Transforming corporate cultures by placing CFEs in top echelons

During an interview at the 30th Annual ACFE Global Fraud Conference, the Board of Regents opined on how to change corporate cultures, new corporate compliance guidance, ethics vs. profits and more.

The participants

(From left to right)

• Eric R. Feldman, CFE: Feldman is the senior vice president and managing director - corporate ethics and compliance programs for Affiliated Monitors Inc. and a longtime ACFE Faculty member. Previously, he had a 32-year career with the CIA and other U.S. federal agencies.
• Elizabeth J. Simon, CFE, CPA: Simon is the director of ethics & compliance for Cox Communications Inc. She serves on the board of directors of the Atlanta (Georgia) Compliance and Ethics Roundtable.
• Bethmara Kessler, CFE: Kessler is a lecturer and consultant. She's the former head of integrated global services for Campbell Soup Company and has served as chief audit executive, chief compliance officer and head of enterprise risk management for Fortune 500 companies.
• Ryan C. Hubbs, CFE: Hubbs is the global anticorruption and fraud manager for Schlumberger Limited. For more than 18 years, he's conducted international corporate investigations and forensic audits for companies within the energy sector.
• Tony Prior, CFE: Prior is head of financial crime operations at National Australia Bank. He's the founder of the ACFE Sydney Chapter and a former federal agent with the Australian Federal Police.

CFEs can trumpet the age-old “tone at the top” concept, but if top executives aren’t working to transform corporate cultures throughout organizations then fraud prevention and deterrence will continually run up against roadblocks. The members of the ACFE Board of Regents know this from their years of consulting with C-suite execs who want to tackle fraud but also have to wrestle with timid general counsels, fluctuating quarterly reports and concerned stakeholders.

The Board gathered at the beginning of the recent 30th Annual ACFE Global Fraud Conference to opine on the latest anti-fraud issues during a 90-minute Fraud Magazine interview. Here’s a fraction of their views on new corporate compliance guidance, placing CFEs in top management and on boards of directors, vetting unqualified investigators, growing anti-fraud cultures, ethics versus profits and more. (Comments have been edited for clarity and brevity.)

New guidance on corporate compliance

FM: What are some of the new anti-fraud topics that are consuming your time?
Hubbs: One of the things that I’m seeing is re-evaluating what compliance means. The [April] U.S. Department of Justice [DOJ] guidance has come out [“Evaluation of Corporate Compliance Programs”], and very large organizations are still receiving large FCPA [Foreign Corrupt Practices Act] deferred-prosecution agreements. Organizations are spending time trying to determine what else they need to implement or improve on.

Feldman: The assistant attorney general for the [DOJ] criminal division, Brian Benczkowski, put out that new guidance. ... It’s focusing attention on prevention and on the impact that good ethics and compliance programs can have in preventing fraud if they are organized and executed correctly.

The previous guidance was emphasizing corporate culture more so than in the past. The new guidance is also saying that a program has to be based on risk. They want to see fraud risk assessments. They don’t use that term, but that’s what they’re implying. [Feldman presented the Pre-Conference “Practical Issues in Ethics and Compliance: How to Evaluate Your Own Compliance Program Using the U.S. DOJ Guidance” at the 30th Annual ACFE Global Fraud Conference. – ed.]

The DOJ wants us to understand the risks of employee misconduct and organizational misconduct, and they want to see a program that is organized and structured in a way that gets at those risks. If all you have is an enterprise risk assessment that doesn’t identify fraud, then you’re not going to be able to structure a program that addresses those risks.

Kessler: There’s been a tension between general counsels [GC] and the rest of their organizations. “Do we want an effective compliance program? What’s the risk if we actually find out all these things that we then have to manage? Is there a risk if we don’t actually manage them effectively and it comes back to bite us?” I think that this DOJ memo is going a long way in terms of incentivizing even GCs to say, if we do have a situation, we want to make sure that we can defend our position — that our program was effective.

