VRI is committed to advancing the interests of the law enforcement and homeland security communities. VRI participates in select media, non-profit, government and industry events that help our country become stronger, safer and more prepared.
Whether motivated by justice, disgust, revenge, self-preservation or some combination of each, individuals who make wrongdoing known and detail it do so in ways that can significantly impact their lives and livelihoods. How your organization incents and interacts with such individuals can play a major role in whether otherwise undetectable cancers that may be growing within your organization are cured or spread. How society protects and treats such individuals is both symptomatic and determining of the security and justice by which we live.
Let’s consider the Federal Witness Protection Program:
When I was first assigned to run the program in the late 1970s, the mafia’s ability to intimidate insiders who would testify against it was a major impediment to the federal government’s ability to successfully prosecute many of the nation’s most dangerous and damaging criminals. To encourage knowledgeable witnesses to testify, those individuals needed to understand and we at the United States Marshals Service needed to deliver a program whereby their safety and ability to live a life as close as possible to “normal” in the program would be as close to guaranteed as possible. To facilitate their lives after testimony, we not only gave witnesses new identities (and birth certificates, drivers licenses and school records for their new identities), but also found them housing, jobs, cars, schools and provided career, psychological and credit counseling and other services to help them succeed.
Comparing what we did to enable and better the lives of protected witnesses to how the corporate world typically treats whistleblowers is revealing. Whereas we went to great lengths to make federally protected witnesses and their families safe and comfortable (and within the confines of reality, productive members of society), the typical corporate whistleblower loses their job and often ends up in damaging litigation with the organization that they were nominally trying to protect. While some of this is certainly attributable to whistleblowers with ill motives and/or insufficient evidence, in cases where a whistleblower shines a pure light on certain fraud, waste, abuse, harassment or other wrongdoing within an organization, you would think that they would be more commonly embraced for their service rather than chillingly lawyered out the door.
The latter is part of the reason why ten years ago Sarbanes-Oxley mandated that the hotlines it requires companies to operate to report accounting and financial fraud to Audit Committees be confidential and anonymous and that corporate boards investigative without undue influence from executive management. Other similar legal regimes exist to protect those who report harassment and discrimination. Interestingly, certain proposed legislation reported in yesterday’s Wall Street Journal would greatly reduce substantial fines for bribing officials under the Foreign Corrupt Practices Act (FCPA) if the company self-reported the incident to the Justice Department.
But beyond the procedural Kabuki dance of regulatory compliance and liability management, an executive leadership team and board that genuinely wishes to root out fraud, waste, corruption and abuse will substantively encourage and carefully reward individuals in the organization who prevent, deter, detect and effectively respond to indicators and incidents of illegal, unethical and otherwise undesirable activities. Sometimes a sincere whistleblower at the lowest level can be a company’s greatest return on investment and mandated hotlines can prove more than mere requirements but effective “early warning systems”. The target culture (and supporting reward and discipline systems) should not be one that rewards petty snitches but one where individual witnesses’ natural intolerance for unwanted, unnecessary and illegal acts can safely and effectively make such acts known before they further damages or destroy the organization’s profits and reputations. Coach Paterno’s “greatest sorrow” at failing to do more to report and confront alleged sexual abuse in his organization — immeasurably greater for the victims of alleged abused that could have and should have been stopped by earlier prosecution of its alleged perpetrator — may not destroy the Penn State Football program. But both the football program and the school as a whole have been irreparably damaged by the apparent reality and certain perception of its environment.
Now let’s consider interactions among public and private security:
Harry Markopolos (Madoff). Simon Wiesenthal (Nazi War Criminals). Amnesty International. Independent Directors. Independent Private Inspector Generals/ Integrity Monitors (appointed and voluntary). Medicare Zone Program Integrity Contractors (ZPICs). The Ombudsman at your local paper…
A diverse array of non-government individuals and entities outside of your organization can play significant roles in discovering, reporting and addressing breaches of law and integrity allegedly within or otherwise perpetrated by your organization. With equally diverse abilities (or inabilities) to effectively gather, manage and take action on useful intelligence, it is important that – whether or not you embrace the strategies and tactics such third-party watchdogs may be employing to fulfill their missions – that you at least know what they’re doing and why.
