Conduct risk creates massive, unnecessary disruption in businesses large and small. WIthout the right due diligence on employees, vendors, and executives, company leaders put themselves at risk of legal and business problems. Justin Recla discusses how to approach managing conduct risk, how to approach due diligence, and reveals a number of powerful business insights along the way.
Music: The Lachy Doley Group, Gonna Make it Up
from the album Conviction | Used with permission
Like the music? Get a free 7-track EP of The Lachy Doley Group
Engineering, editing, post production: Mark S A Smith
© ℗ 2018 The Bija Company, LLC All rights reserved
MSP to BSP: Pivot to Profit from I.T. Disruption
New book by Mark S A Smith
For a limited time get your free digital copy.
Executive Strategy Summit
Discover the insights, tools, and workshopping you need to be a confident, enthusiastic, efficient, and effective executive leader. Next event in Denver, June 8-9, 2018.
View Show Transcript
Avoid Conduct Risk, Prevent Disruption
Mark S A Smith: Our guest today is Justin Recla who has 14 years of experience and advanced training with the U.S. Army and government defense contractors, on making sure the people in the organization do what they’re supposed to do and aren’t bad actors. He’s a subject matter expert in tactical questioning, wait a minute, I think I’m supposed to be doing the questioning today, surveillance, counterespionage threat, and vulnerability assessments. He helps companies make sure that the people that are part of their organization have the right background and aren’t going to cause problems. He brings his skills from the military sector and delivers them to the boardroom to help business owners protect their most valuable assets time, money, and intellectual property.
This is so cool. He is the owner and co-founder of Clear Business Directory, which helps create essentially a military-style clearance for the corporate world, and he runs the CryptoBit Verified cryptocurrency list. If you’re looking at cryptocurrencies, he will tell you if this is a red flag, you need to take a look at or not.
Welcome, Justin, to the show.
Justin Recla: Thanks for having me on, Mark, I appreciate it.
Mark S A Smith: Well, it’s a real delight.
One of the biggest issues that we face today in business is conduct risk which means that the people in your organization don’t act the way they’re supposed to act. In fact, according to some research that I’ve been recently reviewing, conduct risk has more than a three times potential of impacting your business than a cybersecurity attack. You might have a firewall, you might have antivirus, but boy, if you haven’t done the due diligence on hiring your people right, you have a much higher risk. Tell me about what you’re seeing with your clients today.
Justin Recla: We’re seeing still the broad spectrum of risk out there. What a lot of people don’t realize is that risk in the form of conduct risk comes from people. It’s really the biggest area that most people overlook because of our relationships that we build with service providers, the people that we bring into the organization, the people that are going to work for us. We always like them, and we tend to overlook the fact that they may not necessarily be a good fit for the organization.
Mark S A Smith: We really want to like them, and-
Justin Recla: Yeah.
Mark S A Smith: … we get fooled. Come on, the best scam artists are your best friends until they pull the trigger.
Justin Recla: Absolutely. We break the due diligence down into two different areas of due diligence. One is what is the intuitive due diligence. That is the, do you like the person? Do you communicate well? Are they a good fit for the team? Do they like everybody? Are you going to be able to get along? That’s where most business owners tend to make the decisions.
They find out the hard way, three months later that the person just wasn’t able to do what they brought them in to do, or they weren’t a good fit, or they didn’t do the critical thinking. The next thing you know the company’s lost time and money on onboarding them.
The other side of the house is the mechanical due diligence. That’s digging into their backgrounds, making sure they’re not criminals, making sure that they have the aptitude and ability to actually deliver what it is they’re going to do.
Mark S A Smith: Interesting. I never heard the word mechanical due diligence before. That’s a new one for me.
Justin Recla: That’s the really wanting to look into people’s backgrounds, assessing and analyzing their experience. That’s where most people stop is because they don’t know what that looks like. They might think, “Well, we did a background check.” Well, background checks are only good, if the person’s been caught.
Mark S A Smith: Oh, that’s a really important point. You got that, listener? Background checks only are good, if they’ve been caught.
