5 Places Where the Human Element of Risk Rears Its Ugly Head

By Lowers & Associates,

5 Places Where the Human Element of Risk Rears Its Ugly Head

A perfect storm of human errors — six of them to be exact — caused the biggest nuclear accident to date, the Chernobyl disaster in 1986. An IT mistake prompted 425 million Microsoft Azure users to experience 10.5 hours of downtime. Lack of communication between maintenance crews caused what would have been a simple fix to, instead, lead to the crash of a 1.4 billion dollar stealth bomber.

While there are many sources of enterprise risk, probably the most dynamic and difficult to contend with are those driven by or otherwise impacted by human capital — that is, people. The fact is, most risks start and end with people. The decisions people make, how they perceive situations, how closely they follow policies and procedures… these and other human-driven factors can significantly influence how risks are identified, managed, and addressed.

In our work in the realm of human capital risk, we see many areas where people have the potential to positively or negatively impact the organization from a risk management standpoint. Unfortunately, when people fail, they sometimes fail in big ways. Here are some of the places where human capital risk can rear its head, causing damage to people, brands, and profits:

1. Cybersecurity

Staying secure goes beyond technology (think servers, network, firewalls, etc.); it requires the aid of humans to maintain that secure digital environment. And while most employees get some degree of IT security awareness training in the course of their jobs, mistakes still happen.

IBM estimates the average number of records lost to data breaches annually to be 25,575, and the average cost per breach of USD $3.92 million. Social engineering, malware, and phishing attempts continue to pay dividends for the fraudsters who deploy them. We all know we’re not supposed to click on that link or divulge sensitive information over the phone, but still, people do it. Lapses in judgment, failure to follow a process, having a sense of overconfidence or the feeling that it won’t happen to them, whatever the reason, humans have the ability to sidestep even the strongest cybersecurity protocols.

2. Occupational Fraud

Risk doesn’t always stem from human error; sometimes it’s the result of deliberate actions by employees. Common types of occupational fraud include asset misappropriation, corruption, and financial statement fraud. In 2017, these types of fraudulent activities resulted in $7 billion in losses, according to ACFE’s 2018 Report to the Nations.

When the workplace lacks internal controls, fails to have separation of duties, or neglects to invest in data monitoring and technologies that could flag anomalies, unscrupulous employees see their opening.  Bookkeepers set up fictitious employees in payroll systems in order to cut checks, executives find ways to alter records and financial statements, and line workers take home company property for personal use. These incidents have a median per-loss cost of $114,000, as noted in the ACFE Report.

3. Physical Security

Check with most workplaces and you’ll find they have certain security protocols in place or at least policies that address physical security. Visitors may be asked to check-in at a front desk, employees might be required to wear ID badges, and doors might be required to be locked at all times.

Unfortunately, over time, employees become complacent and policies become outdated. People forget, or simply choose to ignore, the basics they’ve been taught. They leave doors propped open, inviting strangers to come in the building. They neglect to report a broken lock or missing lightbulb. They forget to keep up their annual emergency exit drill schedule. Or, they fail to log off a computer just as someone else decides it’s okay to let a guest circumvent the front desk sign-in because they “know this person.”

These small, but meaningful, errors in judgment often mean the difference between a workplace that remains physically secure and one that opens itself to the risks of theft, data breaches, or even active shooter situations.

4. Workplace Violence

Workplace assaults resulted in 18,400 injuries and illnesses and 458 fatalities in 2017. Assaults range in severity from threats and verbal assault to stabbings, rape, and intentional shootings. In fact, mass shootings at workplaces, schools, and public venues have become the new norm with an average of at least one happening per day in the United States.

We can’t always know which employees are at high risk for engaging in workplace violence, but experts have begun to identify the behaviors that often precede events like these. They include the inability to focus, crying, social isolation, threatening behavior, concerning posts on social media, or complaints of unfair personal treatment. A sudden change in behavioral patterns, or in the frequency or intensity of these behaviors, is also a red flag.

5. Negligent Hiring and Retention

Exercising due diligence in hiring is the best line of defense against negligent hiring and retention lawsuits. Background checks, of course, are the first course of action in rooting out applicants who might disproportionately introduce risk into the workplace. Gathering criminal background records, doing drug testing (as appropriate), and verifying references and credentials are all critical to mitigating your hiring risks.

Beyond background checks, organizations need to have effective fraud detection methods in place. This is particularly relevant considering 96 percent of fraud perpetrators had no prior fraud conviction, and fraudsters who were employed for more than five years stole twice as much, $200,000 vs $100,000 for newer employees! They need to understand the elements of human risk that can be an early indicator of fraudulent activity, including employees who live beyond their means, are experiencing financial difficulties, or have an unwillingness to share job duties.

Manage Your People, Manage Your Risk

Humans are, well, human. They introduce a spectrum of risk into any workplace, from purposeful criminal behavior on one side to unintentional, garden-variety mistakes on the other.

