10 minute read 10 Jun 2019
brushes on the desk

How overburdened compliance functions can respond in unethical times

By Emmanuel Vignal

EY Asia-Pacific Forensic & Integrity Services Leader

Asia-Pacific Forensics Leader. Focuses on helping organizations build out their integrity agendas. Working with organisations in Mitigating and anticipating risks.

10 minute read 10 Jun 2019
Related topics Assurance Forensics Risk

Show resources

  • EY how should over burdened compliance functions respond (pdf)

EY Asia-Pacific survey highlights warning signs that organizations are in danger of letting fraud risk spiral out of control.

Against a backdrop of economic and geopolitical uncertainty, organizations need strong ethical leadership to give employees a better moral compass when making day-to-day workplace decisions. Yet EY Asia-Pacific Fraud Survey 2017 (pdf) found a host of red flags that are a persistent concern, but even more so during high-pressure times.

Significant numbers of the almost 1,700 employees we surveyed do not know about or do not understand compliance policies. A third do not feel comfortable reporting unethical behavior. Many are unaware of key fraud, bribery and corruption risk areas. As a result, as many as two-thirds of APAC employees said they are taking actions that they know are unethical or risky. A quarter say their colleagues are failing to report misconduct.

With anti-bribery and anticorruption (ABAC) policies failing to improve ethical conduct and regulatory enforcement in the Asia-Pacific area reaching an all-time high, the reduced budget — and the slowing recruitment that economic uncertainty may cause — could create a dilemma for compliance teams.

EY survey results below suggest that organizations must rethink their approach to compliance and harness technology, including forensic data analytics, to detect unethical behavior with fewer resources. Employees need absolute clarity, and leadership must:

  • Incentivize ethical conduct
  • Encourage, protect and reward whistleblowers
  • Take transparent and consistent action against misconduct
Close up of a wooden hammer
(Chapter breaker)
1

Chapter 1

Ethical standards are not improving

A greater focus on preventing fraud, bribery and corruption has not translated into success, creating concerns in the war for talent.

Never before have governments cooperated so extensively in combating bribery and corruption and imposing legal sanctions against fraud. As a further complicating factor, anti-corruption and anti-trust regulations are becoming entwined, increasing the complexity and difficulty of compliance.

Companies have responded in kind. More than four in five (83%) respondents report organizational efforts to combat fraud, bribery and corruption have been expanded (51%) or sustained (32%) in the last two years, with an upward trend in the percentage of organizations with ABAC policies and codes of conduct.

Bribery

35%

of respondents say it is a common practice to use bribery to win contracts in their industry or sector, up from 14% in 2013.

Yet this investment in compliance policies and processes are not always translating into ethical conduct.

More than half of EY survey respondents (52%) still feel ethical standards have not improved in their organizations. More than two-thirds (69%) say they have had information or concerns about misconduct in their company. The percentage of respondents who had seen people with questionable ethical standards being promoted rose to 43%.

When organizations promote people with questionable ethical standards, their behavior becomes contagious. These people replicate this practice, which they’ve rationalized as being acceptable, throughout their new team and misconduct spreads.
Diana Shin
EY Forensic & Integrity Services, China

This is not just a regulatory or reputational problem: it also has talent implications. A notable 87% of respondents under the age of 25 and 82% of all respondents said they would start looking for another job, if their organization were involved in a major fraud (up from 78% in 2015), including 37% of all respondents who would be unwilling to continue working for their company (up from 29% in 2015).

Two-thirds of respondents regard a good reputation for ethical behavior as a commercial advantage. But their desire to work for a compliant company is not just about wanting to be on the “winning team” — it goes to strongly held personal values around integrity, honesty and ethics. These findings suggest that organizations with a strong compliance culture will continue to be the big winners in the recruitment and retention of talent.

keys in a keyboard
(Chapter breaker)
2

Chapter 2

Standards are not being applied consistently

Certain unethical behaviors can be seen as acceptable in today’s workforce, particularly among executives.

