Trendspotting: Protiviti’s PreView of Emerging Risks

Some superheroes see through walls. Exceptional corporate leaders see over the horizon and around corners, spotting emerging risks before they become obvious obstacles. These leaders may be interested in the latest issue of Protiviti’s PreView newsletter, in which we evaluate trends using the global risk categories developed by the World Economic Forum as a working framework.

In this issue, we discuss:

  • Global connectedness and investing in emerging economies – Unpredictable political leaders, natural disasters, and too much trust in a single foreign currency can rock your boat all the way to China. No one is immune from the effects of globalization.
  • Urbanization – More people are flocking to cities, demanding products and services: mortgages, paved roads, electricity and water. One obvious question is, how will it all be funded? And the big question from a business perspective, what will it mean from the standpoint of investing for growth opportunities?
  • Shifting demographics and the decline in global fertility rates – Fewer workers, more retirees, and sharply dropping populations in developed countries mean fewer consumers – how will policymakers and businesses deal with the unmistakable long-term trends?
  • Entrants from anywhere – Innovate or die. And watch for those startups out of Africa. Global interconnectivity has opened the floodgates of funding capital – what are the opportunities and threats for established incumbents?
  • Artificial intelligence – Your smart home is calling you. Your car is out to pick up milk. And the ATM knows you need a loan – before you do. Is this convenient or scary? Someone has the answers – and it’s probably an A.I.

That’s what’s around the corner. Looking over the horizon, here are some of the risks on our radar:

  • Cybergeddon. Global governance of the Internet is needed, as balancing security with personal privacy poses serious political challenges.
  • Growing competition for natural resources. There is an increased focus on sustainability – from resource availability to the corporate impact on the environment, society and the economy.
  • Reputation risk for companies with supply chains tangled in human rights violations. More companies are outsourcing labor to countries where labor and environmental standards are low, and this can present a double-edged sword.

We welcome your participation in our ongoing emerging risks discussion. You can download the latest PreView here, and we welcome your comments in the comment section below.


Conducting Whistleblower Investigations – Part 3: The Interview

In conjunction with International Fraud Awareness Week, we are running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit

By Scott Moritz, Managing Director, Investigations & Fraud Risk Management

and James Gibson, Director, Investigations & Fraud Risk Management


In our previous two blog posts, we provided general advice on preparing an investigative plan and discussed the value of triaging allegations by performing some basic investigative steps to evaluate the credibility of the complaint as a first stage. Below, we focus on the third and crucial stage of the investigation, confronting the subject in an investigative interview.

When Should You Perform the Interview?

One of the most common mistakes in internal investigations is rushing to perform an admission-seeking interview before the facts have been collected. This can be damaging to the investigation for several reasons. First, it alerts the subject or subjects to the suspicion and affords them an opportunity to alter their actions, destroy or alter evidence or otherwise disrupt the investigation. Second, it tells the subject how much the interviewers actually know. If the interview is performed before enough proof is gathered, the subject can easily explain away the allegation, leaving the interviewers with nothing to confront him or her with in terms of documentary or testimonial evidence. Finally, jumping the gun on the interview removes any incentive for the suspected individual(s) to cooperate with the investigative team, while they may be more inclined to do so if they believe that you have enough evidence against them and that cooperating may limit their potential exposure to criminal or civil liability.

You will very likely only get one chance to conduct an interview of your subjects and so it is better to resist the impulse to pull the interview trigger early. A wiser course of action is to wait until you have reviewed all of the available evidence and prepared for the interview as much as possible to get maximum results.

Who Should Lead the Interview?

Whether it is a witness interview or an admission-seeking interview, part of the investigative planning process requires that there be a candid self-assessment of the internal team to gauge whether they have the skills necessary to conduct the interviews successfully. Former law enforcement officers, prosecutors and litigators usually have the needed skills due to their years of experience interviewing suspects and witnesses – however, not every company has people with this background in-house. If you don’t have a person with the right investigative interview skills, outside help is your next best option.

