Global Featured Wired

The Art of the Possible: Risk-Based Compliance for Business Associates

The Compliance & Ethics Blog -

By Mahmood Sher-Jan, CHPC, EVP and GM RADAR business unit This is part 2 of a 3-part series on healthcare business associates risks. The first part is Business Associates 101: Are a Business Associate?  If you do business with healthcare covered entities in any capacity that involves accessing, processing or maintaining identifiable personal information […]

Highway 61 and IRS Involvement in FCPA Enforcement

Corporate Compliance Insights -

If you need a reason to bolster your monitoring efforts, you may find the recent FCPA enforcement action against Vicente Eduardo Garcia to be quite instructive. One noteworthy feature of this investigation was the involvement of the IRS’s Criminal Investigation unit, the lesser-discussed of the DOJ’s two investigative bodies, called in to comb through mountains of data and identify violations. The post Highway 61 and IRS Involvement in FCPA Enforcement appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

Recent U.S. Department of Justice Memorandum, “Individual Accountability for Corporate Wrongdoing,” Targeting Individuals May Result in Unintended Consequences

Global Compliance News -

Deputy U.S. Attorney General Sally Quillian Yates issued a memorandum to all attorneys of the United States Department of Justice entitled “Individual Accountability for Corporate Wrongdoing”. How does it affect your business?

The post Recent U.S. Department of Justice Memorandum, “Individual Accountability for Corporate Wrongdoing,” Targeting Individuals May Result in Unintended Consequences appeared first on Global Compliance News.

Are You Approachable?

Leading in Context -

By Linda Fisher Thornton The pace of change is out of control in the workplace. Have any of you learned more than three new software programs this week? Have you had to deliver on deadline in spite of being completely new to a project? Have you struggled to get the attention of colleagues when you need their input, only to find that they are too busy to make the time to meet?

Cleaning Up a Compliance Program Mess

Corruption, Crime & Compliance Blog -

You have just been hired as the new Chief Compliance Officer of a global company operating in over 80 countries, including numerous high-risk corruption countries. You have no staff and have been given a budget to hire 5 full-time professionals, support staff, and technology, if reasonably priced.

When you look into the existing compliance program, you realize that everything is a mess. There are no real controls in place, third parties are being hired with perfunctory diligence, and training has only focused on the company’s code of ethics and compliance. Your code is strong but nothing has been done, in reality, to implement or enforce it.

Internal audit has not focused on any aspect of the company’s code of ethics or compliance program but instead has conducted a variety of inquiries relating to corporate finances and reporting.

What should you do?

Well, resignation is not an option. Instead, you need to roll up your sleeves and get started on cleaning up this mess.

How do you do that?

The first thing you need to do (besides drinking a glass of wine or a beer) is to take a deep breath and develop a realistic timeline for action. At a minimum, turning this program around will take two to three years, unless the government has launched an investigation of the company.

So, once you have a timeline in mind, and a realistic set of expectations, where do you start?

One key time-intensive function is to identify staff and begin the hiring process. Most CCOs underestimate the time it takes to put together a new staff. It can take two years to find the right people with the appropriate skill set.

Assuming resources come in to the CCO as needed, the CCO has to conduct a realistic appraisal of risks and ongoing (or expected) activity. A formal risk assessment is not needed; instead, a CCO has to rely on a gut-check risk assessment and put together an action plan. In this circumstance, the CCO has to stop the bleeding – identify and patch together controls to mitigate the most significant risks.

One area that should be avoided is putting a significant effort into creating or promoting an ethical culture. I do not mean to suggest that an ethical culture is not important but in terms of priorities, the CCO has to develop some of the compliance infrastructure before enlisting the CEO and senior management to step up and promote an ethical culture.

As an initial matter, it is important for the CCO to develop internal relationships by demonstrating compliance solutions, fixing the program that everyone knows is not working (but probably will not say), and establishing working relationships with important internal allies, especially in legal, audit, human resources, and finance functions.

Once the significant projects are identified, the CCO has to take steps to address the deficiencies. One area where the CCO is likely to start is on training. An ineffective training program has to be fixed right away to ensure that everyone understands the law, company policies, and what is required to ensure compliance.

A code of conduct training initiative is a strong start but much more is needed, particularly in complex areas like anti-corruption, export control/sanctions, and antitrust. There is nothing more dangerous to a company than to have lawyers, business managers, and employees operating in a risky world with no clear understanding of what the law and compliance requires.

