Code19 - Decrypt the World.

The uncurious due diligence

An insidious gang of unlikely assassins is killing the investigative due diligence, at a time when it has never mattered more. Time for a rethink.

Photo credit: Korall/Wikimedia Commons

In the early 1970s a remarkable thing happened. A former US attorney, the son of a struggling businessman heading a printing company in New York, went private and offered investigative services to client companies whose unscrupulous purchasing agents extorted kickbacks from printers in exchange for contracts, and whose corrupt activity caused spiralling costs to all.

Three decades later the US attorney in question, Jules Kroll, had sold his company for US$ 2 billion. Kroll Inc. inaugurated the concept of corporate investigations, including investigative due diligence (IVDD). The principle behind it was simple: that businesses were entitled to find out if their prospective partners were clean, and that this peace of mind could be achieved by using perfectly legal investigative techniques which were hitherto the sole province of law enforcement, intelligence agencies and journalists.

Since 1972 when Jules Kroll founded his company, the investigative due diligence has had a stellar career: it has uncovered thousands of potentially risky business partners first in the US, then in the wider Western world and finally all over the globe as the Cold War ended and the demand for IVDD in new and unexplored markets skyrocketed. Initially with Kroll as its sole provider, the IVDD then began being offered by a whole raft of competitors big and small, and in the late 1990s even the lofty Big Five (now reduced to four) accounting firms joined in. Nowadays the sober number-crunchers all offer investigative due diligence as a matter of routine, with methods previously used by sleuths, spooks and whisky-swilling journos.

The benefits for all have been incalculable. But ironically, in an age when creeping autocracies are clamping down on free and public information in all its forms, when corrupt politicians and tycoons are stashing their illicit earnings in shell companies in tax havens and when general opacity is making a triumphant return after a brief bout of post-Cold War euphoria, the investigative due diligence is now under severe threat – especially at bigger companies.

Welcome to the new Uncurious Due Diligence, a potential but by no means inevitable tragedy in Three Acts.

Act One: Rise of the (delusion that) machines (can do your work for you)

404

Oops! We couldn't find what you were looking for.

Information-gathering methods have evolved immensely since the days of Jules Kroll, when investigators had to rely on public libraries, reference books, newspaper clippings and more or less bibulous human sources stealthily contacted at cocktail parties, embassy dos and bars. The internet has made a vast amount of this information available to all, free of charge. That this has been useful to corporate investigators is both beyond dispute and an understatement: instead of peering laboriously through the eyepieces of clunky microfiche readers in ill-lit news agency basements, investigators can now use media aggregators that can be searched by source, country, industry, language date and publication; instead of spending a day or more travelling to a company registry halfway across town or country to sift through reams of yellowing files buried in acres of dusty ring binders, investigators can access these online and retrieve them almost instantaneously. (As for the bibulous sources, many of them have their own blogs nowadays.)

But the heady revolution of the Internet has also caused a huge misconception: the idea that all you need is a magic database to crack it all. Call it the Fallacy Of The Omnipotent Algorithm (“FOTOA”): misled due-diligence managers at the bigger companies have taken to comparing database accesses as school boys used to compare sticker collections, and an entire sub-industry has grown on this premise, with certain data companies purporting to do your job entirely for you. A certain large accountancy firm already trumpets a “proprietary research technology” and an attendant “due diligence tool”, and this latter term is becoming more widespread even in non-investigative firms. A well-known consumer-goods business, for example, boasts of “having implemented an automated tool to improve the efficiency of [their] anti-bribery and corruption third-party due diligence programme.”

The FOTOA has therefore caused a familiar phenomenon: rather than using the technology to benefit us, we have squeezed ourselves to fit around the technology. The result has been a hugely demoralising industrialisation – a rather mordant irony in the era of the much-ballyhooed knowledge economy – of the research process, where analysts with good degrees are now being forced to become automata and run dozens of pre-approved search strings in one database after another, without regard to meaning or common sense, supposedly to make sure they haven’t “missed” anything. In keeping with this new industrialisation, the physical and psychological effects suffered by the analysts who are forced through this process are more reminiscent of the Victorian textile mill than the 21st century professional-services firm.

