. You will learn how to establish and implement a structured approach to forecast, monitor and manage risk factors for projects, large and small. You will also learn how you can communicate effectively and share the responsibility of managing project risks with your team members, customers and management.
Modern organisations are now confronted to an increased level of volatility and complexity in today's global business environment. And to make effective decisions, you will need to conduct a proper diagnostic of the risk profile of your organization. This module will introduce our Value and Risk mapping model, highlights the benefits, and summarizes the method of identifying, analysing risks and developing risk maps. It will also describe several applications, some pretty unconventional, for risk mapping in an organisation.
This module provides the techniques and training in developing people who can master the art and science of communicating about risks with the various groups of internal and external stakeholders. Thus, proactively anticipates on risk issues and prevent crises or if a crisis is inevitable, to limit and overcome the damage it creates.
This module provides an understanding on the types of ERM Models that can be designed to deal effectively with the risk issues an organization is exposed to. Participants wil learn the Key Risk Controls to Protect your Tangible and Intangible Assets. This module will guide you through a wide range of risk management strategies/interventions, explains how they work and suggests when they are most appropriate.
The module provides a detailed understanding on the wide range and types of losses an organisation is exposed to and the potential financial impacts of those losses. Participants wil learn the Key Risk Financing Techniques to protect the Tangible and Intangible Assets. How and when to select and apply the right financing Techniques and how to analyze carefully the pros and cons associated with the financing techniques of transfer, retention and insurance.
Without proper risk metrics, there cannot be any risk management. This module will explore the two dynamic processes of strategic/operational response and continuous change learning that are critical for an effective risk control system. It also explains how they can be explicitly structured and monitored, using a series of reports and Key Risk Indicators (KRIs) and distributed timely to the people who need them to make the right decisions.
This module provides a comprehensive framework to design an ERM system and policies adapted to your organization's business needs and maturity, allowing you to address business issues, stakeholders concerns and new regulatory in an efficient and integrated manner. ERM can yield tremendous potential competitive advantage for an organization through an integrated, enterprise-wide perspective on its risk profile aligned with its business model.
This thought provoking and practical module will give participants an insight into the various ERM change methodologies and models, and their implications for corporate systems and culture transformation. You will learn a project implementation roadmap on how to nurture the type of risk-aware culture able to learn and adapt to continuous changes in the environment, and thus creating sustainable value for your organization.
This module emphasizes on the importance of ERM to build the organizational capability for contnuous learning and business renewal. It provides a roadmap to deal with change and crises with a practical problem-solving approach and a focus on the importance of system resilience, stakeholders' perceptions management, effective crisis communication and preparedness in preventing or controlling crisis situations.
In today’s volatile and competitive world, the value of corporate reputation is a key component of business and organizational performance. This module provides participants with a road map on how to manage Reputation as a strategic asset to create competitive advantage in the marketplace. It covers how to manage communication with key stakeholders to build a strong relationship and a survival guide on how to preserve reputation through a crisis.
Corporate collapses and the financial crisis have highlighted the weaknesses of existing internal controls and risk management systems and the need for a higher level of corporate governance to better align and protect the diverging interests of the various stakeholders in the corporate “game”. This module will guide you through a comprehensive plan on how to strengthen corporate governance by promoting transparency, accountability and effectiveness in management practices.
This practical module will provide you with the most updated current methodologies and best practices to protect your organization against fraud with strong corporate ethics, effective prevention and detection systems. Participants will also understand the extent to which organizations are exposed to the ever-increasing regulatory environment, how to identify the risk and compliance issues that have most significance and how to integrate and leverage a compliance management program within the ERM system of your organization.
This module provides a practical roadmap on how to conduct effective Risk-Based Internal Audit (RBIA). You will learn how you can employ risk-based methodologies in planning and conducting audits to provide assurance on the adequacy of integrated risk management practices and management control frameworks.
This module presents a methodology that maps the human relationships in organizations to identify where and how they affect organization performance. You will learn how you can influence your people and nurture the type of behavior & culture that supports sustainable value creation for your organization. This module will also teach you how to develop and use the right risk-adjusted Key Performance Indicators to drive your people’s behavior and support your business performance. By linking unambiguously the results and decision-making processes with appropriate metrics, considering all the risks involved, you will ensure that your staff’s behavior will be aligned with your organization objectives and interests.