Justin Recla: That’s really where the biggest risk is when it comes to conduct risk, is that if a person’s been out there defrauding and scamming folks, if they haven’t been caught … Especially, if it’s somebody that they’re bringing into the organization, maybe it’s a service provider, or somebody that’s just coming in to do a one-time project. They’re coming in, they do $15,000, $20,000 worth of work. Well, if they don’t deliver, but they’ve already collected that 20 grand, the reason why they’re not caught is people know, it’s going to cost you 100 grand to get back that 20.
Mark S A Smith: You do the legwork to find out if they’ve been bad actors.
Justin Recla: Absolutely, because here’s the thing. Somebody always knows, on their ability to perform, on if they’ve ripped people off before in the past. For us, it always comes down to the questions. Because business deals don’t go bad, because the contracts weren’t written well. It’s what the lawyers are for. They don’t go bad, because the financials don’t check out. That’s what the CPA’s for. They go bad because of the people involved.
Mark S A Smith: Now that’s what you’re for.
Justin Recla: That’s what we’re for.
Mark S A Smith: Tell me about some of the things that you’ve discovered. I don’t want you, of course, to implicate any individual or any corporation. Tell me about some of the things that you’ve seen happen in businesses that our listener might find to be a wake-up call to maybe make some new choices.
Justin Recla: Absolutely. Whether you’re a company that’s in revenue or just a startup getting started, capital is the blood of any business. The amount of fraud that we uncover in the financial sector is huge. People think we’ve got our legal documents in place. We’ve got the credit investors coming on board, and everything’s hunky dory.
Well, we had a client that was doing a $16 million raise for a business expansion, and they had already raised a decent amount of money up until this point in time. They found somebody that was interested in their project. He was going to fund the entire thing, the full 16 million. They had a hunch that there was something just not right. There had to be some monies that were put into an equity account to make the deal go through and so forth.
Well, they brought us aboard, and we looked into the individual. He had claimed to be worth billions of dollars, but he actually had less than a thousand dollars to his name and had been sued three times for trying to rip people off.
The level of deception that we uncovered mirrored some of the stuff that we had seen at the espionage-level to where this individual actually had created shell companies, had studied the industry a little bit, and, actually, had targeted our client to take roughly $300,000, $400,000 from them. Because that’s how he made his living was finding small businesses who needed to be infused with capital, and making up a story saying he was going to fund them, and then ripping them off for everything that they had at that point.
Mark S A Smith: Wow. That is devious. That’s a lot of hard work.
Justin Recla: It is, and unfortunately, this guy had gotten away with it twice before. He had actually been sued for $2.5 million for taking a company’s equity. When we presented the information to our client, he actually went so far as to ask them, “How did you find this information out? I paid my attorney good money to hide it.”
Mark S A Smith: Oh, interesting, “I paid my attorney good money to hide it.” Wow, that’s an interesting response. What steps should an executive take to make sure they can minimize conduct risk?
Justin Recla: The best thing to do is to make sure that you’re implementing a due diligence process into your business. Having different processes in place for employees is a level of risk negation you have to consider. Making sure you’ve got a full employment screening process in place. What you can ask an employee versus what you can ask somebody that’s coming in as a service provider is two different things.
Mark S A Smith: Go a little deeper in that, please.
Justin Recla: Yeah. In the employment screening sector, the laws that are on the books are really designed to protect the employee. They’re not really designed to protect the business. They’re really out there to make sure the employee gets a fair opportunity of employment. The things that you might want to really know about an employee, you’re not always able to ask. Former employers aren’t able to answer certain questions.
Beyond doing just a background check with an employee, there’s not much more that you can do, other than we always advocate for making sure you’ve got a really good interview process in place. The interview’s not just with one person, but it’s with multiple people that are going to be on the team to make sure that it’s a good fit energetically and intuitively. Because on the employment screening side of the house, there’s not a lot you can do mechanically to really go into somebody’s background beyond a background check.
Mark S A Smith: Well, what about key employees though? Where you have you’re hiring executives? Can you go deeper in those situations?
Justin Recla: Absolutely. That’s a whole ‘nother level of due diligence that should be done. Especially, if you’re bringing in a new executive officer. Typically, at those executive levels, there’s different agreements that are in place beyond just a regular employee setting. There’s additional due diligence that we highly, highly recommend.