The FOTOA has made it all too easy, amidst this flurry of Internet 2.0 hype, to overlook a simple fact: all these databases do is to aggregate data, not analyse it. In the best of cases these databases offer mere duplicates of information easily found elsewhere by any dedicated analyst allowed to get to know his subject well. So-called “red-flag” search strings, in particular, produce far too many false positives and uncover far too few real red flags for this method to be even remotely cost-effective – after all, “red flags” aren’t posted like a price tag on a supermarket item, whether they appear in a newspaper article or not: you have to work at them to reveal them. Wrongdoers don’t generally advertise their behaviour, and only a tiny fraction of this behaviour is directly reported by the media, which by the way are as hamstrung and ineffectual as they have ever been: in the democratic world an unprecedented concentration of media ownership has stymied independent journalism at the same time as financial pressure caused by the competition of online “citizen journalism” has prompted mainstream media to slash investigative budgets. Meanwhile the dictatorships, after a timid period of very relative openness in the 1990s and 2000s, are now cracking down on free speech as heavily as ever (and gaining new recruits in young democracies like Turkey, Poland and Hungary).

The result is that now more than ever, real corruption is not found in online articles featuring the word “corruption” – it is found by peeling layers of shell companies; identifying suspicious counterparties; linking frontmen to string-pullers; poring over the details of so-called “consultancy” contracts. Uncovering real red flags requires real critical thinking, analysis, deductive and inductive skills – the very skills, in other words, that our universities dispense to graduates nowadays at increasingly crippling cost, and which incidentally are extolled by all our governments at every opportunity as the golden benchmarks of education in a modern globalised society.

The FOTOA is therefore, ultimately, a fatwa on reason. It has fostered a perverse mentality whereby the number of premium database logins and search strings is now thought to matter more than the quality of the actual analytical spadework. The result is a substandard product which only has limited use for clients. There is no reason why these clients can’t pay for a news subscription themselves, and of course they already have Google: in fact, companies are already creating dedicated internal compliance sub-departments (of which more later) for the very purpose of running these “dumb” searches.

What clients will however always lack, and where investigative practitioners provide the real added value, is the people trained in the skills necessary to analyse and investigate. The rest is just hype. The question which clients stubbornly continue to want answered by investigative due diligence, even after two decades of technological revolution, remains unchanged today: “What does it all mean for me?”

It is not the sort of question you can subcontract to machines. Anybody purporting to offer any sort of systematic, due diligence-dedicated “technology” or “tool” is offering a false hope at best.

Act Two: Your new friend, a certain type of compliance officer

People would have been less susceptible to all the techno-hype in the first place without the regulatory blinkers that have descended on the business world in the past 15 years, and perversely encouraged a pusillanimous tokenism at the expense of a judicious outlook on risk.

Two regulatory watersheds have affected the corporate investigations industry: one was the new flurry of legislation prompted by the great corporate scandals around the turn of the millennium, i.e. Peregrine Systems, Enron, WorldCom, Global Crossings et al. Occurring as they did so close to the cataclysm of 9/11, these were relatively little noticed by the general public, but their impact has been immense: arguably these scandals resulted in the most significant attempt by any government to regulate business since the Great Depression, when the Securities & Exchange Commission was created in the US. The other regulatory watershed was of course the 2008 global financial crisis, which fostered a distrust in the public towards business bordering on the murderous.

What is particularly interesting, though, is not so much the concrete regulations in and of themselves but the climate of fear and overreaction they have fostered in the business world. After all, the more punitive of these business regulations had already been in force for decades: the US Foreign Corrupt Practices Act, for example, which mandates criminal prosecution for attempts at bribery even on foreign soil and routinely results in stiff sentences, was first introduced in 1977. The UK has had bribery legislation in force since 1906. But especially since 2008, a generalised fear of the pitchfork (probably made worse in the Twitter and YouTube era of instant naming and shaming) has swept the business community and led to all business risk falling under the ill-defined and ever creeping brief of “compliance”.

Investigative due diligence has also fallen under the purview of compliance managers, with three attendant problems. The first one is that too many compliance officers have no training, experience or knowledge of any kind in investigation: at present they tend to have a mixed bag of vaguely applicable para-legal and quasi-financial credentials, too often acquired through hurried ad-hoc seminars in financial crime and money laundering, which incidentally are dangerously over-focused on banking. ln the age of the globalised economy, also, most of these compliance officers still have no working knowledge of languages even in strategic locales; no substantial international exposure; and no real cross-cultural skills. That’s the first problem. The second problem is that, especially with US legislation making compliance officers directly liable for offences, compliance managers have a built-in incentive to be as conservative and risk-averse as possible. The third problem is that like in all newly created positions, the instinct of the compliance officer is to justify his or her salary by over-scrutinising. Finally, there is this: although very many compliance officers are without question thoughtful and honourable people, corporate politics do not necessarily encourage the rise of the thoughtful and honourable.