Establishing Rapport With the Subject

Ever heard of “good cop”? Most interviews go better when some level of rapport has been established. If someone is being interviewed purely as a witness, let them know at the beginning to relieve any tension or nervousness that they may feel. Have a list of the topics you want to review with your witness, bring any supporting documentation you want to discuss and seek the witness’s commentary on it – it may be of use to you when you confront the suspect.

Establishing a rapport with your subject may be more challenging but is equally important. Allaying the person’s concerns, dispelling misconceptions on how an interview might be conducted, finding common ground and being matter-of-fact with your questions all can contribute to a more productive interview. Establishing a rapport could also help your subject to view you as someone they need in order to navigate the unfamiliar territory of being the focal point of an investigation successfully, and cause them to be more cooperative as a result.

For both witnesses and suspects, in-person interviews are much more productive than telephone interviews since so much of communication is non-verbal. Experienced investigators are very attuned to the physical cues of interview subjects, especially when a question is uncomfortable or the subject is being deceptive.

Choosing the Location

The location of the interview can influence both the results you get and the way the investigation proceeds. Should you conduct the interview in the office, where your subject may refrain from being too candid, or a neutral location where they may feel more even-footed? Is it in the interest of the investigation for the interview to be conducted where everyone can see or should you take steps to keep it away from public view? The answers to these questions will vary based on the type, level and purpose of your investigation.

Who is in the room also matters. Most interview subjects are less comfortable discussing improper activities before a high-level company representative or an attorney. If an in-house attorney is in attendance, there may be a need to administer an Upjohn warning, a sort of corporate Miranda warning, in which the attorney advises the interviewee that the attorney is representing the company and not the subject as an individual. Upjohn warnings can often have a chilling effect on the interview, leading to a lower level of cooperation or, in some cases, to an abrupt halt.

Interviewing Union Members or Third-Party Employees

A collective bargaining agreement between a union and a company, if it exists, may limit the company’s ability to conduct investigations of union members. Members of a labor union may have to be interviewed according to the conditions set forth in the agreement. More frequently, union members attend interviews with their union representative or shop steward, who is there to advocate for the union member.

When interviewing employees of third parties, such as suppliers or vendors, having a representative from the company on whose behalf the investigation is conducted can help convince the subject that this is a serious matter that could have implications for the supplier’s continued relationship with the company. Ideally, the company representative should be someone that the interviewee knows and believes wields some influence over the relationship between the company and the supplier.

In conclusion, and back to our football analogy, the interview is your game day. Like the game, the interview tests your readiness for getting into the “end zone” and will result in as much success as you’ve prepared for. Choosing the right setting, establishing a rapport with your subject and making sure that you select your questions carefully and are in a position to counter any false exculpatory statements will sharply increase your chances of obtaining the valuable information you need for your investigation – and help you act like you’ve been there before.

Conducting Whistleblower Investigations – Part 2: Triage and Gathering of Evidence

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit

By Scott Moritz, Managing Director, Investigations & Fraud Risk Management

and James Gibson, Director, Investigations & Fraud Risk Management


As discussed in yesterday’s post, a triage phase is a limited investigation designed to test the validity of an allegation of fraud or bribery.

Let’s look at a hypothetical example: A whistleblower complaint against the company’s chief technology officer (CTO) alleges that she has undisclosed conflicts of interest with several of the vendors providing services to the company, has been paid kickbacks by other vendors, has manipulated competitive bid processes in favor of companies that she either owns or has been bribed by, and has a number of offshore bank accounts into which she has deposited the money generated from the scheme. Part of the investigative planning process includes breaking down the investigation into component parts and developing a list of investigative steps designed to gather information on each part in an effort to prove or disprove what has been alleged.

Let’s take the allegations one at a time:

Undisclosed conflicts of interest in technology vendors

One possible way to triage this allegation is to perform a background investigation of the CTO to see if any of the vendor companies have been registered in her name or using her home address. Some embezzlers are so bold, they use the company’s own mailing address to register shell companies and simply intercept the mail that comes to the company from the Secretary of State’s Office. Legal research databases, such as Lexis-Nexis or Thomson-Reuters, can provide electronic access to U.S. public record repositories, including corporate registrations for the 50 states. Corporate registrations are available in many other countries, too.

