The Weakest Links

We communicate frequently about the ethics and compliance risks employees and managers face, and what can be done to reduce those risks. Most of our emphasis is on our own actions.

However, some of the greatest risks we face are caused by the actions of those who are not company employees. Suppliers, agents, consultants and contract employees can all expose companies to risk.  In the last few years, for example, the following has been alleged:

  • The recent horsemeat scandal in Europe occurred as a result of decisions made by suppliers.
  • A Mattel supplier changed subcontractors without Mattel’s knowledge. The new subcontractor changed a production process to use paint with lead in it.
  • Agents hired by a joint venture between a Halliburton subsidiary and a local company in Nigeria paid bribes. Halliburton faced penalties of more than $500M USD.
  • Allegations of child labor and poor working conditions have increased scrutiny on dozens of companies sourcing apparel and electronics in Asia.

Examples don’t have to be so dramatic, either.  Shoddy and shady practices of all kinds can come back and haunt us. One thing is clear: no one ever remembers the name of the supplier, agent or subcontractor who got the big-name company into trouble. It is always the big company—us—who is negatively identified with these events.

What can you do about this?

  1. First, of course, is to follow any review or due diligence policies that apply to your relationships with third parties.
  2. Make sure the third parties you deal with are under contract, have been trained and otherwise know our expectations of ethical conduct.
  3. Continue to exercise oversight toward our third parties. Know the third parties you work with. Look for signs of change, and let the appropriate people know if changes in process, quality, ownership or anything else raise questions in your mind.
  4. Be aware of specific requests or actions that could suggest problems. For example, if you are asked for payment outside of normal channels, or if you sense nervousness or antagonism toward our auditing or quality processes, these could be red flags.

Is it really worth it?

As a small business owner, you probably question the cost of preventing potential fraud in your organization. It makes perfect sense today to balance the cost of risk mitigation versus just absorbing that risk. However, when it comes to preventing fraud, the potential risks cannot be ignored. One single incident can cost your organization tens of thousands of dollars or more, can destroy employee morale, and can leave a lingering feeling of distrust among your customers and vendors. Taking the steps to protect your business does not have to be cost prohibitive. A simple Fraud Risk Checkup can take the temperature of your business as it relates to vulnerability to fraud. The Fraud Risk Checkup takes about 30 minutes and can provide a snapshot of what areas of your business are ripe for fraud.

Your March Madness compliance bracket!

The first order of business after Spring Break and St. Patrick’s Day is to email your co-workers about the annual NCAA basketball tournament bracket. Company employees will take five minutes to fill out their bracket, playing for a cash prize or bragging rights, and then spend countless hours during the work day watching basketball streaming on their work computers. This year, as companies are revising their compliance programs to try to ensure a risk-based approach to compliance, the NCAA tournament presents a monumental opportunity. Instead of hiring some costly third party to assist in this effort, the NCAA tournament presents a free way to conduct an internal compliance assessment by creating a compliance risk assessment bracket in the style of the ones used leading up to the Final Four.

Here is an example:

The complexity of your bracket will vary depending upon the size of your operations and type of business. The model above is just a starting point, and you may consider including some non-risk areas for the business just to see how they perform. For instance, if your company is a U.S. business with no foreign operations, include the Foreign Corrupt Practices Act in your bracket to see how far it goes.

You also need some instructions to go with your compliance bracket. These can be modified and adjusted to conform to the company. A good place to start might go something like this (subject to state law governing gambling, company policies, and the like):

  1. Announce that the company has officially sanctioned an NCAA tournament bracket this year. The employee who wins the tournament will receive a $10,000 cash prize. (Having an official, company-sanctioned tournament will make it harder for that guy in accounting to prey on employees with little knowledge of college sports by encouraging them to pick teams based on the school colors.)
  2. But here’s the catch: In order to participate in the NCAA tournament bracket this year and be eligible for the $10,000 prize, you also must complete the compliance risk assessment bracket by choosing which compliance areas in your operation/country/business unit pose the greatest risk, generating the Final Four Compliance Risks.
  3. Completing the compliance bracket entitles you to watch one NCAA tournament game on company time—unless Ole Miss goes undefeated in the first three rounds, then each employee who completes the compliance bracket can watch three games. (Employees will do this anyway, so with this admonition, you can try to limit them to one game instead of watching the entire tournament.)
  4. You must submit both the compliance bracket and the tournament bracket before the first tournament game begins. You must choose a compliance subject matter and NCAA basketball winner for each bracket. The winner of the NCAA bracket will be decided by multiplying the number of correct predictions of winning teams in each round by a weighting formula for each round (here those accounting guys come in handy). But note that with the compliance bracket there are no right or wrong choices—we are all winners for filling out the compliance bracket and bringing these issues into sharper focus.