What I particularly think is very powerful is this whole idea of the effectiveness, that it really actually works in practice and that it’s not just a set of words. A lot of compliance programs in the past have been about having checklists. They report that checklist to somebody on the board, the board feels good about it, but then bad things happen and everybody’s like, where was everybody in the mix?

Hubbs: The question is whether the “risk” was on the checklist to begin with. If you’re not doing fraud risk assessments and identifying those weak points, then you don’t know what your real risks are. The fraud landscape is changing so fast, that a risk that you might not have considered three years ago is now present. Or controls that you had in place for the last three years might have protected you 90% of the time. But those same controls are only protecting you 60% because the fraud risk landscape has changed and you haven’t kept up. This is why monitoring and updating component of the COSO fraud risk management guidelines [COSO/ACFE Fraud Risk Management Guide] is so important.

Kessler: I think you’re making a good point. Because what happens is a lot of organizations look at risk assessment as an annual or biannual exercise, and it’s really not. Risk is constantly changing in the organization, inside and outside, and from a lot of different perspectives.

People think of the exercise of risk assessment as something separate. It actually is supposed to represent what risk businesses are facing day-to-day in the operations. That should be something that’s fluid and organic and not something that’s episodic.

No unqualified investigators

Feldman: The other piece of the guidance which hooks back into our roles as fraud examiners is the investigations piece. The weakest link that we see in doing assessments of corporate ethics and compliance is their ability to conduct credible professional investigations. It’s amazing to me, the kind of inquiries that they try to pass off as investigations even in very large companies; that they really are not the things that we would see as professional fraud examinations. I think the need for companies to hire more and more fraud examiners to implement that guidance — that’s going to be top of mind over the next couple of years.

Simon: I think some of the struggle with that is that there are people within the company or groups ... that do investigations when they’re not trained to do them. There’s a lot of data now that we’re mining and using to evaluate different people in different ways — the sales department in an organization, for example. They’ll find these problem areas that are fraud-related, and they’ll just go on their own and do investigations to find out more, and they don’t really know how to do them. I think that we need to make sure that as corporate companies we are aligned and collaborating among all the many groups that may have some kind of reach into potential fraud.

Prior: That’s almost a structural thing in an organization, isn’t it? It needs a central reporting mechanism. You can identify who are the preferred SMEs [subject matter experts] to do the investigations. Is it a CFE, or someone with an HR specialty or some other aspect? If you don’t have that central reporting and oversight, you’re going to get those disparate little subgroups, cottage industries of investigation — what they think are investigations — being undertaken.

Feldman: You have to have written policies on investigations. To your point, Tony, even if you do have centralized reporting — which you’re right, you need to have — it’s the enforcement of that. Because managers in many organizations, depending on the culture, they want to take matters into their own hands. It’s my problem. It’s my area. I’m responsible. I’m going to fix it.

Simon: You have sales people that are incented on targets, and their leaders are also incented on their teams meeting the targets. The leaders are not going to do anything to prevent the bad behavior from happening if the team is meeting their targets even if it’s done by committing fraud. The leaders don’t have any incentive to get rid of the bad apples because they may have to pick up the slack and do more work in order for the team to hit those goals.

Prior: In Australia, we concluded a report in February commissioned for banking in the financial service sector. It showed that banks and financial institutions’ conduct was totally inappropriate in dealing with customers. It came down to an employee dealing with a customer and not asking the question, “can I?” — but “should I”? That simple shifting question. Are they putting the customer or the employee first?

Feldman: That’s the rub there. The “can I?” versus “should I?” That’s ethics versus compliance, isn’t it? The GC gives the guidance to the manager on what’s legal, and how you can do things legally but who answers the question, “should I be doing this in the first place?”

