Forensic, Risk & Compliance
Forensic, Risk & Compliance – We create security for your company
Your company is exposed to numerous risks that can have operational and financial consequences, damage its reputation and, in the worst case, jeopardize its continued existence. The environment has changed massively in recent years. In addition to the effects of the geopolitical situation and COVID-19 on global supply chains, increased raw material prices and a shortage of skilled workers, new risks such as cyber attacks and compliance violations are increasingly coming to the fore. The Corporate Social Responsibility Directive (CSRD), flanked by the Supply Chain Duty of Care Act (LkSG), the Whistleblower Protection Act (HinSchG), KRITIS, NIS2 and other requirements threaten to overburden companies and cause considerable damage if they fail to comply. In addition, there are other singular events such as fraud, corruption, antitrust violations and general breaches of due diligence obligations.
Compliance and risk management
Compliance is often seen as a buzzword for excessive processes and controls in large companies, but it also applies to SMEs. Compliance with laws and regulations is a matter of course – there are no useful or tolerable violations of laws and regulations. In addition to the self-evident tax, labor, antitrust or criminal law requirements, regulations (e.g. on occupational health and safety or environmental protection) and new regulations such as the CSRD, the LkSG or the HinSchG must be observed. At the same time, data protection compliance (as a result of the GDPR) and IT compliance (e.g. due to the expansion of KRITIS use cases and NIS2) have become considerably more important. Even if your company is below the respective thresholds, you are still affected indirectly by requirements that apply to your customers and are passed on to you.
Risk management has taken a back seat to compliance management. However, risk management is the comprehensive term! Compliance is “only” one risk category within risk management – alongside operational and strategic risks as well as risks in (financial) reporting. It should therefore always start with an overall view of the company and industry-specific risks to be managed. A functioning compliance management system (CMS) must be embedded in a functioning risk management system (RMS).
(Forensic) special investigations
If there are indications of deliberate or unintentional compliance violations, the management must investigate them. For the initial assessment, criteria catalogs are used to evaluate the credibility of whistleblowers and the plausibility of the information. A special audit must then be carried out if necessary. Initial protective measures usually need to be taken at this stage and, in order to avoid unwanted publicity, an internal special investigation must be weighed against involving the criminal prosecution authorities, the state data protection authority or the Federal Cartel Office. At the same time, the rights of data subjects must be protected.
Indications of breaches of due diligence by management and/or supervisory bodies require an analogous approach. Possible breaches of the fiduciary duty of shareholders are also regularly the subject of special investigations (such as competitive activity, betrayal of secrets and similar matters).
The challenge of an internal special investigation regularly lies in the fact that large amounts of data must be searched in a targeted manner and background information on the persons and companies involved must be obtained in order to prove “close relationships”. Finally, it is important to proceed in a legally sound manner when interviewing employees and those affected in order to avoid a subsequent ban on the use of evidence. This is what distinguishes forensic special investigations: they are designed and documented from the outset in such a way that they are “court-proof”.
Cyber security
No company is safe. According to the Allianz Insurance Group’s annual risk barometer, 45% of companies surveyed now consider cyber attacks to be the greatest threat. On average, a successful attack leads to three weeks of downtime. According to BITKOM, the annual damage in Germany alone recently amounted to around 300 billion euros and averaged 1.8 million euros for the companies affected. With 270,000 new malware variants every day, defensive systems are often overwhelmed. In addition to system overload, there is also the human factor: around 60% of successful attacks were based on phishing, visiting infected websites or infected e-mail attachments.
Now that large companies have reacted accordingly, medium-sized companies are increasingly being targeted by attackers. Their motivation ranges from “sporting” ambition to economic and competitive espionage to simple blackmail using ransomware – pay, or the IT will be paralyzed or confidential data published. In the case of a medium-sized automotive supplier, where production could only be maintained for a few hours with manual pick lists after an attack and the failure of critical IT infrastructure, the penalties due for the subsequent delivery stop almost cost the supplier its existence.
With the Cyber Resilience Act and the NIS2 Directive, the EU has now created a framework that will affect around 40,000 German companies by fall 2024. It is now urgently recommended that a corresponding security architecture be set up and also certified in accordance with ISO 27001.
Investigation of insolvency cases
Insolvency administrators are now faced with large amounts of data that must be analyzed in order to determine the date of insolvency maturity and what the management knew at that time, and to search for asset transfers before the insolvency date or other fraudulent acts. “Manual” evaluation is often ruled out for reasons of efficiency and time. At the same time, files that may have been deleted must be restored, and digital evidence on mobile devices, including chat histories, must be secured and made readable.
This is where professional support in the form of eDiscovery with data analytics techniques is valuable in order to reach the key findings quickly and efficiently.