Aside from training, a CCO has to focus on another key risk. In many cases, a company with a compliance mess may not have a real due diligence program for third parties or vendors/suppliers, or an established export control/sanctions screening compliance process.

Depending on the nature of the risk, the CCO should target a compliance fix in the high-risk area. If the CCO explains what he or she is doing and why to the business side, the managers will easily understand why the CCO is putting in controls and how the compliance effort will protect the company’s business operations. It is a quick and easy way to demonstrate the CCO’s competency and practical approach to solving compliance problems.

For the CCO who walks into a compliance mess, my key advice is to be realistic, demonstrate your competency, and build internal relationships that will lead to (relatively) easy successes.

The post Cleaning Up a Compliance Program Mess appeared first on Corruption, Crime & Compliance.

DOJ’s Adventist Settlement Puts the Power of Whistleblowers in “Stark” Relief

The Compliance & Ethics Blog -

By Molly Knobler and Tim McCormack of Constantine Cannon There is no denying that certain aspects of the Physician Self-Referral Law, more commonly known as the “Stark Law,” are complicated.  The Stark Law and its corresponding regulatory scheme include a web of technical terms, safe harbors, and interpretive guidance.   Is this complexity a necessary byproduct of […]

Business Associates 101: Are We a Business Associate?

The Compliance & Ethics Blog -

By Rick Kam This is part 1 of a 3-part series on healthcare business associates risks. Picture this: You’re a small consulting firm and you were hired to do an audit on coding for a healthcare insurance provider. Suddenly your client discovers that patient records have been lost or stolen, they’re investigating the incident, […]

The Corporate Crisis: Executive Misconduct

Ezine Articles - Business Risk Management -

How a corporation responds to a potential crisis involving allegations of an ethical lapse on the part of a senior executive has the potential to shape its corporate image long after the initial event is over. As Toyota and the Subway corporation are currently discovering, despite all best corporate governance efforts, including expertly crafted corporate compliance programs and codes of conduct, no corporation is immune from the damage that can be sustained from the alleged ethical lapse or misconduct on the part of a senior executive or corporate spokesperson. Mitigation efforts can be especially challenging when the senior executive's alleged...

Learning from VW: Check Your Software

The Compliance & Ethics Blog -

By Adam Turteltaub Last week saw the revelation that Volkswagen gamed emissions control testing.  Multiple news stories have since reported, and VW did not deny, that the emissions control system in its diesel cars could sense when a test of pollutants was being conducted.  The emissions controls switched on during the test and then […]

Supply Chain Disruption Hits 76% of Businesses a Year

Risk Management Monitor -

Almost a quarter of businesses reported annual cumulative losses of at least $1.05 million (CAD $1.4 million) due to supply chain disruptions, and 76% of businesses reported at least one instance of supply chain disruption annually, according to a survey conducted by the Business Continuity Institute and Zurich. The top causes of supply chain failure among businesses surveyed were ones that will likely get even more frequent in the coming years: unplanned IT outages, cyberattacks, and adverse weather.

As the supply chain continues to grow ever longer, adding more potentially disruptive risks along the way, businesses are learning some painful lessons about the financial and reputational damages that can result from failures to ensure supply chain resilience.

Check out the infographic below for some Zurich’s top insights on supply chain visibility, including the biggest sources of damage and key steps to mitigate losses:

Why Fraudsters Usually Have the Last Laugh—And What to do About it

Corporate Compliance Insights -

How difficult is it to become a successful fraudster? Easier than you might think. Despite a number of high-profile convictions in recent years – including that of Bernie Madoff, currently serving a 150-year prison term – most fraudsters get away with their wrongdoing and only a fraction of the stolen funds are ever returned. Just “the cost of doing business” as far as fraudsters are concerned. The post Why Fraudsters Usually Have the Last Laugh—And What to do About it appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

Volkswagen Manufactures Fraud and Ignites Anger

Corporate Compliance Insights -

Volkswagen's emissions scandal will cost the company dearly; knowingly misleading the world about the quality of one of your key products will do that. The company's previously solid reputation is now sullied, but is the damage beyond repair? This scandal certainly (ahem) drives home the importance of a strong ethics and compliance program. The post Volkswagen Manufactures Fraud and Ignites Anger appeared first on Corporate Compliance Insights.

(This is only a summary. Click on the headline to view the entire article at Corporate Compliance Insights and participate in the discussion.)

Tackling fraud in emerging markets

Ethical Boardroom Feeds -

By Gillian Duncan & Wayne Malgas of Control Risks


Although emerging markets have seen slower growth since 2010, they still account for approximately half of global gross world product and continue to present significant opportunities.

