To Learn more about COVID-19 in South Africa, visit sacoronavirus.co.za

Category Archives: Blog

Harness the power of POPIA to prevent fraud?

Read Time: 8 minutes

From the start of July 2020, the Protection of Personal Information Act (POPIA) came into force in South Africa. Its objective is to ensure that personal information that is held or processed by a third party is done so lawfully and securely. Information may now only be processed if the purpose is adequate, relevant, and not considered excessive.

Organisations have approached the implementation of POPIA with trepidation, with concerns rasied about changes to ways of operating businesses and the unknown impact of increased compliance costs on profits. Is POPIA just another piece of legislation that places obligations on businesses and brings little benefit?

Few organisations know that POPIA can be used to detect and prevent employee fraud and collusion, allowing businesses to monitor risk events in a cost-effective way before events become a crisis.

Continual Monitoring Vs Cost Of A Crisis On Shareholder Value

The benefits of continual monitoring are clear. You will detect risk issues as they are evolving and prevent the risks impacting your organisation by taking appropriate mitigating action. Experts identify the need to undertake continual monitoring and by adapting your risk framework within your organisation to take advantage of POPIA, you can enjoy these benefits.

The cost of screening and lifestyle assessment has been identified as a consideration for the extent of implementation by some organisations we surveyed. Certainly, the cost of continual monitoring should be taken into consideration as you implement your risk framework within your organisation. The cost of the monitoring process depends upon several factors including the cost of the information you are collecting, the cost of the resources used to undertake the management of the framework and the costs of compiling and distributing the data within your organisation.

To find out the true cost of a Public Crisisread our previous blog
(https://corporateinsights.co.za/continual-monitoring-versus-the-costs-of-a-crisis/)

Is it better to treat an Issue Before It Becomes A Crisis?

So how long does it take for an issue to become a full-blown crisis? And how could you possibly catch it from happening? The Guardian newspaper published an article about the five identified phases of the sub-prime financial crisis that hit the global financial markets in 2008. From sub-prime to downgrade, the article highlighted five stages of the crisis to hit the global economy since the Great Depression, isolating them to the dates, 9 August 2007,15 September 2008, 2 April 2009, 9 May 2010, and 5 August 2011.

From the result of surveys conducted, the implicit answer is yes. Management and treatment of risk results in better value for a company than management of a crisis. Managing risk will require you to track and monitor leading risk indicators.

Management and treatment of risk results in better value for a company than management of a crisis.

A right to privacy

How does what we have described relate to a person’s right to privacy? Does an employer have the right to undertake the evaluations and monitoring we have discussed? Does the employer have to inform employees they are undertaking these evaluations?

Polity[i] states POPIA’s reach is wide – it regulates all organisations who process personal information – information about employees, customers, suppliers, and those who outsource key processing activities, share data offshore, or engage in direct marketing.

Personal information broadly means[ii] any information relating to an identifiable, living, natural person or where applicable, an identifiable, existing juristic person (companies, CC’s etc.) and includes, but is not limited to:

  •  contact details: such as email addresses, telephone numbers, physical addresses etc.
  • demographic information: such as age, sex, race, ethnicity etc.
  •  information relating to the education or medical, financial, criminal, or employment history of the person.
  •   biometric information: such as fingerprints
  •  the personal opinions, views, or preferences of the person
  • the views or opinions of another individual about the person
  • private correspondence sent by the person or further correspondence that would reveal the contents of the original correspondence.
  •  The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
  •  Processing means anything that can be done with the Personal Information including collection, usage, storage, dissemination, modification, or destruction.

A responsible person must comply with 8 conditions to lawfully process personal information[iii]

  • ACCOUNTABILITY: You will be responsible for ensuring POPIA compliance
  • PROCESSING LIMITATION: You must only process that information which you require.
  • PURPOSE SPECIFICATION: Personal information must be collected for a specific purpose.
  •  FURTHER PROCESSING LIMITATION:  Further processing of personal information (i.e., outside original purpose) must be compatible with the original purpose of collection.
  • INFORMATION QUALITY: You must keep personal information records accurate and up to date.
  •  OPENNESS You must disclose certain information to data subjects (i.e that their information is being collected, where it is collected from and how it is used
  •   SECURITY SAFEGUARDS: You must secure the integrity and confidentiality of personal information.
  • DATA SUBJECT PARTICIPATION: You must allow data subjects to access their personal information.

