Ellen Zimiles, partner at Guidehouse and the firm’s Financial Crime, Fraud & Investigative Services leader, speaks with Global Finance about corporate fraud and managing risk.
Global Finance: Is fraud connected to economic cycles?
Zimiles: There are many of instances of fraud that take place all over the world, but we think they occur regardless of economic conditions. People steal when the economy is both good and bad, but it’s revealed more when the economy is bad. Bernard Madoff was fine for a long time—people wanted to take their money out when the economy started to turn, and that’s how the fraud was revealed.
GF: Which comes first: regulation or scandal?
Zimiles: It’s a combination of regulations and their enforcement. In many situations, regulations addressed issues, but they weren’t enforced. A company needs to have a mature infrastructure and control function so people could properly manage and control risks and decide what businesses to pursue. If there’s no enforcement of controls by the government or internally, people can take advantage of breaches and gaps in enforcement.
GF: Sarbanes-Oxley and Dodd-Frank put controls in place that prevented some financial-statement fraud cases and established capital requirements. Is crypto the outlier in the equation?
Zimiles: Crypto is fascinating. The people running these businesses may have started as product engineers looking to create the next thing, but they’re not risk managers. Over time, some crypto firms brought on people to manage risk.
Crypto firms can’t operate in a vacuum—they need banks and partners. To access banking services or funding to create the next product or platform, they need to demonstrate that they have a mature risk management infrastructure. Banks are going to be very careful and will have a greater focus on KYC standards, which will drive crypto firms to have more mature infrastructures.
GF: Many Chinese companies listed in New York must decide whether to give Public Company Accounting Oversight Board auditors access to their companies. Will Chinese companies adopt more transparency in financial reporting?
Zimiles: The independence issue is very different in China than in other parts of the world. Auditors are supposed to be independent, but China may not enforce independence issues as strongly as other countries. E-discovery of employees’ computers and associated privacy issues are different in China—you can only look at employee emails if the employee allows you to, wherein in other parts of the world, your work email isn’t private from your employer. If those policies don’t change in China, then there won’t be the same transparency as in other countries, and you need independence and transparency to get to parity with the rest of the world.
GF: What can investors do differently to protect themselves against corporate fraud?
Zimiles: Constantly do due diligence—not just during the initial funding. Investors can check that the company continues to have the same focus on controls and antifraud issues. You’ll see problems after the initial funding, not at the outset, like when companies miss targets but think they can meet them in the future and never do. Oftentimes, a small part of the business that doesn’t get the right attention creates the biggest risk.
GF: What are common mistakes in corporate risk management?
Zimiles: No one wants surprises, and the worst thing you can do is to have a surprise. If something goes wrong, like targets are missed, it’s important to tell the market what has happened and your plan to fix it. Surprises are very disturbing to an organization because there are people and systems in place that are supposed to catch problems.
Organizations tend to focus on growth, but they may not have a clear process for understanding risk tolerance and risk acceptance. Sometimes risks are bundled together—we get some quantification, but it’s not broken out so people can understand what to manage. There may be credit risk, market risk, operational risk and financial crime risk all under the same risk bucket, and no one can pinpoint the problem because it’s masked by what’s well managed. With a good risk management process, you can easily find and highlight the issues.