This is the second part in a series of articles exploring COVID-19 Key Risks. The first part was on Business Continuity Risk in a Pandemic.
Many organisations have requested information and commentary in relation to risk and the impact of the COVID-19 pandemic on organisations, and many are querying which changes they should be making to their risk registers.
The COVID-19 pandemic will change the ways organisations operate in both the short and long term. What is the ‘new normal’ for businesses? What are the key risks for organisations right now? Which areas should organisations focus on in order to maintain high standards of governance, risk management and compliance?
As a result of our engagement with organisations around the country, over the next few weeks, the GRC for Executives Blog will provide organisations with a risk management perspective on the many changes and challenges that organisations face now and into the future in a series of articles.
While we may rate the risks that we will discuss in this series of articles as ‘Key Risks’, new developments and new perspectives should be considered when making changes to your risk register.
Motive and opportunity are the frequent precursors to criminal behaviour. The COVID-19 pandemic has changed the way most of us work and that in turn gives rise to new opportunities for unethical behaviour, criminal acts and misconduct. What motivates an individual to engage in fraud or corruption varies for each person, but the COVID-19 pandemic has presented a number of factors: significant financial hardship due to lost or reduced income, addictions such as drugs or gambling aggravated by isolation and stress, as well as the need to get things done when there is no one to check that the required (time-consuming) procedures are followed.
With a large proportion of the workforce working from home, and operations working on reduced occupancy limits and limited staffing, there is a much greater risk of theft, fraud and corruption taking place or continuing, where a lack of direct oversight can lead to workers more readily being able to steal from petty cash or office supplies and inventory, gain access to sensitive files that they should not be accessing, or obtain and pass on sensitive commercial information.
Working from home arrangements mean that workers are given greater autonomy, which requires a greater level of trust on the employer’s part. While most people are honest and trustworthy, the ability of supervisors and managers to monitor staff and provide guidance will be severely hampered by their inability to carry out physical oversight, especially when their own home environment may be causing distractions such as the presence of children who are not at school or childcare, or other household members working from home. Working from home arrangements may also give rise to opportunities for third parties to gain access to commercially sensitive information either accidentally or wilfully, as other household members may see a benefit from using information that is left ‘lying around’.
There are a number of ways that an employer can reduce the risk of fraud and corruption. Managers should ensure that they interact regularly with staff, preferably via videoconference, as staff feeling that they are left to their own devices can lead to intentional misconduct or serious lapses in judgment, because no one was checking for mistakes or misunderstandings. Managers should discuss with employees their work and key compliance requirements, and encourage employees to raise any uncertainties about their work. This is especially important with more junior employees or those embarking on new work. At the most basic level, managers should be checking that staff are actually at work for the requisite periods for which they are getting paid.
More concrete ways of reducing the risk of fraud are ensuring that there are accurate records of company equipment and other valuables, and where they are located: whether still in the work premises or in the home of an identified staff member. This inventory should be audited for currency and completeness from time to time. Staff should also be reminded at regular intervals to ensure that they observe confidentiality, privacy and security obligations, and not leave confidential documents on shared printers, or allow family members to use work computers.
Having a staff code of conduct is another key method for reducing the risk of fraud. The code sets the ethical tone for an organisation, and while staff may find it annoying to be continually reminded of it, an occasional reminder is necessary to ensure that all staff are aware of what an employer expects of them and the undertakings that they have made to fulfil those expectations.
For any organisation committed to conducting its business with honesty, fairness and integrity it is crucial to ensure that its staff and other stakeholders know that any wrongdoing will not be tolerated, and if wrongdoing is identified it will be addressed appropriately. Even for organisations for whom survival, rather than more lofty ideals, is front of mind at this time, the risks associated with wrongdoing going unchecked can mean the difference between pulling through the pandemic and drowning in lost assets and revenues, prosecutions, damaged reputation, and the loss of key staff.
In this environment it becomes particularly important for an organisation to make it clear that it won’t tolerate wrongdoing and that it encourages and supports individuals who let the organisation know what is happening so that it can be stopped.
The key whistleblower risk in 2020 is not having a clearly communicated whistleblower program. While this is also a legal compliance risk for most companies (having a whistleblower policy for public companies and large proprietary companies has been a statutory requirement since 1 January 2020), the potential or actual damage to an organisation from ongoing misconduct or criminal activities continuing undetected should not be underestimated.
The message is clear: people should have the confidence to come forward and report fraud, corruption, misconduct, or any other illegal activity, without fear of personal or professional repercussions, and with the support of the law and their workplace. It is essential to maintain confidence and stability in our financial services industries, charities and NFPs, and the economy at large, that people can identify and ‘blow the whistle’ on activity that can cause harm or loss to consumers, investors, donors, the environment, and the community.