One way to ensure that any personal information that is obtained and therefore processed complies with the provisions of POPIA is to obtain the explicit consent of the individuals concerned while explaining why the information is required and how it will be used. This would be necessary should the person concerned not be in your employ.

It is permissible under POPIA and the National Credit Act (NCA) to obtain and use employee information for fraud detection and prevention without being obliged to obtain specific consent from the individual employees.

To comply with POPIA, you should not access information, unless it is considered to be:

  1.  non-confidential information, or
  2. it is for a Permitted Purpose or
  3. it is with the consent of the consumer (the employee in this case).

Information that is generally known by others or available to the public is not generally considered to be confidential information.  The following information is not generally considered confidential: Deeds Office information, Judgments, CIPC information concerning companies and directors, information related to trusts, landline telephone numbers and internet or social media posts or media articles as they all reside within the public domain.

A Permitted Purpose

POPIA and the NCA both permit organisations to collect and process information to detect and prevent fraud and collusion.

Employers may engage in the permitted purpose of fraud detection and prevention services as set out in Regulation 18(4)(b) of the NCA. Under the NCA, it may be possible for you in certain circumstances to access consumer and payments data of an employee for a prescribed or permitted purpose. Where an employer requires access to a consumer credit record to consider a candidate for employment in a position that requires honesty in dealing with cash or finances they are able to access such information in terms of regulation 18(4)(c) of the NCA. Section 11 of POPI refers to a permitted purpose for processing personal information and this provision is helpful to enable employers who wish to undertake risk assessments for a permitted purpose.

There are additional sections of and regulations to the NCA that assist employers to detect and prevent fraud. Section 68(1) of the NCA defines confidential information and permits employers to undertake risk assessments, provided that, the employer protects the confidentiality of that information and, in particular, only uses that information only for a purpose permitted or required in terms of the NCA.Additionally, regulation 18(4) lists the prescribed (or permitted) purposes for which a credit bureau may issue a credit report. Among other purposes, a person or employer may access a consumer credit information for the purpose of fraud detection and fraud prevention services.

Use POPIA to detect and prevent fraud and collusion

POPIA introduces more obligations upon organisations to collect, process and store personal information in a responsible manner. Equally, POPIA does not seek to limit the ability of organisations to detect and prevent fraud and collusion by employees and provides organisations with the necessary permissions to do this for permitted purposes. In such circumstances, organisations may detect and prevent fraud and collusion by employees without necessarily being required to obtain their prior consent.

Protect yourself and use our POPIA compliant solutions

Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.

The Corporate Insights system will allow you to protect your business from succumbing to the typical pitfalls that lead to corruption. It also comes with a host of additional benefits to ensure your company continues to operate optimally, free of the threat of corruption.

Click here to book a demonstration or call us today to find out how you can transform your business.

*What we describe in this blog is not legal advice and you should obtain advice appropriate to your circumstances. What we talk about here works for us.

PPE scandal reminds SA of ever-present corruption

Read Time: 7 minutes

The Covid-19 pandemic has left an indelible mark on people around the globe, and while the South African government initially made a positive start to its local response, the corruption scandal that erupted over the supply of PPE abruptly halted all feelings of goodwill, and for citizens, was simply another reminder of how rampant corruption was within government.

A year on from the start of the Covid-19 pandemic, we look back on the latest corruption scandal to hit our shores.

Demand leads to shortage, price hikes

Demand and high prices is what initially led government to scramble to secure enough PPEs and ironically, the shortage of PPE in South Africa came about when unusually large volumes of protective masks were sourced from South Africa in order to supply desperate Asian buyers with stock. This provided South Africa’s normally staid protective mask market with a steroid-like shot in the arm, while also leading to massive shortage when the pandemic eventually hit our own shores.

As a result, the South African government needed to import masks to shore up the supply deficit locally. Unfortunately, reports soon began to emerge that masks were being imported for amounts often between four and seven times the prices prior to the pandemic. Media reports of domestic price gouging also soon became public knowledge, with some of the country’s most trusted providers being implicated…

Data from a presentation that the Competition Commission made to Parliament in May 2020 shows the extent of the price hikes in the new protective mask market.

