One of the less savoury aspects in terms of most HR professionals is dealing with employee malfeasance. While companies most companies have written guidelines on standards of behaviour, having to institute a process and ensure that protocols are followed is less likely to be defined.
Depending upon the industry and size, a company might not have the skills nor a dedicated team trained in how to handle situations that can lead to prosecution.
What is Employee Fraud?
There are so many aspects of HR that are well-defined. Recruiting, for example, starts with a business need that evolves into a job spec which in turn leads to a search, review of applications and resumés, shortlisting, offer, negotiation and hire. Every point in the process is more than likely to have been documented. And companies do such for a myriad of their other processes.
Beyond processes, departments including HR also set out policies. They might dictate how to execute public tenders, and working hours and also implement a code of ethics. By having policies companies hope to stay on the right side of the law, project a righteous public image, promote a strong work ethic and have some protection for having implemented a preventative measure should staff behave in ways contradictory to the company.
But what happens when, perhaps through a whistleblower or an audit, fraud for example is detected? While there might be clear steps defined for confronting the allegations and, if found in the wrong, a protocol for dismissing staff, are there also steps and guidelines on what needs to be done should a crime have occurred?
Of the greatest perils a company can face, it is to be suspected or held criminally liable. Not only does it impact the company’s reputation, but management even if they seem to be innocent can find themselves in jeopardy.
What to do with Employee Fraud?
Having a working plan as to what to do in advance of a case of suspected fraud is critical. Sometimes, in the heat of the revelation of the crime or the speed with which management comes to be aware, emotions run high and poor decisions are made. And as a crime might have transpired, criminality can transfer to specific individuals in the company. The first step in avoiding fraud is to identify the possible types of fraud your enterprise may encounter
Therefore, like having a code of conduct or ethics, management, probably through the HR function, should define a protocol of measures to take depending upon the crime alleged. That protocol should include the following measures:
- Involving legal from the onset
- Preserving evidence and ensuring that nobody can contaminate or tamper with it
- Logging all actions of those informed, implicated and/or aware regarding the allegation
- Advising any regulatory body with oversight if such exists and/or the authorities
- Informing those in public relations in order that they can formulate a corporate statement
- Determination of who is within the inner circle so that one can form an investigation team
- Assessment of criminality, financial and reputational risk
- This means reporting progress and findings.
Aside from foreseeing how the company reacts, it should also ensure that in advance, it is preserving records should a crime arise. That means preserving log files and enabling additional services (for example, using MS Protection facilities in Exchange to track remote access, log files and preserve emails that users might try to delete).
What types of Employee fraud are there?
Depending upon the situation, different steps might apply. A robust set of procedures should have the more likely scenarios gamed out such that one can find the most relevant scenario and see what the likely risks, steps, and so forth might apply. For example, for an FMCG company, one could expect the following scenarios to have been gamed out:
- Sabotage or contaminants in the production and/or warehousing
- Bribes paid to secure contracts or curry government policy
- Theft of product
- Suffering a data breach, data theft, or being the target of a business email compromise
- Under or overstatement of assets or liabilities to affect the financial statement
- Fraudulent transactions, possibly meant to hide an earlier theft.
How to Prevent Employee Fraud?
A key element of the success of a crime is to eradicate the evidence. Consider, as long as nobody is aware of the crime, nothing happens to the perpetrators. As such, criminals will invest in destroying the evidence. And when that is not possible then obfuscating, confusing, manipulating, and delaying access to such.
In some situations the data, the perpetrators might be able to erase the data themselves. In other situations, though, the data might automatically be erased after a short period. For example, log files of access and communication, in the interest of saving disk space, are routinely deleted.
IT must be tasked with working through such as part of the disaster recovery preparedness. Just as they should ensure that there are firewalls, anti-virus, and rogue user activity monitoring (in case, for example, a user unwittingly downloads and activates a ransom malware which starts encrypting data and attempting to infect the rest of the company), IT should also assure the business that data that could be evidence can preserved.
It should be obvious that the right legal advice is sought as soon as possible. As part of the protocol, one should know the right skill set to engage. While a company might have a generalist handling contracts, that does not infer that the person retained has experience dealing with the authorities in say a data breach.
Knowing a firm that can be retained in an unexpected situation could make a key difference in how the company comes out at the end of the incident. If one of the first steps of an incident is to find the right sort of lawyer, then time and evidence will be lost.