One of the main reasons for that is, is if we’re bring in an executive to fill in a new position, you’ve got to take in things into consideration such as, what were their former relationships? What type of reputation did the individual have? The businesses that they were involved with prior, how well did they do, and what was their impact in that business? Were they the cause of the failures? Were they the cause of the successes? Where do they come in?
Then on the reputation side of the house, you bring an executive in that has connections to, reaching out of the blue here, to somebody in the mob, and that person’s fairly high profile, well, you now inherit all of the reputation risks that are associated from that relationship.
Mark S A Smith: Yes, indeed. Well, when I wrote my book, Security in the Boardroom, back in 2004, part of my research unveiled the fact that the mob was active at placing some of their operatives within financial organizations. Specifically, they could become embedded and then steal information about those clients. That still is a potential issue today, and we have more mobs than ever before, thanks to immigration laws. What have you seen in that area?
Justin Recla: The corporate espionage piece is one of those things that unless you know it’s going on, unless you’ve done a decent amount of due diligence, unless you remain active in it, it can be very easy for somebody to take your IP, your intellectual property, and your business secrets and sell them to somebody else and give them to somebody else.
For us, it’s always been about making sure that if you have intellectual property, making sure that the information is segmented out. That it is secure to where you’re training your folks on what to talk about, how to talk about it, when to talk about it, who to talk about it about. Because even if the person is not embedded in the company, social engineering-
Mark S A Smith: Yes.
Justin Recla: … when you’re out at the bar and talking, people can get information. Especially, if you’re fairly high profile.
The social engineering piece is super, super important to understand, how it works, why it works. Because if you’ve got one employee talking about A, B, and C, and they may even be talking in generalities, somebody’s going to be able to put that together with conversations from somebody else, even in talking in generalities.
We see this all the time. We’ve got clients that come to us that are building up a new product idea. They find out the hard way that their product is now live on the shelves in China, and they don’t understand why. Well, it’s because they brought somebody into the organization who was talking to somebody else and shared the idea. Next thing you know, somebody over in China has beat them to the market.
Mark S A Smith: Because of the number of people I’ve talked to in my career, I have a wide variety of knowledge about a lot of topics. When I’m on airplanes, I frequently freak out my seatmate by knowing more about their product than they ever expected anybody to know. It’s astounding, how much they’ll share once I give them the right buzzwords and ask the right questions. I say, “I don’t know for sure, but I can imagine it’s … ” And then I will put forward a projection and their jaw drops, and then they start adding details.
While I’m not doing this maliciously, I’m doing this to build up my story base. I’ve also heard, Justin, more than one interesting piece of information sitting in a bar and on an airplane. The conversation was a little louder and a little more proprietary than it should have been in that environment.
Justin Recla: That’s the things that most people don’t think about. Unless you’re reinforcing that level of training within your organization, it’s going to happen. You’ve probably heard of the concept, need to know.
Mark S A Smith: Yes, right.
Justin Recla: One of the biggest mistakes that we see businesses make, is they bring in an executive, let’s say a CFO. They give that CFO all the details about the product or the service, down to the full description level of how things are done.
Well, the CFO doesn’t need to know that. The CFO needs to be able to know where all the numbers and the costs and stuff that are coming into consideration are for his decision-making purposes. How things are being manufactured or the trade secrets or the product design, the CFO doesn’t need to know. Because now in that CFO knowing, if he’s not familiar with it, they go out and start talking about it. They’re essentially giving up the intellectual property of the company, and it puts the company at risk.
Making sure that the information is segmented out will help prevent that. Being in awareness of who needs to know what, and then reinforcing the training to make sure that people are not talking about their jobs and the products and the services that they’re working on outside of company time.
Mark S A Smith: Yeah. That’s really important. One of the things that I run across frequently in the Executive Strategy Summit that I conduct on a regular basis is where founders of organizations out of the goodness of their heart want to have transparency with their organization, and they end up sharing way too much information with their team. That is a potential conduct risk. A substantially risky situation to be in because of what you just described.