  • Dischem stores hiked prices for surgical masks between 46% and 261% and was fined R1.2-million by the Competition Tribunal in July 2020 for price hiking.
  • Babelegi Workwear Overall Manufacturers & Industrial Supplies in Centurion hiked the price of facial masks from R41 to R500 per box.
  •  Hennox Supplies and Sicuro Safety hiked prices for FFP1 masks tenfold. FFP1 masks are a lower-grade mask not suited for medical use.

Government scrambles to shore up supplies

The end-result was that the South African National Treasury issued instructions for the emergency procurement of PPE shortly after the declaration of a National State of Disaster by SA President Cyril Ramaphosa. This was done in an attempt to procure enough PPE and ensure that the price was set to avoid price gouging.

A set of instructions were issued to ensure all the necessary checks and balances were covered, including:

  • That any purchases comply with the requirements of the existing legislation governing financial management
  • That deviations in the case of emergencies or sole supplier awards are allowed
  • That any purchases in excess of R1-million must be reported to the National Treasury within 10 days
  • That maximum celling prices listed in the instructions be adhered to
  • That only suppliers that are registered on the National Supplier database may be used to purchase from

And if that was not enough, to ensure that there was sufficient control and oversight over the emergency application of the public purse, the instructions went further to state that the responsible accounting officer should in addition:

  • Implement and report on an internal system for financial control and risk management to account for the funds spent on COVID-19 purchases
  • Ensure that the personnel that procure any supplies are duly authorised to do so
  • Enable internal audit units to pick up on irregularities in a pro-active manner
  • Generate expenditure reports that can be scrutinised.

Where did all go wrong?

Despite the attempts to regulate the procurement process, by the close of 2020, the government anti-corruption watch dog, the Special Investigating Unit (SIU), had sprung into action with a probe into more than 600 companies involved in the supply of R7.5-billion of irregular PPE purchases by government entities.

The SIU probe revealed that, in the haste and scramble to bid for and receive tenders from government, politically connected individuals contracted in companies in which they had a shareholding, were a director or had recently formed, giving the impression that there was little regard for hiding their obvious involvement.

Some key problems that went seemingly unchecked in the bidding and procurement process that applied all or in part to a contract were:

  • Tender winner was not registered on National Treasury’s central supplier database
  • Tender winner did not have a track record in the manufacture or supply of PPE
  • Tender winner did not have an electronic footprint, website or corporate email
  • Tender winner was either a government employee or close family member of a government employee.
    Sometimes a close family member was part of the tender adjudication or tender award process
  • Addresses of the bidders were sometimes residential dwelling units rather than business premises
  • Tenderers were sitting at top a supply chain and were acting as middle men without owning or holding the stock that was supplied
  • Third party due diligence did not appear to have been undertaken on tender bidders or awardees
  • Emergency procurement instructions issued by national Treasury were disregarded

The rot goes to the top

The scandal was far reaching, and felt throughout government, with even Ramaphosa’sspokespersonKhuselaDiko implicated in dodgy dealings after her husband’s company was issued with a PPE tender and subsequently paid R80 million by the Gauteng government for supply of PPE.

The result? The Gauteng minister for Health, Bandile Masuku, subsequently lost his job, his wife who works as a member of the Johannesburg Mayoral committee and the President’s spokesperson have been placed on “special leave” pending an investigation which at the time of this article is still on-going.

Gauteng Premier David Makhura announcing that this was the biggest financial scandal to hit Gauteng since 2014and that he and his fellow MECs would submit themselves to lifestyle audits to demonstrate that their private spending is in line with their state-funded incomes. He would also produce a list of every company that has scored a COVID-19 related tender .

Following up on his claims, during December 2020, Makhura told a virtual sitting of the Gauteng Legislature that PPE corruption was undermining the government. “This does not seem like something that just happened. It seems like it was a proper plan, designed to ensure that rules are not followed. And as quickly as possible, people make a quick buck. We want the money recovered. These people must go to jail .”

In response to the national scandal, the Minister of Finance, Tito Mboweni, declared in an August 2020 address to Parliament, that government accounting officers had “flouted” procurement instructions and has increased prices by as much as “800%”. In a rear-guard action later that month, presumably after being caught asleep at the wheel, the South African Cabinet released a statement saying that all government departments would be expected to submit all procurement contracts awarded during this period to this ministerial team to be published and made accessible to the public.

