Internal to External:
A Change in Approach to Risk Management
Global Fraud and Risk Report 2021/22 - Bribery and Corruption Risk
Global Fraud and Risk Report 2021/22 - Internal to External: A Change in Approach to Risk Management
John le Carre once wrote, “There’s only one thing worse than change and that’s the status quo.” Just because a business has seen success with internal audits and enterprise-wide risk assessments, it doesn’t mean it should simply rest on its laurels and consider its risk management strategy a job well done. While internal departmental structures and processes may experience slow, tectonic-like shifts, the external environment is far more turbulent.
That’s why connecting the dots between internal controls and external scrutiny is crucial; because they move at different speeds, their integration has to be well nurtured and properly cultivated. Kroll’s own research suggests that nearly half (46%) of all organizations surveyed put lack of visibility over third parties as their number one vulnerability when it comes to managing bribery and corruption risk. With the best will in the world, this cannot be fixed by continually looking inward. These days, businesses need to see the wood and the trees; in other words, they need to have a tight grasp of their internal data as well as the ability to zoom out to the external environment.
The Unfortunate COVID-19 Catalyst
The pandemic is continually mentioned alongside the word “unprecedented,” but there are few words better able to describe its impact on businesses and the global economy. As demand for digital goods and services skyrocketed, the opportunities for bad actors to peddle their unethical practices also boomed. The Organisation for Economic Cooperation and Development (OECD) even put out an official warning in 2020 about the escalating risks of bribery and corruption specifically related to the pandemic.1 Dramatic shifts in supply chains, digital migration and customs controls were all cited as potential avenues of exploitation.
The pandemic has also put organizations under intense financial pressure, particularly those that had to close their doors or limit their service due to lockdown restrictions. Nobody can blame these businesses for putting preservation above all else, but with incidents of bribery and corruption regrettably on the rise, survival can come at a devastatingly high cost. If organizations felt they had a blind spot for third-party suppliers before the pandemic, they now probably feel like they’re fighting a losing battle. This signals all the more reason to equip themselves to tackle corruption early and fend it off at the gates–but how?
Stepping Outside of the Box
Thanks to cloud transformation and digitalization, supply chains are now more like entangled webs that are near-impossible to map and analyze. Nevertheless, the mantra “a chain is only as strong as its weakest link” holds firm and true. If businesses are to curb the ever-increasing threat of bribery and corruption, they must look beyond internal blanket control functions and off-the-shelf solutions.
To do so, businesses need board-level engagement, robust internal control frameworks tailored by department and the application of data-driven analytics to assess and identify risks as they emerge. This is only possible if a business is able to step outside of its own environment and close the gap between internal policies and external developments. It’s one thing to run internal controls and clamp down on unethical practices within an organization, but if a business doesn’t keep one eye on external threats it runs the risk of becoming complacent and set in its ways. This is difficult, but not insurmountable.
Part of the problem here is that for too long businesses have gotten used to simply “getting by” on their current tools and processes to stay on the right side of a rapidly transforming compliance landscape. When regulations appear to change with the wind and new compliance obligations sprout up every month, any business could be forgiven for just doing what they have to do to keep up. That might be possible internally to a degree, but what about external risks? How can a business take ownership over risks that would otherwise be out of its control in order to mitigate them and improve its defensive posture?
Well, it can start by educating third parties. It’s a soft touch, and one that benefits both parties equally. If a business can pass on some of its wisdom to one of its long-term suppliers through training or “meeting the team” sessions, for example, that supplier will become less vulnerable, making it a stronger link in the chain. As a backup to this approach, businesses should also seek a “right to audit” clause in any supplier, distributor or third-party contract. This will at least give businesses some kind of jurisdiction over their supply chain should a risk or potential threat emerge, otherwise every third party becomes a blind spot during an assessment. An organization could also run local public records and social media reviews to get an indication of possible external risks that might impact third parties in their business chain, or take steps to understand their suppliers’ culture.
While often underrated and undervalued, company culture should be front and center of any strategy to curb bribery and corruption risk. Cultivating a culture of education, transparency and openness within a business and extending that to third parties where possible will give businesses an incredibly strong foundation on which to build out their future efforts. This will almost certainly involve some level of investment when it comes to communicating and instilling the company message throughout an organization. Some businesses may even choose to create sector-specific stakeholder groups that can work together in order to build the company message and spread it far and wide.
Given respondents’ concerns about third-party risk, these cultural checks may need to extend outside the organization. Businesses are increasingly conducting a culture check on a target company as part of an acquisition process or similar transaction to look for issues which might be hidden from public view.
This extends far beyond the “tone from the top” approach that businesses are used to taking internally. Instead, values and their accompanying messaging need to be formed on the ground with people that frequently represent the business and engage with third parties, and those third parties also need to be engaged and influenced. Only then will businesses be able to see an organic shift in culture and communication that in turn creates a “hostile environment” for bribery and corruption.