Of course, it might be helpful to know the names of the companies to which the whistleblower is referring in case the companies are not registered in the CTO’s name or using her home address. If the whistleblower used a hotline website or a toll-free number to communicate the complaint, these should enable you to communicate with the whistleblower confidentially, one-on-one, to ask follow-up questions. Asking the whistleblower targeted questions is a good way to assess the merits of his or her complaint. If it transpires from this conversation and your database search that there are indeed companies registered to or connected to the CTO, this may provide you with a sufficient business case to advance from the triage phase to a more comprehensive investigation comprising the following steps:

  1. Reviewing the vendor master file to see if any or all of the companies are on the list and, if yes, examining the aggregate spend for each
  2. Obtaining and reviewing the vendor file for supporting documentation for each transaction associated with the suspect vendors, including purchase orders, invoices, bills of lading and associated approvals
  3. Interviewing procurement, accounts payable or other personnel in a position to know the company’s vendors for any additional information in an effort to confirm that the work was performed and/or the products were delivered
  4. Quantifying the potential losses or financial benefit to the CTO associated with the undisclosed conflicts of interest

Payment of Vendor Kickbacks and Manipulation of Competitive Bid Processes

Investigations of vendor kickbacks and bid manipulations are among the more difficult and time-consuming types of fraud investigations.  Once it’s been determined, in the initial phase of the triage, that the alleged vendors are on the vendor list and any possible connections to the CTO have likewise been examined, the following steps should take place:

  1. Review any competitive bid selection process documents in which any of the suspect vendors may have been included.
  2. Determine if the lowest bidder was selected.
  3. Review emails of the CTO and other bid process participants for any relevant correspondence related to the bid process.
  4. Review invoice pricing and compare to those of other, similar providers in an effort to determine if the prices or overall invoices are above market pricing and may have been inflated in order to generate the alleged kickback.
  5. Quantify the overall disbursements for each vendor suspected of paying kickbacks, including any excessive charges that appear to be above market.

Offshore Bank Accounts

Perhaps even more difficult than proving kickbacks is proving the existence of an offshore bank account into which illicit money has been deposited.  Short of seeing direct transfers from company accounts into the offshore accounts, such accounts are often identified through other, indirect means after the triage phase has been completed.  Phase II activities that could lead to the identification of offshore bank accounts include:

  1. Reviewing corporate emails and computer hard drives for corporate or personal emails to private bankers, receipts confirming international travel, email confirmation of deposits or other transactions, online or electronic account statements, or personal financial records and phone records evidencing calls to offshore financial institutions or advisers
  2. Identifying any signs of international travel to locations not associated with professional activities, especially locations known for bank secrecy, such as the Cayman Islands, Cyprus, Latvia or Belize
  3. Performing background investigations and field investigations in any country in which you believe the CTO may have established accounts or to which she has traveled in the past two years.

As made evident above, a lot of the activities at this investigative stage involve email, computer hard drive and network drive file reviews, as well as, in some cases, office searches. Having an understanding of the various electronic systems that may contain evidence is crucial in getting the evidence you need to prove or disprove an allegation. These include telephones; company-issued smartphones; instant messaging accounts; accounting, payroll and travel & entertainment expense systems (and the audit trails for each); and access control and closed-circuit television systems. Part of the general investigation planning process should be an in-depth understanding of these systems, including how far back their records are archived, the names and contact information for the individual(s) managing each system (including cell phones), and some level of assurance that the systems are being archived correctly and can be restored for future analysis. The individuals with knowledge of and access to these systems may need to be part of your investigative team when the time comes.

Let’s assume you’ve done the triage following the steps above and have enough evidence to confront the subject or subjects. We’ll discuss the interview process in our final post in this series, tomorrow.


Conducting Whistleblower Investigations – Part 1: Preparation

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit

By Scott Moritz, Managing Director, Investigations & Fraud Risk Management

and James Gibson, Director, Investigations & Fraud Risk Management


Legendary football coach Vince Lombardi once said: “When you go into the end zone, act like you’ve been there before.”

