Taking decisive mitigation and remediation actions
Companies need not wait until the investigation is completed before taking decisive mitigation or remediation actions. When an incident happens, regulators will often question whether other risks may be present in the organization or whether similar issues may occur in other territories where the organization operates.
Regulators are increasingly sharing information with their counterparts in other jurisdictions. An example is the payment of bribes to government officials. Many anti-bribery and corruption regulations are extraterritorial, including Singapore’s Prevention of Corruption Act, the Malaysian Anti-Corruption Commission Act, the US Foreign Corrupt Practices Act and the UK Bribery Act. An incident impacting an organization in one territory can quickly escalate and impact its operations in other key markets.
The board should conduct risk and controls assessments as soon as practicable and in parallel with the investigation, but without impeding it. Acting swiftly to identify and remediate risks and control weaknesses, as opposed to waiting for the investigation to be completed, will go a long way toward restoring the confidence of regulators and other stakeholders.
Importantly, as part of remediation measures, companies need to establish an effective fraud risk management framework to strengthen proactive fraud prevention, detection and monitoring controls. Having a whistle-blowing hotline may not be sufficient — the program needs to be tested for effectiveness. The adoption of fraud detection systems, case management and workflow solutions to enable the compliance function to anticipate and detect risks more effectively is also crucial. This will provide greater assurance to regulators and other key stakeholders that adequate measures are implemented to prevent similar issues from reoccurring.
By staying vigilant and proactively directing the management to establish a crisis management framework, the board will enhance its effectiveness in overseeing adverse events and safeguarding stakeholders’ trust. The board should consider the following questions:
- What are the crisis management plans or playbooks in place to help the board and management deal with adverse events?
- How will the board directors discharge their fiduciary duties in the conduct of a complex corporate investigation where the ethics and integrity of the senior management have been called into question?
- Does the board have the ability to quickly draw upon the experience of independent forensic and legal experts at its disposal to avoid common pitfalls, address issues swiftly and secure stakeholders’ trust?
- Has the board implemented effective monitoring of financial transactions using technology and data to identify and investigate fraud indicators?
- How often is the fraud risk management program, including the whistle-blowing program, tested to confirm that it is effective?
- Is the board able to justify that the management has established adequate controls and procedures to prevent and detect fraud?