PROTECT YOURSELF

Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.

The Corporate Insights system will allow you to protect your business from succumbing to the typical pitfalls that lead to corruption. It also comes with a host of additional benefits to ensure your company continues to operate optimally, free of the threat of corruption.

Click here to book a demonstration or call us today to find out how you can transform your business.

Getting your strategy right, ROI and keeping errors at bay

Read Time: 8 minutes

Once you have created a framework to help manage your risk of corruption, you need to ensure that you have a strategy in place to roll it out, a system to avoid errors creeping into your framework, and a clear ROI in place. Our latest article looks at all of the above, in order to ensure your new framework yields the maximum results.

Getting the strategy right

Knowing your risks is one thing, having a strategy in place to ensure they do not occur, is something else entirely. It is key to ensure you have the right strategy in place:

  • Prioritise your risk: Using the knowledge you now have of your business, identify and rank the areas of your business that hold the highest risk factors. Prioritise the highest risks and focus on them first.
  • Use the data you have: This could come from your personnel system or your compliance system, which could be beneficial in helping evaluate the risks to your company. The key is to start with what you have on hand. You can always add to your framework later and improve/adapt your learnings accordingly.
  • Plan your meetings: Schedule time with the executives, managers whose approvals will be needed, compliance and risk team members and any necessary support staff. Meetings you will need to schedule in advance:
    • Goal meeting
    • Framework outputs and area to apply within the business
    • Analysis of data and wire framework straw model evaluation.
    • Framework refinement meeting
    • Results analysis and refinement meeting
  • Start at the top: Starting the framework with the executive management provides the confidence to the organisation that what you are doing is fair, transparent and applied to all without fear or favour. The executive is also a small enough group to enable you to use it as your ‘trial’ or ‘pilot’ project.
  • Communicate and explain:

    Communicating clear, concise reasoning for the framework will build trust among your staff that it is not aimed at getting rid of people, but rather to protect and grow the business.

    Involved HR and legal from the start and reward for maintaining or improving their integrity score – it’s easier and a lot cheaper than the alternative.

  • Share your findings: Release the findings from the ‘pilot’ you ran with your executive, before running an actual pilot and then a larger roll-out. This transparency will create further trust in the system from the outset.
  • Run a real pilot: Following the executive ‘pilot’, use those results to commence a pilot in a section of the organisation that is a priority for you.
  • Expand the framework: Once you have implemented the framework in your company, it will be time to expand the framework to your key suppliers and or customers. It’s best to start with the material relationships; the twenty percent of the relationships that generate 80% of your value.

Avoiding errors creeping in

When rolling out a new framework, there are bound to be some teething issues, from negative feedback to missed opportunities, but the key is to avoid a full-blown breakdown when introducing your module throughout the company. Below are some ways of ensuring you don’t go down this road.

  • Assume nothing: You may believe you know all the risks confronting your business, but it is key to engage with your employees, suppliers and customers to ensure nothing falls through the cracks. Run surveys with employees, suppliers and customer, engage on social media, leave no stone unturned.
  • Embrace the feedback: Don’t ignore negative feedback. Bad news travels fast and you need to ensure that you are aware of any poor reviews so that you can act fast in analysing the information at hand, reviewing your framework and assessing the correct response.
  • Keep the data fresh: You need to ensure your remains up to date. What you relied upon in the past may no longer be relevant and the need for continual evaluation is critical. We recommend a monthly update or at a minimum, quarterly.
  • Ignoring the emotional drivers of choice: People respond better to positive reinforcement than to punishment, with 90% of people driven by emotion. With this in mind, you should aim to be tapping into a positive mindset, with your motivations all aimed at creating trust and fostering lasting relationships.
  • Forgetting to update and improve: Make frequent reviews a priority, starting with monthly reviews, and then allowing for larger intervals later on, while the board should be reviewing your framework every six months. Your improvements will enable you to consistently offer a better product and have a better understanding of what is happening within the business.
  • Do not over-promise and under-deliver:

    When you make promises you are not certain you can deliver upon, you put yourself and your framework model that you have developed into an untrusted category or in a risky position.

    By attempting to roll out a product that does not work yet is risky business. The same can be said if you launch or before you have worked out all the details and bugs for execution. Either of these scenarios will set your users/employees up for a bad experience with your organisation and with the framework. Either way you lose trust as well as the benefits of your framework model. Ultimately, all your hard work ends up being for nought.