Moving into these markets, or consolidating and expanding current operations, will be part of the growth plans for many international companies, particularly due to infrastructure needs and consumer demands for energy, banking and financial products and services as well as various consumer products that exist in emerging markets.

Understanding the risks in these emerging markets is critical to being able to capitalise on these developing opportunities. In particular, emerging markets are often associated with corruption and nepotism; where the business practices considered as ethical and compliant in developed countries may not yet apply. Tackling fraud, bribery and corruption is therefore a crucial step in successfully entering or expanding in emerging markets in regards to regulatory pressure but also in a broader strategic vision of establishing sustainable business and operations in those countries.

‘It won’t happen to us’

Although fraud and corruption are separate criminal offences, there are many instances where these are the flip-side of the same coin. Corruption often takes the form of misrepresentation resulting in prejudice to the victim resulting in it being intrinsically linked to the predicate offence of fraud.

Control Risks conducted a global survey in 2014 to assess the attitudes of international companies and asked respondents whether they expected to conduct an anti-corruption investigation of an employee in the next two years. The replies showed that 67 per cent of organisations do not expect to (44 per cent stated that it was ‘very unlikely’; 23 per cent stated that it was ‘somewhat unlikely’) and only eight per cent stated that it was ‘almost certain’.

Interestingly, however, in a follow-up question 57 per cent of respondents replied that they had in fact conducted an internal anti-corruption investigation. This indicates a disconnect between what companies think and the practical reality; that there is still an attitude of ‘it won’t happen to us’. This attitude could have more serious consequences in emerging markets where investigative resources could be limited and remedial measures not as straightforward as it would be in developed markets.

Prevalent fraud trends

Financial statement fraud and asset misappropriation continue to be prevalent in emerging markets. The Association of Certified Fraud Examiners (ACFE) conducted global research on occupational fraud that included high-risk emerging markets. Its report to the nations on Occupational Fraud and Abuse found that asset misappropriation accounts for the highest frequency in occurrence in the period 2010 to 2014, followed by corruption with the lowest frequency in occurrence being financial statement fraud.

However, when analysing the median loss for the three categories of occupational fraud for 2014 the list is reversed, with financial statement fraud accounting for the highest figure at $1,000,000 followed by corruption at $200,000 with asset misappropriation showing the lowest median loss at $130,000. These results indicate that notwithstanding lower frequency in occurrence, the impact of financial statement fraud is significant.

Intellectual property (IP) fraud is also receiving more attention due to its financial impact. Intellectual property theft and counterfeiting has become a major concern for many companies globally, but emerging markets continue to present particular challenges that makes combatting and enforcement more difficult than in developed markets. These challenges include systemic weaknesses in the criminal justice systems in particular, lack of law enforcement capacity, as well as compounding factors, such as consumer attitudes.

More insidious are official attitudes to IP fraud. Our experience in conducting investigations of this nature in emerging markets shows that in many jurisdictions there is a marked lack of understanding of IP rights by law enforcement. Also, it is difficult to request action from authorities on theft of IP when a country is facing political instability or serious and violent crimes, such as murder and robberies. Governments invariably allocate resources to what is perceived as more serious problems. If not for persistent lobbying of relevant government bodies as well as the dedication of resources by international companies, fighting intellectual property fraud will continue to face significant hurdles in emerging markets.

Increasingly, many fraud schemes are becoming cyber-enabled. Some of the ways in which fraud is being perpetrated is cyber dependent, such as electronic frauds where perpetrators use the web to commit an offence, while others are traditional frauds that have either become more substantial or frequent through the use of cyber means, such as the theft and sale of critical data.

Cyber-enabled fraud

Many people assume cyber breaches are a uniquely developed-markets problem as the major attacks that make the headlines are on large multi-nationals, predominantly in the United States and Europe. However, this is due to two key aspects. Firstly, data breach and protection regulations in the US and EU require greater reporting on incidents while these requirements do not exist in many emerging markets. Secondly, for some international companies, core assets and business critical information are often held in their headquarters in the US and EU, however, the ‘cyber’ route into the organisation can often be from locations in emerging markets, which are often seen as the ‘weak underbelly’ from a cyber-security perspective.


“The cyber route into an organisation can often be from emerging markets – the ‘weak underbelly’ from a security perspective”


The 5th Conference of Parties to the United Nations Convention on Transnational Organised Crime held in 2010 identified cybercrime as one of the ‘new and emerging crimes of concern’. The question arises: cyber security has featured more prominently on the agendas of multilateral organisations, national governments as well as international companies over the past decade or so, but to what extent has this awareness translated into practical action by international companies?