Wait, you might say, what does football have to do with internal investigations? The answer is, they both rely on skill and preparation. In football, part of game preparation is viewing game film, understanding what type of plays your opposition runs, and then structuring your game plan in such a way as to effectively counter whatever the opposing team may do on game day. And even though your efforts may not always be as effective as you would have liked – your opponent may run plays that you didn’t see on any game film – preparation, in football, is indispensable. It is just as vital with investigations.

Preparation, of course, is best done in advance, and not in the heat of battle. It’s a good idea to have an investigative plan and investigative protocols in place before they are needed. These plans and protocols should be sufficiently broad to cover the full spectrum of situations that could give rise to the need for an internal investigation. Some of the more common occurrences that trigger the need for an internal investigation include:

  • Law enforcement or regulatory actions
  • Hotline tips or an anonymous letter
  • An employee, customer or supplier complaint
  • Missing assets or other anomalies discovered through an internal audit
  • A network intrusion evidencing data loss
  • Exfiltration of proprietary data
  • Civil litigation or threatened litigation
  • Adverse media reporting or adverse social media

Below, we focus on some broad ways in which a company should be prepared, so that when the need for an investigation arises, it can act like “it has been there before.”

Assess the Company’s Investigative Capabilities and Fill the Gaps

Even before the need for an investigation arises, in establishing their investigative protocols, companies should evaluate their ability to conduct an internal investigation, identify the individuals within the company that should take part or assist in the process, and determine whether there are any skillsets that may be necessary but don’t exist within the company. The typical investigation requires some or all of the following skills: forensic accounting, employment law, human resources expertise, computer forensics, network security, electronic discovery, background investigations, interviewing and interrogation. If any of these skills don’t exist within the company (and, with most organizations, there’s a good chance that will be the case), determine whether it’s feasible to enter into contracts with service providers in advance of needing them so that you are not pressed to negotiate a contract last minute, placing additional time pressure on an already time-sensitive situation.

Determine Whether the Work Should Be Performed Under the Attorney-Client Privilege

One of the very first steps in the planning process is determining whether an investigation should be performed pursuant to the attorney-client privilege. Again, an investigative protocol that sets certain guidelines for all investigations can be very helpful in making these determinations. Seek the advice of your company’s general counsel (who may in turn seek the advice of an outside law firm) to determine the right approach. The attorney-client privilege protects communications between an attorney and his or her client. It also enables service providers working at the direction of counsel to perform work and generate work product that is also privileged under the attorney work product doctrine. If the decision is made to perform the work under privilege, an attorney – either an in-house or an outside counsel – oversees and directs the investigation, and the information collected as part of the investigation is protected by that privilege. As part of directing the investigation, the attorney defines the investigative team, including any subject-matter experts on subjects such as computer forensics, forensic accounting, interviewing and interrogation, etc.

Agree Upon the Scope of the Investigation

Typically, very little is known at the beginning of an investigation, and team members should always go into it with the understanding that the scope may need to change as new information comes to light. Nevertheless, team members should review the allegations and develop an initial scope of work that is likely to provide the information needed to determine if the allegations have merit. Cost is an important consideration when setting the scope – sometimes, a triage or limited investigation can yield information that either corroborates or refutes the allegation early on, before a full-blown investigation is launched. This triage phase can save unnecessary costs in the case of baseless allegations, or provide the investigative team with enough information to make a business case for a full investigation. Not all investigations lend themselves to a triage phase, however; sometimes, the initial information provides a sufficient basis to progress to a full investigation immediately.

In tomorrow’s post, we will delve into the details of a triage with specific examples, and the actions that may follow if the allegations are found to have merit.

Happy Cow vs. Hedgehog: Getting Straight on Principle 8

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit

By Pamela Verick
Director, Investigations & Fraud Risk Management




International Fraud Awareness Week provides the opportunity to have meaningful dialogue on a topic that often seems difficult for many executives to freely talk about, unless it’s at a designated time for “awareness” or “assessment.”

The topic is fraud risk.

Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 (SOX) and for other purposes, but are still struggling with Principle 8 – a critical part of the Risk Assessment component of COSO 2013. Principle 8 focuses on four types of fraud – fraudulent reporting, corruption, asset misappropriation, and management override of controls – and the potential for each risk to occur.

