Daniel Draz | Fraud Solutions
Two of the questions most often asked by businesses looking to gauge their fraud risk management efforts are “how do we know if we’re adequately prepared for investigations and audits,” and “are we doing the right things?” The reality is that your company shouldn’t be waiting for investigations or audits to occur to determine how fit you are to deal with major fraud, compliance or regulatory related events.
Investigations are generally “after the fact” situations and there’s really not much you can do to prevent that. The reality, however, is that your company must be prepared for the events leading to the investigations significantly before they occur. So, the time to determine how ready you actually are is not “post incident,” when the chips are down, but significantly before the event ever occurs. The analogy here is to disaster readiness exercises which are routinely conducted by city, county, state and federal agencies. The training happens to assess the overall readiness of the community to handle a large-scale disaster before the event occurs.
In looking at the issue of investigation and audit readiness, there are a myriad of criteria which need to be evaluated across the enterprise to assess operational anti-fraud strength, but that’s an exhaustive list. So, rather than focus on the larger list, the purpose of this article is to home in on five core themes which will help your company to be prepared and operationally ready: regularity, fraud management team functionality, lessons learned, vulnerabilities and proactivity.
There are a number of commonalities between physical fitness and fraud fitness. Aside from watching what you eat, a major part of excellent physical fitness routines is regular exercise.
Corporate fraud risk management, investigation and audit programs are no different. The regularity with which you assess your anti-fraud efforts and make adjustments is paramount. Yet, despite the incredibly fluid nature of the global fraud landscape in 2014, and the significant risks for large-scale losses, liability, brand damage and shareholder lawsuits, many companies only evaluate their fraud, ethics and investigations policies, processes and procedures either on an annual basis or even more infrequently than that.
Case in point, if your company is “blowing the dust off” the fraud policy and the last revision date was more than five years ago, the odds of being successful are extremely slim. The irregular nature of fraud, audit or investigative assessments is the first indicator of potential failure and certainly the global nature of fraud dictates that companies engage more frequently in all elements of their program.
Management Anti-Fraud Team Functionality
It is imperative to create a holistic management anti-fraud team, including members from key business units with the authority to make decisions for their departments. Individual members who continually have to get approvals from other decision makers before reporting back to the management anti-fraud team foster an ineffective anti-fraud atmosphere.
The important distinction to be made with this theme is that this isn’t a reference to the functionality of the fraud department’s management but the independent management team tasked with oversight for the company’s overall anti-fraud efforts.
The effectiveness of the management anti-fraud team can be increased through: regular meetings, the establishment of a companywide anti-fraud agenda, communicating across the enterprise, debriefing after major fraud events, addressing control breakdowns and, perhaps most importantly, implementing corrective actions post incident.
Two of the major criteria we routinely examine are whether your company has a “lessons learned” policy and how effective it is. If your company doesn’t have a lessons learned policy you might be surprised to learn you’re not alone. We’ve found that many companies don’t have a policy of this nature despite regulatory language in many verticals which references it as a best practice for effective fraud risk management efforts.
The lack of a lessons learned policy often causes businesses to be re-victimized, or “reloaded upon” by the same fraud scheme, or vulnerability, more than once. This, of course, is completely preventable through post mortem event investigation, analysis and action as defined in your lessons learned policy.
So, one key step is to evaluate the effectiveness of your lessons learned policy or alternatively if one doesn’t exist then it’s imperative to create one immediately.
Your company can enhance the robustness of its anti-fraud operations by evaluating not only its own handling and miscues post event but the miscues of others as well. And there’s no better way to do this than by monitoring news feeds and evaluating the regulatory enforcement actions posted about the mistakes other companies made post event. Since most regulatory documents and filings are usually public knowledge, there’s an excellent opportunity to learn from others before your company makes the same avoidable and costly mistakes.
If your company is serious about preventing fraud and eliminating risk, you have to ask yourself the following question. When was the last time we conducted a vulnerability assessment, evaluating critical weaknesses and liabilities?
Perhaps you’re not even sure how to go about starting this exercise? Well, for starters, at Fraud Solutions we like to advise clients that they have to “think like a criminal.” To do so, ask yourself “how would I attack this company if I were on the other side of the fence?”
This is one place where most businesses get an F on their fraud fitness checkup. If you want to know how criminals are going to attack your company then you have to think like one. So, flip it around, think like a criminal, identify weaknesses and plug the holes before a major fraud event occurs.
While fraud is fluid, dynamic and constantly changing, the anti-fraud operations we see in most businesses are heavily reactive and are often dealing with most issues “after the fact,” versus doing what most organizations with healthy anti-fraud efforts do and that’s “getting out in front” before there’s an issue.
One of the keys to being audit and investigations ready is to first assess your overall anti-fraud strategy. Take a snapshot and see what it looks like.
Your anti-fraud and investigations efforts should always be far more proactive than reactive in nature. Use the 70% barometer to gauge your efforts. If the majority of your corporate investigation and anti-fraud efforts are heavily reactive (70% or above), then you’re in the red, your program is unhealthy and needs immediate attention.
If, however, the majority of your anti-fraud efforts are proactive (70% or above) then your program is in the black and more likely healthy. Given the nature of major fraud events, there is always a reactive component but that should NOT be the major emphasis of your anti-fraud program.
It’s imperative to determine if your company is fraud fit or ready to flat line. Being fraud fit and adequately prepared for investigation, fraud, compliance and audit events is a factor of how engaged your company is on a regular basis throughout the year and not on a once a year basis which, unfortunately, is the trap most businesses fall into.
However, being fraud fit also involves readiness exercises, fraud training, employee awareness campaigns, effective management team interaction, program analysis and technological interaction which must be an ongoing process with regular assessment and robust enhancements made based on lessons learned and the changing nature of the global fraud landscape.
The alternative to fraud fitness is flat lining which could mean the death of your business through: increased losses, decreased investor confidence, negative publicity, significant liability, increased shareholder lawsuits, brand damage and decreased ROI. So, what’s it going to be?