Nurturing anti-fraud cultures

FM: You’re saying organizations are shifting from an emphasis on tone at the top to growing anti-fraud cultures. What are some suggestions for changing the culture of an organization? If you don’t have tone at the top, it’s not going to seep down to the rest of the culture anyway.
Feldman: Most executives have gotten the memo, and they know what they need to say and do. It’s seeping down through the various layers of the organization to that first-line manager that influences the behavior of the employees. It’s getting the hearts and minds of that first-line manager to focus in on good ethical decision-making. The way you do that is with incentives. If the only thing they’re being incentivized is the financial performance metric, and they’re not being held accountable for having conversations about ethical behavior and ensuring that decisions are made consistent with the core values of the company, then you’re going to lose.

We see mixed messages coming from senior leadership all the time. Yes, we want you to make money, meet the targets. Oh, by the way, let’s be sure that we do this correctly. Sometimes, the message they’re hearing is, “just don’t get caught."

Kessler: I once had a case where a company was having a challenging period. And the CFO was a highly ethical individual. In order to make sure that there was a better chance of hitting the numbers, they got all the financial directors and the divisional CFOs together and they had a rally — like a town-hall type of thing. The CFO said, “I need you to do whatever you can to make the numbers.”

The intent was, “Don’t go on boondoggles and spend money that’s wasteful. Make sure you’re doing whatever you can to legitimately get the sales.” Nobody who really knew this individual would think that they were saying, “cook the books.” But there were individuals who interpreted it that way. And when we were doing the investigation and interviewed these folks, they basically said that they believe they were directed to [cook the books].

It actually gave me a pause — what I started doing was anytime I go to a forum where there’s a senior leader making a statement, I always sit with a little note pad, jot down anything that could be misinterpreted and find a way to share it with the leader so they can clarify to folks, if necessary.

Simon: I think to your point, it’s difficult as you’re climbing the corporate ladder, and I think new leaders need to have more training on how to do this. Because as you get higher up in an organization what you say means something different to other people than if you were just a lower-level person.

For example, if you are a leader and you’re in a meeting brainstorming with other people, perhaps thinking out loud, the other people in the room may take it as, “This is what I need to do,” and then go and do it. That may not be the intent at all. I think that there really needs to be more training as you go up the chain on how your words may be interpreted.

Prior: I think on the on the flip side is a leadership role for middle managers. There’s an old saying, “The behavior you walk past is the one you condone.” I don’t think any model should rely solely on the tone at the top. Having some key performance indicators or some way of measuring that those middle managers are practicing ethical behaviors — supporting the culture — is really important as well.

Feldman: I’ll tell you a quick story that underscores that. We were doing an assessment of an international consulting firm. Their written code of conduct said, “We rely on our first-line managers to communicate the ethics message and translate that into day-to-day decision making.” Now, that is beautiful. That is what you want.

Being the trusting soul that I am, we did our first focus group with first-line managers. I read them the excerpt from the company’s code of conduct just to remind them, and I asked just out of curiosity, “How do you do that? How do you communicate that ethics message to your staff and get that translated into what they do every day? Because, that’s really where the rubber meets the road.”

They all looked at each other, and they started laughing. I said, “What’s so funny? I thought that you were doing this.” They said, “Listen, all this company cares about is how many contracts I sell. If they wanted us to communicate some ethics message, they’d, No. 1, train us on how to do that, and then, No. 2, they would incentivize us.” It would be in a performance appraisal. It would be consideration for promotion. None of which took place. The organization wasn’t communicating to its staff that they wanted them to be ethical leaders. They got promoted based on purely financial metrics.

FM: Do we all need CFEs to be whispering in the right ear of every middle manager?
Kessler: I think there’s an opportunity for CFEs to actually become bigger power brokers and players in organizations. To be the ones who are the evangelists and spread the message — everything from holding informal “lunch and learns” to having those instructive conversations with leaders whose words or actions could be misinterpreted by others. But I think we absolutely have an opportunity and a responsibility to play the role of helping to ensure that the culture is being shaped in a way that is ethical, credible and has integrity.

Feldman: I’d like to see more of a focus in corporate compliance functions on anti-fraud and anti-fraud education, not just on legal and regulatory compliance. You’re not going to achieve regulatory compliance unless the culture is good and people want to comply.