Some management teams seem clouded by a “No Fraud Here” mentality, in which fraud is simply not possible within their organization. In these cases, management often views a fraud risk assessment as a mere afterthought, “check the box” exercise, or even a “necessary evil.” Others don’t want to “plant ideas” in the minds of their employees. However, it’s important to remember that fraud is an inherent risk within every organization. Principle 8 is not about rooting out hidden fraud, it’s about taking a realistic and objective look at where fraud could occur, the likelihood and impact a fraud risk event could have on the financial, operational and reputational well-being of the organization, and ensuring that there are appropriate controls either to prevent or detect such risk.

Some organizations simply place all fraud risks in the “green zone” – all good! No yellow caution flags, or red danger signs, just one big field of green. I call it the “Happy Cow” syndrome – big happy cows unwittingly grazing in a wide green field with not a care in the world.

However, that’s not the world organizations live in today. Sadly, the potential for fraud is woven into the fabric of everyday business. Jim Collins, in his book Good to Great, extolled the virtues of good planning and a strong survival instinct over a reactive, “we’ll cross that bridge when we come to it” mentality. He equated planners with “hedgehogs,” after the 1950s business parable by philosopher Isaiah Berlin — which told the story of a frenetic fox who exhausted himself running from a wolf, while his companion, a hedgehog, mitigated risk with the simple strategy of presenting himself as a spiky ball.

When it comes to Principle 8, a hedgehog would:

  • Recognize that considerations of fraud are part of the overall risk assessment process, which also includes Principle 6 (defining risk objectives) and Principle 7 (identifying and analyzing risk)
  • Prioritize both inherent and residual risk
  • Consider various types of fraud (COSO Point of Focus 31), along with those which align with Cressey’s Fraud Triangle:
    • Fraud incentives and pressures (COSO Point of Focus 32)
    • Opportunities (Point of Focus 33)
    • Attitudes and rationalizations (Point of Focus 34)
  • Respond to fraud risk with a balanced approach to prevention and detection controls

In a world driven by SOX compliance in the United States and similar compliance regimes in other countries concerned with internal control over financial reporting, there is a tendency to focus fraud risk assessment activities on financial fraud. But recent events, such as allegations of fraudulent environmental impact statements, and the reputational damage caused by inflated resumes of top executives, illustrate the need for a clear-eyed evaluation of fraud risk beyond activities which specifically impact financial reporting.

From a practical standpoint, that means expanding the types of fraud considered within a risk assessment, greater inclusion of personnel from all departments, business units and locations, and the use of multiple techniques (brainstorming sessions, fraud risk workshops, interviews and employee surveys) to identify and validate potential vulnerabilities arising from fraud.

As we celebrate Fraud Awareness Week, let’s put to rest the defensive and dangerous doctrine of “No Fraud Here.” It’s time we all positively embraced the responsible and necessary action of a well-planned fraud risk assessment. And it’s time we stopped being happy cows with a comfortable but unrealistic outlook and became more like hedgehogs, who have considered the danger and are suitably prepared for it. Because that’s how, I think, we get not simply from good to great, but from good to exceptional!

Who Are Your Customers, Business Partners and Employees? Information Drives an Effective Anti-Corruption Program

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit

By Scott Moritz
Managing Director, Leader of Protiviti’s Investigations & Fraud Risk Management practice



The difference between high-performing anti-corruption programs and those that aren’t often comes down to the information that the organization collects and analyzes in the execution of its anti-corruption vigilance. Such information provides the basis for informed decisions across a wide range of anti-corruption activities: background investigations of customers; controls and prohibitions over gifts, travel and entertainment; the review and approvals of requests to make charitable donations; and hiring decisions, among others.

Effective anti-corruption programs are tailored to fit a company’s unique size, product mix and customer base and take into consideration the Hallmarks of Effective Compliance Programs as outlined in A Resource Guide to the U.S. Foreign Corrupt Practices Act (the Guide), published by the U.S. Department of Justice and the Securities and Exchange Commission (2012), as well as other authoritative guidance. The Guide provides detailed information on what the U.S. government views as an effective compliance program; however, companies that are not collecting the right information on which to make critical compliance decisions risk violating the Foreign Corrupt Practices Act (FCPA) just the same.

