In some parts of the world, bribing government officials is still considered a normal cost of doing business. Elsewhere there has been a growing trend over the past 40 years to make it illegal for a corporation to pay bribes. In the United States, Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in the wake of a succession of revelations of companies paying off government officials to secure arms deals or favorable tax treatment. More recently other governments have implemented anticorruption statutes. The U.K., for instance, enacted the strict Bribery Act in 2010 to replace increasingly ineffective statutes dating back to 1879. The purpose of these actions is to enable ethical and law-abiding companies to compete on a level playing field with those that are neither. A cynic might wonder about the real, functional difference between, say, Wal-Mart’s recent payments to officials in Mexico to accelerate approval of building permits and the practice in New York City of having to engage expediters to ensure timely sign-offs on construction approval documents. No matter – the latter is legal (it’s a domestic issue, after all) while the former is not.
Moreover, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have increased their oversight of bribery. At the beginning of 2013 they jointly issued the Resource Guide to the U.S. Foreign Corrupt Practices Act. For its part, the SEC has stepped up enforcement using its own resources. Recently, it charged a group of bond traders with enabling a Venezuelan finance official to embezzle millions of dollars by disguising the money as fees paid to the broker/dealer to handle apparently legitimate transactions. Tellingly, though, there was another relatively recent bribery issue that involved Morgan Stanley where the SEC declined to include that company in an enforcement action because it had demonstrated diligence to prevent it.
Before anticorruption laws, it was expedient for corporations to pay government officials to close business, get preferred status or prevent punishment. Once the laws were established, that stopped being the case. However, from a management standpoint, compliance with the law became complicated because of the dual nature of the corporation, which is both an entity and a group of individuals. In the case of the latter, when an individual breaks the law, is that person at fault, is the corporation or are both? Regardless of how a case is decided, there can be severe reputational damage to a company found violating the law, and that will have repercussions for corporate boards and executives.
This question leads to the agency dilemma, an important consideration in enterprise risk management. Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from its management. The agency issue exists where the best interests of the principals are either not aligned or in conflict with the interests of the agents (the professional managers running the corporation). But agency issues also extend to the company’s executives and may be rife in any large-scale business. Within the management group, authority to act independently is delegated down through the hierarchy, and the interests of the lower-level managers may be in conflict with those of senior executives, the board of directors and shareholders. For example, suppose that a local manager believes his performance evaluation, compensation and prospects for promotion hinge on the timely opening of a new facility. Confronted with a culture of payoffs for permits, that manager may try to find a way to pay officials for expedited consideration, especially if he is local to the area. From that individual’s perspective, corrupt activity may be the norm, and he may believe himself to be clever enough to violate company policy without detection.
It was once acceptable for a company to claim that it had a stated policy prohibiting bribery and that executives were ignorant of an employee’s actions. Absent proof to the contrary, that often was enough. However, the FCPA changed this norm, imposing the need for diligence and affirmative actions on the part of companies to prevent employees from breaking the law as well as to detect and report any such violations that do occur (which is how the Wal-Mart situation came to light). Public standards, too, have changed since the 1970s. Despite its self-disclosure after the fact and the steps it took to address the corrupt behavior, Wal-Mart suffered severe reputational damage. Yet even with the likelihood of these potential consequences, our benchmark research reveals that just 6 percent of companies have effective controls for managing reputational risk.
We assert that the most effective control is to prevent illegal activity from taking place at all. Short of that, companies that can demonstrate that they have taken all reasonable steps to prevent a violation of the law are in a better position to claim that the individual, not the company, is at fault.
An organization should have clearly articulated and documented antibribery and corruption policies and procedures, institute mandatory training for executives and managers with signed acknowledgements that they have taken it, and put in place incentives and disciplinary measures. However, these required measures are increasingly insufficient to demonstrate diligence in preventing corrupt activities. Companies also must have a software-supported internal control system that flags suspicious activity immediately and triggers a rigorous remediation process that analyzes, investigates and documents the disposition of each incident. Incidents that are detected long after their commission are more difficult to cope with and pose much higher legal, financial and reputational risk.