Put these problems together and what you get is a massive push within companies to extend due diligence – as it is (poorly) understood by many compliance staff – to almost any third-party, “just in case”. And because it is of course impossible to perform proper investigative due diligence on thousands of subjects, quality falls prey to quantity. The result is the bulk brute-force IVDD, reported on spreadsheets instead of Word documents, populated by boxes to tick and spurious traffic-light risk assessment systems. There is no room for nuance and detail at this sort of scale, where a tabular report is considered the height of sophistication. Senior management are meanwhile all too ready to dump the problem of what they regard as tiresome, intrusive and incomprehensible regulation on newly created compliance departments, and lose all interest in the general outcome or in properly influencing the process. They do so, however, at their peril.

Act Three: Et tu, Corporate?

It’s at this point that the IVDD has become the victim of a veritable trahison des clercs : the accountants who so heavily dominate larger professional-services firms in particular have found natural common ground with the least inquisitive elements of the emerging compliance class. After all, it is surely no stretch to venture that accountants too tend to love the quantitative, the spreadsheet and the risk aversion. And they particularly loathe the idea of opinion, an essential companion to analysis in any investigative context, but which in the accountancy field is a loaded term and one that is heavily bound, gagged and shackled. This particular industry bias has corrupted the genetic code of the IVDD, which in some bigger companies has accordingly been stripped of all analytical power.

This fundamental failure in the accounting profession to understand qualitative reporting, analysis and opinion in other professions has led many bigger companies to embrace the worst compliance bureaucrats uncritically, rather than educating them in the proper way to conduct IVDD. By indulging the mistaken instincts of newly-minted compliance officers, relying solely on unanalytical research and propagating the idea that all clients should safeguard themselves against all risks anywhere, regardless of context or analysis, misled IVDD practitioners at some bigger companies encourage the idea in business and wider society that all risks are equally probable, relevant and important. This is both a false and a very damaging proposition.

Why? Partly because it promotes a pervasive, nebulous anxiety which may or may not contribute to the staggering rates of mental illness in Western societies in particular, but also because it blunts the necessary sense of proportion and priority that everyone otherwise should apply when dealing with risk. Put plainly, when everyone is primed to care about everything, then no one cares about anything: people led to think that when in central London they should equally watch out for hurried cyclists and stampeding elephants will first be paralysed with fear and then stop watching the road before crossing altogether, neither of which is a healthy or appropriate response to risk. The result? Clients who are erroneously encouraged to believe, by the mere fact that this sort of product is offered, that they should carry out perfunctory “due diligence” on thousands of entities at a time, when in reality only a fraction of these are really worth checking out, but checking out properly.

This sort of sausage-factory approach to due diligence is a dangerous delusion and will not prevent the next big scandal; it will not sensitise clients properly to real business and operational risk; and it will not encourage anyone to behave more ethically or responsibly in business. It will merely bureaucratise the due diligence process, making it just another irritating paper-chasing exercise to pay mere lip-service to, then circumvent and eventually ignore altogether. This is already what’s happening. At the very least, expert practitioners and producers have a responsibility to educate their consumers on what constitutes a good product.

The investigative profession matters profoundly and not just for the business world, but for society at large. Ultimately investigation is about finding the truth. But everywhere, investigators are being beaten down: in Russia and China they are arrested or murdered, while in the Western world the search for the truth is being stymied by more insidious but just as effective straightjackets: strained journalistic budgets, an academic world tyrannised by the misguided imperative of publish-or-perish, and a coterie of pusillanimous lawyers, regulators and business bureaucrats.

The demand for the truth will always be there, and clients understand that too: already they are – wisely, and despite the best efforts of certain corporate operatives to peddle old snake oil in new bottles – turning away from the brute-force IVDD, which has become much too expensive for work that essentially can now be done by a machine, and is far too uninquisitive and unanalytical to be of any real operational use. Having damaged the concept of investigative due diligence so much, it is the duty of practitioners everywhere to now restore it to its former glory.