Legal compliance in the corporate world is, in some ways, similar to earthquake preparedness in the layman’s world. On 11 March 2011, few people had an earthquake kit prepared. On 12 March, most everyone had their earthquake kit and you could see the sidewalks filled with people wearing hardhats. Such is human behaviour. We reach our most heightened state of preparedness after a crisis takes place.
Corporate compliance is not dissimilar. Only after the media hears of an incident of large-scale internal fraud—a “lone” rogue banker gone awry or an executive caught embezzling—do many corporations pause to more than superficially examine their compliance and internal controls.
An organisation can write a manual on ethical behaviour, as an exercise, but it does little to change the behaviour of employees. Without robust internal policies and control mechanisms in place, an organisation is vulnerable.
Twenty-three years of conducting internal fraud investigations, as well as helping to design and implement policies and procedures to protect against these attacks, has afforded me the advantage of seeing disingenuous fraudsters’ tricks, which can then be applied to proactive preventive measures to make corporations more resilient.
The problem is human behaviour. People and corporations put more time, energy and money into reacting to, than preventing, crises. Some things, such as natural disasters, cannot be prevented. Illegal and unethical behaviour, with adequate corporate compliance policies, can be quickly identified and mitigated.
What a compliance programme should comprise:
• Standards, policies and procedures specific to your organisation that do not unreasonably impede your employees from carrying out their respective jobs.
• Standards, policies and procedures specific to your organisation that protect, prevent and detect criminal/ civil abuse as defined by the applicable jurisdictions in which the organisation conducts business.
• Employee training that clearly defines corporate policy and unethical or illegal behaviour.
• Whistleblower policy that protects from retaliation any employees who report unethical or illegal activity.
Whistleblower protection is both a key to, and missing component of, many compliance programmes. Examination of historical cases of fraud and unethical corporate behaviour reveal a large majority involve cooperation of, or collusion, by employees.
As we also know, they still fall victim to cases of large-scale internal fraud. A well-communicated whistleblower policy should be a component of an effective compliance program.
Take cases involving Mitsubishi Motors Corporation (faulty break systems), Snow Brand Inc. (food poisoning, mislabelling and selling old milk) and Livedoor (manipulation of stock price). In none of these cases was it possible for the culprits to act alone, and this is where a robust compliance and whistleblower programme could have saved the firm from embarrassing media coverage, consumer backlash, and jail sentences for the firm’s executives, not to mention millions of dollars in fines and lost profit.
If, during the course of an internal investigation, abuse or illegal activity is detected, voluntary disclosure is always encouraged. In addition, installing a legal counsel (external) to protect the findings of your internal investigation, such as employee confessions and testimonials under attorney-client privilege, is strongly advised.
A corporation or individual guilty of wrongdoing may destroy incriminating evidence, as may have occurred recently when a government agency announced they were preparing to raid a corporate head office as part of a large and infamous case of corporate fraud in Tokyo. Did they destroy evidence? If so, will the authorities be able to detect it?
A preferred method would be to work with a private firm, such as 360 RMG, which can facilitate a search warrant. The warrant will allow (with oversight) forced entry to seize incriminating evidence which might otherwise be destroyed. Resistance in these types of seizures is unwise but not uncommon.