2020 and the beginning of another decade

The winds of change are upon us - how will organisations respond?

What will this new decade bring? What are the legacies of the last decade? We are now operating in a time of increased scrutiny and higher personal risk when organisations get it wrong. The stakes are high and the risks are real.

Poor business conduct arises from bad culture, weak or in some instances corrupt leadership, compliance failures, incompetence or the unfortunate pursuit of sales and revenue above all else. These themes emerged again throughout the last decade and culminated with front page headlines.

The revelations of the past few years have seen some businesses slow to react and others be more proactive with remediation programs. Increased enforcement and litigation, and the evolving threats associated with cyber crime and foreign interference, are now demanding more of organisations.

We expect that the use of technology to monitor compliance and identify misconduct will increase. New technologies provide greater knowledge and power, which results in greater responsibility for risk managers.

New criminal offences and whistleblower legislation have put Directors and executives on notice and regulators have moved away from a consultative approach. Independence is vital and has been the catalyst for Boards, management and legal counsel to reassess how investigations are handled.

We enter the year with recession warnings, the impact of the devastating bushfires still to be determined and the influence of the coronavirus on markets yet to play out. We expect discretionary spend will tighten.

In times of uncertainty people often do things they usually would not. Organisations are now navigating corporate crime investigations, which are difficult matters that often present conflicts for senior management.

The key themes for 2020 require careful consideration and assessment. Our experts are working with our clients to help them respond to and avoid unwanted events or scrutiny.

Insights from the cyber frontline


Human driven insights key to response and risk quantification activities.

Organisations, regardless of size or structure, are naturally becoming more technology integrated and reliant. Almost every employee requires a digital device to do their job and their use of these devices to create, store, share and communicate data, is fast becoming an organisation’s first line of defence – the “Cyber Frontline”.

This frontline is full of valuable insights if you know where to look and is also one of the most common locations where organisations come under attack. It is where your staff and customers are most vulnerable and, coincidentally, is often the weakest chink in an organisation’s armour.

Monitoring the actions of staff has been frowned upon for many years, that is, until the unwanted compliance, HR, cyber, fraud or external agency calls on an organisation. Regulators, Directors and shareholders expect management to monitor risk. The use of technology to capture what someone is doing on your systems is an efficient and less intrusive risk management tool. It has been used successfully to identify or prevent IP theft, data and privacy breaches, fraud and even low productivity.

The rise in technologies that are observing activities and attempting to block or report suspicious events based on rules and signatures is a direct response to the risks. Most recently, we have seen technologies attempt to leverage the benefits of Artificial Intelligence (AI) to evolve these rule and signature based technologies, to have the ability to learn and understand cyber threats and criminal tradecraft.

There remains room for greater value and insights to be obtained from IT systems or the Cyber Frontline. This provides an opportunity to use advanced analytics and AI to quickly detect even slight deviations in human behaviour and a faster transition to response and risk quantification activities.

Speed of detection and response will be critical to mitigating the impact of incidents and events in a world where 100% prevention is impossible.

Our Forensic Technology experts work with the broad range of technologies that capture this critical data. They expect that in 2020, as they develop better dashboards for executives to gain insights and apply risk management lenses, we will see significant improvements in identifying risks and avoiding unwanted events.

Proactive Compliance Programs

Organisations seek to embed a compliance culture as a result of recent enforcements.

The fallout from the Financial Services Royal Commission and resulting enforcement actions highlights the fact that regulators are no longer offering the olive branch.

Organisations must now take steps to comply with legislative requirements by anticipating and rectifying risk areas without being prompted to do so. Increasingly, they are expected to not only embrace the letter, but the spirit of the law, and implement programs to embed a compliance culture.

Organisations must seek to have an effective compliance program which draws on a range of methodologies, including data analytics, to achieve the objective of managing compliance risk. Achieving this requires top-level commitment and dedicated and experienced personnel. The program must be responsive to regulatory change, which means anticipating regulators’ thinking. Policies and procedures have to be clear, consistent and accessible, and subject to regular review to ensure they remain fit for purpose.

Routinely conducted risk assessments where accountability is clearly assigned, understood and supported by monitoring and testing of controls is essential. A key element of a good compliance program is a training program where the content and delivery method is tailored to reflect positions, roles and responsibilities.

The requirement to have whistleblower protocols where there is a trusted avenue for reporting misconduct with no detriment or retaliation is now mandated and this should be supported with robust investigation protocols.