They need to keep the details to the level of information and really understand the concept of need to know. Not only is that from preventing a social engineering issue or in a small organization that person being stolen away by their competitor, and they walk out with all the trade secrets, if they’re not protected. And then the issue around people like being in the know, and they feel like they get power by revealing secrets to others to gain their favor. That social engineering can absolutely destroy an organization.
Justin Recla: Well, it can actually kill an entire organization. We’ve seen it happen. We had a client that came in. They brought in an operations officer, friend of the CEO. Guy had known him for 18 years, talking about a $500 million contract that was on the line. He brought his best friend in from 18 years as the operations officer.
Unfortunately, what he found out the hard way … Because he didn’t do any mechanical due diligence, he didn’t do anything beyond the, “I know the guy, and I like him.” Six months later, all of their investors were now on his list. The best friend was claiming that the CEO had actually stolen the idea from him. It was actually his company and not our client’s. There was literally a $500 million contract on the line with a very large major player in their industry because of all the drama, the contract fell through. He’s still playing clean up with the investors that this guy badmouthed and made all these false accusations from.
Unfortunately, he found out after the fact that his best friend had done this with three other companies-
Mark S A Smith: Oh my goodness.
Justin Recla: … prior to. Got hired and then tried to take over the business to make it his own and destroyed those previous companies.
Mark S A Smith: Yeah, those people are called pirates. They do exist. We actually talk about them in the Executive Strategy Summit, being aware of that people come in and will take over organizations. You’ve got to find out with the basic due diligence, mechanical due diligence, to find out if this person has that propensity.
One of the things I want to point out, and we talk about this in the coaching that I do with executives is, never hire somebody that you can’t sue. Part of the reason why is not that you expect to sue them, but the fact if you can’t sue them, either psychologically, or you’re prevented to do so, because they’re part of the family, you are at risk to their conduct risk, because you won’t do the due diligence. You won’t do what’s necessary to find out if they’re a bad actor, because they might be, and you just can’t do that psychologically.
You’re much, much better off finding somebody that you can hire and then fire, if something goes wrong. Hiring people you cannot fire is a massive mistake I see on regular basis in businesses that are attempting to grow. That can be the beginning of the end.
What have you seen in your work with organizations in that close relationship hiring situation?
Justin Recla: Well, just like you describe. We’re quick to overlook the faults of our close friends and family. It’s not always the best fit for business. They either underdeliver or overpromise or do things half-assed, knowing that you’re going to not do anything about it, because you’re close friends or your family.
The biggest hindrance that we’ve seen in that is it slows the entire pace of the business down. It completely kills it, because while you’re having to figure out how you’re going to get that person out of that position, the business is still going on. Now you’re dealing with twice as many headaches, just because you’ve got a friend or a close family member that does whatever it is you need them to do, or whatever it is that you’re looking to fill, doesn’t necessarily mean it’s the best fit business-wise because of the potential risk.
Now, that’s not always true. There are some relationships out there that are solid, but they have been built on a foundation of business first, and then the friendship came second. We’ve seen that work. However, hiring friends and family just because they have a certain skill set, just because they’re friends and family, is always a bad choice in my opinion.
Mark S A Smith: I have to agree with you from personal experience.
Let’s go back for a moment. We talked about the full employment screening process, and I started down the difference between doing a due diligence on vendors versus due diligence on employees versus due diligence on executives, and we got sidetracked. I want to come back and talk about a due diligence strategy on vendors.
Justin Recla: Prior to our firm coming along, there wasn’t a whole lot of due diligence actually being done on vendors. You can’t do a background check on a B2B transaction. You need a social security number to do an actual background check on somebody.
However, with our process we come in, and we look at vendors from who are the principals involved, what services do they provide, how long they’ve been in business. Actually looking at the business entity, you’ll be surprised at how many businesses are out there that are actually operating under a suspended license or don’t have a business entity at all. That in itself provides huge risk when doing work with a contractor or a vendor. Because if they don’t actually have a business entity, and you’ve entered into an agreement, and then they don’t follow through, and they don’t deliver, you’ve got nobody to sue. You have nobody to go after, because the business entity that doesn’t exist on paper, it’s not seen as a legal entity. That’s a huge risk.