In the latest Deal Drivers Africa publication by Mergermarket, supported by Control Risks, the survey found that only 56 per cent of organisations contemplating acquisitions conduct cyber due diligence on their targets, against 79 per cent who conduct financial due diligence. Despite the significant and well-publicised breaches in cyber security, it is a concern that cyber risks are not fully appreciated. Many companies that expand into emerging markets through acquisitions inherit potentially weak compliance and technology processes unable to identify or mitigate fraud and/or cyber threats.

There is also a misconception regarding the prevalence of internet activity in emerging markets. In its 2013 Comprehensive Study on Cyber Crime, the United Nations Office on Drugs and Crime (UNODC) found that in 2011 at least 2.3 billion people had access to the internet. More than 60 per cent of internet users are in developing countries. The prevalence of the internet is a positive development that enhances communication and economic activity, but unfortunately also provides a platform to facilitate crimes. International companies that ignore or give insufficient attention to their cyber vulnerabilities expose themselves significantly. The saying that ‘you cannot manage what you don’t know’ applies. It is therefore essential that international companies regularly examine the resilience and robustness of their cyber security and match this to the risk profile of the operating environment.

One of the most well-known types of cyber-enabled fraud emanating from emerging markets are ‘419 scams’: the victim receives unexpected communications, usually through emails where they are persuaded to pay money upfront for further financial reward that never materialises (419 fraud is named after the relevant section of the criminal code in Nigeria, where many of these frauds originate).

These 419 frauds usually involve a scenario whereby a well-known and wealthy individual’s identity is used – often claiming to be from a familiar organisation. The targeting of companies’ clients by fraudsters pretending to be from their organisations can be embarrassing and damaging, especially if they do so in a sophisticated way, crafting realistic emails based on thorough research of the victim and the organisation they pretend to be from and spoofing emails to appear like they come from the legitimate sender. This increase in sophistication has been a key trend recently and while the bulk of 419 scams are still poorly worded emails from chiefs and princes, increasingly we have seen fraudsters using network intelligence reconnaissance to gain information about who to target for what information and communicating from seemingly legitimate, spoofed email addresses.

In addition, these scams are moving from Nigeria to other emerging markets. Nigerian ‘romance fraudsters’, who find victims through online dating and then ask for money or even use blackmail, have been relocating to Malaysia because of its internet infrastructure and advanced banking system as well as poor law enforcement, combined with the increased focus of preventative measures aimed at Nigerian-originated emails.

While these scams are frustrating, there are also far more damaging cyber-enabled frauds emanating from emerging markets. Electronic frauds, such as account take-overs and electronic fund transfers, have had a major impact on corporations as well as individuals and are becoming more widespread. This is because access to the skills needed to undertake this action is becoming easier. We have seen increased co-operation between hackers and traditional criminals, with hacking-as-a-service being bought by organised criminal groups to conduct frauds. Even in developed markets police forces have difficulty in investigating these kinds of attacks due to their complexity and they often have to be handled by specialised law enforcement agencies. In emerging markets these investigations can be impossible due to systemic weaknesses in the criminal justice system as well as weakness at the prosecution level.

Data and intellectual property theft, touched on above, is another example of cyber-enabled fraud on the rise. Cyber means can be used to illegally obtain the IP but also to trade it. Cyber marketplaces exist on the dark web providing the forum for the purchase of illegally obtained information. Business activity in the dark web has been growing, with dozens of new marketplaces launched since the closure of the infamous Silk Road marketplace in October 2013.

For organisations wanting to understand their specific exposure, dark web marketplaces and associated forums can be monitored to understand the specific illicit goods and services available, including those that relate to your organisation. These could range from corporate IP to illegal tickets for shows or even airlines. More generally, monitoring such online mediums is useful in understanding how threat actors are adapting to disruptive law enforcement action and making use of increasingly sophisticated methods to operate, which can be used to inform where best to spend your information security budget.

Looking ahead, cybercrime will continue to pose a significant and growing threat to the private sector as cybercriminals become more confident and capable to target well-defended business assets. The criminals behind this could be thousands of miles away, outside of any region your business operates in, but you could be targeted specifically or opportunistically if you have particularly valuable assets or easily exploited vulnerabilities.