Compliance reporting should be meaningful and facilitate the identification of actions and clear accountability.

Finally, it is important to recognise the need for continuous improvement whereby the origin of any misconduct and control failures are understood and addressed. Boards more than ever are aware of the requirement to ensure regulatory obligations are met, so there is no excuse for not establishing a proactive compliance framework.

Compliance failures of the last decade are a result of poor accountability and a reduced appetite by management to support risk and compliance teams. Instead we have seen prioritising of revenue opportunities and higher risk products and services. 2020 will see increased compliance activity by organisations and undoubtedly regulators.


Corporate Crime


Is the nature of a corporate investigation changing?

The regulatory scramble continues across Australia following the revelations of the various Commissions of Inquiry over the past three years. Combined with new criminal provisions for company Directors and Officers and recent whistleblower legislation, we have already seen an increase in investigations.

Organisations are now commissioning an independent investigation for more serious allegations, regulatory matters or cases that implicate senior management or advisors.

Regulators are more active and demand more information. Significantly, investigation and enforcement agencies are boosting their resources and are taking a more adversarial approach. Negotiated actions of the past with legal teams managing the parameters will no longer be the norm.

Whilst financial investigations require specialist skills in financial analysis, accounting and asset tracing, corporate crime offences call for investigators with experience examining corporate conduct. This has been an area that insolvency and forensic practitioners have explored and reported to ASIC. Management should be ahead of the regulators and undertake an independent investigation so they are able to take legal advice and decide a course of action based on evidence.

In order to get it right, when investigating serious allegations in 2020 organisations should consider:

  • Demonstrating from the outset that the investigation will be conducted by an independent and experienced investigative team, ensuring facts are identified and reported without fear of reprisal.
  • That the investigative team must be cognisant of potential mistakes that can negatively impact whistleblowers, employees and significantly damage an organisation’s reputation.
  • Engaging external lawyers to maintain legal professional privilege and to provide legal advice following an independent investigation.
  • Experienced investigators with the ability to ensure the integrity of evidence by identifying and securing evidence as soon as possible to ensure there is no potential for loss or manipulation.
  • Continuous disclosure and mandatory reporting obligations, therefore requiring that any investigation is conducted in a timely manner with key findings being communicated at the earliest opportunity.

Integrated Risk Management Model

Foreign interference exposing the growing need for integrated risk management.

Rising awareness of foreign interference as a new focus for risk management, together with cyber, is helping to drive mature organisations towards an integrated risk management model. This model allows organisations to exploit synergies between all of their risk management processes.

Foreign interference, as distinct from legitimate and transparent forms of foreign influence, involves activities that are covert, deceptive, corrupting or coercive and intended to advance the interests or objectives of foreign actors. Investigative media reports and Government agency warnings show that major corporations and other institutions including universities are targets. Countering Foreign Interference (CFI) has become a top national security concern.¹

Cyber risks are well known to most businesses and many are well on their journey to building resilience. Less well known is how hostile foreign state actors are exploiting cyber vulnerabilities to conduct acts of foreign interference, which is, in turn, creating new vectors of cyber harm. Increasingly, clients find that they cannot manage cyber risks without considering foreign interference risks, and vice versa. As a result, “siloed” risk management approaches are proving ineffective. The nexus between the two is most clear with respect to trusted insiders. We are currently assisting large companies to review their trusted insider programs with these facts in mind.

More generally, hostile state actors are exploiting vulnerabilities in procurement, supply chains, physical security, KYC programs, research programs, human resources, sales and investor relations in order to pursue their objectives at the expense of Australian businesses. They are obtaining valuable IP and sensitive personal information to manipulate hiring, contracting, lobbying and even M&A processes.

Improved systems of accountability, transparency and due diligence that are required to effectively manage foreign interference risks are also conducive to managing other risks across the organisation.² CFI is providing an opportunity and catalyst for organisations to introduce, or for a few, reinforce their integrated risk management.

1. www.homeaffairs.gov.au/about-us/our-portfolios/national-security/countering-foreigninterference/cfi-strategy

2. www.education.gov.au/ufit


Mitigating the risk of adverse outcomes


Directors and senior executives to prioritise litigation and regulatory matters.

The risks have become more evident, and trends towards personal accountability for Directors and senior executives will elevate litigation and regulatory matters on Board and management agendas.