Respondents tell us that senior managers are ignoring unethical behavior and condoning misconduct to meet business targets. The result is employees who can justify wrongdoing and organizations in which people do not feel comfortable reporting fraud, bribery and corruption.

Of EY survey respondents in senior management roles, 44% feel offering cash payments to win or retain business could be justified, compared with 29% of all other employees. When it comes to bringing forward sales and booking revenues early to meet short-term financial targets, 45% of senior management thought this was justified.

Withhold misconduct information

51%

of senior management respondents feel under pressure to withhold information about misconduct (a rate that falls to 41% across all ranks).

Senior managers must consistently model, encourage and enforce compliant conduct. Yet EY survey findings suggest this is not happening in almost half of the region’s organizations. Forty-nine percent of respondents say that, even though they see senior managers saying no to bribes, those same managers would ignore the unethical behavior of employees if their actions helped to achieve corporate targets.

Tellingly, almost a quarter (24%) of respondents do not believe that management would protect people who report cases of fraud, bribery and corruption. Meanwhile, 21% believe that their organizations simply do not investigate breaches of ethical standards.

These findings help to explain why, despite investment in compliance, employees are still engaging in unethical behavior, such as paying cash to win contracts or misstating financial performance. Making ABAC policies work requires behavioral change. Unless line managers ensure people feel comfortable to report misconduct, employees remain reluctant to do so.

Tough growth conditions used to justify unethical practices

Many employees are sympathetic to the view that tough economic prospects can excuse poor conduct. Asked if they personally could justify inappropriate conduct to help their business survive, more than two-thirds say they would introduce more flexible product return policies for customers. Almost a third (32%) would offer a cash payment to win or retain business. Here again, we find perceptions of leadership endorsement driving these inappropriate behaviors.

We can see this phenomenon playing out in corporate reporting: 50% of all respondents believe that companies in their country often report financial performance as better than it is.

Forensic data analytics is crucial for identifying early warning signs of fraud or corruption — such as changes to product return policies or retrospective rebates within sales. What individuals may see as small, justifiable sales policy modifications, regulators could interpret as aggressive channel stuffing that fraudulently inflates revenue.

Employees bypassing whistleblowing hotlines

The good news: the percentage of employees willing to use a whistleblowing hotline climbed 10 points, to 63%, from 2015 to 2017.

However, given the choice, only 27% of respondents would opt to report misconduct using their in-house whistleblowing hotline, with 23% preferring to go direct to senior management. In contrast, 39% would rather use an external channel, with one in five saying they would be most comfortable calling an anonymous law enforcement channel, such as the police or a government hotline.

This preference for external channels may stem from employees’ lack of faith in their organization’s willingness or ability to take appropriate action in relation to whistleblowing reports, or a perception that the external channel offers greater anonymity. Only 37% of respondents have confidence that a report to the company’s whistleblowing hotline will always be followed up.

This is not simply about providing a whistleblower line; it is about building a system for whistleblowing that ensures matters are received efficiently and dealt with.
Rob Locke
Oceania Leader, EY Forensic & Integrity Services

How to improve employee trust and confidence in hotlines

Companies should:

  • Make a strong commitment to confidentiality to build trust in using hotlines. Senior management must communicate regularly and with conviction that each report will be treated confidentially, without exception. Organizations should also consider outsourcing some element of the disclosure receipting process to engender greater independence and rigor.
  • Strengthen triage and case management systems. All complaints must move through the system toward resolution, and reports must be seen to be investigated. Organizations must act and be seen to be acting on every complaint. Even if, on investigation, no further action is required, this should be communicated.
  • Introduce whistleblower champions. These advocates should raise awareness of the importance of speaking up about issues and educate employees about their options to make disclosures. An effective way to enhance awareness and encourage staff to raise concerns is by sharing success stories. The communication can be as simple as sharing key whistleblowing management information or through case studies in staff training programs.
  • Use benchmarking to ensure best practice and effectiveness. A robust program of regular, independent benchmarking against industry peers can help organizations to assess whether a hotline is fit-for-purpose and making the best use of the latest technology, such as mobile apps. Benchmarking will examine a hotline’s effectiveness considering an organization’s operations, geography, industry, workplace culture, risk profile and history of known events.
see through a camera lens
(Chapter breaker)
3

Chapter 3

Compliance lacks clarity

A significant number of employees misunderstand critical elements of compliance policies and processes.

