This one day fraud symposium, sponsored by Baker Tilly’s Global Forensic, Compliance and Integrity Services and Solutions Practice Group and hosted by the Institute of Internal Auditors, Philadelphia Chapter, will include topics such as:
Jonathan is the firm leader of the global fraud and forensic investigations and compliance practice. He has more than 30 years of experience working closely with his clients, their boards, senior management and law firms on global and cross-border fraud and misconduct investigations, including bribery, corruption and compliance matters. He is a well-regarded author and speaker who has gained international recognition for developing thought leadership that has enhanced the profession.
Niki A. den Nieuwenboer, Assistant Professor of Organizational Behavior and Business Ethics, The University of Kansas School of Business
“Tone in the Middle”
We know that leadership matters in fostering ethical conduct at work. However, the focus is often on top level managers and their “tone at the top.” The role of middle managers has remained somewhat of a mystery until now. Niki den Nieuwenboer will discuss her recent study that examined a case where middle managers, in response to upper management pressures, coerced front-line employees to deceive upper management about their performance. She will spotlight the creative role that middle managers played in finding ways to cheat, and discuss implications for ethics management and fraud prevention.
The new DOJ guidance on effective compliance programs is full of requirements to assess risk and manage the compliance program through a risk-based method. Culture is also of importance, and ensuring a culture of compliance is emphasized in the guidance. Having a compliance risk methodology that incorporates compliance, ethics, and culture to identify areas of risk is key to ensuring limited resources get directed to the right place.
“Investigations: Strategies to avoid common pitfalls”
Conducting an effective and thorough investigation into alleged wrongdoing has always been a hallmark of an effective compliance program. Unfortunately, many investigations fail to achieve their intended results.
Ed Broecker will address some of the common pitfalls to avoid in conducting an internal investigation. The session will cover the process from initial intake, appropriate triage of the allegation, and assembling the right team and work plan, through to conducting interviews. It will also address report writing and determining the root cause. The session will highlight many of the shortcomings seen in investigations and offer practical suggestions for addressing them, including issues around bias, privilege, confidentiality/privacy and reporting back to the complainant.
“The Code of Conduct – Effective Policy Development and Management”
The Code of Conduct sets the tone and reinforces the importance of conducting business within the framework of professional standards, laws, and regulations, together with policies, values, and standards. It outlines the values and behaviours that define how organizations do business. It holds people accountable to be open-minded and responsive and to give their best.
Policies & procedures must be in place to safeguard and educate staff, to protect the organization against unnecessary risk, ensure the consistent operation of the business, uphold ethical values of the organization, and to defend the organization should it land in turbulent legal waters.
However, effectively developing and managing policies is easier said than done.
Good policies generally are:
Written in clear, concise, simple language.
Policy statements address what the rule is rather than how to implement the rule.
Policy statements are readily available to the campus community and their authority is clear.
Designated “policy experts” (identified in each document) are readily available to interpret policies and resolve problems.
As a body, they represent a consistent, logical framework for organizational action.
In practice, we know that ad hoc or passive approaches mean that key policies are outdated, scattered across the business, and inconsistent, resulting in confusion for recipients and an insufficient level of governance and reporting for auditors and regulators.
It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation AND understanding of policies across the business.
To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to manage the policy lifecycle. The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management.
Attendees will be guided through a discussion on how to develop and implement an effective policy management process within their organization.
“Whistleblower Activity: What’s Good, What’s Real, What Matters”
Compliance and audit professionals all talk about the need for a strong culture of whistleblower encouragement and protection. This session will review what some new data tells us about whistleblowing and corporate culture, and how risk assurance functions can develop a healthy appreciation for internal reporting.
How do levels of internal reporting correlate to corporate performance?
What types of whistleblower allegations are most likely to be true?
How should boards and risk assurance functions handle whistleblowing, based on what the data tells us?
This session will explore some of the data that Professor Kyle Welch has been crunching, and some of the counter-intuitive findings he has dug up. It will then discuss how those findings should color what compliance, audit, and anti-fraud professionals do in investigations and in working with senior leaders to cultivate a strong internal speak-up culture.
Location Exelon Hall – Just enter the building lobby at 23rd and Market Street and follow the signs down the stairs to Exelon Hall. No building access is needed for access to the hall.
Continuing Professional Education Credits – The Philadelphia Chapter of the Institute of Internal Auditors is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
*Speakers and Topics may change due to a variety of factors. We will do our best to adhere to the agenda.
On November 20th, 2019, The Department of Justice (“DOJ”) announced updates to its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy. While the changes were relatively minor, the modifications underscored important principles surrounding the FCPA Corporate Enforcement Policy.
This latest update follows extensive revisions made in March of this year and the announcement that the FCPA Policy will apply as non-binding guidance for all criminal cases; all reflect DOJ’s continued efforts to promote self-disclosures and provide clarity on DOJ’s approach for companies deciding whether to self-disclose.
There is little doubt the DOJ has landed on a Corporate Enforcement Policy that took years to develop. The FCPA Corporate Enforcement Policy now applies to all corporate criminal prosecutions except Antitrust Division criminal prosecutions, which are guided by the Leniency Program. The DOJ is consistently applying the principles and appears to be very comfortable with the results.
At the same time, DOJ has increased transparency in its resolution of corporate enforcement actions. DOJ now publishes declination letters and provides specific descriptions of how factors are applied to a corporate resolution. Note: At the time of this writing there were six (6) corporate resolutions.
The Policy is intended to encourage corporations to self-report, cooperate and remediate in exchange for a possible declination or significant reductions in penalties. The updated Policy tilts in favor of prosecution of responsible individuals and is part of the DOJ’s commitment to seek out and punish wrongdoers.
The Policy now states that a company must disclose “all relevant facts known to it at the time of the disclosure.” DOJ added a footnote, stating that it “recognizes that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” A company that makes a disclosure while continuing its investigation should make this fact known to DOJ.
Further, to encourage companies to make an early disclosure, the Policy now requires companies to disclose facts “as to any individuals” who played a substantial part in the “misconduct at issue.”
The previous Policy required companies to disclose “all relevant facts” regarding individuals substantially involved in a “violation of law.” A company making a disclosure no longer has to reach a determination (and inform DOJ) that a “violation” occurred at the beginning of an investigation.
Similarly, companies now need only alert DOJ of evidence of the misconduct when they become aware of it. Previously, in order to gain credit, where the company was or should have been aware of relevant evidence outside of its possession, the company had to identify such evidence to DOJ. The Policy has been updated to remove the conditional language, which should ease the burden on companies seeking to comply with the Policy.
According to Mike Volkov, the updates to the Policy highlight DOJ’s desire for self-disclosures that are both substantive and made at an early stage. They are also practical, in particular removing the requirement that a company identify evidence of which it “should be” aware. The changes are in line with other recent DOJ policy changes, seeking to recognize the practical realities of the policies.
With the recent changes to the policy, companies now are obligated only to disclose relevant facts known “at the time of the disclosure” and to provide information regarding any — not all — “individuals substantially involved in or responsible for the misconduct at issue.”
Importantly, companies need not wait to determine that a violation of law has occurred and may report suspected misconduct. As stated in a footnote, this modification reflects the DOJ’s recognition that disclosing companies “may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” In that case, companies are urged to fully disclose suspected misconduct “based upon a preliminary investigation or assessment of information.”
Volkov further stated that these changes are important because DOJ has clarified the precise information that a self-disclosing company must provide to trigger the potential benefits under the policy. From a practical standpoint, companies previously faced a difficult choice: disclose a potential violation based on a cursory investigation, or wait to investigate further and risk DOJ’s determination that the company failed to disclose “within a reasonably prompt time.”
The DOJ’s modification directs companies to report what they know upon discovery of a suspected violation, while making clear to the DOJ that the disclosure is based on preliminary findings.
Under the recent revisions, companies are no longer expected to identify every piece of evidence of which they should have been aware for potential collection by the DOJ. Instead, companies now are obligated only to identify relevant evidence not in their possession of which they actually are aware.
The modifications eliminate some of the risk that DOJ could determine a company was not entitled to cooperation credit when DOJ identifies evidence that the company should have known about.
DOJ’s recent revisions indicate that it is satisfied with its Policy and wants to make it work even better. By addressing some theoretical concerns that may have caused companies not to disclose potential violations, DOJ is taking steps to encourage companies to step forward and disclose potential violations.
Since its introduction as a pilot program and subsequent adoption into the Justice Manual a few years back, the DOJ has continuously honed its FCPA Policy—each time encouraging prompt but thorough self-disclosures.
Boards of Directors and Senior Leadership should take notice of DOJ’s policy changes and DOJ’s attempts to encourage such disclosures and adjust their tactics and strategy accordingly.
Specifically, it becomes even more important to have experienced investigators who can “ring-fence” issues early. This will help in deciding whether or not to self-disclose in order to maximize the potential benefits of the FCPA Policy.
Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.
“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive
If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.
I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.
I will do my best to get back to you quickly.
Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow
Selected Training Programs
Management Override of Internal Controls
The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:
Identify red flags of management overriding controls
Ascertain an approach to auditing for management override
Assess the latest trends and research regarding management override of controls
Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.
Operationalizing Compliance – Master Class with Tom Fox, Esquire
The Master Class developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) and Chief Audit Executive (CAE), Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.
If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.”
Tom Fox, one of the leading commentators in the compliance space, partners with Jonathan T. Marks to bring unique insight into what many companies have done right, and what many have done not so well, over the years. This professional experience has enabled them to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class you will be able to implement or enhance your compliance program, with many ideas at little or no cost.
The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance Program, and using the questions posed in the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training; and using other corporate functions to facilitate cost-effective compliance programs.
Highlights of the training include:
Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
What are the best practices of an effective compliance program;
Why internal controls are the compliance practitioner’s best friend;
How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
Your ethical requirements as a compliance practitioner;
How to document what you have accomplished;
Risk assessments – what they are and how you can perform one each year.
You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.
Ethics and Governance Training
This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.
Corporate Governance During a Crisis
We discuss leading practices in crisis management and present several scenarios that allow participants to work through mock crises. For example: in your first week at your company, you have just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience play different roles within the company (members of the board, legal department, managers, etc.) and work through questions including:
What type of crisis plan do you have, if any?
What to do and how to formulate a plan of action?
Who to call first, how to prioritize tasks, and where to prioritize resources?
Who (internal and external players) to get involved and when to get them involved
What data is needed when a crisis hits?
How to prepare for the media and when to reach out?
How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?
Fraud Risk Assessment Process and Guidance
Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion of fraud and treats the potential for fraud as a principle of internal control.
FCPA (Bribery and Corruption): Building a Culture of Compliance
This session covers why compliance is important and the new guidance issued by the DOJ. We also explore current regulatory enforcement trends, whistleblowers under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, ways an investigation can be thwarted, differences and similarities between the FCPA and the U.K. Bribery Act, and successor liability, and provide the participant with a proven 13-Step Action Plan.
Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.
Third Party Risk Management and Oversight
Third-party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to keep evolving to meet the business and compliance challenges that are constantly arising across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.
Putting the Freud in Fraud: The Mind Behind the White Collar Criminal
To properly fight corporate fraud we need to understand how a fraudster’s “normal” differs from everyone else’s, so that executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected, and by understanding how white-collar criminals look at the world differently, it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program, and significantly reduce the financial and reputational risks associated with fraud.
In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.
Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
Discover what role company culture plays in the commission of fraud.
Hear cutting-edge ideas and methods to help detect and deter fraud.
This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.
Triaging a Whistleblower Allegation
As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips can also expose an organization to increased regulatory risk. While there is no single “right” method for following up on whistleblower complaints, this session discusses why investigating allegations or tips is important, why timeliness matters, and investigation challenges, and provides the participant with a sample approach.
Skepticism: A Primary Weapon in the Fight Against Fraud
What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see, and critically assess all evidence and statements. In this session we discuss the role of independent reviewer or inspector, particularly of your own assumptions: whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and the pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.
Root Cause Analysis
The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms, but rather the root cause(s).
Root cause analysis is a tool to help identify not only what happened and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organization’s compliance program. When you are able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis think critically by asking the right (sometimes probing) questions, applying the proper level of skepticism, and, when appropriate, examining the information (evidence) from multiple perspectives.
This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense,” which gives the audit committee and senior management a better understanding of where the breakdowns occurred.
“What is wanted is not the will to believe, but the will to find out, which is the exact opposite.” – Bertrand Russell, “Skeptical Essays,” 1928
Questions about professional skepticism – how to define it, how much is enough, what policies support it, and what practices diminish it – are perennial topics of concern among auditors and accountants. These topics also should be of concern to all stakeholders, including a company’s management, board of directors, and audit committee.
In any discussion of fraud detection and prevention, the phrase “trust but verify” is almost certain to come up. Regardless of how apt that concept might have been in the context of Cold War diplomacy, it could be argued that “trust but verify” is actually bad advice when it comes to deterring fraud in general.
In fact, “trust but verify” could be a downright dangerous approach when applied to audit procedures in particular. A much better slogan for fraud deterrence would be, “Trust is a professional hazard.”
Skepticism: It’s Everyone’s Job
Recently, the necessity of professional skepticism has been emphasized repeatedly. For example, in August 2013, Jeanette M. Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), said, “Our inspection results all too often show that substantial progress is needed in order to more consistently achieve the appropriate application of professional skepticism throughout the audit process and across audits. Additional efforts are needed to better understand how the framework of professional skepticism applies across varying audit situations.”
Months earlier, the PCAOB issued a staff audit practice alert on the topic, which included this cautionary note: “Observations from the PCAOB’s oversight activities continue to raise concerns about whether auditors consistently and diligently apply professional skepticism. Certain circumstances can impede the appropriate application of professional skepticism and allow unconscious biases to prevail, including incentives and pressures resulting from certain conditions inherent in the audit environment, scheduling and workload demands, or an inappropriate level of confidence or trust in management. Audit firms and individual auditors should be alert for these impediments and take appropriate measures to assure that professional skepticism is applied appropriately throughout all audits performed under PCAOB standards.”
It is not just auditors who must be concerned with maintaining appropriate professional skepticism. This point was stressed during a roundtable convened in April 2013 by the Anti-Fraud Collaboration, which comprises the Center for Audit Quality (CAQ), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Corporate Directors (NACD). The author participated in this program, which had the objective of bringing together some key players – corporate directors, financial executives, external auditors, and internal auditors – from all along the financial reporting supply chain to discuss each group’s expectations and understanding of the various players’ roles in deterring and detecting financial reporting fraud.
Boards, particularly audit committee members, must take care to exercise a skeptical approach to financial reports and supporting information.
A portion of the discussion focused on an initial survey of the four organizations’ members, which produced a number of surprising findings about the attitudes and opinions of the various stakeholders. The roundtable’s summary concluded, “A large majority of survey respondents believe that financial management has primary responsibility in deterring financial reporting fraud, with a smaller majority believing financial management is responsible for detecting financial statement reporting fraud.”
The implication is that because financial management plays a leading role in detecting financial fraud, it is incumbent on executives – not just auditors – to exercise appropriate levels of professional skepticism. Board members and particularly audit committee members also must take care to exercise a skeptical approach to financial reports and supporting information.
Tellingly, 42 percent of the internal auditors said that their organization exhibits more trust than skepticism. This is a particularly troubling admission considering the paramount role that professional skepticism – not trust – must play in auditors’ performance of their duties. The Anti-Fraud Collaboration’s survey also revealed that the various stakeholders’ expectations and opinions about their organizations’ effectiveness in deterring and detecting fraud vary widely. When asked to rate his or her organization’s overall performance, an internal auditor was much less likely to say that his or her organization exhibits the appropriate balance between trust and skepticism. As shown in Exhibit 1, only 46 percent of those affiliated with the IIA said that their organization exhibits the appropriate balance of trust versus skepticism, compared to 58 percent of the financial executives (members of FEI), 70 percent of the external auditors (CAQ members), and 79 percent of the board members (affiliates of NACD) who responded.
Defining the Issue
An obvious early step in helping executives, boards, and auditors decide the appropriate balance between trust and skepticism in their organizations is to come to a general agreement on what professional skepticism really means. The auditing profession, as one might expect, has devoted considerable effort to defining the term.
The IIA, representing the internal audit profession with approximately 180,000 members worldwide, defines professional skepticism as “the state of mind in which internal auditors take nothing for granted; they continuously question what they hear and see and critically assess audit evidence.” PCAOB standards define professional skepticism as “an attitude that includes a questioning mind and a critical assessment of audit evidence.” It requires an emphasis on the importance of maintaining the proper state of mind throughout the audit.
Over the past 10 years, researchers have developed a theoretical model that views professional skepticism as a function of six fundamental characteristics, including a recognition that individuals might have different perceptions of the same information.
Defining skepticism and identifying its primary traits have also been the subjects of considerable academic and professional research in recent years. In November 2013, the Standards Working Group of the Global Public Policy Committee (GPPC), a consortium of large accounting firms, published a research paper on the topic. The publication, “Enhancing Auditor Professional Skepticism,” was written by professors Steven M. Glover and Douglas F. Prawitt of Brigham Young University. The paper’s stated purpose was to develop “a shared understanding of what professional skepticism is, how it should be applied, the threats to professional skepticism and the safeguards that may be cost effective.”
The authors noted at the outset that “the term ‘professional skepticism’ is widely used but may mean different things to different organizations and individuals.” The writers went on to suggest that “to move the dialogue on improving the consistent appropriate application of professional skepticism forward, it is important that a shared understanding be developed regarding what professional skepticism is, how it should be applied and documented in various situations, and how threats to professional skepticism manifest themselves at different structural levels.”
The GPPC research, like many other efforts, draws partly from academic work by Kathy Hurtt, Martha Eining, and R. David Plumlee. In a series of papers over the past 10 years, these researchers developed a theoretical model that views professional skepticism as a function of six fundamental characteristics:
A questioning mind: Not accepting information at face value but instead looking for evidence or proof to justify the information
Suspension of judgment: A propensity to withhold acceptance or rejection until all information has been found and considered
A search for knowledge: As evidenced by genuine curiosity and enjoyment of learning
Interpersonal understanding: Recognizing that individuals might have different perceptions of the same information
Self-confidence: Valuing one’s own insights and being willing to challenge the assumptions of others
Self-determination: The personal initiative to take action based on the evidence
This multidimensional view and a related 30-question survey the authors developed to provide an empirical measure of individual auditors’ relative skepticism have formed the basis of much of the academic research on professional skepticism over the past decade. This view also provides a useful explanation of characteristics and behavior that can be inherently difficult to measure objectively.
Ninety-four percent of board members were confident or highly confident that they exercise sufficient skepticism
An objective of all this research on professional skepticism is to help identify factors that prevent or discourage auditors – and others in the financial reporting supply chain – from developing and maintaining the appropriate level of skepticism. One of the most prevalent factors is simple complacency – as demonstrated by another response to the Anti-Fraud Collaboration’s survey.
As shown in Exhibit 2, survey respondents were asked to assess their confidence that the various groups responsible for deterring and detecting fraud in their organization were exercising a sufficient level of skepticism.
Of all the groups, board members (NACD members) were most complacent about the performance of responsible parties in their organization. They were almost unanimous (98 percent) in expressing confidence that their company’s internal and external auditors exercise sufficient skepticism. Ninety-four percent of board members were confident or highly confident that they exercise sufficient skepticism themselves.
On the other hand, external auditors (CAQ members) were much less confident in others’ performance. Only 73 percent of the CAQ’s respondents were confident or highly confident that financial executives exercise sufficient skepticism of financial results. External auditors viewed board members and audit committees almost identically to executives.
Internal auditors (IIA members) had roughly the same view of financial executives and even less confidence that board members and audit committees demonstrate appropriate skepticism in reviewing financial information. In other words, the views of internal and external auditors differ significantly from the views of executives and board members.
Other Impediments to Appropriate Skepticism
Complacency is only one attitude that could cause an executive, board member, or auditor to exercise insufficient skepticism when considering financial information. The GPPC’s research paper points out several natural tendencies that can lead to faulty judgment or weakened skepticism:
Overconfidence. Decision-makers must be careful not to overestimate their abilities and understanding of issues. Overconfidence can lead them to challenge statements, assumptions, and procedures insufficiently.
Confirmation bias. It’s natural to give more weight to information that confirms our opinions. This inclination can bias a wide variety of auditor judgments and cause executives and board members to see what they expect to see.
Anchoring. Anchoring is the tendency to start with initial values and data that are familiar. An auditor can be influenced inappropriately by the previous year’s account details, for example.
Availability. Information that is easily accessible (or available from memory) is often considered less relevant to a decision than information from alternative sources. As a result, auditors unconsciously might not apply the most relevant information to the audit.
In addition to personal biases, other challenges can inhibit skepticism. For example, an external auditor’s conflicts of interest and less-than-thorough understanding of the business are areas of legitimate concern.
One of the most significant challenges is deadline pressure. An auditor is naturally under substantial pressure to complete the work and issue the report promptly. A cunning fraudster can take advantage of the situation by initially diverting the auditor’s time and attention to areas that are unlikely to raise concerns and saving problematic areas until the engagement’s end, when time is short. Recognizing and resisting this tactic requires the application of professional skepticism – not only on the part of the external auditor but by the others involved in the process as well.
Beyond Audit: What Other Stakeholders Can Do
Although the GPPC’s research focused on auditors, the same observations – and the same potential weaknesses – apply to everyone in an organization who has the responsibility to detect or deter fraud, from executives with financial reporting responsibilities to the board of directors in general and members of the audit committee in particular. Ultimately, all these individuals have a direct interest in detecting fraud or misstatement and a responsibility to be on guard against complacency or other impediments.
The GPPC study’s authors noted, “While auditors can and must do better in their central role, we believe that a complete solution to the problem of enhancing auditor professional skepticism requires an approach that addresses threats at all structural levels and that involves all of the key stakeholders that share responsibility in enhancing the reliability of the financial reporting process.”
It is essential for all organizations to encourage clear, open communication among all parties concerned. The Anti-Fraud Collaboration’s report noted, “For the roles to operate well together, communication is critical.” The authors went on to advocate “open and candid conversation among the internal and external audit functions, financial management, and the audit committee, allowing for audit committees to perform their governance role with necessary transparency and realistic expectations.”
Beyond this general effort, all stakeholders can take a number of specific steps to encourage appropriate levels of professional skepticism, including the following –
Self-criticize each significant judgment. Make it a point to play the role of the independent reviewer or inspector, particularly of your own judgments. A professional skeptic continuously challenges his or her beliefs and belief-based risk assessments. Critical self-assessment is necessary to demonstrate to others why and how beliefs and assessments are justified.
Make an effort to resist complacency and other natural tendencies such as confirmation bias. Question whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations.
Be alert to pressure. Pay particular attention to pressure to truncate risk assessment procedures or make unwarranted assumptions to beat time constraints. This step is especially important as deadlines approach.
Understand the sources of evidence. Identify and assess audit risks from multiple perspectives, using multiple sources of evidence.
Be aware of the relative reliability of various types of evidence. In general, internally generated documents – particularly those that are generated manually or not linked to other reporting systems – are less reliable as evidence than documents generated by external sources such as banks or suppliers. See graphic below.
If, as asserted at the outset, trust is indeed a professional hazard for auditors, then it follows that informed, knowledgeable skepticism is a professional asset. That principle applies not only to auditors but also to the board members and financial executives responsible for detecting and deterring fraud of all types, specifically financial reporting fraud. By challenging their own assumptions – and creating an environment in which such challenges are encouraged and supported – companies will not just deter fraud but make its detection more likely.
We just confirmed our first awesome speaker Niki A. den Nieuwenboer, Assistant Professor of Organizational Behavior and Business Ethics at The University of Kansas School of Business.
You all should know that leadership matters in fostering ethical conduct at work. However, the focus is often on top level managers and their “tone at the top.” The role of middle managers has remained somewhat of a mystery until now.
Niki den Nieuwenboer will lead a robust and enlightening discussion on her recent study that examined a case where middle managers, in response to upper management pressures, coerced front-line employees to deceive upper management about their performance.
She plans on spotlighting the creative role that middle managers played in finding ways to cheat, and discuss implications for ethics management and fraud prevention.
Stay tuned for more announcements about the symposium line-up and registration information as we round out the day!
As the use of whistleblower programs continues to grow, many organizations find themselves struggling to manage burgeoning caseloads. As a result, serious fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips that contain allegations of ethical breaches can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, the most effective approaches often resemble the medical triage programs that hospitals and first responders use to allocate limited resources during emergencies, or a crisis situation. Here are some useful guidelines for designing and implementing a fraud triage system.
The Growing Use of Whistleblower Programs
Despite extensive fraud detection measures, closer management scrutiny, and increasingly sophisticated technology, the most common fraud detection method is still the simplest: somebody notices something suspicious and decides to speak up. According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, 40.0% of the cases reported in their study were uncovered as the result of tips (usually from an employee, supplier, or customer) – more than internal audit (15%) and management review (13%) combined. The ACFE study also demonstrates that dedicated reporting hotlines are particularly effective. In organizations where such hotlines were in place, 46.0% of the cases reported were uncovered through tips, compared with only 30.0% of the cases in organizations without hotlines. These results are consistent with patterns that have been recorded in the ACFE’s biennial survey since its inception 20 years ago. On a broader scale, as a matter of best practice, the COSO Internal Control–Integrated Framework, along with various other enterprise risk management (ERM) frameworks and guidance from the Institute of Internal Auditors (IIA), also emphasizes the importance of establishing and maintaining effective whistleblower programs.
In addition to their demonstrated effectiveness, whistleblower programs have also been promoted through recent regulatory actions. For example, one section of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission to make monetary awards to individuals who voluntarily provide information leading to successful enforcement actions that result in monetary sanctions over $1 million. A few years earlier, the Sarbanes-Oxley Act of 2002 required the audit committees of publicly traded companies to establish procedures to enable employees to submit confidential, anonymous information regarding fraudulent financial reporting activities. Dodd-Frank and Sarbanes-Oxley are only two examples out of a broad range of laws that encourage – and often mandate – whistleblower programs. A 2013 study by the Congressional Research Service found no fewer than 40 federal whistleblower and anti-retaliation laws, designed to protect employees who report misconduct. Eleven of those 40 laws were enacted after 1999. On February 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers, a long-anticipated case that clarifies who is protected as a “whistleblower” under the Dodd-Frank Act’s anti-retaliation provisions. Because the opinion ties “whistleblower” status under Dodd-Frank to reporting to the SEC, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. Now, under Dodd-Frank, an individual is only protected from retaliation if he or she has reported a potential violation to the SEC before he or she separates from the company. Such laws not only make whistleblower programs more common, they also make the timely resolution of tips even more critical, as we are about to explain.
There is momentum today to correct Dodd-Frank.
On July 9, 2019, the U.S. House of Representatives passed H.R. 2515, also known as the Whistleblower Protection Reform Act of 2019 (“WPRA”). The WPRA is designed to address a gap in the whistleblower protections afforded under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010 (“Dodd-Frank”), as interpreted by the Supreme Court in Digital Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018). Specifically, the Supreme Court in Digital Realty Trust ruled that the anti-retaliation provision of Dodd-Frank does not extend to protect employees who only make reports concerning violations of securities laws internally, as opposed to individuals who made a report to the U.S. Securities and Exchange Commission (“SEC”). The WPRA is designed to amend Dodd-Frank to ensure the statute’s protections extend to individuals who make internal reports of securities violations.
Responding to Tips – Why Timeliness Matters
Dodd-Frank, Sarbanes-Oxley, and the various regulatory structures that were established to implement them are helping to mold a corporate environment where undervalued and underappreciated compliance professionals and in-house counsel are incentivized to “blow the whistle.” Such incentives can be helpful in creating a self-regulating environment, but they also make it essential that corporations establish a timely and effective process for remediating complaints. For example, to carry out its mandate under Dodd-Frank, the SEC established a separate Office of the Whistleblower, which has paid out more than $160 million to 46 whistleblowers in connection with 37 covered actions, as well as in connection with several related actions since it was founded in 2011. Three of the ten largest whistleblower awards were made by the SEC during FY 2017.
Under this program, there are exceptions for such personnel if at least 120 days have passed either since the auditor (excluding external auditors who obtained the information during the audit of an issuer) or accountant properly disclosed the information internally (to their supervisor or to another person in the organization who is responsible for remedying the violation, i.e., the audit committee, chief legal officer, chief compliance officer, or their equivalents), or since they obtained the information under circumstances indicating that the entity’s officers already knew of it. After that, they can report the lapse directly to the SEC and be eligible for a sizable whistleblower award – from 10 percent to 30 percent of any fines or sanctions that are collected. The program’s website prominently features headlines such as “SEC Issues $17 Million Whistleblower Award” and “SEC Awards More Than $5 Million to Whistleblower,” to cite only two of many recent examples.
Since the program’s inception, the SEC has ordered wrongdoers in enforcement matters involving whistleblower information to pay over $975 million in total monetary sanctions, including more than $671 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors. With incentives like that, it should be no surprise that whistleblower complaints are on the rise. Yet in most cases, such awards would not have been available if the companies involved had resolved the initial fraud complaints within 120 days.
Unfortunately, our experience indicates that, while many companies invest in tips hotlines and similar whistleblower programs, a large portion of them fail to invest adequately in an allegation review process for promptly evaluating, prioritizing, and responding to the whistleblowers’ tips in a systematic, repeatable, and defensible manner.
As the number of tips grows and investigators’ caseloads expand, complaints end up sitting in a queue waiting to be investigated, while the company remains vulnerable to the risks the tipsters were warning about, and the SEC timeline is running.
A 2018 study of customers of the compliance software company NAVEX Global found that case closure times had risen to 44 days; according to the company’s 2019 study they have since dropped to 40 days. This metric is important given that, under certain agency whistleblower provisions, an organization will have limited time to complete an internal investigation.
Moreover, when the various categories of fraud are compared, cases involving suspected accounting, auditing, and financial reporting fraud took the longest to resolve by far – 55 days! In other words, the average case closure time for cases of suspected financial fraud was almost halfway to the 120-day deadline – the point at which employees are incentivized to report the case directly to the SEC and expose the company to additional, sizable sanctions.
Hidden and Direct Costs of Delayed Response
Even setting aside potential SEC sanctions, delays in investigating whistleblower tips are costly in other ways. Delayed responses to tips can cause employees and other potential sources to lose confidence in the hotline or other whistleblower program, undermining the effectiveness of the compliance and ethics program and adding further complexity to the risk management effort. Most companies expend considerable time, effort, and resources in creating compliance and ethics programs. Failing to establish a system for dealing with allegations or tips in a timely manner can mean those expenditures are probably wasted. There are also direct costs associated with delays in handling tips. The losses resulting from a fraud scheme are directly related to how long the scheme goes on. The ACFE’s 2018 Report to the Nations found that the median loss for frauds that were uncovered in six months or less was $30,000. But at the other end of the scale, schemes lasting more than five years caused a median loss of $715,000. Simply put, the longer perpetrators are able to continue, the more financial harm they are able to cause. Clearly, the absence of an effective program for handling whistleblower complaints promptly and effectively can have a significant and direct financial impact – in addition to the regulatory, employee relations, and reputational risks such a shortcoming entails.
A Triage Approach
While there is no single, one-size-fits-all method for following up on whistleblower complaints, the most effective approaches are similar in many ways to medical triage programs, such as those implemented by hospitals and first responders during emergencies to help medical professionals prioritize the treatment of patients. In medical triage, those with serious, life-threatening injuries are treated ahead of those whose conditions are less severe. In the same way, a fraud triage program helps risk, audit, and fraud professionals prioritize the investigation of tips and whistleblower complaints. Those that indicate serious, material risks are addressed differently and more aggressively than those that reflect mere misunderstandings, minor errors, personal grievances, or false tips, all of which could tie up investigators unnecessarily. Hotline tips or complaints that do not indicate fraudulent behavior can be delegated to human resources, IT, or other line or support functions that are capable of handling them more efficiently. Meanwhile, complaints that involve suspected fraud, but which are less significant in terms of financial losses, control failures or other risks, may be set aside temporarily while larger, more material cases receive immediate attention.
Proper Staging of the Allegation – the Critical First Step
A swift and thorough triage process leads directly to a more appropriate and timely response. The specifics of that response will vary, of course, depending on the nature and severity of the case, but the fundamental elements of the treatment include forming the right team to investigate, understanding root causes, and providing timely disclosure to all constituencies. Before such a response can be planned and executed, however, the tip or allegation must be evaluated or “staged” based on a consistent set of criteria. Navigant’s fraud governance framework identifies five such stages:
Stage 1
Stage 1 allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. These may include employee-to-employee disputes, isolated cases of small-scale employee theft, and the normal policy complaints, misunderstandings, and personal disagreements that are often raised through a whistleblower program. In most cases, these complaints are best handled by human resources or management personnel.
Note: Human Resources and management should be trained on proper investigation protocols, including the escalation process. A basic level of review should be performed and documented to corroborate that no further investigation is warranted. This review and documentation could be performed by a branch or office manager. For an employee who is the target of such a complaint, management should consider placing that employee on a temporary legal hold, which triggers the retention of email and other documents until the risk of retaliatory litigation has passed.
Stage 2
These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. If the allegation is substantiated, then the result of the remediation process is a change to a business process or business rule, followed by an enhancement of the company’s preventive or detective internal controls. Because they indicate a deficiency in internal controls, such allegations are escalated to the internal audit function in order to obtain a deeper understanding of the control environment. Internal audit should evaluate what controls are currently in place, and determine where the breakdown in internal controls occurred. It is also important to assess if the allegations are signs of a bigger problem or if they could have an impact on financial reporting. If financial reporting is affected, sensitivity testing must be performed to calculate the low case, medium case, and worst case financial impact. Internal audit’s review also might identify multiple violations. Again, the employees affected should be put into a legal hold which triggers the retention of email and other documents until the risk of litigation passes. In some cases, employee termination may be warranted.
Stage 3
These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. Such cases require the same level of investigation as Stage 2 cases, along with an internal investigation that usually is conducted under the direction of the general counsel, involving compliance and internal audit as well. In some instances, the investigation might need to be performed independently by a function or person who is not directly involved in the control environment.
Stage 4
These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. Such cases are generally addressed through an internal investigation, usually under the direction of outside counsel operating under privilege. The investigation often involves the use of independent, outside experts as well.
Stage 5
These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. In such instances, the board generally should engage outside counsel and forensic investigation experts to initiate a privileged and confidential fact-based investigation. The external auditors may also be involved and a disclosure to the SEC may be required. It’s important to note that, in both Stage 4 and Stage 5, engaging outside experts is generally necessary. Other critical elements of the Stage 4 and Stage 5 responses include having a qualified and experienced investigation team, along with a time-phased work plan that minimizes disruptions to the organization’s day-to-day business as much as possible. The investigators will begin with fact-finding interviews to help them evaluate who else to interview and when. The investigators will also help the company identify a list of custodians who will be interviewed to understand where their data was being saved (for example, on email servers, mobile phones or other devices, flash drives, cloud servers, and network folders). Generally, a large-scale data collection effort will then ensue in order to search and preserve all potentially relevant information. The goal is to determine who knew what and when, and how high up the chain the knowledge went. The investigation will also assess whether the audited financial statements can be relied upon, so that counsel and board members can determine what disclosure requirements might apply. In addition, where internal control issues are noted, outside counsel can also recommend, and assist with, new or enhanced policies, procedures, and controls.
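To show how the five stages and the 120-day window described above translate into a repeatable allegation log, here is an added illustration in Python; it is not Navigant’s or Baker Tilly’s own tool. The stage criteria and the 120-day figure come from the text; the attribute names, the routing wording, the 60-day “at risk” threshold and the sample tips are assumptions constructed for this example.

```python
"""Allegation triage and ageing check (added illustration, not the firm's own code).

Stage criteria and the 120-day window follow the text above. Attribute names,
routing text, the 60-day alert threshold and the sample tips are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEC_WINDOW_DAYS = 120   # from the text: after 120 days the reporter may go straight to the SEC
AT_RISK_DAYS = 60       # assumed: warn once half the window has elapsed

# Owning function for each stage, paraphrased from the stage descriptions above.
ROUTING = {
    1: "human resources / line management (document a basic review)",
    2: "internal audit (evaluate controls; sensitivity testing if financial reporting is affected)",
    3: "general counsel with compliance and internal audit (independent investigator if needed)",
    4: "outside counsel under privilege, with independent outside experts",
    5: "board engages outside counsel and forensic experts; external auditors / SEC disclosure",
}


@dataclass
class Allegation:
    case_id: str
    received: date
    alleges_fraud: bool               # theft, falsified expenses, embezzlement, bribery ...
    control_design_deficiency: bool   # tip points at a gap in how controls are designed
    control_override: bool            # an existing control was overridden
    financial_statement_impact: bool  # could affect completeness/accuracy of audited financials
    reputational_impact: bool
    senior_management_involved: bool
    closed: Optional[date] = None


def stage(a: Allegation) -> int:
    """Map an allegation to Stage 1..5, testing the most severe criteria first."""
    if a.senior_management_involved or a.reputational_impact:
        return 5
    if a.financial_statement_impact:
        return 4
    if a.control_override:
        return 3
    if a.control_design_deficiency or a.alleges_fraud:
        return 2
    return 1


def legal_hold(stage_no: int) -> str:
    """Stage 1: consider a temporary hold on the target; Stage 2 and up: hold affected employees."""
    return "consider" if stage_no == 1 else "required"


def days_open(a: Allegation, today: date) -> int:
    return ((a.closed or today) - a.received).days


def ageing_status(a: Allegation, today: date) -> str:
    """Flag open cases against the 120-day window; closed cases are reported as closed."""
    if a.closed is not None:
        return "closed"
    d = days_open(a, today)
    if d >= SEC_WINDOW_DAYS:
        return "window-elapsed"
    if d >= AT_RISK_DAYS:
        return "at-risk"
    return "on-track"


def triage_log(allegations, today: date):
    """Build the allegation log a board would review: highest stage first, then oldest first."""
    rows = []
    for a in allegations:
        s = stage(a)
        rows.append({
            "case_id": a.case_id,
            "stage": s,
            "route_to": ROUTING[s],
            "legal_hold": legal_hold(s),
            "days_open": days_open(a, today),
            "status": ageing_status(a, today),
        })
    rows.sort(key=lambda r: (-r["stage"], -r["days_open"]))
    return rows


# Constructed sample tips (not real cases) for a run-through.
TODAY = date(2019, 9, 1)
SAMPLE_TIPS = [
    Allegation("T-001", date(2019, 8, 20), False, False, False, False, False, False),  # holiday-work complaint
    Allegation("T-002", date(2019, 6, 1), True, True, False, False, False, False),     # recurring expense falsification
    Allegation("T-003", date(2019, 4, 1), True, False, True, False, False, False),     # mid-level bribery, control override
    Allegation("T-004", date(2019, 7, 15), True, True, True, True, False, False),      # revenue misstatement, no senior mgmt
    Allegation("T-005", date(2019, 8, 25), True, False, True, True, True, True),       # CFO implicated
    Allegation("T-006", date(2019, 3, 1), True, True, False, False, False, False, date(2019, 4, 10)),  # closed in 40 days
]

if __name__ == "__main__":
    for row in triage_log(SAMPLE_TIPS, TODAY):
        print(row)
```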
Ownership, Responsibility and Follow-Up
Obviously, the triage staging system described here is not the only plausible methodology an organization can use for evaluating allegations of wrongdoing and planning appropriate responses. Other thought leaders in the field have proposed evaluating tips according to various other criteria such as the severity of the allegation, the specificity of the information it contains, and similar factors. Ultimately, whatever triage process and framework is chosen, it will need to be customized to reflect the company’s particular situation and its particular industry. In many instances, boards may choose to combine elements from several approaches.
Regardless of the specific criteria upon which the system is based, the importance of maintaining written policies and procedures cannot be overstated. Moreover, in all cases it is important that the responsibility for developing, implementing, and maintaining the triage response system be clearly defined. The assignment of this responsibility will vary as well, depending on the size and nature of the organization, its governance structure, the volume of whistleblower complaints and other factors. It could fall to internal audit, the corporate general counsel, a board committee, a designee of the CFO, or some other person or group – but in all cases it’s essential to have a designated individual or business function that is responsible for initially capturing complaints and performing the triage of the allegation(s).
Once the framework is set and data is being collected, it’s also important to step back and periodically assess what the data is saying. For example, if the complaint hotline is bombarded with a high frequency of inconsequential complaints related to minor personnel disputes, uniform violations, or employees complaining about having to work a holiday, then it may be time to provide additional training on how the complaint hotline is to be used. An increase in sexual harassment complaints or complaints related to substandard working conditions could provide an early warning of a potential class action lawsuit. Similarly, an increasing number of reports of low dollar employee theft is usually a sign of a larger cultural problem. Evaluating the data and trends captured in your complaint system can help you make decisions that could prevent the next “big event.” In that sense, an effective, well-designed, and consistently executed fraud triage effort can pay even bigger dividends that go beyond the direct benefit of helping you evaluate and prioritize tips and complaints more efficiently.
Lastly, as facts come to light, there might be a need to escalate the allegation. If an investigation starts with human resources or internal audit, they should be trained on what to do if the matter intensifies!
Matters that generally require escalation include, but are not limited to:
Violation of law – antitrust and competition, anti-bribery and corruption, employment discrimination and harassment, fraud against third parties by employees
Accounting, books and records – public financial reporting, internal financial reporting and disclosure, insider trading, SOx, Dodd-Frank
Environmental, health, safety
Any employee theft, misappropriation, or fraud against the organization in excess of $$$$$$$
Code of Conduct violations by the executive leadership team
Misconduct by Legal, Ethics and Compliance employees – failing to investigate or stopping an investigation
Third party frauds against, or thefts from, the organization
Care should be taken, and consultation with legal counsel and compliance is a wise move, unless they are or appear to be involved, in which case go directly to the Board of Directors.
Board members: I would seek to understand the escalation process, and I would review the allegation log to ensure investigations are being done in a timely manner, you are being briefed on all serious matters, proper discipline has been applied, and internal controls are installed or enhanced to try to prevent and detect possible future bad or “carryover” behavior!
I welcome your comments and suggestions.
Jonathan T. Marks
This material is protected by Copyright Laws and may not be reproduced in any form without my express written permission.
This e-book is intended as a guide for Chief Compliance Officers (CCOs) and those responsible for developing and implementing compliance policies and procedures for an organization. Compliance, when done properly and embraced fully, should be seen as a necessary business process. It is our vision that companies have more than a best-in-class compliance program going forward.
The time is now for companies to take the next step and make compliance a part of the business process of the organization. This would not only allow companies to meet the Department of Justice’s requirement that compliance programs be more fully operationalized, but it is our firm belief that a more effective compliance program will make the company’s internal controls operate more efficiently and enable it to operate more profitably. With the increased efficiencies for compliance offered by data analytics and AI, a robust compliance program can reveal internal commercial inefficiencies, which can be remediated for a greater return from assets.
Some of the biggest mistakes made when handling a crisis are not dealing with the problem head on, thoughtless or insincere comments, lack of communication with stakeholders, unprepared spokespeople, getting defensive after receiving backlash, or sitting back and letting the problem grow. Domino’s, Sony, Samsung, BP, United Airlines, Equifax and KFC are all good examples of companies that stumbled with crisis management. Organizations should study these crises and learn from the mistakes!
In today’s environment, organizations of all types face a variety of threats to their operations. Some risks can be planned for, monitored, and mitigated, but other high-impact, hard-to-predict events are occurring more often.
I’ve been around some horrific corporate or organizational events and I will say that when the heat gets turned up, the executive leadership team sometimes “melts like butter in a hot pan”.
Crisis readiness has taken on increased importance and urgency for boards and management teams. The list of potential crises that organizations can find themselves facing today looms large (see sample list below).
Thanks to social media, the speed with which news of a crisis, whether accurate or inaccurate, can spread is literally reduced to minutes, making the organization’s ability to respond quickly and effectively critical.
Root cause analyses of numerous crises have revealed that a board’s involvement and oversight is often questioned when an organization’s response is deemed to have fallen short. This is particularly true in cases where early warning signs were ignored or the crisis was attributable to the organization’s culture or tone from the top.
While not every crisis causes harm, an organization’s response can itself create major business risks.
The key message or “truth cocktail” for boards is generally this: you are overconfident and underprepared. In addition, many boards need to realize that crisis prevention (enterprise-wide risk assessment) is integral to crisis readiness and response.
Boards are generally not truly crisis-ready!
Crisis prevention goes hand-in-hand with risk management, as risk management involves identifying and anticipating the likelihood, impact and speed of onset of risk events that could become crises, and implementing programs and a system of controls to prevent and respond to such risk events and mitigate their impact.
Risk assessments should be done at the speed at which risks are introduced and at the cadence of the organization, not at a prescribed interval!
Crisis Readiness and Response
A key role for the board is to work with management to develop and approve a robust crisis response plan tailored to the company’s specific risk profile, periodically engage in disaster rehearsal exercises, and test and refresh the response plan as appropriate. A pivotal component of any crisis response plan is the communication protocol, which should address the following questions at a minimum:
Who gets notified—for example, the board, trusted advisors, regulators, customers, shareholders, or other stakeholders—and when?
What channels will be used to communicate internally and externally?
How will the organization monitor and manage reputational issues, particularly via social media?
Just planning is not enough!
Even the best-prepared organizations will experience a crisis—and there’s rarely a perfect response. The ability to avoid disaster—and to avoid mismanagement of the situation—will largely be determined by the effectiveness of the organization’s crisis prevention efforts, crisis response plan, proper training of the crisis team, and leadership to effectively manage the crisis.
Practice, practice, practice… regularly conduct disaster rehearsal exercises or crisis management simulations that are impactful and help reveal blind spots that can be remediated, and that ultimately prepare you and your team for not if, but when, something ugly happens.
Reach out to find out more about how we can help you communicate trust when a triggering event occurs.
Copyright 2019 JT Marks
Some Triggering Events
Alleged fraud or an ethics violation
Whistleblower retaliation claims
Workplace violence or harassment
Regulatory enforcement action
Merger or acquisition dispute
Product safety and recall
Data security breach
Intellectual property theft
Loss of key leadership or staff
Supply chain interruption and distress
Key Elements of a Crisis Plan
Key principles and policies for crisis management
Identified command post and backup that is fully functional
Designated chain of command
Response modules that contain crisis communication templates and materials
Crisis management team activation protocol and process
Guidelines to help develop a crisis communication strategy
An online infrastructure for crisis communication
Key contacts internally and externally
Backup resources
Disciplined post-crisis review
The key requirement is the process and tools must be easy to apply to the situation.
Understand human behavior, and recognize that getting past denial and acknowledging that a crisis exists is usually the most challenging step! Organizations often misclassify a problem, focusing on the technical aspects and ignoring the issue of perception, which we all know can become reality in the blink of an eye.
Don’t think of crisis management as a magic trick. The odds of pulling a rabbit out of a hat when a crisis is in play are remote.
I welcome your thoughts and comments, but realize the awareness of risks or threats is not the same as being able to effectively deal with them!
If you want to reinforce your learning, then listen to the podcast on this topic by clicking here.
A significant June 2019 decision by the Delaware Supreme Court interpreting the Caremark doctrine that limits director liability for an oversight failure to “utter failure to attempt to assure a reasonable information and reporting system exists” prompts this update.
The Court said that in order to “satisfy their duty of loyalty,” “directors must make a good faith effort to implement an oversight system and then monitor it” themselves, because the existence of management-level compliance programs alone is not enough for the directors to avoid Caremark exposure.
The Delaware Supreme Court reversed the Delaware Court of Chancery’s dismissal of a Caremark claim that arose out of the Blue Bell Creameries’ (“Blue Bell”) ice cream listeria outbreak where there was an alleged pattern of disregarded food-safety warnings. The Delaware Supreme Court’s opinion in this closely watched case provides useful guidance to directors about the proper role of the board in overseeing risk management and compliance programs.
Breach of Duty
Caremark defines a director’s duty of care in the oversight context and is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management. Caremark defined duty of care as “the care an ordinarily prudent person in a like position would exercise under similar circumstances”.
The Caremark decision built a high wall for plaintiffs to scale in asserting a board’s failure to comply with duty of care and loyalty standards. A landmark case before the Delaware courts in 1996, the decision written by the Court of Chancery of Delaware for In re Caremark International Inc. clarifies the board’s duties in relation to its oversight activities. The court outlined what plaintiffs must prove when claiming that directors breached their duties, notably that:
Either the directors knew or should have known that violations of the law were occurring; and, in either event,
The directors took no steps in good faith to prevent or remedy that situation; and
Such failure resulted in the losses alleged in the complaint.
Recently, the Delaware Supreme Court overturned and remanded a decision by the Chancery Court, ruling that a plaintiff had indeed scaled the Caremark standard in their complaint. The case, Marchand v. Barnhill, No. 533, 2018 (Del. June 18, 2019), involved the directors and officers of Blue Bell Creameries (“Blue Bell”). Founded in 1907, the creamery produces a product lineup that includes Blue Bell Ice Cream, Light Ice Cream, No Sugar Added Ice Cream, Sherbet and frozen snacks that are manufactured and distributed to supermarkets and food stores through Blue Bell’s direct store delivery program.
On April 20, 2015, Blue Bell voluntarily recalled all of its products from supermarket and food store shelves and shut down all production operations after the Centers for Disease Control and Prevention (“CDC”), the U.S. Food and Drug Administration (“FDA”) and several state health agencies found evidence that linked listeriosis (“listeria”) to Blue Bell Creameries products. Listeria is a life-threatening infection caused by eating food contaminated with the bacterium (germ) Listeria monocytogenes. The germ infected ten (10) people with several strains of Listeria and resulted in the reported deaths of three (3) people. As the organization’s revenues dropped precipitously, it terminated more than half of its workforce and ceased paying distributions to its limited partners. Ultimately, Blue Bell was fined by government authorities for poor safety policies and practices.
Blue Bell suffered further losses because, after the operational shutdown, it faced a liquidity crisis that forced it to accept a dilutive private equity investment. The plaintiffs in this case brought a complaint that two key executives (the President & CEO and the Vice President of Operations) and the board had breached their fiduciary duties.
The complaint alleges that the President and CEO and the Vice President of Operations breached their duties of care and loyalty by knowingly disregarding contamination risks and failing to oversee the safety of Blue Bell’s food-making operations, and that the directors breached their duty of loyalty under Caremark.
The court was compelled to decide in the plaintiff’s favor due to evidence of the simplicity of the organization’s business model; the industry-specific risk of food safety; the lack of board oversight of food safety issues; and the absence of protocols by which the board expected to be advised of developments in this risk area.
It was concerning to the court that when “yellow and red flags about food safety were presented to management, there was no equivalent reporting to the board and the board was not presented with any material information about food safety” during the critical period leading up to the three deaths. In the court’s view, these facts created “a reasonable inference that the directors consciously failed to attempt to assure a reasonable information and reporting system exist[ed].”
The Caremark standard is burdensome for the plaintiffs’ bar to overcome. Indeed, it was stated in a footnote of the Marchand v. Barnhill ruling that “[under Delaware] law, director liability based on the duty of oversight is possibly the most difficult theory… upon which a plaintiff might hope to win a judgment.”
The key Delaware Supreme Court determinations, both fact-driven, were:
Independence. The Supreme Court held that one director, viewed by the Court of Chancery as independent, was not independent based on the allegations in the complaint. As a result, the court found that a majority of the board was not independent and disinterested for purposes of the board’s consideration of a stockholder demand to file a lawsuit against directors and officers.
Oversight. For purposes of denying a motion to dismiss by the organization, the facts alleged by the plaintiffs were sufficient to satisfy the high Caremark standard for establishing that a board breached its duty of loyalty by failing to make a good faith effort to oversee a material risk area, thus demonstrating bad faith.
Some Guidance for Directors
Marchand is a noteworthy decision, both because it illustrates the outer bounds of directors’ oversight duties and because it represents a rare instance of prospective Caremark liability.
The specific deficiencies at Blue Bell listed by the Court serve as a helpful guide to the minimum best practices under Delaware law: a board should consider
Dedicating a committee to its main compliance risks;
Establishing protocols requiring management to keep it apprised of compliance practices, risks, and reports;
Setting a schedule to assess its main compliance risks on a regular basis;
Formulating procedures for the communication of red or yellow flags to the board and memorializing the associated discussions in board minutes; and,
Arranging for and documenting regular discussions of compliance risks at board meetings.
Review Your Public Filings
Given that the risk factors listed in Form 10-K generally represent the organization’s core areas of concern, directors should review their organization’s recent public filings and evaluate whether the organization has an adequate board-level oversight process in place to address the relevant risk factors.
Monitoring and reporting systems
A board-level compliance monitoring system directed at and overseeing the organization’s central compliance risks must be in place. The Court made clear that, where appropriate board-level oversight systems exist, Caremark claims generally fail. The compliance system must be implemented in good faith, must be governed by appropriate procedures, and must be tailored to the organization’s business and its core compliance risks.
Compliance risk is the threat posed to an organization’s financial, organizational or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand risk exposure, many organizations should review and improve upon, or implement, a comprehensive risk assessment process that fully incorporates compliance risk exposure. The assessment should be performed by subject matter experts along with appropriate business and functional personnel in order to achieve successful results.
Never truncate the oversight process by merely listing risks.
Align the board’s oversight and risk mitigation efforts with the organization’s most significant risks, given its strategy and business model. Listing the organization’s risks or documenting them in a heat map from time to time, but failing to identify key risk indicators, assign ownership and implement mitigation efforts, falls short of effective oversight. A well-conducted risk assessment will identify and prioritize the most critical risks and enable the assignment of resources to effectively and efficiently mitigate these top risks.
Allow time on the board agenda for risk oversight, and set risk escalation and monitoring protocols.
Executives responsible for managing risk should be positioned to succeed with policies, processes, reporting, and systems appropriate to the industry. Risk management issues should be discussed regularly. In understanding who is responsible for the key risks, the broad strokes of the risk responses in place, and the nature of arising issues, the board should ask questions to satisfy itself that mission-critical matters are escalated to its attention in a timely manner, especially those related to compliance.
Pay attention to culture.
Organizational culture and performance incentives were highlighted as areas of concern in the case against Blue Bell because it was inexplicable to stakeholders that management did not inform the board of the matters in question. The board must have confidence that management will act promptly to inform it when mission-critical issues of any nature arise. Setting specific and clear expectations of management and of the risk owners tied to mission-critical risks, and including relevant topics at regularly scheduled meetings, will help the board attain that confidence and nurture a culture of trust, openness, transparency and timely communication about emerging problems. Companies are encouraged to conduct cultural assessments to help identify their risk culture, their level of transparency for reporting concerns, and their ability to promptly respond to complaints or concerns.
Delineate full board and standing committee roles.
The complaint against Blue Bell Creameries alleges that, despite the importance of food safety, the board had no committee overseeing it, no full board-level process to address it, and no protocol by which the board expected to be advised of developments relating to it. When delegating responsibilities to its committees, the full board should ensure the appropriate committee covers the key risks—whether it currently exists or has to be created and newly chartered—and that information flows are sufficient to apprise the full board of critical matters.
According to the court, “minutes from the board’s […] meetings are bereft of reports on the listeria issues […] [and] revealed no evidence that these were disclosed to the board.” The court’s findings suggest an expectation that management will escalate mission-critical matters to the board on a timely basis, that the board will set protocols for such escalation, and that there will be evidence in the minutes that such matters were discussed by the board. It was troubling to the court that the board left the organization’s response to the listeria outbreak to management instead of holding more frequent emergency board meetings to provide ongoing updates to board members.
The Blue Bell Creameries case is based on unique facts related to food safety and compliance matters. Nonetheless, the court’s decision might be more than a metaphorical “shot across the bow” and a real warning for boards to ensure their risk oversight processes meet or exceed fiduciary standards and take into account the unique regulatory demands of the industry.
The Delaware Chancery Court’s decision in In re Caremark has greatly influenced the growing field of Compliance as a legal subject and field of practice over the past 20 years. That being said, having active and engaged board oversight in the areas of risk and compliance is a must!
About 48 million people in the U.S. (1 in 6) get sick, 128,000 are hospitalized, and 3,000 die each year from foodborne diseases, according to recent data from the Centers for Disease Control and Prevention. This is a significant public health burden that is largely preventable.
The Food Safety & Modernization Act (FSMA) is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. Such acts, while not likely to occur, could cause illness, death, and economic disruption of the food supply absent mitigation strategies. Rather than targeting specific foods or hazards, this rule requires mitigation (risk-reducing) strategies for processes in certain registered food facilities.
This rule applies to both domestic and foreign companies that are required to register with the FDA as food facilities under the Federal Food, Drug, and Cosmetic (FD&C) Act.
This rule is designed to primarily cover large companies whose products reach many people, exempting smaller companies. There are 3,400 covered firms that operate 9,800 food facilities.
With the help from a true friend, Tom Fox, I am entering the world of Podcasting.
I will be developing at least three Podcasts per month that will focus on pervasive governance and fraud issues impacting Boards and their organizations. One objective is to help the practitioner go from detection to prevention, if possible, so that a crisis can be thwarted.
Click here for the Podcast feed. I welcome your feedback and suggestions.