Tag Archives: reputational risk

The Conflicted Board

Our last post about cyberfraud and business continuity elicited a comment about the vital role of corporate governance from an old colleague of mine, now retired and living in Seattle. But the wider question our commenter had was, ‘What are we as CFEs to make of a company whose Board willfully withholds for months information about a cyberfraud which negatively impacts its customers and the public? From the ethical point of view, does this render the Board somehow complicit in the public harm done?’

Governance of shareholder-controlled corporations refers to the oversight, monitoring, and controlling of a company’s activities and personnel to ensure support of the shareholders’ interests, in accordance with laws and the expectations of stakeholders. Governance has been more formally defined by the Organization for Economic Cooperation and Development (OECD) as a set of relationships between a company’s management, its Board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set (including its ethical objectives), and the means of attaining those objectives and monitoring performance. Good corporate governance should provide proper incentives for the Board and management to pursue objectives that are in the interests of the company and its shareholders, and should facilitate effective monitoring.

The role and mandate of the Board of Directors is of paramount importance in the governance framework. Typically, the directors are elected by the shareholders at their annual meeting, which is held to receive the company’s audited annual financial statements and the audit report thereon, as well as the comments of the chairman of the Board, the senior company officers, and the company auditor.

A Board of Directors often divides itself into subcommittees that concentrate more deeply in specific areas than time would allow the whole Board to pursue. These subcommittees are charged with certain actions and/or reviews on behalf of the whole Board, with the proviso that the whole Board must be briefed on major matters and must vote on major decisions. Usually, at least three subcommittees are created to review matters related to (1) governance, (2) compensation, and (3) audit, and to present their recommendations to the full Board. The Governance Committee deals with codes of conduct and company policy, as well as the allocation of duties among the subcommittees of the Board. The Compensation Committee reviews the performance of senior officers, and makes recommendations on the nature and size of salaries, bonuses, and related remuneration plans. Most important to fraud examiners and assurance professionals, the Audit Committee reviews internal controls and systems that generate financial reports prepared by management; the appropriateness of those financial reports; the effectiveness of the company’s internal and external auditors; its whistle-blowing systems, and their findings; and recommends the re-election or not of the company’s external auditors.

The Board must approve the selection of a Chief Executive Officer (CEO), and many Boards are now approving the appointment of the Chief Financial Officer (CFO) as well because of the importance of that position. Generally, the CEO appoints other senior executives, and they, in turn, appoint the executives who report to them. Members of the Board’s subcommittees are selected for their expertise, interest, and character, with the expectation that the independent judgment of each director will be exercised in the best interest of the company. For example, the ACFE tells us, members of the Audit Committee must be financially literate and have sufficient expertise to understand audit and financial matters. They must be of independent mind (i.e., not part of management, and not relying upon management for a significant portion of their annual income), and must be prepared to exercise that independence by voting in the interest of all shareholders, not just those of management or of specific limited shareholder groups.

Several behavioral expectations extend to all directors: to act in the best interest of the company (shareholders and stakeholders), to demonstrate loyalty by exercising independent judgment, to act in good faith in the interests of all, and to demonstrate due care, diligence, and skill.

All directors are expected to demonstrate certain fiduciary duties. Shareholders are relying on directors to serve shareholders’ interests, not the directors’ own interests, nor those of management or a third party. This means that directors must exercise their own independent judgment in the best interests of the shareholders. The directors must do so in good faith (with true purpose, not deceit) on all occasions. They must exercise appropriate skill, diligence, and an expected level of care in all their actions.

Obviously, there will be times when directors could make significant sums of money by misusing the trust that has been bestowed on them, at the expense of the other stakeholders of the company. At these times a director’s interests may conflict with those of the others. Therefore, care must be taken to ensure that such conflicts are disclosed, and that they are managed so that no harm comes to the other shareholders. For example, if a director has an interest in some property or in a company that is being purchased, s/he should disclose this to the other directors and refrain from voting on the acquisition. These actions alert the other directors to the potential self-dealing of the conflicted director, and thereby prevent the non-conflicted directors from being misled into thinking that the conflicted director was acting only with the corporation’s interests in mind.

From time to time, directors may be sued by shareholders or third parties who believe that the directors have failed to live up to appropriate expectations. However, courts will not second-guess reasonable decisions by non-conflicted directors that have been taken prudently and on a reasonably informed basis. This is known as the business judgment rule, and it protects directors charged with breach of their duty of care if they have acted honestly and reasonably. Even if no breach of legal rights has occurred, shareholders may charge that their interests have been ‘oppressed’ (i.e., prejudiced unfairly, or unfairly disregarded) by a corporation or a director’s actions, and courts may grant what is referred to as an oppression remedy of financial compensation or other sanctions against the corporation or the director personally. If, however, the director has not been self-dealing or misappropriating the company’s opportunities, s/he will likely be protected from personal liability by the business judgment rule.

Some shareholders or third parties have chosen to sue directors personally in tort for their conduct as directors, even when the directors acted in good faith and within the scope of their duties, and believed they were acting in the best interests of the corporations they serve. Recently, courts have held that directors cannot escape such personal liability simply by claiming that they took the action while performing their corporate responsibilities. Consequently, directors and officers must take care that all their decisions meet normal standards of behavior.

Consequently, when management and the Board of a company that has been the victim of a cyber-attack decide to withhold information about the attack (sometimes for weeks or months), fundamental questions about compliance with fiduciary standards and ethical duty toward other stakeholders and the public can quickly emerge. The impact of recent corporate cyber-attack scandals on the public has the potential to change future governance expectations dramatically. Recognition that some of these situations appear to have resulted from management inattention or neglect (the failure to patch known software vulnerabilities in a timely way, for example) has focused attention on just how well a corporation can expect to remediate its public face and ensure ongoing business continuity following such revelations to the public.

My colleague points out that so damaging were the apparently self-protective actions taken by the Boards of some of these victim companies in the wake of several recent attacks to protect their share price, (thereby shielding the interests of existing executives, directors, and investors in the short term) that the credibility of their entire corporate governance and accountability processes has been jeopardized, thus endangering, in some cases, even their ability to continue as viable going concerns.

In summary, in the United States, the Board of Directors sits at the apex of a company’s governing structure. A typical Board’s duties include reviewing the company’s overall business strategy; selecting and compensating the company’s senior executives; evaluating the company’s outside auditor; overseeing the company’s financial statements; and monitoring overall company performance. According to the Business Roundtable, the Board’s ‘paramount duty’ is to safeguard the interests of the company’s shareholders. It’s fair to ask whether a Board that chooses not to reveal to its stakeholders or to the general investor public a potentially devastating cyber-fraud for many months can be said to have met either the letter or the spirit of its paramount duty.

The Internet & the Unforeseen

Liseli Pennings, last year’s speaker for our Central Virginia Chapter’s training event, ‘Investigating on the Internet’, made the comment during her presentation that on-line investigative tools are outstanding for working unforeseen fraud events. When a potential fraud risk has been identified through routine risk assessment, its likely effects can be discussed and anticipated to some degree as part of the assessment. However, Liseli pointed out, when catastrophic fraud events occur without warning, seemingly out of the blue, and no mitigation has been discussed or is even immediately possible, the results can be devastating to our clients. When these types of sudden, unforeseen fraud events occur, rapid information gathering can be critical to a successful investigative outcome, and that’s where skillful use of the internet comes in.

Liseli’s comment got me thinking about a key question. Are these types of fraud events truly unforeseeable, or are they caused by a failure to gather adequate information on the front end to anticipate them and their effects? Unanticipated fraud events and their effects are typically associated with financial factors. However, as we’ve often discussed on this blog, some of the most catastrophic events can be non-financial in nature, such as damage to reputation, which can in turn lead to financial losses. As part of their proactive risk assessment processes, fraud examiners can play a vital role in monitoring the client’s environment and providing valuable information to management to help identify and mitigate these types of risks. If an organization is not prepared for these types of sudden, catastrophic fraud events, the losses can sink the organization; one need only look at what happened to Martha Stewart Enterprises because of her trading scandal, to Target because of the overnight revelation of the hacking of its customer accounts, and to a host of others.

Viewed narrowly in hindsight, there seems to have been little these companies could realistically have done on the front end to mitigate the effects of such unforeseen events. The only way to manage such events effectively is to convert them from unforeseen events into foreseeable ones with potential for catastrophic losses that can be mitigated through anticipation and preparation. Anticipating the potential for such events is critical, and requires information that is current, forward-looking, frequent, comprehensive, reliable, and diversified; to an ever-growing extent, such information is available to the CFE on the public internet. Systematic use of the internet to broaden the scope of fraud risk assessment is a trend only now firmly taking hold.

Fraud prevention and mitigation decision-making takes place in the present and affects the present but, more importantly, it affects the future. Historic information is valuable for some decisions but, to be effective, the information gathered for most decisions must be current and updated continuously. In this respect, CFEs and risk managers should consider the nature of the information source and the frequency with which it is updated. For example, printed encyclopedias become dated quickly. Web and mobile sources may be considered the most current but, as Liseli pointed out last year, this is not always the case. The very abundance of internet resources requires those gathering on-line information to exercise extra care in specifying how information is verified, how often, and when and under what circumstances it is updated. To have comprehensive and diversified information, examiners must accept that some information they uncover won’t be completely reliable. Knowing that, they must have a methodology for evaluating the degree of reliability of each source, gathering corroborating and refuting information, and discerning the truth among conflicting information.
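As a concrete illustration of such a methodology, the following is an added example, not code from the original post or from the speaker it quotes. It assumes a letter-grade reliability scale for sources (A = consistently reliable through F = cannot be judged, modelled on the Admiralty-style grading used in intelligence work) and a simple half-life decay so that a stale web page or printed directory counts for less than a recent filing. Every source name, date and claim in the sample data is constructed; the grade weights and the 180-day half-life are assumptions, not figures from the post.

```python
"""Source grading and corroboration for on-line fraud risk information.

Added example, not from the original post. Assumed: letter grades A-F
for source reliability (Admiralty-style), a freshness half-life, and
constructed sample sources, dates and claims.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed reliability weight for each letter grade (not from the post).
GRADE_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.1}


@dataclass(frozen=True)
class Claim:
    source: str   # who asserts it, e.g. a regulator site or a trade forum
    grade: str    # reliability grade A-F assigned to that source
    as_of: date   # when the source last updated the item
    topic: str    # the fact in question, e.g. "vendor.owner"
    value: str    # what the source asserts about it


def freshness(as_of: date, today: date, half_life_days: int = 180) -> float:
    """Evidence weight halves every half_life_days, so a 2012 directory
    entry contributes almost nothing against a filing from last month."""
    age = max((today - as_of).days, 0)
    return 0.5 ** (age / half_life_days)


def weight(claim: Claim, today: date) -> float:
    """Reliability of the source scaled by how current the item is."""
    return GRADE_WEIGHT.get(claim.grade.upper(), 0.1) * freshness(claim.as_of, today)


def corroborate(claims, today, conflict_ratio=0.5):
    """Return {topic: {"value", "support", "conflict", "sources"}}.

    value    : best-supported assertion for the topic
    support  : weighted share of all evidence behind that value
    conflict : True when a competing value carries at least conflict_ratio
               of the winner's weight, i.e. the examiner must dig further
    sources  : independent sources backing the winning value
    """
    totals = defaultdict(lambda: defaultdict(float))
    backers = defaultdict(lambda: defaultdict(set))
    for c in claims:
        totals[c.topic][c.value] += weight(c, today)
        backers[c.topic][c.value].add(c.source)

    result = {}
    for topic, values in totals.items():
        ranked = sorted(values.items(), key=lambda kv: kv[1], reverse=True)
        best_value, best_w = ranked[0]
        runner_w = ranked[1][1] if len(ranked) > 1 else 0.0
        result[topic] = {
            "value": best_value,
            "support": round(best_w / sum(values.values()), 3),
            "conflict": runner_w >= conflict_ratio * best_w,
            "sources": sorted(backers[topic][best_value]),
        }
    return result


# Constructed sample input: on-line sources that disagree about a vendor.
SAMPLE_TODAY = date(2017, 11, 1)
SAMPLE_CLAIMS = [
    Claim("state-registry", "A", date(2017, 9, 1), "vendor.owner", "Acme Holdings"),
    Claim("news-site", "B", date(2017, 8, 20), "vendor.owner", "Acme Holdings"),
    Claim("trade-forum", "D", date(2017, 10, 5), "vendor.owner", "J. Doe"),
    Claim("trade-forum", "D", date(2017, 10, 5), "vendor.litigation", "pending suit"),
    Claim("company-site", "C", date(2017, 10, 20), "vendor.litigation", "none"),
    Claim("old-directory", "C", date(2012, 1, 1), "vendor.litigation", "none"),
]


def run_sample():
    """Corroborate the constructed claims as of SAMPLE_TODAY."""
    return corroborate(SAMPLE_CLAIMS, SAMPLE_TODAY)


if __name__ == "__main__":
    for topic, finding in run_sample().items():
        print(topic, finding)
```

In the sample, two higher-grade sources outweigh the forum post on ownership, so that topic is settled without conflict; on litigation, a recent C-grade page and a recent D-grade forum post pull in opposite directions and the 2012 directory entry has decayed to nearly nothing, so the topic is flagged as conflicted and the examiner knows which item still needs corroboration.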

When assessing the potential for unforeseen fraud events within the context of a client environment, CFEs and loss prevention managers should avoid the tendency to plan and act based solely on past events and risks. Internet-based scanning and assessment systems and processes should ideally be developed to anticipate the next wave of risks that might be carrying unforeseen events ever closer to the organization. It would be simple if dealing with one unforeseen fraud event eliminated all others, but fraud examiners especially are aware of how often one fraud spawns another.

In casting a wider, on-line based risk assessment net, forward-looking examiners might ask questions like:

–What is the next wave of technological, societal, industrial, and environmental changes that could affect my client organization, and what will be their implications for the organization?

–Have organizations that have a “bring-your-own-device” policy for cell phones, tablets, and other devices considered all the potential implications of such a policy, including privacy issues and the potential risk to proprietary information?

–What information on these devices is discoverable in legal cases?

–Are these sources included in the fraud assessment process?

–How quickly are events changing within the organization and its environment?

How do CFEs sift through this deluge of information to glean what is relevant to the organization? What filters are available within the media in use? Which sources have features that push the information to the user based on chosen criteria?

Some such sources are …

–Industry and trade organizations, especially including websites, magazines, newsletters, forums, and roundtables.
–Social media.
–News outlets such as print, Internet, and cable television.
–Think tanks and consultants.
–Governmental and quasi-governmental organizations.
–Personnel using cutting-edge technology.

Unforeseen financial fraud events most often arise from a lack of information. To be effective, information gathering must expand beyond the sources most familiar to risk assessment professionals and to others, like CFEs, involved in risk management; the more diverse the sources, the more effective the information gathering. Gathering information from only neutral sources may seem on the surface to be the most effective strategy, but this can create a severe deficit of information. Information from sources in competition with or in opposition to the client organization should be included. This will include information from sources that have a different political stance, moral compass, or divergent viewpoint. Gathering information from governmental organizations should include a wide variety of domestic and international sources. Information gatherers must evaluate the political purpose behind the information, its slant, and its reliability.

Unforeseen fraud events can be devastating to an organization, not just because they are catastrophic, but because they are unexpected and initially mysterious in nature. But like all events, if they can be better understood and anticipated, their effects can be managed and mitigated so they will not be as damaging to the organization. The use of as many information sources as possible, including those that are internet-based, is key to assessing their risk and potential impact.

After the Deluge

Few events are more devastating to a firm’s reputation than a well-publicized fraud, and even more so if the fraud extends to a circle of one or more trusted business partners.

The ACFE tells us that a fraud can impact an organization’s reputation in many ways, and that reputation is based on how well the firm meets the expectations of diverse stakeholders such as customers and investors. Events like a fraud, which indicate the organization may have fallen short of such expectations, can impact the bottom line directly in terms of sales, expenses, and capital availability. Surviving and moving forward from such an event and, more importantly, restoring confidence and ensuring that reputational damage is not extended or repeated, depends on the policies and people the organization has in place to manage its damaged reputation.

What’s essential is that every organization have some sort of formal plan in place, preferably prior to a fraud event, to manage the post event fall out; if it doesn’t have such a plan, it behooves every enterprise to develop one as a critical component of its overall fraud prevention program.

The nature of the reputational risk specific to the organization, its risk appetite, and its major reputational risk management activities are all important pieces of information used to craft the overall fraud response plan. Defining the focus and output of the response plan is a critical step not only to development of the plan itself, but also to craft the timing of effective communications to stakeholders, pre and post any fraud event, addressed by the plan. Determining these details up front will give management the substance needed to create a road map that yields compelling results both through the after-fraud period and into the future.

The first step in crafting a reputational risk component of the fraud response plan is to determine the specific nature of this type of risk at the CFE’s client organization. For example, a company that produces consumer products may need to consider its reputation in terms of:

–Consumers. Perceived product quality, value, and safety.
–Investors. Perceived future returns on investment resulting from the company’s innovations, strategy, and execution.
–Suppliers/vendors. Perceived reliability of orders and timeliness of payment.
–Employees. Perceived fairness of the treatment they receive while manufacturing, selling, and supporting the company and its products.
–Online community. Perceptions of stakeholders, including consumers’ product opinions, media reporting on company activities, and competitors.
–Regulatory entities. Perception that the company’s products comply with laws.
–Local community. Perception of the company as a responsible corporate citizen.

CFEs need to identify the key reputational risks, work with business process experts to prioritize those risks based on the extent to which they could impact the bottom line, and then determine which risks will be included in the final plan. A plan that tries to cover all aspects of reputational risk in the manner of a checklist may be too broad to execute; the enterprise’s specific reputational risks to be covered need to be identified and agreed with management up front. As the CFE and management work to determine the reputational risk scope, both need to understand the organization’s reputational risk appetite. Many organizations conceive of risk appetite solely in terms of financial impact, sometimes further defining it based on financial drivers such as customer loss or asset value reduction. Facilitating a discussion of reputational risk appetite among the enterprise’s business process owners is a valuable CFE contribution that will assist not only in the development of the response plan, but also in its acceptance by the business. Quantifying reputational risk appetite helps management understand the tangible impact of the risk and thus how much reputational risk executives are willing to bear. In addition, it allows the CFE to communicate the impact of the reputational review work in the value terms defined by the organization’s own leadership.

The value added by the up-front work to understand the major vehicles the organization presently uses to manage its reputational risk will depend on the factors affecting that risk and the nature of the business itself. Some mitigation activities may be proactive, such as establishing a product quality department or monitoring the organization’s social media presence. Others may be reactive, such as having a sales refund plan. It’s important to remember that successful reputation management following a fraud does not hinge upon one person or process (such as a hotline or a public relations function), but rather on a series of controls and processes across the entire organization that work together to form a wide pattern of reputational defense. Being aware of existing activities will prepare CFEs to include an evaluation of them in the fraud response plan. The focus of a fraud response plan can vary based on the nature of the risk and the maturity of the reputational risk management infrastructure. If there is no formal existing plan, then the CFE might prepare and present a best-practice fact finding of the present state of the controls over reputational risk. If some kind of response program does exist, then the CFE might focus on control enhancement and process improvement. Financial implications, including reputational damage impact modeling and the cost of risk mitigation, could also be made part of an existing response plan, as could regulatory compliance processes such as the steps involved in the reporting of data breaches.

When one or more of the victim enterprise’s business partners are involved in a fraud against it, the reputational challenge in the post-fraud period is further complicated. Important questions to ask concerning such third-party relationships, both during the investigative and prosecutorial phases of the fraud and after they are complete, include:

–Is there a formal business contract?
–What requirements and rights regarding compliance, possible fraud and anti-corruption does the contract contain?
–Does the contract include an audit clause?
–Who owns the business partner?
–Has the partner disclosed all relevant third-party relationships?
–Have all of the partner’s operating locations been disclosed?
–Does the partner have ongoing litigation or unique governmental relationships that might create an adverse impression among existing customers or external regulators?

Where information is needed to shape the client’s response to post-fraud reputational impact, CFEs can visit partner organizations to gather the appropriate data. Red flags impacting reputational risk for the CFE to be aware of include limited information about the respective entities, inconsistent data points, operations in politically charged locales, prior regulatory sanctions, and connections to or ownership by politically exposed individuals, or operation in environments with uncertain economic or commercial laws or regulations. And while examination of these items falls within the purview of compliance or legal departments, and ultimately management, some opportunity exists for CFEs to assist with the review of due diligence reports to assess the completeness and adequacy of information in support of management’s general reputation evaluation process and decision-making.

While supporting the preparation and ongoing management of client fraud response plans, CFEs can provide additional value as the organization experiences changes over time. As the company grows, changes its sourcing and marketing strategies, and acquires other businesses, new third parties that provide products and services to and on behalf of the company will be identified and should be considered for inclusion in the company’s reputational planning. The company’s reputational management efforts need to keep pace with the organization, and CFEs can help evaluate the scope and breadth of that program by assessing its alignment with the company’s changing business and operational fraud prevention profile.

Acting within the framework of their knowledge of the client organization, their business risk assessment competency, and their mandate to evaluate the adequacy of design and overall effectiveness of anti-fraud internal controls, CFEs can help facilitate any company’s fraud recovery and reputational repair due diligence efforts.