Kent Kedl, Senior Partner, and Ben Li, Associate Director, at Control Risks explain that conflicts of interest are easy to come by but much harder to deal with
A conflict of interest (COI) occurs when an employee derives personal benefit from actions or decisions made in their official capacity within the company. Some recent, real-life examples include:
A foreign company bought a Mainland China-based company and retained the former owners to work with the new company; however, the business did not experience any growth for two years. It was later discovered that, on the day of purchase, the former owners had secretly set up a new company and immediately started to siphon off business to the new entity.
A sales manager set up multiple distribution companies through friends and family. She gave special pricing and rebates to these companies so they won more business than other distributors. She received a portion of their business into her personal bank account.
A procurement manager set up a deal with suppliers whereby he received a 10 percent kickback for awarding them business.
The seriousness and impact of COI issues can be debated, but their prevalence cannot – COI is associated with doing business in mainland China. If your company has been in mainland China for more than ten years, our research shows that you have a more than 75 percent chance of having undiscovered COI issues.
Too serious to ignore but difficult to investigate
In the past, many companies ignored COI issues because they assumed this was just the cost of doing business in Mainland China until they started counting the cost. Lost revenue from employees siphoning off business to competing companies that they own, and reduced margins through excessive discounts to COI companies, are the most apparent direct costs of COI. The indirect costs are harder to calculate but are often the hardest to regain: loss of legitimate distributors and suppliers unable to compete with insiders, and in the most serious of cases, reputational damage, erosion of shareholder value and exposure to regulatory investigation.
In the most egregious cases, COI issues in highly regulated industries led to questions about quality, prompting regulator investigations, followed by a tangible impact on share prices. Unresolved COI problems result in losses to a company – the proverbial death by a thousand cuts – and are a serious distraction to managers who would rather focus on growing the business.
As a company comes to realise the extent and impact of their COI issues, they are frustrated by their lack of success investigating and prosecuting these cases. Traditional financial audits usually do not work – if they did, the company would have discovered the problem long before a whistle-blower came forward. But even when a company finds evidence, what should it do? Local law enforcement agencies in Mainland China are rarely interested in taking on such cases – usually, they tell companies that these are ‘internal matters’ that they should deal with themselves – and strict labour laws often present difficulties in dismissing employees, even with cause.
COVID-19 brings a further twist to an already complex tale, increasing the threat of insider fraud or COI. Work-from-home procedures and other factors weakening internal controls make companies more vulnerable to unscrupulous employees taking advantage of their knowledge of loopholes. While resolving these issues at such a stressful time may feel like one more item on the to-do list, failing to address them robustly and immediately would significantly impact the company’s efforts to rebuild their business in Mainland China.
Outside-in: a different, and more successful, approach to COI
COI issues are usually discovered when a whistle-blower makes allegations that someone in the company is self-dealing through conflicted interests. The whistle-blower typically gives some names of companies and a description of how an employee is using them for their own benefit. Companies then conduct a financial audit, but in most cases cannot find a connection. It is unsurprising that audits rarely uncover COI issues: an auditor is not an investigator. Auditors follow a prescribed set of tasks to ensure that proper governance has been carried out in book- and record-keeping. If they find an issue, they raise their hand. Because COI issues are, by definition, perpetrated by company insiders who are familiar with the internal processes and controls that auditors would be looking for, they are quite easy to hide and can only be identified through a rigorous investigative process.
COI is fundamentally a problem that takes place outside the company with third parties linked back to inside employees, so it is recommended that investigations start outside the company and then move inside, to avoid attracting attention and ensure full possession of the facts before making significant decisions.
1. Business intelligence
Using public-record research and discreet enquiries with sources, investigate the allegations to establish the validity of the alleged behaviour in the market. Is the employee really connected to the named company, either directly, through family ownership, or a business agreement? How, specifically, might the employee be benefiting – through kickbacks or equity ownership, as a competitor? How widely is this known in the market? What other employees may also be involved, and how deep is the problem?
Hard evidence can often be found during this process, such as the employee registered as a director of a conflicted company. At the very least, enough evidence can be found to either close the case or take the investigation ‘inside’ the company for further exploration.
2. Data analytics
Using a large company dataset consisting of HR files, vendor and distributor masters and financial transactions, findings from the business intelligence work can be applied to look for evidence of connections inside the company. Look for suspicious connections and transactions. For example, an employee’s personal telephone number given as the contact number for a third party, a series of third-party transactions for round numbers, or invoices paid to a vendor outside the normal accounts payable cycle.
3. Transaction testing
Testing is required to find the specific transactions recorded in the company’s system associated with the outlier connections. Outside the context of a COI investigation, these transactions usually appear normal in a traditional audit, but when combined with the evidence gathered through business intelligence and data analytics, they become the ‘gotcha’ evidence a company needs to act against an employee.
A combination of these three steps identifies the extent of the problem, where to find evidence, and, most importantly, the hard facts needed to confront the employee or to consider next steps. In sensitive cases, evidence alone may be insufficient to act. You may need to carry out extensive business continuity planning before approaching the employee, for example, because of the individual’s influential C-suite position and the potential harm they could bring to the firm. And don’t be too swift in dismissing an employee either: In some cases they then go on to report you to the regulators for precisely the bad acts committed by them. The subsequent six-month investigation can be paralysing.
Don’t just plug the leaks, fortify the dam
This leads to the final step – scenario planning, and considering the impact of rapid steps taken to resolve an ingrained problem. Too often clients focus on chasing perpetrators and ignoring the fundamental vulnerabilities in their systems and processes that got them into trouble in the first place.
In addition to the high success rate of the ‘outside-in’ approach, the ultimate value is that it clearly identifies systemic problems in selecting, qualifying and managing third parties. Investigations often enable a company to shut down an instance of self-dealing and then strengthen processes and governance to mitigate against future COI risk. These changes can include an internal review of the control weaknesses that allowed the COI to flourish, designing an effective third party screening programme, and leading employees to value and take seriously the results of the screening, resulting in a stronger compliance culture. For clients with a large pool of third parties, establishing data-driven fraud monitoring programmes is an additional and crucial step to catch any future COI attempts.
Once a company starts to gain a reputation for taking COI seriously, it no longer has to hear, “this is just the way business is done in Mainland China”. Rather, its financial performance improves, and its management has time to focus on more important things.
This article was first published by Control Risks