Consider a business email compromise. The company quickly realised they had paid millions to a fraudster and they informed their bank and engaged their corporate attorney. Neither reacted hastily enough to engage the police overseas.
The attorney assumed the bank knew what to do; the bank thought a SWIFT message was sufficient internationally as that was the typical solution domestically. When a legal expert on such crimes was later retained, it was clear that the delays due to inexperience gave the perpetrators the time needed to flee.
Logging and Repercussions
Timelines are critical to investigations: not only for the crime itself but for the actions taken by those that detect, report and then investigate. As the company makes efforts to safeguard the remaining assets in the business and/or preserve evidence, mistakes might be made, items duplicated or knowledge might be lost. This can be addressed by a regime of journaling the steps taken. Logging comes in different forms thus identifying the possible logging types and repercussions is essential in preventive action.
In some situations, the fraudsters wrangle a way to remain within the company, unsuspected. And they use their positions to impede or eliminate the collection of information. Logging might reveal such.
Finally, should a crime lead to prosecution, contemporaneous notes can play a significantly in the resulting proceedings. Trying to recreate what one did from memory, months or even years later is difficult. This is why it’s common in police dramas to see cops pulling out their notebooks.
Keeping an Inner Circle
Controlling what is known is critical to an investigation. Perpetrators are better able to interfere with evidence and mislead investigators if they have privileged information. To guard against leakage, those investigating need to be tight-lipped. And, as with any situation, the more people with inside knowledge, the more likelihood of information leakage.
From the outset of an incident, responsibilities for the investigation should be clearly defined and the company should be careful to limit those involved and what they are privileged to know. In many situations, it is preferable to engage a 3rd party to if not lead, then provide resourcing, so as to limit the dissemination of information. Firms specializing in such should be well versed in the rules about evidence, the relevant laws and techniques for gathering data, and also, importantly what must be reported.
Security around communications, evidence collected, procedures, etc., should be kept outside of the company. Thus the concept of the inner circle. Those within the zone of trust should work in concert, and in a manner to avoid letting key information slip out. Care should be taken to reinforce the need for security among those admitted.
Informing the Authorities
This can get tricky. On the one hand, the crime must be reported. On the other, engaging the authorities can relinquish control of an investigation, and the evidence obtained, and can also impact the ongoing normal operations of the company. Release proprietary information might harm a company, and as mentioned earlier, the fewer people with access to information, the less risky such leaks are.
It may be that the company has no choice. With certain data breaches, for example, a company has 72 hours to report to a data ombudsman. Failing to report may void a company’s licensing, contractual obligations, or ability to later make a claim or take a write-off.
Gaming through the possible scenarios in advance of a crime can help identify what strategy to take and when to notify those with regulatory oversight.
Sometimes, what is reported to be a crime might turn out to be either a mistake or a deception, perhaps done by a competitor simply to create chaos. Involving the authorities when such is the case is more than just embarrassing. Thus there should be a concerted effort to validate that the crime has occurred and that the company must report such to stay on the right side of the law and its contractual obligations.
Public Relations and Reporting
The way that information is released to stakeholders, as well as the general public, requires both a good feel as to what the reaction might be and, what can be made public that might tip the hand of investigators.
The PR effort needs to consider what damage rumours can have to the business. And whether the business can sustain admitting something in advance rather than confirming such after the fact. Invariably, the situation is already bad as the company has been tricked or failed to police itself. And there will be some entities that will be able to benefit.
However, how a company comes clean can also bolster its reputation. Though not a crime, Digital Equipment suffered a fire that destroyed one of its key software development offices. As the company quickly implemented a disaster recovery solution, its PR capitalised on its prowess and turned such into a marketing point to clients.
At some point, it is likely the company will want or be expected to answer the outstanding questions related to the crime. Some will want to know to prevent a repeat, and others, to see that the company has learnt lessons and instituted additional safeguards – this is especially important to the partners, loyal staff, and investors.
As part of the conclusion of the investigation, a company needs to be able to spell out the cascade of events in a clear narrative that most people can follow; and show that lessons were drawn and steps are taken to avert a repeat.
Given that most crimes are perpetrated by staff, invariably there will be recommendations that HR will need to heed along with implementing changes to policy and procedures.