  • Trust the results: You need to trust your system. It is easy to disregard an irate employee or consumer, but you need to take the high road and let them feel valued. You may have to make tough decisions on rare occasions, because of the results of the framework, but that is what it is designed to do: protect you from harm and loss.

Establishing your ROI

There are two ways to develop an ROI.

  1. Dividing the revenue that you can measure to the cost of your framework model and its program;
  2. Determine the incremental costs of specific interventions of the framework for tenders, customers and suppliers against those platform costs.

Either way, your framework model should provide you with meaningful data that helps you grow relationships that deliver value for all and not just for a select few.

Know your allowable acquisition cost

Knowing how much it costs for you to implement a framework model is important for any compliance officer, regardless of the size of the business, because it directly impacts your target ROI.

Establish benchmarks

Establish benchmarks from the data in your framework model that demonstrates the reduction in time or cost to:

  • Evaluate candidate employees
  • Reduction in disciplinary hearings
  • Reduction in forensic investigations
  • Reduction in regulatory risks
  • Reduction in supply chain costs
  • Increase in business acquisition
  • Brand awareness and growth
  • Media and brand exposure.
  • Reduction in the complexity of compliance systems
  • Reduction in the number of compliance failures.

Adjust your benchmarks

Once you start getting real data from actual systems and you are confident of their reliability, begin to adjust your estimates and re-run scenarios from your earlier forecasts. Make appropriate adjustments to your assumptions so you can launch new versions of your results that can help you forecast and predict risk events in advance.

Avoid the dashboard trap

Just because your dashboard or central location for viewing all the data points simultaneously can measure everything, it does not mean it should.

Don’t become obsessed with the numbers. Apply your focus to the areas that need to be improved and where you need to make decision to improve your scores. A carefully thought-out measurement plan, tied directly to your goals, should be the only actionable information to drive decisions.

The framework explained

Putting together a working detection and prevention framework is the first step in safeguarding your business against corruption. We have previously provided a summary of our framework model, which has been used by organisations in South Africa. This should help you better understand how it can help simplify your task in preventing corruption from damaging your business. To revisit this article, click HERE.

How risk-scoring models help your business

The people you employ are critical to your business. Ensuring that you have the right people, in the right positions throughout your organization is critically important to its success and sustainability. Maximizing the effectiveness of the tools you use to ensure you select the right people is just as essential. Find out how risk-scoring models help your business HERE.

Protect Yourself

Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.

The Corporate Insights system will allow you to protect your business from succumbing to the typical pitfalls that lead to corruption. It also comes with a host of additional benefits to ensure your company continues to operate optimally, free of the threat of corruption.

Click here to book a demonstration or call us today to find out how you can transform your business.

Continual monitoring versus the costs of a crisis

Read Time: 6 minutes

In previous articles, we have spoken about the need for putting together a working detection and prevention framework as the first step in safeguarding your business against corruption. The need for this framework to operate on a continual basis has also been discussed.

By implementing this type of framework, you will enable your employees to make risk-based decisions and enjoy the 360-degree view of corruption risk that you have developed for them. Further to this, by monitoring the risk you have identified on a continuous basis, your employees can use the data and the results to make better risk decisions and transform your business. This will enable them to protect the reputation of the company and ultimately, generate greater returns for shareholders and the community.

Essentially, the continual monitoring allows you to prevent and detect corruption and avoid the costs of an investigation after corruption has already occurred. But how does continual monitoring of your business weigh up against the costs of a crisis?

The benefits are clear

A number of experts have identified the need to undertake continual monitoring, and by adapting the framework to your organisation, you can enjoy the benefits as mentioned above. Amongst the concerns of companies we have surveyed, the costs of a continuously monitoring system is one that has come up.

This is obviously something that needs to be considered. The costs of the monitoring framework is dependent on a number of factors, including the cost of the information you’re collecting, the cost of the resources used to undertake the management of the framework and the costs of compiling and distributing the data within your organisation.

These costs need to be sized up against the costs to companies that have fallen foul to a corruption crisis. So what exactly are the costs of a crisis?