Software is available that helps detect activities that violate anticorruption laws and regulations as they occur or shortly thereafter; this is far more effective than waiting for internal audits or (worse still) whistleblowers to uncover malfeasance. To prevent violations of the FCPA and other antibribery statutes, corporations must be able to monitor their financial and other systems for warning signs. These applications take advantage of operational intelligence, a class of analytical capabilities built on event-focused information-gathering that can uncover suspicious actions as they occur. Our research on innovating with operational intelligence shows that companies use an array of systems (led by IT systems management and major enterprise applications such as ERP and CRM) to track events, analyze them, report results and create alerts when conditions warrant them, as detailed in the related chart. The research also shows that about half (53%) use 11 or more information sources in implementing their operational intelligence efforts. In the future, effective FCPA software increasingly will need to look at a wider range of internal data as well as information from external sources and social media to determine, for example, whether a consulting company that just received a finder’s fee is run by or employs a relative of a government official. Today, companies can utilize software from large vendors such as IBM, Oracle and SAP, as well as vendors with FCPA-specific software such as Compliancy and Oversight Systems.
Bribery and corruption are unlikely to disappear entirely. Regardless of anyone’s best intentions, corporate boards and executives can find themselves enmeshed in a scandal not of their own devising. The best defense in such cases is plain evidence that the organization has done everything reasonable to prevent its occurrence and has discovered and dealt with it promptly if it does. Policies and training are vital components, but software can be the extra component necessary to improve the effectiveness of monitoring and auditing to support anticorruption efforts.
Robert Kugel – SVP Research
SAP recently announced its new Fraud Management analytic applications. Currently in “controlled” (limited) release, it’s a promising start for the product and a good example of the type of business process revolution that’s possible when companies can execute complex analytics on big data sets using in-memory and other advanced processing techniques. Over the next several years a wide swath of basic corporate processes will be transformed by the shift to in-memory processing and big data technology, two key foundational elements of my office of finance research agenda. HANA has been a consistent element of SAP’s product strategy and underlies many recent new releases, such as Business Suite on HANA.
When it pushes the product into general release, SAP will offer three initial flavors of Fraud Management: an insurance claims fraud offering, another designed for use in the public sector and a cross-industry application (for use in, for instance, the purchasing function). It’s likely that quite a few more will follow, given the broad potential use of advanced fraud management analytics. SAP is also focused on developing Fraud Management as a platform that partners can build on to create their own analytical applications that utilize large data sets and in-memory processing for fraud prevention, detection and remediation. I think the fraud management platform has greater long-term potential to drive business for SAP than its internally developed applications because of the requirement for detailed knowledge about how specific types of fraud can be detected in computer systems as well as the need to provision such systems within the context of a company’s unique technology and data infrastructure.
Fraud is a pervasive risk in business. According to the Association of Certified Fraud Examiners the cost is about 5 percent of revenues and therefore a $3.5 trillion annual problem. I’m not sure how much of that is addressable, but for any company the cost of fraud adds up. Fraud exists in internal and external modes and affects all of a company’s facets. Financial fraud can be ruinous to a business. When perpetrated by management it poses reputational risk.
Fraud prevention has been a longstanding corporate activity. In finance, separation of duties and requiring two signatures, for example, are practices designed to keep a single individual from embezzling funds. Multiple invoice matching aims to keep vendors from receiving payment for goods never received. Our research finds that only about one-fourth of companies have adequate controls for separation of duties and internal fraud. Companies conduct internal audits to root out breaches in financial integrity and compliance failures. External auditors exist to provide third-party assurance that attestations to shareholders and other stakeholders are accurate. Forensic accountants are enlisted to document fraud. Managing fraud is a discipline with specialties and subspecialties that reflect the important differences in businesses and the roles of those working in them.
Preventing fraud in public companies’ financial statements was the main point of the Sarbanes-Oxley Act of 2002, passed in the wake of several spectacular management frauds. The act recognized the importance that IT systems play in modern fraud prevention and fraud management. Until the 1990s, computer systems were a point of vulnerability because systems were highly proprietary, companies had only partially automated their businesses, and computing power was expensive, so it was difficult to detect fraud. Since then, though, computer systems have made it much easier to manage fraud. Today, midsize or larger companies perform almost all activities using IT systems that are open and transparent. They achieve a high level of fraud prevention by ensuring that systems are highly tamper-resistant through, for example, identity management – ensuring you are who you say you are. Companies make fraud management more effective by using IT systems to impose controls, automatically test and monitor these controls, and generate automatic alerts and responses when conditions are met.
