Understanding Workforce Risk: Ask The Experts

Risks associated with fraud, bribery, and corruption have always been present. Unfortunately, the risks have only increased and the pressure to take preventative measures is rising. International Fraud Awareness Week presents an opportunity to ask critical questions.

Experts Stephen Martin, Partner, and Jamen Tyler, Managing Director, at global advisory firm StoneTurn, sat down with us to answer the most frequently asked questions we receive. We talk about where to focus, how the pandemic has shifted priorities, and the most common mistakes you want to avoid.

Q: How has the pandemic impacted fraud risks in company operations?

A: It should come as no surprise that moving a workforce to remote work, particularly during a crisis like what we face now due to COVID-19, increases the risk for fraud in a company’s operations. We often think of fraud as arising when three factors align in what’s known as the “fraud triangle.” First, someone needs to have a motivation or pressure to commit fraud, which is often due to personal financial stress or business pressures. Second, they need to rationalize the fraud. This includes both justifying the fraud (for example, thinking that they deserve more money) and believing that the company won’t detect the fraud. Finally, they need the opportunity to put their plans into action. The COVID-19 crisis can trigger all three of these factors.

• Motivation
  • Individuals may have new motivation to commit fraud due to personal financial strain. For example, COVID-19-related medical bills or reduced income if they or another earner in their household were furloughed or laid off due to COVID-19.
  • Companies may be putting additional pressure on their employees to make up for lost profits due to the economic downturn. In addition, companies may put additional responsibilities or duties on employees to make up for staffing cuts.
    
• Rationalization
  • Working from home reduces company’s ability to monitor workers’ day-to-day conduct. This may lead potential fraudsters to believe that the company will not notice their activity and make it easier for them to justify fraud.
  • Similar to motivation, employees may justify fraud by pointing to the need to protect their family or pay for hefty medical bills. They may also become dissatisfied with their job responsibilities, hours expectations or other changes in their work due to working remotely and/or the economic downturn.
• Opportunity
  • As noted above, homes are much less secure than office environments, and can provide a number of additional opportunities for fraudulent activity. While workers may previously have had access to company information, files, or programs only during office hours within eyeshot of a supervisor, working from home may provide access 24 hours a day, without any such monitoring. Similarly, it can be difficult to track workers’ comings-and-goings during the course of the day, which can increase the risk of time entry and payroll fraud.

The good news is that there are many ways to mitigate these risks. Companies should be on the lookout for burnout and dissatisfaction among their workers. They should also be aware of business units that may be putting increased pressure on their employees to make up for losses or poor performance due to the economic downturn. In addition, companies should make sure they have ability to monitor their operations for common forms of fraud, including inflated time entry reports, inappropriate invoicing, misuse of company assets, and misappropriation of company accounts. These controls should be communicated clearly and consistently to relevant workers, as should the importance of compliance and ethical conduct.

Assessing increased risk due to remote work

Q. How prepared are most organizations for the increased burden of managing compliance and risk during the pandemic?

• A. Many companies struggle to conduct risk assessments during the best of times. With travel restrictions, lack of day-to-day visibility, and resources focused on response to the pandemic, risk assessments are even more challenging right now. It might be tempting to cut or freeze compliance budgets and reallocate resources to other initiatives, but that would be a mistake. Past downturns have shown, significant reductions in compliance efforts always lead to compliance or government enforcement issues down the line, which typically cost more than conducting proactive compliance reviews and enhancements.
• Companies must work creatively to address and manage risks cost-effectively and efficiently to maintain compliance program resources (whether internal or external) to manage new risks and reporting requirement burdens.

Q. What is the most common mistake businesses are making during the pandemic that leads to increased risk?

• A. Reducing compliance-focused resources and staffing is by far the most common mistake companies make during a crisis. When resources are removed from compliance functions, compliance issues tend to follow.
• Another common pitfall is not evaluating current programs to ensure the essential elements, particularly for training and education, oversight and reporting, and response and enhancements, do not require an update. Especially in times of crisis, companies should review their compliance programs to make sure they meet government expectations and, where possible, industry best practices to reduce and address compliance risks.

Q. What causes the risk profile to change for a remote workforce?

• A. Remote workers introduce increased risk in four ways.
  • Less Transparency and Oversight - Lack of visibility into day-to-day activities makes it more difficult to identify potential wrongdoing.
  • Less Communication - Remote workforces decrease opportunities for informal communications and in-person conversations about risks and compliance issues.
  • Network Security Issues - Home or public networks may be more susceptible to security threats.
  • Confidential Information - Working out of home offices, and transporting materials between offices and homes, complicates protective measures for confidential materials, as well as information and trade secrets.