In their study on the impact of a crisis on shareholder value, Rory F. Knight & Deborah J. Pretty found that firms affected by catastrophes fall into two relatively distinct groups: recoverers and non-recoverers. Recoverers are considered to be companies that act quickly in managing the crisis, looking at amending the mistakes that were made. Non-recoverers, meanwhile, either don’t believe the fall-out will be severe or they simply act too slowly to stem the reputational damage caused by a crisis.

Looking at trading of 0-50 days after the corruption was exposed, it was found that the initial loss of shareholder value is approximately 5% on average for recoverers and about 11% for non-recoverers. By the fiftieth trading day, the average cumulative impact on shareholder value for the recoverers was 5% plus. So the net impact on shareholder value by this stage was actually positive.

The non-recoverers, however, remained more or less unchanged between days 5 and 50 but suffered a net negative cumulative impact of almost 15% up to one year after the catastrophe.

A PR nightmare

The costs of a PR crisis, meanwhile, can often have a lasting effect on the reputation of the company involved. According to a study from Clutch.co, much of this is down to how a company immediately responds to the crisis.

Using Pepsi and United Airlines as examples, Clutch.co surveyed 500 consumers to measure their willingness to purchase products or services from both companies before, immediately after, and seven months after each brand experienced a severe PR crisis.

It turns out, perhaps unsurprisingly, that the ability for a company to rebound comes down to the response of its PR team.

When a passenger on United Airlines was filmed being violently removed from one of United’s flights, the resultant fallout saw consumers’ willingness to purchase a flight through the airline dropping from 68 percent to 42 percent. Seven months later, this number had improved to 58%, but 30% of consumers still said they no longer trusted the brand and would not purchase tickets.

The reason? Consumers felt the airline’s PR team was too slow to respond, and when they did, their response was considered to be insincere.

Pepsi, meanwhile, was left facing a major backlash after their ill-advised advertisement showing celebrity influencer Kendall Jenner bringing a violent protest to a halt using the power of an ice-cold Pepsi. In response, they pulled the advertisement, apologised, and owned up to the mistake. As a result of their quick actions, consumers’ willingness to buy Pepsi products only dropped from 56 percent to 55 percent, and the 1 percent loss was fully redeemed 7 months later.

How to catch an issue before it becomes a crisis

So how long does it take for an issue to become a full-blown crisis? And how could you possibly catch it from happening? The Guardian newspaper published an article about the five identified phases of the sub-prime financial crisis that hit the global financial markets in 2008. From sub-prime to downgrade, the article highlighted five stages of the most serious crisis to hit the global economy since the Great Depression, isolating them to the dates; 9 August 2007. 15 September 2008. 2 April 2009. 9 May 2010. 5 August 2011.

Tracking the precipitation of the crisis over several years before it became a full-blown crisis, the article pinpointed clear indicators during the ramp up to the crisis that could be have been detected and monitored before the issue became a full-blown crisis.

This is assuming, of course, that you knew what leading indicators would have required tracking beforehand.

The article had the benefit of hindsight, of course, but in formulating risk management policies, corporate managers have to evaluate alternative strategies against the criterion of shareholder value maximisation. Thus, a decision to manage certain types of risk should hinge on whether the value of the firm is higher or lower under risk management.

From the result of surveys conducted, the implicit answer is yes. The management of risk results in better value for a company than the management of a crisis. Managing risk will require you to track and monitor leading risk indicators. Your framework provides you with categories of risk and the data to monitor these risks within your organisation over time.

The framework explained

Putting together a working detection and prevention framework is the first step in safeguarding your business against corruption. We have previously provided a summary of our framework model, which has been used by organisations in South Africa. This should help you better understand how it can help simplify your task in preventing corruption from damaging your business. To revisit this article, click HERE.

Protect yourself

Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.

The Corporate Insights system will allow you to protect your business from succumbing to the typical pitfalls that lead to corruption. It also comes with a host of additional benefits to ensure your company continues to operate optimally, free of the threat of corruption.

Click here to book a demonstration or call us today to find out how you can transform your business.

 

What to do when risk is identified

Read Time: 6 minutes

In previous articles, we have dug down into the framework you should develop to detect and prevent corruption in your business. By using a risk-scoring model that uses continual assessment you can ensure your business is able to to pick up on any changes of behaviour/circumstances over times. The framework allows for you to identify corruption red flags, whether they be on an individual employee, a supplier or a collection of summary data for a department or series of positions in your organisation.

