Why is it so important to understand the nature of the disturbing information provided?
First and foremost once we have received information about potential misconduct we cannot afford to ignore it. Why? Most obvious answer would be, because there are regulations that impose criminal, civil and administrative liability for corporate negligence. Corporate entities, especially those running commercial activities are required to apply due diligence in selection, supervision and organisation. We could collectively call these conditions corporate liability triangle. Non-compliance with them may lead to costly consequences. Examples of regulations imposing such liability for corporate negligence could be the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act 2010, French Sapin II or Polish Act on criminal liability of corporate entities.
Secondly, as researched by the Association of Certified Fraud Examiners (ACFE) and published in annual Reports to the Nations, the longer we tolerate fraud or other misconduct the greater are losses resulting from it. This is a simple consequence of a fraud Triangle by Donald Cressey, where the opportunity, pressure and justification lead to misconduct. The longer it is tolerated the easier is for the perpetrator to justify his or her actions. The increase of fraud damage in the function of time is very dramatic and leads to multiple-fold increase of losses. Moreover, the longer we wait with reaction the harder it is to recover the losses. Also, some of them may also not even qualify to insurance claim due to the limitation periods.
Thirdly, and lastly in this entry, if we turn our blind eye to fraud or misconduct, we may face the allegations of aiding and abetting to the perpetrators, especially if our obligation by the contract or law is to prevent misconduct and ensure regulatory compliance and we did the opposite by not to take action. This subsidiary liability is particularly dangerous for those who by definition are obliged to care for the good of the corporation, such us management boards or C-suit managers.
What do we need to do with the information about potential fraud or other misconduct?
First we need to triage it, by applying a filter of 7 golden questions leading to understanding of: (1) what might have happened? (2) when?, (3) where?, (4) how?, (5) who did it or was involved?, (6) why has this happened?, and last but not least (7) what it means for me / the organisation? The latter is potentially the most important. It drives to the next step of the triage.
The next step, is to understand whether the information received describes a criminal or otherwise forbidden act, and whether is possible that the act took place, also whether the act has anything to do with our organisation. It might be that the description meets a definition of a crime and sounds likely it has happened but has nothing to do with us. Then it is only our moral obligation to report to the law enforcement. However, if the event description is associated with our organisation and meets the condition of likelihood and criminal event, then we need to act upon it in order to manage the adverse consequences and mitigate the losses.
Sometimes, the information provided by the source (either internal or external) may be blurry, in this case we might need to get back to the source or perform internal preliminary checks, but preliminary not leading to alert possible perpetrators of the reported misconduct. If our preliminary follow up checks confirms likelihood of a criminal action affecting our organisation we need to act upon it, and act without undue delay.
More on the planning, investigation team composition and forensic hypotheses in the next chapter.
