What do you do when an employee comes forward with criminal, legal non-compliance or other allegations against a colleague, or the company?
What is employee risk?
Organisations are constantly at risk. These risks include, but are not limited to, theft, fraud, corruption and cybercrime. Furthermore, they are posed by, among others, business partners, suppliers and/or service providers, employees, and other unknown third parties (in particular when it comes to cybercrime).
Employee risk is the risk employees pose to organisations in relation to economic crime and other irregular conduct. Because of the level of trust afforded to employees, it is often considered one of the greater risks facing organisations. Employees have direct access to an organisation's assets, infrastructure, trade secrets and proprietary information. Employees are also most likely to have first-hand knowledge of any system and/or internal control weaknesses which can be manipulated to perpetrate unlawful and/or irregular conduct.
Organisations should be fully cognisant of the risks their employees pose in the modern workplace so effective measures can be implemented to mitigate them.
These measures may include:
One of the most effective ways in which irregular conduct is identified in an organisation is through disclosures made by whistleblowers. Organisations should therefore appreciate the importance of these disclosures. To ensure legal compliance, it is essential to have proper reporting processes in place to protect the employees who disclose information.
Whistleblowers have recourse in terms of the law. The Protected Disclosures Act sets out the manner in which whistleblowers may "blow the whistle" on illegal and/or corrupt practices in the workplace. It also prescribes what conduct a whistleblower in the workplace may not be subjected to. In essence, they may not be unfairly treated simply because they "blew the whistle".
How a whistleblower uncovered a multi-million rand fraud
A relatively new and junior employee in a company came across certain purchase orders that had been raised by one of the company's other divisions. These purchase orders were raised in relation to services that had purportedly been provided by a service provider. In the relevant payment packs relating to these purchase orders, she noticed that the invoices had brief descriptions of consulting services rendered and unusually large disbursement amounts.
Something did not sit right with her and she probed further. She found that the relevant service provider had been providing services to the company for several years and the sample of invoices that she looked into all had the same brief descriptions as well as unusually high disbursement amounts (without any supporting documentation).
Furthermore, in addition to several other discrepancies that she identified, there was no service level agreement on file relating to the service provider, as would have been required in terms of the company's processes.
As a result, she escalated the matter internally. At the time, senior management felt that there was most likely a plausible explanation for the red flags identified; all the pertinent invoices had been signed off by the relevant manager, who was a particularly senior employee. Nevertheless, given the discrepancies that she identified, a more comprehensive and independent investigation was commissioned.
The investigation revealed that the relevant manager had been signing off invoices submitted by the "service provider" for several years in instances where no work was actually being done. Once the company paid the invoices, the manager would instruct the "service provider" to pay the disbursement portion of the applicable invoices to certain third parties. The "service provider" would keep the rest of the payment made. The investigation revealed that the manager was linked to these third-party entities. Over the course of several years, in excess of R10 million had been misappropriated from the company by this manager.
This case highlights the importance of creating a culture in an organisation where whistleblowers do not fear reprisals for reporting any suspected irregular or improper activity. In this case, the company had a culture in which junior employees felt safe to report conduct and when the whistleblower escalated the matter, her concerns were taken seriously. The company took steps to ensure that she was protected from any reprisals, particularly since she had reported suspected irregular activity involving a fairly senior employee within the company.
Make sure your company takes employee risk seriously
In order to deal with employee risk effectively, we recommend companies consider implementing these measures and, in particular, review reporting processes. The Protected Disclosures Act should be applied to anyone who discloses information relating to potential irregularities or improprieties within an organisation. Failure to do so effectively means the organisation is failing to meet its legal obligation. Failure to take employee risk seriously could open an organisation to significant financial and reputational harm should it become a victim of fraud or corruption in the workplace.
Patel is National Head of the Employment practice and Mohamed a Director in the Corporate Investigations Sector of the Dispute Resolution practice at Cliffe Dekker Hofmeyr.