The next question is: what do you do once the risk has been identified?

Risk mitigation has often been tackled by in the form of a simple, but very effective tool called the 4T’s of risk treatment. The four treatments are defined as: Terminate, Treat, Transfer or Tolerate.

  • Terminate:
    Risk Mitigated by prohibition of activities through limitation resulting in the termination of service, prohibition of activities i.e. dangerous practices.
  • Treat:
    Risk mitigated through application of policy, procedure with reference to standards and guidelines.
  • Transfer:
    A decision is made to pass the impact of the activity to a third party BUT you remain responsible for defining and evaluating the KPIs of the third party’s performance. Insurance is the most common form of transfer, while other typical interventions here are the use of external investigators, counsellors or therapists.
  • Tolerate:
    No action taken, no policy statement, risk occurrence is expected and treated during normal course of business, for example, late deliveries, bad weather, technical issues etc.

You risk-scoring framework will ultimately dictate your actions on identified risks. Taking an instance of financial distress, for example, you could manage it in a variety of ways. You could decide to treat it by counselling or supporting an employee, particularly so when the risk is considered minor or moderate, or you could decide to treat the risks identified by application of policy or a disciplinary code, if the risk is such that this action is warranted.

You could decide to terminate the risk occurring, such as disclosure of sensitive information by prohibiting social media posts related to company commercial or confidential information.

Further evidence required

Alternatively, you may find the evidence at hand is insufficient to make a determination and you require further information for analysis before you can reach a decision. Typical examples of this are when an employee has extensive commercial interests and there is a risk that there may be a conflict of interest.

If you find yourself in these circumstances, one option is to undertake a due-diligence evaluation of the circumstances that lead to the risk report.  There are usually several types of due diligence. A level 1 is a high level review looking for key or material risks. When you find them, a level 2 is undertaken to get more detail on these risks to make a decision. If you are still unable to determine the risk, a level III (typically an investigation) is launched.

FCPAcompliancereport.com describes a Level 2 report as: supplementing the initial data with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches.

This will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company, the third party’s key executives and associated parties.

Level 3 due diligence, meanwhile, is a deep dive into the background of an individual or company. Typically, this is a full investigation and is undertaken when the information you have received from both the lifestyle assessment and Level 2 due diligence is unable to satisfy the risk criteria you have defined.

A level III due diligence will typically require an in-country ‘boots-on-the-ground’ investigation. A Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” These types of investigations are normally only required on a small number of subjects, during a given period of time.

Continual assessments plug the gaps

In our experience, however, by using a framework that is set up to continually monitor for threats of corruption, there little or no need for investigative intervention, as you are identifying risks as they emerge, before they manifest as a problem that would require a level 3 investigation. The risks that are identified during the lifestyle assessment are generally mitigated through support, advice and monitoring the actions implemented to improve or rehabilitate the risk issue so that it is no longer a threat to the organisation.

Of the 15% to 20% of cases that do need further investigation, only about 3% to 5% would need a Level 3 due diligence investigation.

And while nobody wants such investigations to be necessary, it is far more palatable than the alternative of a forensic investigation (worth linking out to article on forensic investigation) once the crisis has already occurred. It is more cost-effective as well.

The framework will provide you with a solution so that you can quantify your risks, and the cost of measures to mitigate them. You will also remain in control of any action you decide to take. If applied correctly, the framework should ensure that you do not need to launch wide scope forensic investigations that become public crises, damaging your reputation in the process.

The framework explained

Putting together a working detection and prevention framework is the first step in safeguarding your business against corruption. We have previously provided a summary of our framework model, which has been used by organisations in South Africa. This should help you better understand how it can help simplify your task in preventing corruption from damaging your business. To revisit this article, click HERE.

Protect yourself

Corporate Insights has developed a one-of-a-kind modular system that combines TransUnion’s big data universe with our own artificial intelligence and smart logic algorithms. It enables you to continually monitor, detect, act on, and prevent critical risks, both internally and externally.

The Corporate Insights system will allow you to protect your business from succumbing to the typical pitfalls that lead to corruption. It also comes with a host of additional benefits to ensure your company continues to operate optimally, free of the threat of corruption.

Click here to book a demonstration or call us today to find out how you can transform your business.