The email announcing the twin tourneys should preferably be sent by someone in operations—an executive would be terrific. (Warning: If the email is sent by the chief compliance officer or general counsel, employees will think it’s a trick and not respond.)

At the end of the tournament, the CCO will appear to be less of a killjoy for facilitating the tournament—and as a bonus, the underground NCAA tournament (with competing brackets and formulations) will end. Employees will be happier, as will be the chief compliance officer and general counsel, who will know that everyone is more aware of compliance concerns and can help make the company compliance program more effective.

Business Ethics: Actions lagging behind proclamations

While more organizations are voicing a commitment to ethical standards, their proclamations do not appear to be matched by their actions, an alarming disconnect that is emerging as financial professionals are facing more pressure to act unethically. The continuing down economy may have something to do with the divide. Challenging competitive and economic conditions have meant that executives are often focusing on more immediate concerns such as cost-cutting. A survey conducted by the AICPA and Chartered Institute of Management Accountants revealed that about 10% to 15% more organizations are providing statements of ethical values and a code of ethics as well as related training, hotlines and incentives such as performance-based rewards. However, corporate leadership seems to be less engaged. There was a reported decline in the number of corporate leaders who held formal responsibility for ethics. Respondents to the survey said they felt more pressure to act unethically during an economic downturn. Of the respondents who reported ethical misconduct, only half were satisfied with how their ethical concerns were handled. Among those who did not report misconduct, the main reason was the perception that reporting the misconduct would not make a difference. Clearly, there needs to be an attitudinal adjustment among those held responsible for reporting unethical behavior.

Contract and Procurement Fraud

The 12 Red Flags of Contract and Procurement Fraud

  1. Repeated awards to the same company.
  2. Competitive bidder complaints and protests.
  3. Complaints about quality and quantity.
  4. Multiple contracts awarded below the competitive threshold.
  5. Abnormal bid patterns.
  6. Agent fees.
  7. Questionable bidders.
  8. Awards to non-lowest bidder.
  9. Contract scope changes.
  10. Numerous post-award contract change orders.
  11. Urgent need or sole source.
  12. Questionable minority or disabled ownership.

Behavioral Red Flags of Fraud Perpetrators

Below are the top behavioral red flags of fraud perpetrators, ranked from highest to lowest:

  1. Living beyond means
  2. Having financial difficulties
  3. Having an unusually close relationship with a vendor or customer
  4. Having control issues and an unwillingness to share duties
  5. Having divorce or family issues
  6. Having a wheeler-dealer attitude
  7. Being irritable, suspicious or having a defensive attitude
  8. Having addiction problems
  9. Having a history of employment problems
  10. Constant complaints of inadequate pay
  11. Refusing to take vacations
  12. Having a history of legal problems
  13. Experiencing excessive pressure for success


That will never happen to us!

As we are already well into 2013, I look back and reflect upon the experiences that I had in 2012. I think what continues to surprise me the most is the cavalier attitude that so many organizations have when the subject of fraud is broached. You would think that, with as much media attention as fraud and embezzlement get, businesses, organizations, and those charged with fiduciary duties would “get it”, but in many cases, far too many cases, they do not. I still hear, over and over, “that would never happen to us”. It almost sounds like a cliche to me anymore and I almost come to expect it. I almost want to respond by saying, “what would it take for you to see it differently, somebody stealing hundreds of thousands of dollars from your organization?” In any case, I continue to forge on, preaching the gospel that “fraud happens”. Maybe I should get bumper stickers and t-shirts with that slogan. Now that is a novel idea!