The Future of Scandal: Technology and Corporate Wrongdoing
For as long as there have been businesses and investors, there have been those who have sought to make money illicitly by breaking the rules and misleading others.
Nowadays, corporate scandals come in many shapes and forms, but among the most common are those related to fraud and price-fixing cartels. One thing that links all modern scandals is the importance of electronic devices, both as a means of propagating a scandal and as a source of electronic evidence that can be used to detect a scandal or deal with the legal consequences.
This article examines the life cycle of a scandal: how scandals are created and how they emerge. It also offers practical advice on prevention and crisis management.
How do scandals start and how can they be prevented?
A joint report by the International Corporate Governance Network (ICGN), the Governance Institute (ICSA) and the Institute of Business Ethics (IBE) suggests that certain corporate cultures can increase the chance of wrongdoing.
The report highlights some ‘red flags’ that can indicate malfeasance. According to the report, these are not industry-specific, with examples drawn from the banking, retail, manufacturing and automotive sectors. The report identifies three main factors that lead to a degeneration in ethical behaviour:
- “Corporate stress” which encourages employees to take short-cuts
- Tolerance of minor rule breaches and an atmosphere where rules are pushed to their limits
- Focus on short-term targets
Much like the ‘Broken Windows’ theory of crime, the report’s authors believe bad behaviour is incremental. What could start as a relatively minor breach could develop into something more serious.
Other factors given by the report include:
- controversial pay deals, such as high executive pay or targets which encourage risk-taking to hit short-term targets
- complex legal structures which make it hard for boards and management to work out what is going on inside the company
- poorly executed takeovers which lead to a mix of cultures within a company, with “pockets” of bad behaviour thriving beyond the control of the board
- lax financial discipline, for example both Northern Rock and RBS had excessive leverage which led to their problems as the crisis hit.
The report also warned of the dangers of “autocratic” chief executives whom staff are afraid of angering for fear of reprisals, meaning that vital information about potential problems might never reach senior management.
The report said that the best way of improving companies’ corporate cultures to reduce risk was to get boards more involved and have a better understanding of the way staff are motivated and treated.
Changing company culture can be a long-term process. A more immediate preventative measure is to look to corporate communications. Scandals, particularly cartels, live and die by conversation. Without communication between parties, there can be no cartel, in the traditional sense of the word.
Including checks on communication can be a powerful part of any robust compliance strategy. Since evidence showing misconduct may be found in written communications and among irregularities found in financial data, savvy compliance officers and in-house counsel regularly conduct mock dawn raids and perform compliance audits. Both these methods are good starting points for companies wanting to take a more proactive approach to compliance.
What is a mock dawn raid?
Mock dawn raids are usually conducted by third parties, such as lawyers and ediscovery providers, to deliver the experience of an unannounced inspection from an authority. Computer forensics professionals will seize electronic devices, such as laptops, computers and phones, as well as take copies of data from servers and the cloud. They may also take paper documents. Data stored on these devices will then be forensically copied for analysis and a full audit trail maintained. Other consultants may train a variety of personnel (including receptionists, in-house legal and IT) on the proper procedures to follow when confronted with a surprise inspection.
After a mock dawn raid, it is possible to learn from the experience and identify areas that the company ought to address.
Mock dawn raids are a powerful tool for compliance officers because they can help to assess a company’s level of readiness for investigations and they also send a strong message to employees that compliance is taken seriously.
Authorities such as the European Commission and the Competition and Markets Authority recommend that companies conduct internal reviews to assess compliance. Regularly reviewing samples of electronic communications and information is an important part of an internal compliance audit. The benefit of such audits is to gain insight and to be in the driving seat if anything seems out of place.
Information gathered from interviews may lead the audit toward particular sources of data for review. Email, databases and even social media can be targeted to provide an organisation with a more comprehensive view of the levels of risk to which it is exposed.
As the know-how to interrogate databases develops, companies are increasingly using specialist data analytics tools to proactively examine financial, operational and transactional data. Even light analysis of databases can uncover patterns, anomalies and red flags. For example, data can be arranged graphically to show purchases by country or account number. Outliers such as purchases being made in unexpected countries or to duplicate accounts can then be investigated.
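One way to run the checks described above, as an added example that is not part of the original article: the ledger rows, the expected-country list and the function names are constructed for illustration, and "duplicate accounts" is read here as one bank account being paid under more than one vendor name.

```python
from collections import defaultdict

# Constructed sample ledger (not real data): vendor, country, account, amount.
# "ZZ" is a placeholder country code standing in for an unexpected jurisdiction.
PURCHASES = [
    ("Acme Supplies",  "GB", "GB00 TEST 1111 2222 33", 1200.00),
    ("Acme Supplies",  "GB", "GB00TEST1111222233",      980.50),
    ("Borealis GmbH",  "DE", "DE00 TEST 4444 5555 66", 4300.00),
    ("Northwind Ltd",  "GB", "gb00-test-1111-2222-33", 7600.00),
    ("Cobalt Trading", "ZZ", "ZZ00 TEST 7777 8888 99", 15000.00),
    ("Borealis GmbH",  "DE", "DE00TEST4444555566",     2100.00),
]
# Assumption: countries in which the business is known to trade.
EXPECTED_COUNTRIES = {"GB", "DE", "FR"}


def normalise_account(raw):
    """Drop spacing, dashes and case so formatting variants compare equal."""
    return "".join(ch for ch in raw if ch.isalnum()).upper()


def totals_by_country(purchases):
    """Spend per country: the figures a 'purchases by country' chart would plot."""
    totals = defaultdict(float)
    for _vendor, country, _account, amount in purchases:
        totals[country] += amount
    return dict(totals)


def unexpected_country_purchases(purchases, expected):
    """Rows whose country is outside the expected trading footprint."""
    return [row for row in purchases if row[1] not in expected]


def shared_accounts(purchases):
    """Accounts that receive payments under more than one vendor name."""
    vendors = defaultdict(set)
    for vendor, _country, account, _amount in purchases:
        vendors[normalise_account(account)].add(vendor)
    return {acct: sorted(names) for acct, names in vendors.items() if len(names) > 1}


if __name__ == "__main__":
    print("Spend by country:", totals_by_country(PURCHASES))
    print("Unexpected country:", unexpected_country_purchases(PURCHASES, EXPECTED_COUNTRIES))
    print("Shared accounts:", shared_accounts(PURCHASES))
```

Without the normalisation step the three differently formatted copies of the same account number would look like three separate accounts, and the shared account would go unnoticed.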
Regardless of the method chosen, organisations that carry out internal reviews to detect wrongdoing, such as corrupt practices and anti-competitive behaviour, are better positioned to defend themselves should a scandal be uncovered.
What industries are at risk from corporate scandals in 2017?
As stated earlier, scandals can stem from misconduct of individuals or small groups of individuals and so in theory any industry runs the risk of a scandal. However, corporate culture aside, some industries are more at risk from corporate scandals emerging simply because they are more heavily regulated than others and the regulator’s focus is increasingly broad.
The Competition and Markets Authority (CMA) stated that its priorities for 2017 were in the following areas:
- Consumers’ access to markets and barriers to decision-making
- Online and digital markets
- Technology and emerging sectors
- Regulated sectors and infrastructure markets
- Markets for public services
- Sectors that are important to economic growth
Ostensibly, this covers quite a large swathe of industries operating in the UK and beyond. Any corporation whose business activities fall under the above categories should consider making compliance a priority for 2017.
On a more international scale, the European Commission has also laid out its priorities for 2017, and whilst they are broadly analogous with the CMA’s, there are some interesting points to note. Firstly, European antitrust authorities will gain increased powers to prosecute breaches of competition rules under draft legislation to be proposed by next June, following talks between the Commission, corporations and competition experts.
Currently, the Commission is proposing the following actions to increase the power of national regulators:
- giving national authorities tools to detect and sanction violations of EU competition rules;
- encouraging companies to come forward to national authorities with evidence of illegal cartels through ‘leniency’ programmes;
- ensuring the independence of the national authorities;
- ensuring authorities have sufficient resources and staff.
Big data and how companies use big data is also a priority for the Commission. Companies in possession of big data can potentially trigger both Articles 101 (antitrust cases) and 102 TFEU (abuse of dominance cases). However, the Commission is looking to strengthen its ability to enforce the rules in cases involving big data.
During a speech in late 2016, Margrethe Vestager, the European Commissioner for Competition, stated that the Commission does not object to the collection of large data sets as long as they don’t hurt consumers in the process by undermining competition. In order to combat this, the Commission is aiming to release a proposal on legislation for big data in early 2017. Based on Vestager’s comments in the speech, this is likely to be in the form of a directive rather than a regulation.
She also commented that further scrutiny may be required for mergers with valuable data, even if the turnover of these companies is not large enough to come under the usual merger control criteria. Again, this widens the pool of companies that are at risk of corporate scandals emerging from regulation, bringing in smaller players who might not be prepared for competition scrutiny. Companies handling large data sets should ensure they are up to speed with the latest directives, understand how their data can breach EU law, and take steps to ensure compliance.
What should companies do?
Going looking for trouble leaves some companies feeling squeamish, but the authorities often impose lower fines when a company confesses and provides good quality evidence to help the authorities with their investigations.
If the wrongdoing is exposed by a whistle-blower or as a result of a regulatory investigation, this can add considerable pressure to any internal investigation the company chooses to instigate. Companies who are implicated in this way are more vulnerable to penalties. Also, if the matter has had time to grow in scale, they face potentially larger legal penalties and fees than if they had put themselves into the whistle-blower position. And when outside investigators looking at one issue discover further skeletons in the closet, this can lead to further scrutiny, public criticism and costs.
If a company is implicated in a scandal, what is the best way to manage the situation?
- Act quickly and launch an internal investigation as soon as possible. Once news of a scandal is in the public domain, an investigation by a regulatory body is almost inevitable. An internal investigation will help get to the heart of the issue and enable a company’s legal team to form a strategy based on evidence found in the investigation. Time is of the essence, so technologies such as predictive coding can help find hot documents as early as possible. Predictive coding learns from the decisions made by human document reviewers to prioritise other similar documents for review and to predict how unseen documents might be categorised.
- Think outside the box when it comes to data. Email and calendar appointments are some of the most important sources of electronic evidence, but valuable evidence can be found from other sources, as well. Twitter, Instagram and even GPS data from satellite navigation systems can provide revealing information that may be vital to a case.
- Use an experienced digital forensics provider. It is of vital importance that data is collected in a forensically sound, defensible manner. Digital forensics experts employ the correct techniques to carefully and accurately contain, preserve and extract critical evidence. This includes the implementation of a strict “chain of custody” procedure and audit trail throughout the analysis of the data. Leaving the task of handling such important evidence to in-house IT teams, potentially without advanced forensics knowledge, can compromise the defensibility of a case.
Although corporate scandals and wrongdoing can seem somewhat inevitable, a rigorous compliance regime and a positive company culture can reduce the risk of scandals causing reputational and financial damage should wrongdoing be found.