FM: Why is it taking so long to change things? 
Hubbs: There is still a mindset across all industries that fraud doesn’t happen here. It happens with our clients, with our competitors, but it doesn’t happen here. We hire good people, and nobody here would jeopardize their job. But I think the reality is a lot of decisions on fraud prevention and fraud detection comes back to some people’s beliefs about their own mortality. We either take proactive approaches to preventing something bad or responsive actions to a bad event.

Some people go to the doctor all the time. Some people don’t do any preventive measures to keep themselves healthy. It’s not until they have an event that they either start exercising, change their eating habits, etc. I think it’s almost the same way with fraud. It’s something that nobody wants to talk about. It happens to other people, and maybe I don’t understand the risks because I don’t really understand my organization’s fraud risks.

Simon: I think a lot of it is about change management. So, you’re saying people are in denial, and the first phase of change management is denial. If we’re all denying that there is fraud happening in the organization, then we’re never going to get past that to go to the next step. If we want to make change happen then we have to go through that whole process of making it happen.

Kessler: If a CEO said, “I’m going to make fraud prevention a big item,” it’s almost saying, “I believe that fraud is occurring in my organization.” I was the chief audit executive in an organization, and I wanted to implement a proactive fraud program that looked for red flags of fraud, waste and abuse. When I presented my audit plan, I had a board member say to me, “You’re wasting your time. Fraud doesn’t happen here; we have really good people.” By the time I did my first or second of these, I found people who committed fraud, and they were fired. Fraud exists in every organization. I’ve had cases where very senior people have committed fraud. People that were the moneymakers of the organization. Is there a consequence? Is there a punishment? What’s the accountability that’s put on the leadership to actually take action?

I’ve had situations where I’ve seen people paid to go away, situations where people were allowed to stay in the role because they were too important to let go. What you’re doing is now you’ve set the bar in your organization that we tolerate this.

Prior: An organization takes action against an employee. How the individual is dealt with is typically an employee relations/legal function, but try and get some independence to the decision. The precedents set by that decision can have cultural impacts across the whole organization if the employee is not seen to be treated in a correct manner.

Feldman: In order to change the culture, you have to have the influence right up front. If it’s the general counsel of the organization that has ultimate responsibility for ethics and compliance, the GC has a fiduciary duty to protect the corporation. If it’s a publicly held company, especially any whiff of fraud is going to impact stock price pretty substantially, even if there’s an allegation.

The GC does not want that fraud to surface, and the GC does not want the anti-fraud education to take a front seat instead of a back seat. You’ve got to have an ethics and compliance officer who’s structurally independent, who has a seat at the table and can influence the direction the organization goes.

Concentrating on ethics first, profit second

FM: It’d be nice just to have a test case of a new startup that from the very beginning decides to do it right rather than concentrating on the bottom line and realizing that they need to concentrate on ethics first and then talk about the bottom line after that. 
Kessler: Yes, there are B Corps designation for businesses. [See “Certified B Corporation,” a project of B Lab, which certifies businesses that it says “meet the highest standards of verified social and environmental performance, public transparency, and legal accountability to balance profit and purpose.” B Lab says there are more than 2,500 Certified B Corporations in more than 50 countries. – ed.]

It’s interesting to watch those companies start up and shape because ethics is actually at their core. Whether they apply the ethics consistently to how they behave from a corporate perspective equally to products and services and things that they offer is the question.

FM: Wouldn’t it be great if they had a team of CFEs at the start-up of the new B Corp in top management at the very beginning. They would be able to inculcate these values.
Feldman: The problem is until organizations see a return on investment from ethics and anti-fraud emphases — if they’d look at it from a strategic point of view instead of viewing it as more overhead — you’re not going to see massive change. It’ll be incremental until that happens.

Kessler: Right, and most of it now is the posturing of the cost of avoidance. So, the whole DOJ memo — the reason people are paying attention to it is because if they end up in a situation they want to be able to get credit for all the effort and work that they’ve done. It’s not about that this is something that’s benefiting my bottom line.