Organizations should work to clarify and raise awareness of what ethical conduct looks like. As a matter of urgency, leaders should make sure that they know the answers to the following questions.

1. Do employees understand your ABAC policies?

According to 2017 EY survey, for the vast majority of organizations, the answer to this question is likely to be: “No.” A massive 85% of respondents want to change their organization’s ABAC policy to make it more understandable. Specifically, they think existing policies are too long and use unnecessarily complex language (including legal jargon).

Beyond simplifying and shortening ABAC policies, employees believe understanding would be greatly helped if policies are provided in the local language and explained in terms of real-world, local business examples that clearly demonstrate compliant behavior.

Budget and decision making authority

24%

of respondents believe their head office does not provide enough budget and decision-making authority to local business management to fight bribery and corruption in their market.

2. Is your code of conduct practical?

A significant minority (39%) of respondents say their code of conduct has little impact on actual employee behavior, perhaps in part because employees either do not understand or do not see the relevance of this element of compliance.

Two years ago, a majority of employees told us their code of conduct should be more flexible to accommodate local needs. 2017 EY survey finds little has changed, with 57% of respondents once again agreeing with this point.

Some respondents also believe there is a disconnect between directives from head office and the realities of the local market. A worrying 14% of respondents believe that the management team at head office does not understand the local business environment.

3. Do you have a well-articulated gift giving and entertainment policy?

More than one-third of respondents say their organization either has no gift giving policy at all, or that they have a policy but it is vague and they do not understand it. Interestingly, the majority of employees have strong opinions about what their gift giving policy should be. Almost 60% of respondents want their organization to avoid all ambiguity and provide employees with an exact monetary amount for gift giving and entertainment.

Clear policies and procedures around gift giving are essential, as temptations for bribery and corruption abound. Best practice includes:

  • Communicating a clear policy statement in the local language
  • Setting a “no exceptions” monetary limit 
  • Clarifying the approval process for gifts within this limit
  • Describing what are and what aren’t suitable gifts or entertainment options
  • Explaining in unambiguous terms the potential implications of noncompliance

 

 

Organizations need clear, simple policies that make it easy for front-line employees to politely decline a request for a deviation.

4. Are you tackling the complexities of third-party risk management effectively?

The ecosystem of third parties has grown more complex, as companies have changed their business models to take out costs and secure growth in new markets. With more outsourced or distributed functions, new players in their supply chains and organizational reliance on third parties has never been greater — nor the risk more far-reaching.

Our 2017 survey finds an increase in awareness of third-party risk: 62%, up from 55% in 2015. Three in five respondents believe that third parties constitute a “significant risk” to their organization. In relation to the third parties they work with, more than 80% say it is important to understand each organization’s: media coverage of fraud, bribery and corruption; past or current litigation; and its compliance culture.

Yet a significant number of organizations in Asia-Pacific are still not proactive enough when it comes to onboarding and monitoring their business relationships. Nearly a third (32%) of the respondents say their organizations do not conduct any audit reviews of their third parties or are unaware of such activities when managing existing ones.  

Communication gaps

26%

of respondents do not know whether their organization is conducting compliance audits, suggesting gaps in communication around third-party risk.

