How to minimise reputational risk and restore trust: an auditor's view

Chris Hamblin, Editor, London, 12 November 2015

'Trust comes on foot but leaves on horseback.' That old Dutch saw is as relevant today as ever, according to an auditor-turned-reputation-crisis-manager who spoke at MetricStream's governance, risk and compliance conference yesterday. He also said some interesting things about bribery, fraud and country risk.

The speaker was Cees Klumper, the chief risk officer at "the Global Fund," a massive multi-national inter-governmental charity, who has been in five organisations that suffered major reputational damage. Reputational risk is a compliance issue in that compliance failures can easily lead to reputational damage. This is because both phenomena share the same space in the public eye.

Klumper started by saying that he was not concerned about 'reputational risk' as much as the materialisation of that risk: "We're concerned about the actual damage to our reputation, which is what happens when the risk materialises. This happens as the result of three things; in other words, three things must happen for reputational damage to occur."

The three elements of reputational damage

Klumper's first criterion was simple: "You do something bad. You do something wrong to an embarrassing degree. Organisations make mistakes all the time."

He wasted no time mentioning his second criterion: "That may not be so bad if nobody finds out, so [for damage to occur] it has to be found out. It has to become known to the people you care about; to your main stakeholders (perhaps customers, or shareholders, or the board).

"It's not really the media that you should be concerned about because the media really doesn't care about your mistakes. They're really agnostic. What they do care about, or what they will jump all over, is if they get a sense that the people YOU care about care about your mistakes. Then they are all over it. But by themselves the media are not particularly interested in anything that you do. They're interested in news and if important people become interested in you, they then become the middlemen, making sure that the information becomes public.

"The third part of this equation of reputational damage is how you talk about what happened, i.e. your communication. Something bad can become public but you can (sort of) manage it to the best of your ability by communicating very well. That's a whole different topic. There is such a thing as 'crisis communications' or 'reputation management communications.'"

Smarter planning

For Klumper, the most important factor by far was the first - doing something very wrong. He thought that every compliance officer should take the second one, becoming public, for granted.

"Organisations try to hide their mistakes. From my experience (and I've had quite a bit) I can remember only one example of something going horribly wrong with a client of mine that never came out. This was great for them; if it had come out it would have cost them great damage. I have five examples of where it did come out and I [advise you to] assume that it will come out.

"Anything that you can do wrong as an organisation that's embarrassing to you can cause reputational damage - that's reputation risk in my definition."

The Global Fund to fight AIDS, TB and Malaria

Klumper invoked a corruption-related case study, starting with the outfit that employs him at the moment. It calls itself the 'Global Fund' (estd 2002) and Klumper admitted that few had ever heard about it. This, he said, was a fund to fight AIDS, TB and malaria around the world.

"We are an international organisation, a development and aid organisation. We are a Swiss foundation based in Geneva (where I live and work) that is not subject to Swiss laws. We have a 'hosting agreement' with the Swiss Government, pursuant to which we are not subject to ANY laws. We have diplomatic immunities and privileges. As an officer of the organisation, I'm a diplomat so if I say something silly, my reputation might suffer but I can't be sued for it, at least not in Switzerland, the United States and a lot of other countries.

"Every year we provide $4 billions' worth of funding to health programmes in the 130 poorest countries of the world. These countries, which include Somalia, Nigeria, Syria, North Korea, Afghanistan, Iraq, Yemen, Mali and Sudan, are near the bottom of the TI corruption perceptions index. They rank extremely high on just about any measure of risk you care to name. My team maintain an index that's an amalgam of 10 indices. The least risky is still called 'risky' and from there it goes to 'extreme' and 'severe.'

"Now, $4 billion is a lot of money but it's even more money in a country where the average income is $300 a year. In sub-Saharan Africa it's the income of a million health workers who deal with these diseases. We do it all from Geneva with 700 people, which is not a lot considering. We don't actually implement it ourselves. Everything goes through other organisations, usually the ministries of health in these nations, for salaries of healthcare workers, bednets, anti-retro-viral drugs for AIDS patients, prophylaxis for malaria, etc. We're essentially a funding organisation; we don't do anything. We provide the funding and oversee [the process to see] that it's spent well. Where does the money come from? If you pay tax, it comes from you. More than 90% is from governments and the rest from wealthy individuals and private foundations.

