Over this week I have been blogging about fraud issues in 2021 and beyond with Joanne Taylor, a Managing Director at K2 Integrity, and Ray Dookhie, a Managing Director in K2 Integrity’s Investigations and Risk Advisory practice. We considered some of the top fraud trends you might expect to see in 2021, what the regulatory landscape may well look like in 2021 and how best to detect and prevent fraud. Today, I want to consider how to remediate if fraud is discovered.
We are seeing a renewed focus by the regulators on compliance program effectiveness. One of the key elements of program effectiveness is how well an organization identifies, investigates and remediates potential compliance issues. The same principle holds true in the fraud risk management process. Dookhie noted that the Securities and Exchange Commission (SEC) had yet another record-breaking year in whistleblower awards. He believes this puts additional pressure on organizations to have a protocol in place to prevent, detect and then remediate any fraud claim which may arise.
Dookhie cautioned it is more than knowing “how to report and where to report”. It is also about “how to actually conduct the investigation and the root cause analysis.” For instance, does your organization have a triage process? He explained that in the fraud space, just as in the medical arena, “we need to be able to triage fraud issues or compliance issues as they’re coming in the door”. Triage means asking such questions as “What’s the issue here? What are the underlying compliance issues? What are the underlying fraud issues and who to best deal with this issue, which specialist, or which compliance expert should be dealing with this type of issue?”
He also believes that a root cause analysis is critical for a company to determine not only how a fraud event may have occurred but, more importantly, how to remediate the violation. This will be of great interest to the regulators, whether the SEC or lawyers at the Department of Justice (DOJ). An organization must be able to show that it “had all of these issues and we have now fixed them.” Or in short, “What went wrong? How did it actually go wrong?”
The questions to ask include “Was it a policy issue? Was it an internal control issue? Was it a lack of understanding of the responsibility on behalf of the employee? Did we hire a wrong person?” Dookhie stated, “I think under all of these scenarios, understanding the root cause problems when you are sitting across the table from regulators, is critical.” You are able to answer the questions of what happened, how it happened and when it happened. Equally important, “here is how we are going to fix it, going forward. And I think that to me, is a key concept there that root cause analysis key concepts in identifying and correcting issues in your organization.”
The next step, after investigation and root cause analysis, is remediation. Here Dookhie said you need to be able to demonstrate the effectiveness of your compliance program after you have sustained a failure. “One aspect is that you want to be able to say that we have fixed the problem.” The second aspect is applying fair and equal penalties or sanctions against those individuals who committed the fraud or the misconduct. It does an organization no good with the regulators when executives who commit fraud receive a simple “slap on the wrist. Yet when an employee commits fraud, they are terminated immediately.” Dookhie believes “a fair remediation to the issue at hand” is critical.
The next step would be a decision to self-disclose or not. What are your organization’s protocols for disclosing? This includes some of the topics we previously discussed such as a “thorough and complete investigation so that the decision makers understand the magnitude of the problem.” You need to make sure that the right people are sitting at the table if it is time to disclose. From there a reasonable decision can be made.
Dookhie concluded that with the change in the regulatory landscape in 2021, under the Biden Administration, there may well be added exposure for compliance officers and organizations. In the area of fraud risk management, he suggested companies “dust off the anti-fraud program, dust off the compliance program, do a risk assessment, understand the gaps in their potential controls, where were areas where they may not be as strong, and think about whether or not you need to enhance the compliance controls.”
The three prongs of every compliance program are prevention, detection and remediation. The same three criteria apply to a fraud risk management solution. In light of the changes brought by the Covid-19 pandemic and attendant economic fallout, businesses need to be ready for new fraud schemes. Prevention, detection and remediation are key elements of your overall risk management portfolio.