As third parties continue to be the nexus between companies and Foreign Corrupt Practices Act enforcement actions, it is critical that relationships are scrutinized with more care and consistency:

  • Faced with limited budgets and a growing number of business relationships, companies need to have a risk-based third-party management approach by categorizing each of their third parties into low-, medium- or high-risk entities and conduct appropriate levels of integrity due diligence to understand the compliance risks associated with new and existing business partners.
  • Business volume, nature of the business relationship, location of operations, government interactions and history of wrongdoings are all factors that can help determine the level of risk and scrutiny required to manage third parties. If deemed high risk or if any red flags were found, a more frequent and comprehensive audit approach should be incorporated throughout the life cycle of the business relationship. 
  • Since the level of risk may increase after onboarding, companies need to proactively monitor their third parties by identifying changes in ownership structures or new compliance red flags. Our 2017 survey findings suggest that many organizations are neither equipped to detect changes in third-party risk conditions nor able to adapt appropriately.
  • As a priority, companies should harness the digitized information now available for third-party risk assessment. Organizations can use forensic data analytics to quickly transform large volumes of transactional and publicly available data into valuable actionable business intelligence. This will enable the appropriate monitoring and review of risk drivers, so that companies’ compliance functions can respond accordingly.

A global pharma company operating in Mainland China wanted to assess risk around travel agencies organizing events. An EY team conducted due diligence on high-risk vendors and assessed a sample of transactions, then performed physical site visits, forensic reviews and interviews. Questionable and sometimes nonexistent events were found.

dices on palm
(Chapter breaker)
4

Chapter 4

The way forward

Here are five key steps to take now to mitigate risks.

Without more assertive action from boards and management to assess the risks and take robust action, we can expect more large-scale fraud, bribery, corruption and competition scandals in Asia-Pacific involving major corporations.

To ensure compliance policies deter unethical conduct, Asia-Pacific business leaders must provide absolute clarity and consistency around how to reduce the risks associated with fraud, bribery and corruption. Companies should:

  • Revisit ABAC policies. Existing ABAC policies should be simplified and provided in the local language. Organizations that don’t have them need to introduce clear gift-giving and entertainment policies. To make policies effective, all leaders, including line managers, must proactively educate employees that compliant behavior is not a hindrance to commercial success, and incentivize and empower employees to make compliance a top priority.
  • Harness forensic data analytics (FDA). This is key to keeping up with the mountains of data organizations must sift through to prevent and detect fraud, bribery and corruption. Compliance teams need to harness FDA to monitor the full range of data points — not just looking for red flags in financial data, but also proactively using sentiment analysis of emails (where legally permissible), and text to detect early warning signs of misconduct.
  • Raise the bar for third parties. As companies look to grow their businesses in the area's emerging markets, compliance programs will need to raise the bar to include multiple ABAC and anti-competition laws and regulations, especially with Asia-Pacific regulators continuing to focus on the risks third parties pose to companies.
  • Benchmark whistleblowing hotlines. Benchmarking will help organizations to identify how to improve their whistleblower protection and effective reporting mechanisms. Companies must adopt and enforce policies to protect whistleblowers from retaliation and ensure appropriate, consistent and transparent follow-up to their disclosures.
  • Treat data risk as one holistic program. Cyber criminals, hackers and malicious insiders are targeting organizations for sensitive commercial information as well as cash. Companies are increasingly vulnerable through careless employees and others not following technology security protocols. As a result, cyber and insider threats have become part of one larger data risk that requires a holistic approach for its prevention, detection and investigation.

 

EY Asia-Pacific Fraud Survey 2017

The EY Asia-Pacific Survey 2017 contains insights from business leaders on the risks and challenges organizations face in fighting fraud and corruption in an era of significant technological advances.

Download (pdf)

Summary

The impact of fraud is increasing on all fronts. As a priority, senior management needs to undertake an urgent assessment of the spiraling threats facing their organizations and strengthen their defenses around both people and technology.

About this article

By Emmanuel Vignal

EY Asia-Pacific Forensic & Integrity Services Leader

Asia-Pacific Forensics Leader. Focuses on helping organizations build out their integrity agendas. Working with organisations in Mitigating and anticipating risks.

Related topics Assurance Forensics Risk