Last week, Nick Watson shared an article he’d contributed to, showing how oligarchs (enabled by unethical banking types) evade/negate awkward investigative reports.
They weaponise GDPR to batter any investigator with the temerity to maintain records exposing misdeeds.
Then I saw this quote from Michael Sauga in Der Spiegel:
“The truth is that its [Switzerland’s] financial industry has become as “dependent on dirty cash flows as German industry is on Russian gas”. As Swiss banker Josef Ackermann, the former head of Deutsche Bank, has said, targeting Russian assets too vigorously would be “devastating for the financial sector”. In its reluctance to do so, Switzerland is proving itself to be “the Kremlin’s willing helper”.
What’s the link?
Well, I’m not Switzerland-bashing alone; people in glass houses (the UK property, football, and banking system have long aided and abetted the same clientele as Swiss bankers serve).
I amcurious about the efficacy of regulation in sectors where behaviours and incentives live in a different universe.
Regulation and reality
I keep hearing how the financial services sector is (one of the) most regulated. Almost “suffocatingly” so, according to a few folks I’ve spoken to.
So what? Well, it’s not working. To avoid slipping into a quagmire of tongue-in-cheek compliance, or regulatory tombstoning, we need to STOP OBSESSING ABOUT CONTROLS!
Data from the Association of Certified Fraud Examiners (ACFE) surveys suggest that control failures account for a third (or less) of violations. In the majority of cases, human behaviours cause the override. Looking back at investigations and risk assessments, the majority of the time, the short-circuit is not simply “a bad actor” seeking to subvert controls for personal gain. It’s people breaking the rules (and often their ethical principles) because:
💣 They were told to
💣 Pressure – to hit targets (financial, time-based, etc.)
💣 They thought they were doing right by the company
Told to
The tone from the top matters, but so does the mood in the middle. Consider asking people things like:
☑️ Are leaders and managers held accountable for their actions?
☑️ Do your leaders understand the risks the organisation faces?
☑️ I am incentivised to behave ethically
☑️ I can raise questions and concerns easily with my manager
☑️ My team discusses ethical decisions (including tough ones)
The trick is to allow enough anonymity that people might answer truthfully but have enough identifiers to understand where there might be problems. Generally, no *group* should be smaller than 5-10 people. Some typical categories to enable analysis:
👉 Location
👉 Department
👉 Function
👉 Length of service
In a previous life, an ‘anonymous’ employee engagement survey asked for these details and job title and salary band. I was the only person in my ‘group’ in that office and therefore knew my answers would be easily attributable. Don’t do that.
Pressure
Psychological safety can help understand the pressures people face. There are questions here too, but I’ll keep some powder dry.
The simplest starter, however, is to ask if targets can be achieved ethically. If your leadership feel that employees are moaners or naysayers and will answer that question in the negative, then you have your answer about where the problem lies. Start looking for a new job.
Another way to approach this is to ask people to do pre-mortems – something Hemma Ramrattan Lomax, Ph.D speaks compellingly about. If we can create cultures where we openly discuss how we respond (ethically) when things go wrong (worst-case scenarios), we might avoid the many violations that stem from poor decision-making under pressure.
Doing right by the organisation
Most of us don’t wake up wanting to do harm. I’ve seen myriad examples of people doing *wrong* because they think they’re helping their organisation – from well-organised supplier frauds that build slush funds to pay off capricious officials (off the books and records) to fat bribes to avoid extortive harm (detention, physical abuse, denial of access, etc.).
The bingo below provides a few such examples. In these cases, we need a proper risk assessment.
What’s a proper risk assessment?
I know I often bang on about this, but a risk assessment looking at internal controls and benchmarking is not a risk assessment. It’s an audit, at best. If you’re not calibrating external threats – often stakeholders with leverage – you’re not assessing risks. If you’re not evaluating internal behaviours, culture, and implementation (not existence) of controls, you’re not assessing risk.
Your people have all these answers; you must create the psych safety where they’ll tell you. Please let me know if you would like examples of how to do this. I’m making the *how* in risk assessment accessible in as many channels as possible:
🖥️ Via the Ethics Insight risk assessment platform
👩 🏫 Through the Making Risk Relevant training program
📖 In the Bootstrapping Ethics book
📲 Here, and through risk clinics
💼 Advisory work
📊 Through an e-book I’m developing (any topics you’d like demystified?)
If we get better at actually assessing risk, things get better.
But progress is slow. Let me rewind to another story of bankers and oligarchs.
I did my first due diligence project (for a bank) on a dodgy Russian-Ukrainian businessperson in 2006.
The bankers were incentivised to close the deal and railroad any risk findings, including murder, significant drug abuse, corruption, and weapons smuggling (we didn’t get documentary evidence of murder, so it was A-OK to proceed, apparently).
Little has changed in some areas and industries, and I really don’t want to be saying this same stuff in another 17 years (2040 🤯).
It’s time to make risk relevant…