I hope the Wells Fargo scam is causing boards, executives and practitioners everywhere to pause and reflect: Could something like this happen to us?
If it can happen at a great institution like Wells Fargo, it can probably happen anywhere.
In a couple of posts, I have shared questions that should have been asked and that should drive similar questions at other companies. For instance, why did management set incentive goals that didn't appear to be aligned with driving revenue or earnings? What led to the failure of the controls that were designed to ensure that customers approved the opening of accounts in their name? Why didn't customer complaints lead to identification of the problem? Why was the problem allowed to continue for at least five years? Did management have any idea that the culture of the organization would permit such a pervasive scheme? What was the role of internal audit, of the compliance officer, of whistleblower provisions and of risk management?
In
a podcast with MIS Training Institute (which I recommend), I made another point. I think this is critical for everybody to understand.
I said that when people feel they are able to get away with a minor fraud, they will do something else. The level of fraud may start small, but it almost always increases.
I asked what else has been happening at Wells Fargo.
**********
The public reaction by the Wells Fargo CEO, John Stumpf, included an observation that the scam only involved at any time about 1,000 people of the 100,000 in the branch network.
Let's set aside the fact that 5,300 people were fired over a period of five years and that this number does not count anybody who was less severely disciplined or not caught.
Let's set aside the fact that 1,000 people fired in each of the last five years reflects a
continuing failure and, to me, indicates a breakdown rather than a one-time failure in controls.
The point is that he seems to believe that this is a small level of incidence, almost (in my words) an
acceptable level of risk.
See also: Bridezilla and Workers’ Comp Fraud
I am drawn to agree that this is a low level of failure. I'm not sure it is so low that it would be acceptable.
Let's talk reality.
While it looks and sounds good to say that an organization has zero tolerance for fraud, corruption and a failure to comply with laws and regulations, that zero level is just about impossible to achieve.
You would need somebody looking over everybody's shoulder all the time to ensure that no inappropriate activity was happening, and somebody looking over
that person's shoulder to make sure they were watching properly.
All you can do is have what a prudent person would believe is a reasonable level of control, given the risk of fraud.
According to studies by the Association of Certified Fraud Examiners, the typical company loses about 6% of its annual revenue to fraud. That number includes theft of time, personal use of the company's laptop and so on.
Is that an acceptable level? Maybe it is; maybe it isn't. You decide for your company — and consider the cost of reducing the fraud risk. Is the cost greater than any reduction in fraud risk?
The same goes for compliance issues or the activity reported at Wells Fargo. Was a reasonable level of control in place? Could controls have been improved to reduce the risk without incurring substantial cost? I suspect the answer is yes, but we don't know enough of the facts yet.
**********
Let's also consider other forms of fraud, abuse and corruption.
Are these acceptable practices, or are they another form of fraud?
- The CEO of a multibillion-dollar company approves the funding of a charity of which his wife is the chair. There is no clear benefit to the company, no link to its operations.
- In response to falling revenue and profits, the CEO of another company lays off about 10% of the workforce. The board awards him a $1 million bonus for completing the reduction in force. At the same time, the CEO spends $1 million to renovate the executive suite of offices.
- A senior manager in IT refuses to provide support for the implementation of a disaster recovery plan because it is not included in his personal objectives.
- The vice president of procurement for Malaysia refuses to follow instructions from the executive vice president (EVP) of procurement (to whom she does not report) and adhere to global contracts with major vendors negotiated by that EVP. Instead, she negotiates successfully with the local subsidiaries of those vendors. While she obtains better prices for Malaysia (for which she and her boss, the president of that region, are rewarded) she puts the corporate contract in serious jeopardy.
- A senior executive decides to hire a friend.
- The chairman puts pressure on the company to select as a director an individual whom he knows will vote his way rather than searching for a director who will add critical expertise.
All of these are situations where, in my view, individuals put their personal interests ahead of those of the enterprise as a whole.
They act in a way that brings them rewards but that hurts the company as a whole.
See also: How Bad Is Insurance Fraud Really?
While technically they have not stolen and have not broken any laws, they have acted inappropriately. I will let you decide what to call their behavior.
But let's be honest: Self-dealing is ripe around the world. Very few are selfless, putting the interests of others ahead of their own.
**********
So what does this all mean? Where am I going?
- What we have seen at Wells Fargo (based on the few facts we know) is, in some ways, normal human behavior. When people believe that the behavior is encouraged or at least not discouraged and that they will not be caught, they will "game" the system.
- While we focus on fraud, we might be better off focusing on behavior and actions. There are many forms of behavior that will harm the organization.
- We cannot prevent or even detect all actions that result in a loss to the organization. We need to understand all of its forms, the impact and likelihood of each, and ensure that we have the controls in place that provide a reasonable level of assurance that risk is at acceptable levels.
- Management must take ownership of the design and operation of those controls.
- Internal audit should provide assurance on the management of the more significant risks.
- When the level of risk that the controls are failing rises, the root causes must be investigated.
- A low level of fraud, if left alone, will normally grow until it is unacceptable.
I welcome your views.