"We have a very large and active 50-man internal audit group called the Office of the Inspector General. They travel to these countries to investigate suspicions of misuse and corruption and they publish their results online."

Dirty laundry online

Klumper was keen to encourage others to follow him in putting audit statements online: "Very unusually, we put all our dirty laundry online. All the internal audit and investigation reports are on the site. We've been doing that ever since we established the office in 2005. In 2011 the fact that, as you might expect, the fact that things go wrong became a news item and people were stealing amounts of $5 million or $10 million, a reporter wrote an article on some old published news reports of 2010 that mentioned this and belatedly created a storm. The organisation almost collapsed. Why is that? Because the last thing that taxpayers want to hear is that your hard-earned money is lining the pockets of the stereotypical corrupt government official who is now going around his poor country to night clubs in a Mercedes. Donors in particular were extremely nervous. They froze their funding."

2003 Royal Ahold

Klumper gave another example of his experience. Royal Ahold was a supermarket chain with a turnover of $40 billion and 250,000 employees that hit the headlines for all the wrong reasons in 2003. Fraud was discovered both at the holding level in the Netherlands and at one of the major divisions in the United States. At the holding level, the CFO had withheld a side-letter from the external auditors in which it was clear that the holding firm did not have a controlling interest in a subsidiary in Scandinavia, thus committing basic book-keeping fraud. This might not seem very significant, but the fact that the CFO did this with the knowledge of the CEO aggravated the offence. Meanwhile, in the US there was a much more sinister book-keeping fraud going on in one of the major subsidiaries, where they inflated earnings by perhaps $1 million over a long period of time. The CFO and CEO were convicted of fraud and fired. This put that company in a major tailspin and class action lawsuits followed. Klumper joined in 2005 as part of the clean-up team, whose additional remit was to implement the Sarbanes-Oxley Act 2002 (also known, during its passage, as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability and Responsibility Act").

2009 GAVI Alliance

Klumper mentioned another scandal at another outfit, GAVI: "I was there as head of internal audit while GAVI was having the same problems of fraud and corruption and I was the one investigating and publishing reports to some of the same donors as the Global Fund. With GAVI there was no negative fallout, though, whereas the Global Fund nearly went under."

Wakker Dier

"A good 90% of Dutch people know about this animal protection foundation/society that I'm in. It's basically a media agency that inflicts as much reputational damage on supermarket chains as it possibly can. It's about production animals and farm animals. The consumer buys the cheapest meat he can find - that's what creates bad living conditions for animals. Our organisation has decided not to target the customer but the middleman, because it's at a supermarket where supply and demand come together. They wield [he said 'yield'] enormous power. We embarrass them into improving their behaviour, inflicting reputational damage by denouncing them in public."

To restore trust, publicise the size of the problem

Having set the scene, Klumper looked at the strategy the Global Fund followed to restore public trust. The first step was easy - it fired nearly all its top managers. Secondly, it tried to measure the extent of the issue.

"The inspector-general's office is going around finding all these corruption and fraud cases, but what is the extent of the problem? They're sometimes reporting misuse of 20-30%. If we project that onto $4 billion, are we losing $1 billion a year to fraud and corruption?

"I looked into it with my team and we saw that yes, we were losing tens of millions but it turned out to be less than 2% of the spend. That deflated a lot of the hype and a lot of the tension."

To restore trust, go after the fraudsters

"The second thing - which is what taxpayers would expect - is that we were merciless towards foreign corruption. We had a zero tolerance policy, so we set out to recover as much as possible and so far we've written off about 4% of that $100 million and we've recovered more than 50%."

Klumper's organisation has an advantage that almost all banks lack: a bevy of understanding government customers. He therefore painted a picture (in a passage that revealed his shortcomings as an English-speaker) in which it was 'surprisingly easy' to recover funds.

