Corporate Crime in Hard Times
Some of the major economic downturns of the last century were coupled with increases in crime, sparking fears that the current downturn would be similar. Instead, violence and property crime have continued to decrease since the economy started faltering in fall 2008. However, some data show that during the recession, companies may have become more vulnerable to being victimized by internal financial crime.
In the November 2009 PricewaterhouseCoopers (PwC) U.S. supplement to its global economic crime survey, 35 percent of American companies said they had been the victim of at least one significant economic crime from August 2008 through July 2009. Because this was the first time the study asked companies about their experience on a per-year basis, the data cannot be used to identify whether fraud is up year over year, but the study’s authors state: “We noted a striking relationship between declining financial performance and increasing incidences of reported fraud.” Of companies that reported an economic decline, 88 percent also reported fraud.
The report spotlights the “fraud triangle” as a tool for identifying potential indicators of fraud vulnerability in companies. The triangle is the trio of pressure, opportunity, and attitude or rationalization. Most of the executives interviewed by PwC believed their fraud risk was due to higher pressure in the faltering economy. This included pressures to meet performance targets in an effort to keep jobs or secure bonuses.
Respondents who thought fraud risk was due to increased opportunity believed that the layoffs of those who detect frauds, like internal auditors, might be the culprit. They also speculated that fraud could be due to a general decrease in resources dedicated to preventing and detecting fraud, otherwise known as internal controls.
A majority of the fraud perpetrators were company employees in middle management. “If we’re going to say it’s around pressure, who is really the one who, within a company, really experiences the weight of that pressure?” explains Sandra Parrado, a coauthor of the United States edition of the PwC report. She continues: “It’s management that is the one that needs to demonstrate the numbers, that is responsible for performing… they’re also the ones that are having to deal with the consequences of having a smaller staff, that now need to deal with a higher workload, that now need to deal with perceptions of greater risk.”
What types of fraud and crimes are occurring in the downturn? It depends on the business. For many companies, the types are the same as during normal financial periods, only the numbers will increase. For example, Tyson Johnson, CPP, director of global security and investigations for Celestica, says he has seen an increase in attempted thefts at sites where high-value products are manufactured. Types of fraud cited by PwC’s report are asset misappropriation and bribery.
PwC looks only at economic crime within companies; it’s a bit more difficult to track economic crime in general, which might include money laundering and Ponzi schemes.
Michael L. Benson, professor in the School of Criminal Justice at the University of Cincinnati, and others say it’s unclear whether such crimes are increasing during the recession or are just being discovered now. “What the economic downturn has really done is it has exposed a lot of frauds and illegal activities that were going on during the economic boom but that we didn’t notice,” Benson says. A prominent example is Bernard Madoff’s Ponzi scheme, which was going on for more than a decade but only came to light once the recession hit.
PwC also found that companies are not necessarily proactive in fighting and preventing fraud. The survey uncovered what the report authors called “an unsettling complacency about performing regular fraud risk assessments.” The report found that only 15 percent of companies surveyed had any plans to increase the number of fraud risk assessments being performed.
Parrado and coauthor Chuck Hacker noted also that the company’s reaction depends on what is considered acceptable loss for that sector. “[I]f you’re a retailer and you see that your shrinkage is one to two percent or something, it’s probably an acceptable risk even if the items are being stolen, where it might not be as acceptable at 10 percent,” says Hacker.
Another consideration is whether the type of crime or the resulting loss has a regulatory component that could result in large fines being assessed. In that case, the company has an additional motivation to try to prevent the loss. But some companies forget that fraud carries costs beyond what can be measured in accounting sheets and criminal investigations. These include reputational damage, which can be difficult to recoup.
Due to the recession, many companies cannot afford to hire more investigators or auditors. But there are affordable measures all companies should consider to deter corporate crime among their executives and employees.
Risk assessments. Most security professionals know how important risk assessments are to physical security. They are equally critical for detecting vulnerabilities in internal controls that could create the opportunity for economic crimes to be committed. The PwC report states that a company that does not conduct such assessments essentially “looks for no evil and as a consequence finds none.”
One company that has taken a proactive stance is Medco. To augment its risk assessments, Medco has convened a steering committee to look at enterprise fraud risk assessment, says Marene N. Allison, the company’s vice president of global security at the time of this interview (she is now with Johnson & Johnson).
