Risky business

By Lila MacLellan | April 30, 2015
Salim Hasham & Simon Padgett

Last May, Nazir Karigar became Canada’s first executive sentenced to a jail term for a bribery scheme concocted abroad, and the poster child for the recently fortified Corruption of Foreign Public Officials Act. As a former agent for Cryptometrics Canada Inc., which had been a subsidiary of the now-bankrupt U.S. firm CryptoMetrics Inc., Karigar was charged with offering at least $450,000 to high-profile officials in India, where bribery and corruption are deemed to be rife. His misdeeds earned him three years behind bars from an Ontario judge.

The story wasn’t as high profile as the payoff schemes attached to some other companies doing business abroad. However, it does show that although Canada ranked as the 10th “cleanest” country on the 2014 Corruption Perceptions Index published by Berlin-based non-governmental organization Transparency International, Canadian companies working in nations much further down the list are more vulnerable to fraud and can no longer expect Ottawa to be lenient with punishment. Plus, there is a newer risk of being debarred from Canadian government contracts if convicted of bribery abroad.

What’s sobering is that the Cryptometrics Canada case is unusual in a couple of ways. First, even though PwC’s 2014 Global Economic Crime Survey found that 36 per cent of Canadian businesses have reported being victims of fraud – an umbrella term for asset misappropriation, falsification of financial reports or the abuse of power that’s seen in corruption cases – most fraud and corruption activities go undetected. Second, the majority of occupational fraud (between 80 and 85 per cent, according to the Austin, Texas-based Association of Certified Fraud Examiners) is committed internally by a rogue staff member or even senior management. 

Typical cases of employee theft or fraud in sums of hundreds of thousands to millions of dollars are the kind of embarrassing incidents that companies tend not to publicize, says Simon Padgett, Vancouver-based Regional Head of Forensic Services for PwC Canada. But they’re common. 

Four fraud factors to consider

So, how does an expansion-bound company assess its vulnerabilities when considering moving into overseas markets? Padgett names four key areas that a firm of any size or sector should evaluate before zeroing in on the specifics of its business.

The first is culture, he says, and it has an outsized influence. “We know that in some countries, you may have to pay a bribe just to get out of a speeding ticket,” notes Padgett. That kind of endemic problem can catch Western CEOs off guard: “I’ve spoken to clients who say, ‘But Simon, if we don’t pay this bribe to get this contract or licence, my 1,000 employees will be made redundant tomorrow. We will be closed down with no business.’” Legal compliance, Padgett will respond, is a way of “making the world a better place for our children and grandchildren – not an overnight fix.” 

An unstable economy or a long-term recession in a foreign market also invites increased fraud risk because the more worried or frustrated staff are, perhaps because they have not had raises or bonuses for many years, the more likely it is that some will turn to desperate measures. A third consideration is distance itself: managers may not fully grasp that keeping tabs on what is really happening halfway around the globe is often difficult and unfeasible. Finally, trading in a country with a largely transient population boosts the odds that some employees will turn to insider theft, feeling confident they’ll have skipped town by the time their deed is discovered. 

Offensive tactics

Anti-fraud programs should offer organizations the following key features: a framework for a regular fraud-risk assessment process; anti-corruption policies that spell out what fraud is and what the consequences are when it happens; an effective whistle-blowing system; anti-fraud training; a code of conduct declaration for employees; and a monitoring and testing methodology to test program effectiveness. 

These methods help mitigate risks that can’t be eliminated entirely, Padgett says. “People need to be aware that an organization can be seen as an easy pot of money and that in certain areas of the world, it will be targeted.”

Cyber risks keep growing

Cyber attacks are just one method of defrauding companies, but they’re tremendously popular. PwC research shows that the compound annual growth rate of digital assaults on businesses has risen by 66 per cent since 2009. Globally, the total number of detected attacks now averages more than 100,000 per day, according to Salim Hasham, a Toronto-based Partner in PwC Canada’s Consulting and Deals Practice and National Leader of the firm’s Cyber Resilience capability. However, this number should be taken in context, Hasham says: Estimates suggest that more than 71 per cent of all incidents are not even detected, making their frequency and impact significantly higher.

Here, too, there’s been an uptick in insider activity, adds Hasham, who points out that it’s relatively easy to use baiting or phishing techniques or to simply pay an employee for access to the company’s IT systems and data. Unfortunately, most corporations subscribe to the outdated theory that cyber protection is synonymous with IT protection, he says, “so as we’re raising the bar in tech security, cyber criminals are turning to the weakest link in the chain, which may include either your supply chain or, more broadly, the human element.”  

To deal with the new, fuller scope of cyber risks, more managers are testing their company’s resiliency through threat-modelling exercises. These involve looking at the five or six specific groups of actors who may be interested in infiltrating your firm. “They range from nation states to criminal organizations and include terrorist groups, social activists and now, in some cases, domestic intelligence,” Hasham says.

Part of the exercise asks managers to look at exactly which assets are attractive to outside groups based on their discrete motivations. Many CEOs still don’t recognize what’s most valuable within a company beyond customer or credit card information, whether it’s intellectual property coveted by a foreign nation or data that would command a high price on the black market, Hasham says.

Modelling also means combing through “the entire supply chain, the entire human resource population, your vendors, your customers, your relationships,” he explains, not only to identify weaknesses in IT security for organizations and their suppliers, but also to profile potential fraudsters in both cases. Examine how you handle mergers and acquisitions data and deal-related communication to staff, Hasham counsels. Consider how you’re conveying expectations of the ways your partners should be working with you to prevent cybercrime. “Compared to these things, the technology is actually straightforward,” Hasham explains. 
