In today's world, no organization should expect to get away with bad behavior. Malfeasance can have significant impacts on an organization in areas such as loss of reputation, damage to employee morale, sanctions by regulators and other authoritative bodies, actions by law enforcement, and financial losses that affect the bottom line.
These are just a few of the significant business consequences that can blindside any organization operating with a weak ethical culture. And recently, public and stakeholder reactions to flagrant corporate scandals have amplified expectations that organizations will take a "no tolerance" attitude toward fraud.
How can a company reduce the chances that it will be impacted by fraud? Much attention has been paid to CEO fraud, also known as "impostor fraud," in which criminals trick employees into sending them funds. Consistently following smart policies for double-checking fund transfer requests can help minimize the chances that a company will be victimized. However, preventing fraud that is intentionally perpetrated by internal employees—commonly called "occupational fraud"—is more complex, particularly if senior management is involved in the scheme.
The key to managing risks around employee malfeasance is to nurture a strong culture that encourages principled and ethical behavior. Such a culture starts with senior executives and the board of directors setting the bar high and accepting nothing less from everyone in the organization, regardless of position or level of responsibility.
The Scope of the Fraud Problem
Businesses that fail to build their corporate culture on a foundation of effective risk and governance principles may incur a significant cost. The 2016 ACFE Report to the Nations on Occupational Fraud and Abuse provides an analysis of 2,410 cases of occupational fraud that occurred in 114 countries throughout the world. According to the report, the total loss experienced in these cases exceeded $6.3 billion, with an average loss per case of $2.7 million. The bottom line: Criminal activity, including fraud and theft, impacts company balance sheets, not to mention share price.
In response, many companies have made a concerted effort to emphasize ethical culture from the top down. Regulatory agencies have instituted stricter legislation, such as the Sarbanes-Oxley Act of 2002, increasing management's responsibility for fraud risk management. It goes without saying that regulatory compliance is non-negotiable. And maintaining share value is a public company's lifeblood. Both goals make a compelling case for sustaining an ethical corporation.
But the search for reasons to emphasize ethics shouldn't stop there. Anyone familiar with the high-profile corporate scandals of the last 15 years (e.g., Enron, Tyco, WorldCom) knows that reputation matters. No board of directors wants to see the company's image and goodwill diminished by the type of public excoriation that can quickly turn a respected corporate icon into a forgotten historical footnote. What's more, customers and shareholders aren't the only parties with a stake in the moral standing of a company; employees also have their professional and financial futures invested in their organizations. The actions of a few bad apples can spoil the bunch, impacting the careers and livelihoods of honest, compliant colleagues.
The good news? Disciplined, ethical insiders can be a company's best defense against corruption. A survey conducted by Kroll Associates, Inc., found that "employee-discovered and reported fraud is well ahead of the next two sources of discovery, external (31 percent) or internal (25 percent) audits."
What Is Bad Behavior?
Internal fraud often takes place within the bounds of financial reporting. It is most commonly perpetrated through the manipulation of financial statements, unauthorized access to accounting applications, the overriding of system controls, backdating of agreements, or altering of accounts receivable. Another avenue for fraud is the misappropriation of assets in schemes that involve inventory theft, payroll theft, fraudulent disbursements, or even encouraging distributors to accept more product than necessary.
Corruption can be blatant—in the form of outright bribery—or more nuanced, such as theft or fraud through the misuse of customer data for personal or corporate gain. We also know that perpetrators rarely act alone. Most instances of internal fraud are enabled by employees in collusion with colleagues, vendors, customers, or third parties.
Why They Do It
Unlike the one-dimensional bad guys portrayed in movies, criminals in real life commit fraud because they're facing very human pressures and motivations. Mandates handed down from management, such as overly aggressive sales targets, might lead to undue stress and financial problems that push individuals to find weaknesses to exploit. A personal problem such as a gambling addiction might be to blame in some cases. Peer pressure can't be dismissed either, as employees may feel pressure to collude from others in their professional groups. It's also important for organizations to be sensitive to the external socioeconomic and geopolitical environment, and to be aware of the pressures these factors may create internally that could motivate employees to commit fraud.
Sometimes, for employees facing pressure from one or more of these sources, the opportunity to commit fraud is too tempting to ignore. Employees are more likely to succumb if the company's culture reinforces the perception that perpetrators won't get caught. An otherwise reticent fraudster may be emboldened by product complexity, opaque processes, and even special skill sets that allow the individual to manipulate flaws in the corporate infrastructure.
For these reasons, companies need to consider adjusting the corporate culture in ways that can make fraud opportunities seem less appealing. Management should reevaluate incentive structures that promote risk-taking and address any areas in which oversight is ineffective. And if opaqueness in a product or process might risk opening the door to fraud, the company needs to dedicate resources to increasing transparency.
Organizations should also consider how a prospective fraudster might rationalize his or her actions. Workers taking advantage of their employer often internally justify what they're doing by citing high turnover among overworked fellow employees, resentment toward the company, or the dehumanization of the corporate entity. Management can counter these sentiments by creating a corporate culture that encourages, rewards, and reinforces adherence to a principled code of conduct. Corporate leaders should communicate expectations clearly and help employees understand, through a review of historical violations, what constitutes criminal behavior. Sharing these insights can help employees better recognize and avoid misperceptions about risk.