Hubbs: Eric and I were talking last night on how we can increase fraud awareness for management in organizations. One of the things that CFEs should start reporting is not only fraud losses but the loss of future revenues needed to pay for the loss. Say you lost $500,000 in an expense-account fraud scheme. If your organization’s profit margin is 10% — the amount left over after all expenses are paid — you’d have to ask your sales personnel to go find $5 million of new revenue to cover this one loss. This adds a significant magnitude to the loss. A $100 million fine and penalty would need $1 billion in new revenue to cover the fine. Management is continually focused on revenue and CFEs should be as well. Framing losses in this light can help increase discussions about fraud prevention and the overall impact fraud can have on an organization — well beyond the initial losses.

Kessler: It would be interesting to see more CFEs in the boardroom. If you have CFEs on an audit committee that are looking at the compliance program and actually challenging the GCs against some of the decisions that they may be making from a legal perspective. Because that’s where you have the true governance piece that’s protecting shareholders, that’s protecting the company.

Feldman: They need to know what to ask. Board members and the committee members need to know the right questions that I need to ask of the executives when they come and make their presentations.

I’ve been before boards where I’ve asked the question, “Any of you have an idea what the ethical culture is of this company?” They don’t have a clue. Most CEOs really don’t have a clue. They know what they like it to be aspirationally, but they don’t know what it is. Then you ask a senior leadership team, “Who’s responsible for culture?” They’ll all point at each other. Well, it has to be HR because that’s the squishy human resources thing.

No, it’s the GC because they’re in charge of compliance. No, it’s internal audit because they talk to everyone. The answer is everybody, but someone needs to be focused on it and report on it, and the board needs to ask about it.

Simon: Senior leaders are sometimes so far removed from the people who do the jobs. They don’t know what the culture is because they don’t talk to those people; they don’t interact with those people enough.

Feldman: I go into companies at the time of an ethical failure and they’re really at their lowest point, and I’ll sit and meet with the CEO. CEOs say to me, “I don’t know what happened in my company. I send out relentless email messages about ethical behavior, and I don’t understand why they didn’t follow it.” Really shows just a lack of situational awareness.

Kessler: I had a case where it was a while into a particular fraud, we were doing the interviews of the folks that would have potentially been knowledgeable about it. As soon as we walked in the room, they’re like, “Oh, thankfully, somebody’s finally investigating this, so and so is such a crook.” We asked, “Why didn’t you tell anybody?” Every single one said, “I did.” Then when we asked who they told, some went to HR, some went to a different manager, some called into the hotline. But the way they had described it, it became an HR issue instead of a fraud investigation.

In the end, the guy had gotten away with a couple of million dollars. We would have been able to catch it much earlier if the program was effective, had protocols and if there was somebody in charge that was actually connecting the dots.

Simon: Culture means different things to different people, too. Because if I think about the culture in my company, everyone’s super nice, very family-oriented, but that’s not really what we’re talking about, necessarily. We’re talking about, how do you make decisions about the numbers? How do you make decisions about what to do? That’s not what they think about necessarily when they think about culture.

Hubbs: Multinational organizations also struggle with culture especially when there are employees from dozens of different countries. What is ethical behavior in one geography may not even exist in another society.

Feldman: That’s right.

Hubbs: Conflicts of interest and self-dealing in some societies may be how some business transactions are done. In some societies excessive gifts and entertainment are normal, but in other countries it can be against the law. If your organization conducts business across multiple geographies it can be difficult to promote, grow and sustain a single and strong compliance culture.

Feldman: It’s not all negative. I was in a company a couple of weeks ago where I asked the question about the culture and they said, “The leadership of this company would step over a million dollars to avoid even the perception of doing the wrong thing.” That’s really what you want to hear.

FM: Who were you asking?

Feldman: Rank-and-file employees, staff engineers, project managers. It was very inspiring.

Dick Carozza, CFE, is editor-in-chief of Fraud Magazine.