Lifting the lid on risks and workplace culture
Rory Gregg
Minor fraud and petty theft within large organisations is a cost of doing business. The issue isn’t whether it is happening – it is to what degree.
In a recent research study, the School of Psychology at Newcastle University (UK) found that people a more likely to follow “social rules” when they perceive (or believe) that they are being watched.
Even a simple poster of a person’s face staring outwards, or the presence of more people in the vicinity was found to be enough to very significantly increase people’s compliance with rules.
This is certainly not the first Behavioural Economics research study that has looked into this particular area, but it does put a very different spin on retail fitouts that use large images of beautiful people.
In a nutshell, the best way for leaders to ensure compliance or honest behaviour is to lead by example, and to openly keep an eye on the performance of team members. Corporate culture and the actions of leaders can heavily influence the incidence of fraud and theft.
Total reliance on “mechanistic” or automated threat detection systems can be a recipe for disaster. Any automated system eventually needs input from people, and that invariably becomes a potential point where fraud can be introduced into the system. Where leadership oversight is lax, then the temptation and opportunity to defraud will be high.
Accounting systems have been highly automated for several decades, with systems to help automatically detect discrepancies. Yet large scale corporate fraud still occurs, as was seen recently when major financial frauds involving millions of dollars were uncovered at Visy and Queensland Health.
Unfortunately, many organisations deliver some of the perks of corporate employment in a way which panders to base temptations. A seemingly bottomless stationary cupboard, and lax oversight of mobile phone expenses being two areas which can lead to bigger problems.
A few months ago, Verisign – one of the key suppliers of technology security for Internet connected systems – revealed that their IT systems had been breached by hackers, with unknown data loss. Given the critical role that Verisign plays in the functioning of the Internet, this single breach could end up having an extraordinary impact on millions of organisations.
The Verisign breach occured in 2010, with senior executives of the company claiming they were only told in September 2011. Those same executives then chose to bury the disclosure in their financial filings, where it was eventually discovered 3 months later by a journalist.
Verisign clearly needs to turn around a highly disfunctional corporate culture. Leadership plays a crucial role in influencing corporate culture. Based on their lack of leadership accountability, and their subsequent tick box approach to disclosure, it seems to me that there will be more pain ahead for the company.
Perhaps we should just be thankful that they run critical Internet infrastructure, and not nuclear reactors.
The Swiss Cheese Model by James Reason is a conceptual model which is commonly used to analyse the interactions between systems, and the way they contribute to failures in end to end processes. It is a useful mechanism for evaluating potential latent and active problems, giving insight into cumulative levels of risk.
The model can be used proactively to delve into critical business processes. When you start to lift the lid, you often find that coalface employees are well aware of shortcomings, and may well have flagged concerns or the need for change on previous occasions.
Once a problem is identified, correcting the broken workflow or policy is just a single element of what must be achieved. Leadership within the organisation needs to play a positive role in the process, providing encouragement, explaining the need for change, adjusting relevant KPIs, and ensuring that team members have appropriate training.
Automated detection systems will always have blindspots that can be exploited. To catch problems before they spiral out of control, employees must feel comfortable that they can communicate problems to their managers, and that concerns won’t just fall on deaf ears.