Take the NYPD’s Civilian Complaint Review Board (CCRB). When I was Commissioner there were individuals who were dedicated and sincere about disciplining officers who were brutal, discourteous or otherwise acting improperly, but on the other edge of the sword were politically appointed members who had a strictly anti-police agenda that prevented them from being objective in their duties. During my tenure the vast majority of allegations presented to the CCRB were found to be unsubstantiated – I specifically remember a group of taxi drivers that filed a complaint with the CCRB every time that they received a traffic violation in the hope that it would stop the officers from doing their job (it didn’t work). In all cases, the public’s need for an objective, independent entity to voice legitimate complaints and root out prohibited behaviors needed to be properly balanced with Police Officers ability to properly do their jobs without hesitation. We found that having a senior police official be the final arbiter of individual complaints (with oversight from elected officials) was the most effective way to achieve this balance.
Straddling the public and private sector, the practice of integrity monitorships is a way for organizations to defer prosecution, resuscitate a reputation or otherwise satisfy government regulators and customers that it intends to prohibit specific behaviors and/or generally run a clean shop going forward. Typically structured for a limited period of time around a certain set of issues, the integrity monitor is usually given the authority (and is expected) to report uncured potential and actual integrity incidents directly to prosecutors and/or industry regulators. Often working with a new senior management team brought in to “clean house” from integrity breaches perpetrated, condoned or negligently undetected by the prior senior management team, integrity monitors both conduct their own investigations and work to strengthen the integrity culture and supporting policies, procedures and mechanics of the subject organization. In the monitorships where I’ve been involved, this typically generates a palpable Return on Investment because not only do our services enable monitored organizations to acquire or retain certain new business, but we also typically evidence actionable intelligence of recoverable fraud, waste and abuse well in excess of our monitoring fees. With 5 cents of every corporate revenue dollar lost to fraud, it will not surprise me if the integrity monitoring model for some decades applied to city and state contractors (as well as for certain municipalities and municipal agencies) continues its evolution to the private sector.
Finally, let’s talk about technology to discover and address prohibited activity:
Governments, financial institutions and non-financial corporations are increasingly using technology to catch fraud, terrorist and other illegal activity before it happens and discover it when it does.
From large scale efforts such as the Center for Medicare and Medicaid Services (CMS) national deployment of predictive modeling algorithms to address what is believed to be a $70 billion annual fraud problem (in perspective, last year’s recovery of $4 billion of Medicare/Medicaid fraud was reported as a record), to systems used every day by banks and credit card companies for fraudulent transactions, anti-money laundering, cyber crime detection and fulfilling “know your customer” requirements, both preventative systems to monitor communications and validate transactions and forensic / data mining systems to discover and respond to incidents have benefited from advances in artificial intelligence and generally become more effective and easy to use.
Correspondingly, the emerging facility of corporations to monitor their IT networks for individuals’ uses of certain key words as well as the semantic meaning of what individuals receive and transmit (and with whom), makes it easier to discover employees who commit fraud, violate policies, breach contractual obligations or otherwise commit unauthorized or illegal acts via company owned computers, tablets and smartphones.
While, as I’ve discussed in previous communications, there is still much work to be done to improve the ability of predictive modeling and surveillance technologies to efficiently find important needles in ever growing “Big Data” size haystacks, the current ability of such technology to prevent and bear witness to non-desired activity is firmly established. As such, it may be very profitable for your organization to implement data surveillance / data mining technology in concert with best practices to discover and address prohibited activity with human eyes, ears and mouths.
The bottom line is that witnesses, whistleblowers and watchdogs are necessary, important and — when properly managed — beneficial to your organization..
Be safe and enjoy your day.
Chairman and CEO
Vigilant Resources International (VRI)
About This Communication
The intention of this weekly communication series is to explore security threats and vulnerabilities and the technology that can help avoid or minimize them. I’m writing this series because I believe that security operations and technology — depending on how they are implemented and utilized — can either be byzantine, distracting and harmful or tremendously helpful in protecting lives, assets and reputations. I enjoy doing what I can to help people and organizations achieve the latter.
Security threats and vulnerabilities discussed in this series may include (and certainly will not be limited to) a full spectrum of physical, cyber, economic, reputational, man-made and natural disaster/weather related threats and vulnerabilities. Security technology considered may include (and certainly will not be limited to) physical security technology (cameras, alarms, access controls), cybersecurity, cybersurveillance, personal protective equipment gear, emergency communications, data mining, fusion centers, pin-mapping, predictive modeling, internal controls, and forensics.