Among the steps they’ve taken is to survey employees to see “what people are feeling about fraud...and report back those findings to our board of directors,” she explains. Allison says the board will examine the survey results to see whether the company needs to make changes in its fraud prevention efforts.
Collaboration. Security personnel are not the only ones who can help prevent and detect white collar and corporate crimes, which is why it is essential to take advantage of staff from other departments who may be able to assist.
Allison says Medco includes several departments on the fraud steering committee, from security to auditing to compliance. “Working with audit and compliance and the privacy office together, we do so much more than if we did it alone or if it was just security,” she explains. Each participant is coming from their own area of expertise, she notes, adding: “You’re working together to come up with something that works for the corporation.”
Joe Baxter of Toyota also makes sure to work with other departments and disciplines for more effective crime prevention. “I think the ongoing collaboration between legal and internal audit, [human resources], and the corporate security team is critical. And when I say ongoing collaboration, it’s not chatting here and there. We meet weekly. So we’re reviewing cases, progress of those cases,” says Baxter, who adds that this includes physical security and an assessment of goals and progress on initiatives.
Uniformity, accountability. Some advisors recommend that companies ensure a certain degree of uniformity in standards while assigning ownership of the process at the site level to ensure accountability. That was the process adopted by Celestica.
The company revamped security to ensure that its sites, which had been operating as “individual organizations,” would conform to standard security requirements and controls. Uniform best practices were shared among all of the locations.
At the same time, management wanted to “assign accountability to individual business groups or managers along the process flow of a product lifecycle,” says Johnson. Those managers were made a part of risk management. He adds that “if there’s vague ownership, you find that sometimes it’s an increased likelihood of theft at that part of the process. So we ensure that there is ownership, transparency, and tight procedure across every part of the process flow from raw materials arriving at dock door A to finished goods exiting out of dock door B. So that’s really how we’ve designed it.”
Johnson says Celestica also took a look at the different street values of raw materials, and assigned added security to certain points throughout the manufacturing life cycle based on that value analysis. Some products were given more security protection as they got to stages in the manufacturing process where they had a greater street value.
Employee awareness. Experts also agree that it’s important to instill a security culture as a measure against fraud. The PwC report notes that companies tend to underestimate the importance of this factor, which increases in a downturn. “Companies are actively reducing the resources, both in terms of personnel and financial capital, committed to their internal audit and compliance functions. Culture then becomes their first—and in some cases—only line of defense against fraud,” the report states.
Allison says employee awareness of fraud prevention programs is taken seriously by management at Medco. “We have an awareness program that starts the first day you’re hired. Every employee coming into the company sees somebody from security.”
The awareness program further entails yearly training as well as periodic seminars with security representatives. Additional awareness messages are disseminated to employees whenever relevant information becomes available, Allison explains.
Michael Levi, criminology professor at Cardiff University, agrees that the security culture of a company becomes even more important during downturns for various reasons. The threat of layoffs can have a corrosive effect on morale, he notes, which can also make employees less inclined to follow rules.
Hotlines. While audits help, anonymous tips are the most common means of fraud detection, and companies should facilitate reporting, experts agree.
Johnson says that reading most fraud reports and studying the issues of fraud or theft reveals that “what you really end up with is, it’s usually by accident or by whistle blower that you identify where issues of fraud are happening.”
Moreover, the PwC report found that 76 percent of fraud in companies has an internal agent as the perpetrator. That’s why it’s so important to encourage employees to call whistleblower or ethics hotlines where they can provide anonymous tips and be honest without fear of repercussion.
The first step is to establish a reliable means of collecting tips anonymously and to have a set protocol for handling all responses. Then management must ensure that employees are aware of the hotlines and know that the company takes tips seriously.
Toyota’s Baxter says his company’s ethics hotline has yielded tips regarding misuse of company resources, among other problems.
The 2002 Sarbanes-Oxley Act mandates that publicly traded companies, such as Medco, give employees a way to provide anonymous tips, and the company must be able to prove that employees know how they can do so. Allison’s team fulfills this requirement by having employees sign a form noting that they have been made aware of the hotline.
“We have a really good track record with people calling the ethics hotline and letting us know [if they suspect something],” says Allison.
These security measures can help to hold losses down, but there will always be corporate crime and fraud. As Allison says, “It’s really about greed. And greed doesn’t have anything to do with the economic downturn.”
Laura Spadanuta is an associate editor at Security Management.