When fraud or other malpractice is discovered, we tend to interpret it as evidence of management weakness. Whether or not that is the case, the first instinctive reaction of managers is often “Cover it up! They will do their own shotgun investigation, and move on with as little publicity as possible. It happens at every level; even at the top level many companies have preferred to reward malpractice with early retirement rather than face the publicity that an investigation might generate. This is unfortunate, as it sends the wrong signal to the organization, and erodes the internal culture. And, the organization loses the opportunity to learn from mistakes, raise internal awareness of risks and identify root causes that need fixing.
Fraud will happen
In practice, good management and strong internal control cannot guarantee the absence of fraud and malpractice. Every organization, to varying degrees, decentralizes authority and responsibility to its members. Management cannot maintain absolute control over the actions of employees, suppliers and business partners. The owners cannot fully control management. We simply cannot manage without trust. As a result, there will always be opportunities for fraud to occur. When it does, if the incident is detected, competently investigated and appropriately resolved, that is a sign of management strength, not weakness!
We need to change our attitude towards the risk of fraud and malpractice. Typically, managers see these as an unlikely events, exceptions. We know they are possible, but we don’t expect it will happen in our organization. As a result, when a serious incident occurs we are caught off guard, embarrassed, and anxious to cover-up. We need to change our mindset and recognize that some amount of fraud and malpractice is highly probable. We can and should take reasonable preventive actions, but we should also be prepared to handle the incidents that will occur. By preparing a response plan, we can in a calm and organized manner set priorities, identify resources, and assign responsibilities. Then when the time inevitably comes, we can manage the investigation not as a crisis but as a normal business process.
Silo Mentality and Investigations
Various functions in the organization might have some capacity or mandate to investigate. There is internal audit, security, legal, HR, certainly line management, and others. If incident response plans are not formalized, the function that owns a particular investigation is often the one who first learns about it. There have been cases where two parallel internal investigations were started by different functions, each ignorant of the other! A formal incident response plan ensures that information is shared by a small, central group and that each investigation is managed by the persons most qualified to do so. More on this subject later!