Below, we outline the three most critical areas for which companies need to collect the right information, in order to deem their anti-corruption programs effective.

1. Customer Information and Categorization

Most companies are ill-prepared to answer even the most basic questions about their customers – for example, whether the customer is a government or private enterprise. These companies must collect sufficient information (e.g., the identity of majority shareholders, directors and key executives) that would allow them to readily identify the category of customer they are engaging with. Employees of government agencies, state-owned companies or public international organizations, such as the World Bank, the International Red Cross or the United Nations, are very likely to meet the definition of “foreign officials,” and interaction with foreign officials in a commercial context needs to be conducted with careful scrutiny to avoid violating anti-bribery statutes.

The risk comes into play most often where gift-giving and charitable contributions are involved. If your organization is not collecting the type of information that would allow it to distinguish foreign officials from regular customers easily, classifying them into risk categories, and educating company personnel on the risks of providing gifts or paying for travel or entertainment of these individuals, either directly or through your retained intermediaries, sooner or later you will find yourself offering “something of value” to gain “an unfair business advantage” – which together form the basis of a bribe payment and a violation of the FCPA.

Companies with well-developed anti-corruption programs, on the other hand, not only have this type of knowledge about their customers but they also anticipate the need to provide a gift, entertainment or contribution and have a control process in place through which they ensure the propriety of the interaction. The process may include submitting a written request, setting forth the details of the proposed business courtesy or contribution, the nature of the relationship with the receiving customer or agency, and the business case supporting the need. This enables a supervisor to evaluate whether the gift is reasonable and appropriate from an anti-corruption compliance perspective, and positions the company to better defend itself if a law enforcement or regulatory agency were to question the transaction later on.

2. Focus on Intermediaries

Another common lack of knowledge relates to third-party business partners and the subset of those that can act as intermediaries for the company and as such give rise to liability under anti-bribery laws. To protect itself from being held liable for violations by a third party, a company must have complete transparency and control over its non-U.S. intermediaries’ practices, including sales and payment practices, record-keeping, and the extent of anti-corruption training of the intermediary’s employees – especially those likely to interact with foreign officials.

Some intermediaries may be designated as “high risk” and held to a heightened standard of care if they meet certain criteria. The criteria used to risk-rank intermediaries often include whether they are operating in a country designated as representing high corruption risk by the Transparency International Corruption Perceptions Index; whether they are paid by a sales commission, contingency fee or success fee; and whether the nature of their business activities puts them in regular interaction with government agencies and state-owned companies. In this last category, sales agents, distributors, freight forwarders, customs brokers, environmental consultants, tax advisers, lawyers, accountants and consultants are most commonly among the types of business intermediaries that represent heightened corruption risk.

It is also important that intermediaries apply the same standard of care with regard to gift-giving as the company. This is especially true for distributors, since companies often have little knowledge about the distributors’ customer base. Distributors should be classifying customers themselves and submitting planned gifts for approval, similar to the company’s own anti-corruption practices.

3. Employment and Internship Candidates

Recent investigations and enforcement actions have brought into focus certain illegal hiring practices and have exposed the fact that many companies do not really know whether a candidate is a family member or close associate of a government official with whom the company does business. While hiring the family member of a government official isn’t necessarily illegal, these are potential high-risk hires, and companies need to be careful to ensure that a new hire or intern does not represent either a conflict of interest or the appearance of quid pro quo.

The problem is that most companies are not collecting the type of information about their potential hires that would enable them to make this risk-based decision. The most important things to know are whether any of the candidate’s family members are foreign officials and whether anyone within the company was asked by a foreign official to assist the candidate in securing employment. The company also needs to determine whether it has had any prior business with the government or state-owned agency to which the prospective hire is connected, to avoid accusations of quid pro quo (hiring a relative of a government official in exchange for a government contract, for example). By understanding upfront the candidate’s political connections, the company can take steps to ensure that the candidate meets all of the company’s hiring criteria, there is no business before the candidate’s family members at the time of his or her candidacy, and no other factors exist that would result in contravention of the law.