How to Build an Ethical Culture
What are the fundamentals of an ethical corporate culture? Different elements often intertwine to help create an ethical environment within an organization. The basics include:
- board involvement—i.e., the "tone from the top";
- a written code of conduct with supporting policies;
- regular ethics training for executives, managers, and employees;
- strong pre-employment screening;
- confidential reporting systems; and
- reaction and response in the event of a violation—in other words, acting on a zero-tolerance policy for internal fraud.
Fighting fraud necessarily starts with the code of conduct. Ethical codes are not new; in fact, they are as old as mankind itself. The Biblical Old Testament describes the Israelites' receipt of the Ten Commandments thousands of years ago. The Code of Hammurabi is a well-preserved list of crimes and corresponding punishments developed by the Babylonians of ancient Mesopotamia in around 1754 B.C. And the Hippocratic Oath, which scholars widely believe was written between the fifth and third centuries B.C., requires new physicians to swear to uphold specific ethical standards.
Like these ancient texts, a corporate code of conduct provides a framework for ethical employee behavior and decision-making. Corporate codes are usually built upon the values that define the company. They help employees and directors weigh decisions and guide them past the easy thing, to the right thing.
A corporate code of conduct is a pragmatic necessity, especially when you consider that behaviors which violate ethical codes may also be in contravention of laws or regulations.
Training plays a key role in enhancing employees' understanding of the organization's code of conduct, as well as the overall ethical, legal, and regulatory requirements they're expected to uphold. Training also helps employees understand how the principles in the code of conduct relate to their everyday roles—and that they must report actual and suspected breaches of the code (and that retaliation will not be tolerated). Managers should encourage employees to ask for clarification whenever they are not sure about any aspect of the code.
Best practice is to mandate that all employees and contractors complete code-of-conduct training annually. Training typically consists of a variety of courses to guide employees. Modules should include topics such as privacy breaches, phishing, social engineering, identity theft, information security, anti-money laundering, and anti-bribery and corruption.
After well-executed training, employees will understand:
- the meaning of their organization's code of conduct;
- how the code relates to their daily work;
- how to recognize behavior contrary to the code;
- how employees can make good decisions when presented with challenging situations; and
- how to raise concerns to the appropriate people when a violation of the code of conduct is suspected.
After an employee has completed code-of-conduct training, he or she should be required to sign an attestation acknowledging his or her understanding of the company's code of conduct, his or her obligation to uphold the organization's core values by complying with the code, and a commitment to follow the code. Non-compliance should have serious consequences, and employees must be confident that they can report actual and suspected breaches of the code without fear of retaliation.
Another key to developing an ethical culture is to effectively screen candidates before they become employees. When it comes to internal threats, an ounce of prevention is worth a pound of cure. And prevention starts before an employee ever sits down at his or her desk on the first day of work. Pre-employment screening (PES) is the process of investigating the backgrounds of potential employees and contingent workers. Careful screening during the hiring process is crucial in developing a strong ethical culture. A good PES program should include criminal background checks (domestic and international), confirmation of education and experience listed on the applicant's resume, and even credit bureau and identity checks like fingerprinting where required.
Closing the Loop on Fraud Prevention
One of the most effective ways to detect internal fraud is through a corporate ombudsman's office. Information gleaned from insider tips often leads to investigations that uncover fraudulent behavior. An ombudsman's office can assist in detecting, responding to, and evaluating fraud and other criminal activities by receiving, retaining, and reviewing concerns about a range of issues. These might include unresolved code-of-conduct–related concerns that employees believe have not been appropriately dealt with by management, as well as concerns about accounting, internal controls over financial reporting, or auditing matters.
Mechanisms for reaching a corporate ombudsman's office can include anonymous whistleblower hotlines, as mandated by the Sarbanes-Oxley Act, regular mail, and/or an online submission form. Some organizations also have a separate ethics office, led by a chief ethics officer, that responds to employee questions and in some cases provides ethical advice.
It's absolutely critical that violations, deviations, or other breaches of the organization's code of conduct or internal policies be reported and dealt with in a timely manner. Allegations of criminal activity and suspected breaches must be thoroughly investigated using accepted investigation standards to ensure that appropriate action is taken against individuals found to have engaged in criminal practices. This may include corrective action, up to (and including) termination of employment. Employees may also be subject to civil, criminal, or regulatory action.
No company wants to become the next ugly headline. Every instance of corporate misconduct reminds us that it is important to establish and nurture a strong ethical culture from within. In fact, doing so is an absolute necessity in today's business landscape. Developing an ethical corporate culture will help a business avoid the significant financial and reputational consequences that it would incur if an employee were to perpetrate fraud or corruption.
Fortunately, gaps in ethical culture and corporate codes of conduct are relatively easy to remedy. With just a few simple steps and an emphasis on transparency and communication, businesses can protect themselves, their employees, and their stakeholders.
Ed Rosenberg is the chief security officer at BMO Financial Group. He has more than 25 years of experience consulting with public and private companies, governments, and law enforcement agencies, specializing in financial institutions in North America, Europe, and the West Indies. Rosenberg has consulted on operational risk matters (including complex litigation, fraud, and security); performed detailed due diligence reviews; and assisted troubled companies with financial planning and turnaround management.