When you’re looking at a vendor, you want to look at the business history, who they are, who the people are. Doing some of the basics of, how many times have they done this for people in the past, what were their experiences and doing client followups, doing referral followups. But really looking at it from the business aspect too, and making sure that the business entity is on the up and up to make sure that they’re a good fit for your organization.
Mark S A Smith: What would you consider to be the threshold of business where an executive must consider doing some due diligence or run the risk of conduct risk? Is it a contract for $10,000, $100,000? Where is the cost versus risk trade-off with what we need to take a look at this?
Justin Recla: That’s a great question. It depends on the level of business. If it’s going to cost you 10 grand, and that 10 grand is a pivotal chunk of change for your business, then you should definitely do some level of due diligence. If the project’s going to take six months to complete, you definitely want to do some due diligence.
If the project’s going to take 500 bucks, and it’s going to take four days to complete probably not that huge of a risk. The answer is it depends on the organization.
If it’s something that needs to be done right now, right away, well, you should probably already have somebody lined up. If you’re looking to bring somebody new in, then I would push back the project, regardless of how fast it needed to be completed.
If it’s something that you know is going to take some time, you want to make sure you hire right the first time. You want to make sure you bring in the person that is going to be a good fit. Because there’s nothing worse than knowing that you’re involved on a project that’s going to take you six months, only to find out that two and a half months into it, the person that you brought into the project to assist can’t get it done, because now, guess what? Your six months just became nine.
Mark S A Smith: Mm-hmm.
Justin Recla: You have to take those things into consideration and really play the “What if?” game. What if this doesn’t work out? If that’s going to be a huge deal-breaker, or going to have a huge impact on the flow of your business, then that’s really going to dictate how much due diligence you do, when you do it, and how soon you do it.
The beautiful thing is, is that if you have a due diligence process established for your business, for vendors, for executives, for employees, for anybody that you bring into your organization, once you’ve got those processes in place, putting people through that process is quick. A lot of people think that due diligence actually slows things down. It doesn’t. It actually speeds it up.
Mark S A Smith: Interesting. Tell me about the timing that’s required to do a typical due diligence. Let’s just say for each of those employees, vendors, and executives. I would expect for an employee, it would be a little bit shorter, vendor a little longer, executives a little more so because of the depth that’s required to get the job done.
Justin Recla: Absolutely. For a basic employee background check, you’re looking at anywhere between three and seven business days. For a vendor check, you’re looking between seven to ten business days, and for an executive, it can be up to a month, month and a half.
Mark S A Smith: Interesting.
Justin Recla: As you’re bringing on people into the project and your business, the executive is somebody who’s not going to be there for three weeks. It’s somebody who’s going to be around for a while. You want to make sure that you’re really, really understanding who they are, and what they do.
Mark S A Smith: They also have access to the intellectual property. They have access to the bank accounts. They have access to the investors. They have access to the customers. They have access to the contracts. Conduct risk at that level is extremely expensive. If you’re not doing some sort of a background check at that level, it can cost you your entire business. Of course, as an executive, then you’re on the hook, because you’ve made a bad decision. You are now liable for conduct risk. If you don’t protect from conduct risk, you could become accused of conduct risk.
Justin Recla: It’s one of those catch-22s. The smart businesses, the ones that really truly have a lot to lose, are the ones that are looking for new ways of doing due diligence, ways of mitigating their risk. If we had a nickel for every time I heard somebody like, “Oh, I wish I would have met you three months ago.” I wouldn’t be having this conversation, Mark. I’d be on a beach somewhere.
Mark S A Smith: That’s a lot of nickels, pal.
Justin Recla: I’m telling you, it’s a lot of nickels. Everywhere we go, we get multiple stories. The beautiful thing is, is that we’re educators by nature, and we love helping our clients establish those processes for their business, really helping them put those layers of protection in, so that they’re not open to that risk.
Mark S A Smith: It sounds like you perform both consulting to help organizations create their due diligence strategy, as well as, perform a due diligence on a one-off type of basis.