Q. What are the three most common gaps in compliance programs?

1. Proactive and Effective Risk Assessments— Far too often, companies either lack a sophisticated risk assessment process or fail to conduct risk assessments altogether.
2. Regular Training and Communication— Compliance training and communication shouldn’t stop at onboarding. Effective compliance programs include recurring compliance messaging in a variety of formats, including email campaigns, in-person discussions, newsletters, and quick-hit communications from senior leadership. Training, too, should be conducted regularly to ensure key compliance areas are top of mind and well-understood.
3. Ongoing Oversight/Monitoring and Reporting— Companies that lack anonymous reporting hotlines and related “Speak Up” training miss out on a key mechanism for identifying compliance issues, namely, whistleblower reports.

Q. What type of risks do we need to be on the lookout for since many have transitioned to a more remote workforce?

• A. Remote workforces can exacerbate a number of risks due to a lack of direct oversight and visibility, loss of connection and in-person communication, and reliance on potentially insecure networks or workplace tools, among other things.

For example, research by BITSIGHT showed home networks are 3.5x more likely than corporate networks to have at least one family of malware present.

And that’s just one example. Chief compliance risks we foresee include:

• Fraud
  • This could include misconduct by third parties, employees, or criminals exploiting business executives working from home. The economic impact of the pandemic may increase pressure on both companies and employees to perform, which can lead to fraud and compliance-related misconduct at all levels. In fact, in previous economic downturns, we observed increased levels of fraud and non-compliance, including financial fraud and failure to report issues, even among managers and executives.
• Misuse of Company Assets
  • Without day-to-day oversight, some bad actors may feel emboldened to use company assets, like computers or other equipment, for inappropriate purposes like personal use or fraudulent or illegal activity.
• Data Security
  • As employees rely more on virtual workplaces or potentially insecure home networks, the risk of data breaches, including from phishing and smishing, a form of phishing via text/SMS message, has increased. Likewise, the potential for individuals misusing or accidentally disclosing confidential documents increases when working from home.
• Corruption and Bribery
  • Risk of corruption and bribery, particularly among third parties and in supply chains, may increase as transparency and on-the-ground visibility decreases. This is particularly the case in international operations. In addition to international corruption, we may see increased issues— and related scrutiny— around government programs created in response to the pandemic.
• Effectiveness of Compliance Communications
  • Conveying compliance messaging with remote employees can be difficult, even with video conferencing and online communications, which may decrease the effectiveness of a company’s compliance program.
• Outreach and Support
  • Quick chats and office visits allow for compliance professionals to engage with employees and vice versa. Lack of face-to-face interactions may make it more difficult for employees to seek support—and compliance professionals to provide it.
• Speak Up Culture
  • In-person meetings, lunches, and social activities are important for creating and maintaining a company’s culture, including compliance and Speak Up culture. Companies will need to be creative and think strategically about how to sustain their culture, particularly for new employees.
• Charitable Donations/Corporate Social Responsibility
  • Some bad actors have sought to exploit the increase in corporate giving related to COVID-19 relief by creating fraudulent charities or soliciting bribes and kickbacks via “donations” to select charities. All organizations should be thoroughly vetted before making any donation.

Q. When rolling out new policies to the remote workforce, how should businesses ensure employees understand those policies?

• A. Communication is key to rolling out new policies to a remote workforce. Policy rollouts should include effective messaging from the compliance team and senior leadership about the substance and background of the new policy. Training may be needed to ensure understanding of changes to key compliance policies and procedures like conflicts of interest, anti-bribery, or insider trading. Just as important, though, is ensuring that remote workers have access to the compliance team to answer questions and address concerns. To ensure a complete and effective rollout, make sure that employees certify or attest to receiving, understanding, and complying with the new policies. Track certifications/attestations and follow up with personnel as needed until all applicable personnel have responded.