When assessing risks, many international companies tend to approach this solely from the perspective of risks originating from the environment itself without considering risks emanating from within their organisations. This includes the systems and procedures that are in place to identify and mitigate risks. This approach to emerging markets compounds the problem and is, in itself, a risk. When lapses occur, the tendency is to find the causes in the environment without focussing on internal shortcomings. It therefore requires a great deal of introspection by international companies of how practically it is able to navigate the complexities of operating in emerging markets.

When dealing with fraud risks in emerging markets, be they traditional or cyber-enabled, the basic elements of risk management remain: prevention, detection and investigation. These cannot be applied through merely being hopeful that fraud will not manifest itself. It requires a directed and well-defined anti-fraud programme that achieves results through design and not mere luck.

Case Study: Competitor-perpetuated fraud

A global manufacturing company had a suspected cyber-enabled fraud in one of its African subsidiaries. The company was concerned that many client requests were not making their way to the sales department and that it was consistently losing work on the basis of price to local competitors. It suspected foul play but didn’t have proof of what was happening. It asked Control Risks to conduct a holistic and comprehensive investigation with a focus on collecting and preserving evidence that might, in the future, be used against the perpetrators.

Control Risks and our technical partner, MWR Infosecurity, conducted remote analysis and deployed investigators on-site to rapidly understand if it had been breached and, if so, the extent. Through this process we were able to quickly ascertain that this breach was limited to email and did not appear to have come from a broader network compromise.

The investigation then focused on email logs, processes and procedures within the organisation. Our on-the-ground investigation highlighted that webmail (remote access to emails via the internet) was available to all employees, yet was not regularly used by anyone. Nevertheless, our technical investigation showed evidence of webmail being regularly accessed. In an environment where logs were not routinely retained, we therefore focused our investigation on finding evidence of this webmail access.

Through this process we traced the webmail access to a competitor’s IP address. We also found that after the passwords of the webmail accounts had been changed, there were several failed attempts to access webmail through this same IP address.

The client is considering legal action and we were able to provide corroborated evidence to pursue the perpetrators. This provides an interesting insight into the kinds of frauds that routinely occur in emerging markets. In this case, a competitor who was likely reading proposals sent to clients in order to be able to undercut on pricing.


About The Authors:

Gillian Duncan, Commercial Director Cyber Security, Control Risks London. Gillian is a Director at Control Risks. She is responsible for driving the Cyber department with a focus on strategy formulation and relationship management. Gillian brings both strategic and operational experience to cyber security with a background as Business Operations Director for Control Risks’ Europe and Africa region as well as over 10 years in strategy roles, including as a management consultant.



Wayne Malgas, Senior Consultant, Compliance, Intelligence, Investigations and Technology, Control Risks Johannesburg . Wayne leads the Corporate Investigations and Business Intelligence practice in the Johannesburg Office of Control Risks. He was previously a Chief Investigating Officer at the Directorate of Special Operations (DSO), a specialised law enforcement agency in South Africa that was mandated to investigate serious economic offences and transnational organised crime. After leaving the DSO he joined the foreign service of South Africa and served as a senior diplomat in the United Nations Security Council (UNSC) and given responsibility relating to the counter-terrorism agenda items.



The post Tackling fraud in emerging markets appeared first on Ethical Boardroom.


Subscribe to Hong Kong Loss Prevention Association 香港防損協會 aggregator - Global Featured Wired

HKLPA (@the_hklpa) Tweets

RT @NDDCEL: Ethics training is broken. Can #storytelling fix it? 4 weeks 15 hours ago
RT @EthicalSystems: "We are trying to give advice to organizations that are incredibly complex. When you put individuals together, they… 1 month 1 week ago
RT @sh_oldenberg: To Understand Complexity, Use 7 Dimensions of Ethical Thinking 2 months 1 week ago
RT @ComplianceXprts: 7 Things Every SME Exporter Needs To Know About Protecting Their Brand 2 months 2 weeks ago
RT @ComplianceXprts: Exporters Guide To Managing Compliance - Download our free ebook now! 2 months 2 weeks ago
RT @mikevolkov20: Episode 14 - What Every Compliance Officer Needs to Know About Data Privacy and the EU's GDPR - Corruption, Crime &… 3 months 3 weeks ago
RT @ComplianceXprts: What You Need To Know About Auditing And Risk Management In The Transport Industry 4 months 5 days ago
RT @EthicalSystems: Our 2017 End of Year Letter from @JonHaidt and @azishf "This is the time for the business… 4 months 1 week ago
RT @ComplianceXprts: Inspection of Facilities and Sporting Venues - Due Diligence 4 months 1 week ago
RT @ComplianceXprts: 14 Essentials For Your Compliance Management System 4 months 3 weeks ago