Fraud detection and prevention is a process of finding needles in haystacks. Today, the largest number of those needles are found based on tips, according to the Association of Certified Fraud Examiners, which credits tips for uncovering 43 percent of corporate frauds. Another 15 percent are found as a result of management reviews and 14 percent from internal audit. IT systems detect just one percent.
It’s probably not feasible and almost certainly not worthwhile to eliminate all business fraud because the cost would exceed the recoverable amount. Up until now, the technology available to analyze data sets for fraud has not had the power to make using it a practical option for broad-based, continuous investigation. The breakthrough that Fraud Management can achieve is to substantially lower the cost of detecting fraud and mitigating its impact. One reason the insurance industry is a likely early adopter is that decades ago it became common for companies to raise the threshold of materiality in examining claims to achieve an appropriate cost/benefit balance. Today, it’s common for insurers to pay a claim automatically where the cost of investigating it is higher than it’s worth. Lowering the cost of investigation through increased automation and factoring in other issues such as the impact of delaying compensation on customer satisfaction could enable insurance companies to reduce payments on fraudulent claims without jeopardizing profitable relationships. In-memory computing of very large data sets can address this issue more efficiently because it has made it both feasible and cost-effective to sift through immense piles of information to detect suspicious items within a reasonable amount of time.
In-memory computing of large data sets also makes organizations more auditable. Utilizing an analytical application makes it possible to detect the electronic equivalent of the erasures, handwriting style discrepancies and different colored inks that were the staples of auditing and accounting fraud risk management in the days of paper ledgers and journals. And utilizing Fraud Management and other similar analytical applications will not necessarily be confined to a reactive mode. The use of predictive analytics with large, real-time data sets makes it possible to detect suspicious activity as it evolves, enabling companies to initiate preventive steps before a fraud has been completed. For example, it should be possible to examine insurance or warranty claims at the time they are submitted to generate a fraud potential score that companies can use to decide whether to pay the claim immediately or investigate further.
While it has substantial potential, SAP faces at least three significant challenges in marketing and selling Fraud Management. First, because the incidence of addressable fraud is widely scattered across an enterprise it can be difficult to identify the natural buyer for the platform. These types of buyers are rarely on the prowl for technology solutions to their business issues. They may not keep up with technology trends, nor would they immediately see the connection between in-memory processing of big data sets and fraud management. Second, the HANA platform is a necessary but insufficient component to fraud management solutions. One of the most challenging aspects of implementing a fraud detection and prevention system is identifying the things that need to be monitored and measured, creating algorithms or describing patterns that define “suspicious” events, items, values, ratios or relationships (to name five), and then defining thresholds and conjoint conditions (to name two) that indicate that an item is worth investigating. Third, fraud detection efficacy is a tradeoff between the percentage of frauds detected and their value balanced against false positives. Perfect detection is likely to be more costly than it is worth because of the effort wasted investigating red herrings. Here again, automating the optimal selection of needles in the haystack is critical. While SAP can create some number of applications to address broad-based needs, it also will need to rely on subject matter experts to implement these applications. Expert organizations will also be able to use the SAP platform to create fraud management applications for individual companies and even specific functions or business units. Fortunately, many of the large audit firms, forensic accountants and specialized fraud consultants with subject matter knowledge have been selling this expertise to natural buyers for decades. 
These organizations, and others such as insurance companies, have developed a considerable body of knowledge built on decades of experience. They are well positioned to form a productive partner channel with SAP.
However, SAP ultimately will be competing with other software companies (such as IBM, Microsoft and Oracle) for the platform business. To become a preferred solution for consulting and implementation partners, Fraud Management must prove itself to be one that these subject matter experts can readily use to create affordable solutions for their clients. The solutions that these partners provide must also be readily usable by the clients so they can adapt to an evolving fraud landscape and extend their coverage as need arises.
It’s still early days for this promising technology. I’m enthusiastic about its potential, but past experience suggests that it’s wise to temper that enthusiasm. We can only guess at the “gotchas” and other barriers that SAP, other software vendors, partners and customers will encounter as they figure out how to employ the power of in-memory processing of big data and use Fraud Management to reduce costs.
Robert Kugel – SVP Research