Fraud risk management is an essential component of a holistic enterprise risk management (ERM) program, which typically covers proprietary information, trade secrets, intellectual property, customers’ personally identifiable information (PII), account information and revenue. Yet, for reasons that aren’t immediately clear, many companies are seriously deficient at preventing the risks associated with these areas.
You Definitely Have What They Want
When asked about the lack of robust risk prevention efforts, common responses often reflect a naïve, “head in the sand” attitude, with statements like: “that will never happen here,” “we don’t have anything that anyone wants” or “we’re (generally) in compliance with the regulation.” The reality is that the “it will never happen here” attitude couldn’t be farther from the truth.
Revenues aside, companies usually hold a significant amount of information in house. While that may seem innocuous to most, data clearly has incredible value, as the sharp rise in the number of massive data breaches in recent years shows. Times have certainly changed: data breaches used to be the exception, but unfortunately they are now the rule.
Failing the Wall Street Journal Test
Let’s just say for a moment that you’re correct about not having anything (data, information, revenues, etc.) the bad guys want. While you may honestly think that’s the case, imagine the horror when you wake up one morning to discover that your company has failed the Wall Street Journal (WSJ) test.
The WSJ test involves finding that your company is front page news for some business failure that nearly everyone will find egregious. For example: because you failed to secure it, your computer network was the launching point for a massive offshore attack on some retailer or financial institution that resulted in billions of dollars in losses.
So, if you honestly think you have nothing that the bad guys want, think again. In business, there’s always something your company has that someone else wants and you need to protect it before it gets compromised.
External Threats from Abroad – The Black Market is Alive and Well
According to a Financial Times piece on the escalation of Europe’s black market, “a new breed of cyber criminals in Russia, Ukraine and other parts of eastern Europe (and Asia) are carrying out increasingly sophisticated online attacks on financial services groups.”
But don’t be fooled…you’re not in the clear simply because your company isn’t a financial services firm. The truth is that these groups attack anyone and anything that has something of value to them, no matter what type of business the company operates.
Hackers target specific businesses because they’ve done their homework, gathered intelligence and identified some security or business vulnerability that they can exploit quickly, often late at night or during holiday weekends when staffing is minimal and few employees are working.
Further, small and medium-sized businesses may be attractive targets to nefarious characters because these companies aren’t overly sophisticated in their computer defenses or lack the technical resources needed to combat a sophisticated external attack.
Beware of Foxes in Employee’s Clothing
The other important consideration in fraud risk management is distinguishing internal from external threats. While there are certainly sophisticated, organized (external) crime rings operating overseas that are targeting your business, companies often overlook the (internal) threats closer to home.
According to the Association of Certified Fraud Examiners, annual losses due to internal employee fraud and theft are placed at $50 billion. It’s worth noting that many of the cases fraud practitioners get involved in are large scale (over a million dollars in losses) and that the average time to detection is around eighteen months to two years.
Twenty-four months is a significant period for an internal fraud to go undetected, and the length of time over which the fraud runs allows for high dollar losses that directly affect your company’s bottom line and diminish your ROI.
Fraud Risk Mitigation
One of the things that ALL businesses should be doing on a REGULAR basis is mitigating risks, which generally fall into three categories: revenue, data and reputation.
The trap here is that many companies assume the revenue risk is going to be the biggest risk and the one they need to address immediately. While that’s often true, data risks or reputational risks that don’t score as high during your evaluation process may actually pose a more significant threat to your business than the revenue risk.
Before companies attempt to mitigate fraud risk, however, they must first conduct a fraud risk assessment to identify their major vulnerabilities. A major mistake at this stage is thinking only of revenue-related risks, since data, information and reputational risks pose major issues for businesses as well.
The Fraud Risk Management Cycle
The risk management process begins with risk identification, but that’s certainly not the end, as there are many more steps that must be taken. To be effective, the risk management process must be not only holistic but cyclical as well.
Figure 1. Fraud Risk Management Cycle. © Fraud Solutions, 2014
Once you’ve identified the major risk that you’re going to tackle first and chosen a risk mitigation strategy to address it, it’s imperative that you test your solution to see whether it is likely to achieve the intended risk mitigation results.
A word of warning here: always test a potential risk solution in a “non-production” environment so as to minimize any problems or issues that might impact your entire operational network.
Absolutely DO NOT test your risk mitigation tool in a live environment if you can avoid doing so. The results can be catastrophic, and you definitely do not want your risk mitigation tool to create a major new business risk that prevents your company from doing business.
Once you’ve successfully tested the tool in a non-production environment and you’re confident it’s going to work, it’s time to deploy the tool in your live environment. But just as in woodworking, where best practice is to measure twice and cut once, the same holds true for risk management tool deployment.
There’s nothing wrong with an added layer of research, even if it seems redundant, to ensure you’re going to be successful and achieve the risk mitigation results you’re after.
The last step is where many companies drop the ball in the risk mitigation process. After deploying the risk mitigation tool, employees often assume the measure was successful and walk away from the process.
However, evaluating your results post-deployment is imperative. If you achieved the desired results, then you simply repeat the process with your next largest risk.
If you didn’t achieve the desired results with the risk prevention method you chose, then you either have to refine that method or use a different one. Most importantly, you’re then back to square one with the new method and need to execute all of the steps again to ensure you get it right.
As a fraud practitioner, I can tell you that your company’s fraud health and well-being is paramount to its continued success and fiscal well-being. Do you know what your major risks are? I guarantee that the bad guys do!
It may surprise you, as the biggest risks may not be what you logically think they are. Avoid being the WSJ’s front page story by creating an active fraud risk management environment.
There’s an Endless Supply of Risks
Think you’ll ever run out of risks to mitigate? Not while we have significant internal and external threats driven by a depressed employment market and a global, “information has value” underground economy.
So, the question is: when was the last time your company went in for its fraud risk assessment checkup? If the answer is “some time last year” or “on an annual basis,” that may not be regular enough, as bad actors are checking out your business vulnerabilities daily. Remember, the only constant with fraud is change, and your business either changes with it or suffers the consequences.