The return to the workplace risk assessment imperative

Q. Should one do a risk assessment before reopening a location? If so, what does it mean for the organization?

• A. Yes. As locations start to reopen, companies should conduct risk assessments for each location to identify how best to mitigate employee health risks related to COVID-19. Risk assessments should consider a myriad of government guidance and requirements upon reopening. This may include assessment of potential high-risk environments, like communal workspaces, and your ability to mitigate those risks.
• From a compliance standpoint, organizations should ensure employees are safe and comfortable with returning to work, and they are able to speak up and raise issues and concerns as needed.
• As a general matter, companies need to move forward with compliance risk assessment reviews. During times like this, organizations often stop conducting risk assessments proactively as they focus on getting through the crisis. To effectively identify and address compliance risks, however, organizations need to make sure they’re reviewing and addressing both the risks identified above and compliance risks beyond those raised by COVID-19. This should include a review of government requirements and guidance that generally apply to organizations in their industry. Organizations should particularly focus on performing assessments in high-risk jurisdictions where they have lost visibility into operations during this time.

Q. If a business wants to conduct an internal risk assessment, what expertise should they be tapping into?

• A. Outside of a focused, return to work-type risk assessment, internal risk assessments need to involve personnel from compliance or legal, human resources, training/learning/development teams, internal audit, finance and accounting, data analytics, and IT, as applicable. Companies with business units like government relations, sales teams, and others who may have compliance-related responsibilities should make sure to consult with these teams to identify potential risks from their activities.
• Even companies that conduct risk assessments internally may want to consider retaining external advisers to assist with and review the process while the assessment is underway to provide a better view of industry best practices and government expectations. Likewise, companies should have external advisers to periodically review their internal risk assessment process.

Q. What role can risk assessments play in mitigating misconduct?

• A. Risk assessments allow organizations to identify ways in which processes, procedures, or other operations may create risks to the organization. In doing so, the organization can also evaluate ways to reduce those risks. For example, a risk assessment may find that a company is exposed to bribery or fraud risks from charitable donations made to unvetted organizations. Once this risk is identified, the organization can implement due diligence and approval requirements to mitigate that risk.

Q. With the extra responsibilities of businesses having to protect their employees and customers upon returning to normal business operations, what will be the biggest obstacle?

• A. Lack of transparency and visibility into operations globally will create a hurdle for returning to normal business operations. Just as importantly, though, resource limitations or reallocations due to the economic impact of the pandemic may create additional burdens for businesses in protecting their employees and customers while maintaining effective compliance programs. One potential option is to use an external compliance adviser that can provide additional support to augment these limited resources temporarily.

Q. How will businesses be held accountable for non-compliance? Will the new OHSA and EEOC guidelines play a role?

• A. Companies will be held accountable for non-compliance with applicable laws, including anti-bribery/anti-corruption, sanctions, anti-money laundering, and similar laws, whether such non-compliance was due to COVID-19-related oversight limitations or not. While in the short-run enforcement has not been a priority, we will certainly see an increase in enforcement activity, particularly around government aid in the USA and abroad, such as Payroll Protection Program (PPP) loans. Organizations should expect audits and reviews related to these payments.
• Beyond enforcement activities, organizations may face reputational impacts from non-compliance during the COVID-19 crisis. These impacts have already been seen with respect to companies taking advantage of government funding initiatives. Non-compliance with other laws during the COVID-19 crisis will create similar reputational issues for organizations.

Q. What are the most common signs an organization needs an external risk assessment?

• A. Companies are likely to require an external risk assessment if they have never conducted a risk assessment within their operations, or if they lack sufficient resources and expertise to conduct one.

• Regulators and enforcement agencies expect companies to conduct risk assessments on an ongoing basis. As a baseline, then, all organizations need to be conducting periodic assessments of compliance risks within their operations to ensure their compliance program effectively addresses those risks. Companies that see specific issues or concerns from a compliance standpoint should focus on those issues during the risk assessment. Risk assessments are often targeted, for example, on third parties used by an organization or acquisition or merger targets post-close.

Q. What type of protection does an external risk assessment provide?

• A. As noted above, government regulators and enforcement agencies expect that companies will conduct risk assessments. Hiring an outside third party to conduct or advise on the risk assessment process can help organizations ensure that they have a strong procedure for conducting those assessments. Moreover, doing so can provide an independent view of the organization’s compliance program, as well as recommendations for how to enhance it to help reduce risks, meet government expectations, and maximize profitability.

I hope you’ll join me in thanking our guests Stephen and Jamen for sharing their deep expertise. Risk management is not easy, but it is critical to your organization. Know you don’t have to go it alone. Skillsoft and StoneTurn are here to help.

John Arendes is the Customer Market Leader, General Manager of Global Compliance Solutions at Skillsoft.