Whilst personal liability for breaches of certain legal obligations is not new, a number of recent actions point towards increasing frequency of legal or regulatory action against Directors and executives and more direct consequences for those whose conduct is found wanting.

Directors’ and officers’ insurance premiums have reportedly increased amid a rise in class actions and claims against Directors. This should not be a surprise as litigation often follows hot on the heels of regulatory investigations including Royal Commissions, or public examinations by liquidators.

Under the Banking Executive Accountability Regime (BEAR), an accountable person’s variable remuneration may be reduced if they fail to comply with their obligations.

Initially applicable to the Big Four banks, the BEAR has already been extended to capture all authorised deposit-taking institutions and, in the wake of the Hayne Royal Commission, the Federal Government has recommended the BEAR be extended to all financial services entities regulated by the Australian Securities and Investments Commission.

Whilst the BEAR relates to financial services, it is not hard to imagine future Commissions of Inquiry and changing community expectations leading to the introduction of similar regimes or legislation impacting other sectors.

In this environment, we expect to see Directors and senior management teams paying closer attention to any disputes or regulatory inquiries they face and allocating necessary resources to mitigate the risk of adverse outcomes.

The year ahead will surely see many Directors consider the risk and reward in their role. It will certainly provide further momentum for the Board to demand more information from management and be closer to management decisions.

Payroll Underpayments

The cost of underpayment extends well beyond the financial.

The number of organisations admitting to mistakenly underpaying staff wages and superannuation entitlements continues to escalate. The size and sophistication of an organisation was no guarantee of having got it right. From grocery giants to charities, the incidences are widespread and can no longer be considered isolated. Why is that?

Australia has complex labour laws. Employers must navigate a myriad of Acts, employment awards and, potentially, single or multiple enterprise agreements. We have been working with clients who have been mortified to find errors in their systems and processes designed to cope with this complexity.

Stakeholders and the public may not be forgiving, particularly if underpayment impacts lower paid members of the workforce who have been, or are already, doing it tough.

The fallout for an organisation as it faces immediate reputational issues in the eyes of customers and suppliers is an adverse impact on staff morale. How the organisation responds is crucial.

Resolving the issue and restoring stakeholder confidence can be costly. In addition to the cost of correcting the underpayment itself, effective remediation also involves legal, financial and communications expertise to ensure an organisation gets it right, is seen to get it right and respectfully manages the relationships with its workforce and the regulator to achieve a transparent and fair outcome.

Whilst the remediation of underpaid payroll has run in the tens of millions for some organisations, on scale it is having a material impact on the financial year results. The costs that come with a payroll remediation program include communications, legal and accounting specialists. When compared with the underpaid payroll it is a small but necessary cost to restore confidence and demonstrate to regulators, the broader market and, importantly, the organisation’s workforce, that it has been corrected with independent expertise.

The recent high profile underpayments are likely to continue the wave of scrutiny. As regulatory surveillance, an organisation’s self-audit, or a media exposé may reveal, we will see the continued trend of payroll investigations and remediation programs well into 2020.


Growing Arbitrations in Australia


Arbitration to continue to be a preferred option for the resolution of disputes.

In late 2019 Australia held an International Arbitration Conference, which brought together legal and industry experts. The conference showcased Australia’s well established arbitration practitioners and expertise in the international space.

International arbitrations are particularly well suited to state based disputes and commercial disputes where there are multiple parties from different jurisdictions. There are recent examples where Australian companies have participated in international arbitrations, involving complex construction disputes in the resources sector.

Arbitration is an attractive alternative to the courts for the resolution of disputes for a number of reasons including:

  • Confidentiality of the process and arbitral awards.
  • Flexibility of the process given the reduced formality in arbitration proceedings and the ability to set time limits for arbitral hearings.
  • The parties’ ability to be involved in the selection of the arbitrator(s).
  • The parties’ ability to choose the location where the arbitration will be heard.

For these reasons, arbitrations can often be a cheaper and quicker way to resolve disputes.

A key feature in arbitrations is the provision of expert evidence. Such evidence can often be pivotal to the outcome. The provision of expert evidence is well suited to arbitrations where the flexibility of the process can allow for matters such as common questions to be put to the experts, the provision of joint reports and the giving of concurrent evidence. This is not always the case through the court systems.

Much of the focus of the International Arbitration Conference was on ways to grow arbitrations in Australia. There is considerable interest in this as the flexibility, confidentiality and cost savings should see arbitrations continue to be a preferred dispute resolution method.