"First of all, you don't expect to be able to recover amounts you've lost to fraud and corruption - usually that's gone. But as we work mostly through large, oftentimes government implementors, the one thing governments always do is pay. Usually governments can always pay, there's always resources available and the implementing country governments that if they were the ones responsible for, on their watch, allowing basically government employees to steal from our funds, they understand the value of their reputation and they don't want to jeopardise future income streams, because we have an ongoing relationship with them, so in the end, we find it surprisingly easy to actually recover those funds.

"In very very unusual circumstances it doesn't happen and then we have another mechanism to add a penalty to that and deduct it from future flows and that hurts and names and shames them, which they don't like. By and large, it's surprisingly easy."

A risk management matrix

Klumper, drawing once again on his 'clean-up' experience at the Global Fund, advised compliance officers to try another strategy to alleviate reputational risk: "Another thing - and that was a lot more work - is that we implemented 'leading practice risk management.' There was no risk management function [originally and] I joined the Global Fund to help set one up. My team is ten people and over the last three years we have implemented what others have told us is a 'leading practice' in our world."

The fund also hired a new head of communications and continued to revel in the fact that it always published its investigation audit reports, thereby holding itself up as an extremely transparent organisation. Klumper's chest puffed with pride: "On our website you can see the 60 cases or so that we've had about recovery of funds. When I joined this world I thought that you should never publish audit reports but I've come to embrace it as a very good thing.

"Finally, 2% isn't really embarrassing but if it is more than 10-20% in one case, it is. So we have to address the reasons why that happens [and find deeper causes]. This takes a long time and it's necessary to educate the organisation and everybody around it about proper risk management to prevent embarrassing situations from happening."

The heat map

Klumper then presented a 'heat map' of the whole organisation. It featured 19 individual risks under 4 headings: programmatic and performance; financial and fiduciary risks (this is where you will see the fraud, corruption and theft); health services and products; and finally governance, oversight and management risks.

"The colours indicate how we have ranked the risk levels - the reddest ones are the worst. The data points we have measured to come up with this heat map total 34,000 and that number is broken down as follows. We have about 600 grants that we make to these 130 countries continually for each of the diseases, so 4 per country. Underneath these 19 risks, per risk we have about 10 contributing risk factors that country teams judge. 10 x 19 = 190.

"The biggest risk for three years running is treatment disruptions, which happen when somebody who is HIV+ needs pills regularly and the flow of medicines is interrupted because of logistical problems or because supplies didn't show up on time or the doctor didn't come that day. It's not fraud and corruption! That's relatively low, in the middle.

Country risk not a factor in fraud and bribery?

"Just last week, I analysed our fraud and corruption cases to see where they happen, to see if fraud and corruption happens more in the riskier countries or not. It turned out to be right around the average. The level of country risk is not really correlated with the likelihood that people will actually be able to steal money from us. I attribute that to the possibility that if you have experienced people, they know what to do to prevent corruption even in the most dire circumstances, whereas if you go to more trusting societies, it becomes relatively easier.

"It's like in retail where I've also worked a lot. There is an accepted level of what we call shrinkage. As long as it's around 2-3%, it's normal and acceptable. This 'heat map' is what you need to be able to demonstrate as an organisation that has been through significant concerns about its ability even to assess risk or have any knowledge of it. You have to be able to show pictures like this in order to restore trust. Rebuilding trust is a lot of hard work. Trust comes on foot but leaves on horseback.

"Reputational risk management, for me, is about both talk and action. It is about doing all the right things well and talking well about it. Reputational damage is the result of a breakdown in both, especially the former."

How can you be sure that it is 2%?

A questioner from the audience asked about the 2% 'shrinkage' figure: "How sure can you be that it is really 2%? What are your error bars and how do you get to the conclusion? How do you know if you are missing some important fraud scenarios that might be diverting your money away without you noticing it?"

Cees Klumper's reply was a little rueful: "We know the 2% is not the whole number because people who steal from you don't tell you that they're stealing from you. You have to go and look. The truth is that it is higher than 2%.

"The question is, how much more? Well, because we have zero tolerance for fraud and corruption, we look extremely hard. We really do.

"We have a 24/7 whistle-blower hotline in all the local languages which we actively promote with posters and campaigns. We get a lot of references that way. I'm sure the real figure is a factor of that – it could be 8% or 6% or 5%... somewhere in that order. I know it's not 30%."