In the end, it all comes down to knowing the vital information needed in the appropriate circumstances and asking the necessary questions to obtain that information. While an effective anti-corruption program involves more than learning about your customers, intermediaries and employees, companies that understand the critical significance of the above three areas and are serious about improving the quality of the data they collect and analyze to support their decision-making processes will significantly reduce their risks of violating the Foreign Corrupt Practices Act, the UK Bribery Act or other anti-corruption statutes.

Ten Keys to Managing Reputation Risk

Warren Buffett once famously said that it takes 20 years to build a reputation and just five minutes to ruin it. All of us see evidence of how true this bit of wisdom is all the time. In the wake of recent corporate scandals, I thought now might be a good time to revisit some of the advice we give our clients on how to preserve reputation and brand.

These “Ten Keys to Managing Reputation Risk” were originally published in April 2013, in Volume 5, Issue 2 of The Bulletin, but they are as relevant today as they were then. They represent what I believe to be the nuts and bolts of reputation risk management, and their effectiveness or absence can make or break a company, as many have discovered firsthand. We have organized them below according to five broad imperatives.

Strategic Alignment – A sustainable reputation begins at the top.
  • Effective board oversight – Sets the expectations and lays a foundation for managing reputation risk. The board is an organization’s last line of defense in preserving its reputation and brand image.
  • Integration of risk into strategy-setting and business planning – Makes risk a factor at the decision-making table and facilitates the intersection of risk management with performance management. (This is a critical connection.)
  • Effective communications, image and brand building – While a good story is easy to tell, some companies are better at it than others. Messages that the press, analysts and others communicate are influenced by the good marks on the other nine keys discussed here.
Cultural Alignment – The importance of ethical and responsible business behavior has never been more evident.
  • Strong corporate values, supported by appropriate performance incentives – Tone at the top is vital to effective corporate governance and appropriate incentives help drive a consistent tone in the middle.
  • Positive culture regarding compliance with laws and regulations – A record of having made a strong effort to prevent and detect fraud and corruption is essential to demonstrating the “reasonable assurance” regulators expect.
Quality Commitment – All companies with a strong reputation are noted for their commitment to quality people, processes, products and services.
  • Priority focus on positive interactions with key stakeholders – Stakeholder experiences, or the accumulation of everyday interactions with customers, employees, vendors, regulators, shareholders and other stakeholders in the company, get noticed in the marketplace and are a powerful approach to improving and sustaining reputation. They represent critical “moments of truth” that collectively define an organization’s reputation.
  • Quality public reporting – Quality public financial reporting is something investors expect. If management doesn’t deliver it, it may take a long time for the markets to forgive and forget.
Operational Focus – A strong operational focus is vital to managing reputation risk.
  • Strong control environment – The control environment comprises, among other things, the organization’s commitment to integrity and ethical values; the organizational structure and assignment of authority and responsibility; the process for attracting, developing and retaining competent people; and the rigor around performance measures, incentives and rewards to drive accountability for results. The standards, processes, structures and technologies that provide the basis for carrying out internal control across the organization lay the foundation for a strong controls culture.
  • Company performance relative to competitors – Even if a company does everything else right, its reputation will suffer if its business model is not competitive in the marketplace.
Organizational Resiliency – A company’s reputation is inextricably linked with the resiliency provided by its risk management and crisis management.
  • World-class response to a high-profile crisis – Sooner or later, every company faces a crisis. Its reputation depends on a rapid and decisive response to crisis situations, putting responsibility for the safety of people first. It is a management imperative to build a rapid-response crisis management capability for sudden and unexpected events, especially where they relate to security, safety and environmental issues.

The ten keys outlined above represent the key components to address to reduce reputation risk to an acceptable level. Their common thread is a consistent and sustaining culture that recognizes the value of reputation and actively protects it with a systemic commitment to quality, ethics, communication, controls and preparation.

No company should believe it is immune to a reputational crisis. Nevertheless, a sincere and concerted effort to manage reputational risk by paying attention to the ten components outlined above gives a company a good shot at making it through the fire with its reputation intact.