Justin Recla: Absolutely. We love coming in to businesses, consulting with them, and then helping them build those processes. And then we step out, because we’ve helped them build the systems that are specific to their organization’s needs from all levels of risk. From employment screening, to vetting vendors, to vetting executives, working with the human resources department, working with the hiring managers, working with everybody within the organization to mitigate the risk from people.
And then, once we help get those processes established, and they’re up and running, we step back, and it just runs itself at that point in time. It’s coming in and adding that level of insurance and protection that will bring the organization peace of mind for anybody that they bring into their company.
Mark S A Smith: That becomes an interesting part of the intellectual property of the organization. I can also see that process itself as creating a competitive differentiation. If you’re up against a me-too competitor, and part of your value prop is that we have a due diligence strategy to help minimize the level of conduct risk to an organization, versus a competitor that doesn’t that may improve your competitive positioning. I could also hear somebody thinking, “Yeah, but hang on just a second, Mark, if I promise it, what happens if we fail?” Well, you’re going to fail, if you promise it or not.
Justin Recla: An ounce of due diligence is always less expensive than clean up on the back end. If you want to look at from an insurability perspective, let’s say you do bring somebody into your organization that causes some harm, that causes some liability to the company. Having a due diligence process in place can give you that extra layer of protection, because you can say, “Yeah, we did our due diligence, and … ”
Mark S A Smith: Yes, of course. In fact, the courts recognize the fact that you have processes in place to protect is way stronger than no processes in place, which becomes negligence, and therefore, treble damages.
Justin Recla: Yup. The SEC’s gone so far as to even say that for companies that are raising capital, back in September of 2013, they came out with what’s called the “Bad Actor” Regulation.
Mark S A Smith: Right.
Justin Recla: That says that if you are raising capital, and you have anybody that’s directly involved in that raise that is a bad actor, and you do not self-disclose that, and it is discovered or complained against, basically, your company’s shut down from the ability to raise capital for five years.
Mark S A Smith: Wow.
Justin Recla: That’s huge. But they came out also during that same time when they put out the regulation that said that if you can show that you’ve done due diligence, and it still wasn’t uncovered … That you can show that you did everything in your ability to verify the people involved in the raise, then that’s a defense.
Mark S A Smith: Very good to know. That’s a great piece of information.
All right, let’s do a pivot and talk a little bit, in the time we have left, about cryptocurrency, and the work that you have done to verify cryptocurrency with your CryptoBit Verified cryptocurrency list.
Justin Recla: The cryptocurrency world right now is like the wild, wild west, literally like the wild, wild west. There’s a lot of money to be made. There’s lots of opportunity. The technology involved in it is absolutely amazing. The amount of frauds and scams that are out there for people to get involved with are unreal.
To date, we’ve uncovered over 300 frauds and scams. As a matter of fact, we just added five new ones to the list this week. There are businesses and business opportunities that are just not legitimate. They’re either Ponzi schemes. They’re hybrid Ponzi schemes, or they’re ICOs that are raising millions of dollars out there that are some kid in their mom’s basement who’s got a computer, and he’s put together a website, and he’s raising money.
Mark S A Smith: Amazing. Boy, don’t let go of your dollars without doing the background checks on crypto, friends. That is not a good idea. Don’t get me wrong, crypto is a very powerful tool. Blockchain is going to change the world. We’ll talk more about that later. Do not look for the get-rich-quick scheme today.
Justin, how can people get access to your CryptoBit Verified cryptocurrency list?
Justin Recla: They can actually come join us inside of our free Facebook group. You just search Facebook for cryptocurrency due diligence. We’re constantly putting out great information there, or they can actually go to duediligenceclub.com. I know you’ll probably have in a link in your list in there.
Mark S A Smith: I sure will. On the show page, we’ll have a link to both duediligenceclub.com, as well as, the Facebook group for due diligence.
This has been a great conversation, Justin, absolutely revealing for me. I have new insights. Even though I’ve written a book on security, you have provided me with new ideas that we now have to share with executives to protect their organization, to ensure that they’re not disrupted, here on the Selling Disruption Show.
How can people get a hold of you otherwise?
Justin Recla: Find us at clearbusinessdirectory.com, or they can reach me at justin@reclagroup R-E-C-L-A group.com, or reach out to me on social media.