Merely encouraging people to disclose suspected wrongdoing is not enough – there must be appropriate procedures to provide confidence in the commitment of the company to address wrongdoing. This is particularly important when many staff are still working from home and may not be in a position to informally ask for advice regarding suspected or perceived wrongdoing, or they may not even know who to ask about who they should be talking to. For example, a temporary replacement or junior staff member on higher duties who is covering for a (fraudulent) employee whose absence is due to the COVID-19 pandemic, might have no idea who they should go to in order to discuss or report their suspicions.
A critical element in reducing the risk of wrongdoing going undetected and unreported is to make it as simple as possible for witnesses (whistleblowers) to raise their concerns. To do that requires a potential whistleblower to know:
- who they can approach to raise their concerns (and having options available as to the individuals or entities that they can approach)
- how they can approach the person (this is likely to be an issue when they are not able to just bump into them in the office)
- that if their concerns are reasonable, the matter will be taken seriously and investigated, and they will be given feedback on what is happening
- that they will be protected from detriment, including by protecting the confidentiality of their identity
Under the recently expanded whistleblower protection regime in Part 9.4AAA of the Corporations Act, whistleblower protections extend not only to current or former employees, officers, board members, contractors and others who provide paid and unpaid services or goods to an organisation, but also to spouses and relatives of these individuals. The categories of people to whom protected whistleblower disclosures can be made have also been expanded to include board members, company secretaries and senior managers of the organisation, the organisation’s auditors and actuaries, as well as ASIC and APRA. All of those recipients are then required to ensure that, if or when they receive a report of suspected wrongdoing, they take the appropriate action, including protecting the whistleblower as required by the whistleblower legislation.
This brings us to the next whistleblower risk: the risk of the recipient of a whistleblower disclosure not knowing what they should be doing, and therefore breaching the legal protection requirements, or not knowing what to do with the information that they have received.
All companies and constitutional corporations must comply with the whistleblower protections. The need to put them into effect will arise in businesses of all sizes, nature and types, at every level, so it is important for organisations to not only provide a supportive environment for potential whistleblowers, but also for all staff to understand their obligation not to victimise an actual or suspected whistleblower.
Should a whistleblower (or a person suspected of being a whistleblower) face any repercussions in the workplace, including termination of employment as a result of the whistleblower disclosure, the employer or organisation faces the risk of being charged with a criminal offence, as well as being liable for a civil penalty or payment of compensation to a whistleblower who suffers loss, damage or injury as a result of the detrimental conduct. In addition, the affected person can take action under the Fair Work Act. The same protection against detriment applies to suppliers or contractors, protecting them from having their contracts terminated or not renewed as a result of their whistleblower disclosure.
The risk of harm to the organisation as a result of a botched whistleblower response does not stop at the legal consequences. If an employee whistleblower is dismissed by the organisation, this will potentially attract negative media attention. Frustrated whistleblowers can turn to social media or traditional media to raise their concerns in a way that would be harmful to the organisation’s reputation.
The experience of a whistleblower being badly handled by the organisation is also likely to have a negative impact on the culture of the workplace and general morale, as other staff will be deterred from coming forward to identify wrongdoing if they see their colleague treated poorly as a result. This also impacts on how the organisation’s ethics and integrity are perceived both inside and outside the organisation – failing to properly investigate a disclosure or victimising the whistleblower would indicate that the misconduct is condoned by the organisation, as was suggested had happened in many instances discussed by the Banking Royal Commission.
Actions to Take
- review their current COVID-19 pandemic working arrangements and identify the areas that are the key areas of risk for fraud, theft, and corruption, for example physical theft opportunities, or employees avoiding compliance with procedures. Procedures or monitoring should be amended to address these identified risks
- ensure that all staff have regular contact with their managers and that their managers encourage questions
- ensure that equipment inventories are maintained and checked
- ensure that all staff are reminded of their obligations under the code of conduct
- ensure that all staff, contractors, and other stakeholders are aware that the organisation encourages disclosures of misconduct, and unethical or criminal behaviour and will take appropriate action and protect whistleblowers
- if required to have a whistleblower policy, ensure that the policy complies with the requirements of Part 9.4AAA of the Corporations Act and ASIC’s Regulatory Guide 270 and that it is communicated to (at least) all staff and officers, including board members
- if the organisation is a company or constitutional corporation, ensure that all staff and board members understand their obligations, including not causing detriment to actual or suspected whistleblowers
- ensure that all board members, company secretaries, and senior managers understand what steps they need to take to deal with a whistleblower disclosure and to protect the whistleblower.
If you would like to discuss how CompliSpace’s Fraud & Corruption and Whistleblower Programs can assist your organisation, please contact us directly on 1300 132 090.