Managing those risks is an ongoing challenge, particularly when it’s difficult to pinpoint the precise human factors that contribute to failures. If you’d like help identifying those areas in your organization that are most susceptible to the human element of risk – whether it’s your cybersecurity program or your hiring processes — request a meeting with a risk management professional.

 

  Category: Risk Management
  Comments: Comments Off on 5 Places Where the Human Element of Risk Rears Its Ugly Head

2019 Fraud Week Wrap-Up

By Lowers & Associates,

We were proud to join the Association of Certified Fraud Examiners’ (ACFE) 2019 Fraud Awareness Week as an official supporter. Saturday, November 23, 2019 will conclude a weeklong effort by the ACFE to minimize the impact of fraud by promoting anti-fraud awareness and education.

Companies lose an estimated 5% of their revenue annually as a result of occupational fraud, according to the 2018 ACFE Report to the Nations. It turns out, the risk of occupational fraud is much higher than many managers and leaders realize. Each case results in a median loss of $130,000 and with cases lasting a median of 16 months, fraud is something organizations of all sizes must take care to detect and deter.

In support of Fraud Week, we produced several informational articles, which are summarized here for easy reference:

2019 Fraud Week Series: How Technology is Helping in the Fight Against Fraud

How Technology is Helping in the Fight Against Fraud

The key to catching fraudulent actions before real damage is done is having systems in place to ferret out anomalies and report suspicious activities early. This means being equipped with tools like automatic monitoring, artificial intelligence, and anomaly detection protocols. For instance, surprise audits and data monitoring are a powerful combination in reducing fraud loss. Though only 37% of the companies examined in the ACFE  study used them, those that did got fraud cases under control in approximately half the time and reduced fraud losses by more than 50%.

Read the full post

The ACFE’s 5 Big Fraud Tips You Should Act on Now

The ACFE’s 5 Big Fraud Tips You Should Act on Now

As part of the 2019 International Fraud Awareness Week, the Association of Certified Fraud Examiners (ACFE) distributes information and training to help anti-fraud professionals reduce the incidence of fraud and white-collar crime. A recent ACFE publication, 5 Fraud Tips Every Business Leader Should Act On, spells out five ways organizations can work to prevent and minimize fraud in the workplace. We’ve paired their recommendations with the research-based actions you can take to achieve these aims.

Read the full post

Recovering Fraud Losses: What the Numbers Reveal

Recovering Fraud Losses: What the Numbers Reveal

Losses from occupational fraud topped $7 billion in 2017, according to the Association of Certified Fraud Examiners’ (ACFE) most recent global study on occupational fraud and abuse, 2018 Report to the Nations. The median loss for all cases in the study was $130,000 USD, yet a full 22 percent of companies lost $1 million or more. To add insult to injury, only 15 percent of businesses that experienced fraud were able to fully recover their losses.

Read the full post

7 Must-Haves for Occupational Fraud Prevention

7 Must-Haves for Occupational Fraud Prevention

These seven fraud prevention strategies, drawn from the 2018 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), will go a long way in fortifying your organization against the conditions that can facilitate occupational fraud at the workplace.

Read the full post

We hope you have taken some time this week to think about your 2020 fraud prevention programs and strategies and how you’ll build early fraud detection and proactive prevention into your processes.

No company is immune to fraud.

7 Must-Haves for Occupational Fraud Prevention

By Lowers & Associates,

7 Must-Haves for Occupational Fraud Prevention

As the ACFE’s 2019 Fraud Awareness Week comes to a close, it’s a good time to create your plan for fraud prevention in the year ahead. These seven fraud prevention strategies, drawn from the 2018 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), will go a long way in fortifying your organization against the conditions that can facilitate occupational fraud at the workplace.

1. Tone from the Top

A robust anti-fraud program that is embraced from the top of the organization to the bottom creates a culture of honesty and fairness. A solid program starts with a code of ethics, signed by all employees, and continues with anti-fraud policies, training, internal controls, and periodic employee surveys which help gauge the extent to which employees believe management acts with honesty and integrity. Many organizations also include fraud prevention objectives as a part of their employee performance goals.

2. Anti-fraud Training

Practical, hands-on training that educates employees on how to detect fraud, what to look for, how internal controls work, and how to report fraud are instrumental to any anti-fraud program. For instance, make employees aware of the research that demonstrates how fraudsters attempt to conceal their activities, such as through the creation of fraudulent documents, altered accounting transactions, or fraudulent journal entries.

3. Clear Reporting Methods

Fifty-three percent of fraud cases in the ACFE’s 2018 Report to the Nations were reported by employees, and the research also revealed that hotlines were effective in encouraging such reporting. So, whether you create a dedicated fraud hotline, or rely on emails, web forms or in-person reporting, do be sure that all employees know their options for reporting suspected fraud.

4. Proactive Detection

Commit to having anti-fraud efforts remain at the forefront of your organization. This means sending out regular messages to the team, conducting surprise audits, performing regular account reconciliation, and implementing continuous monitoring software to detect anomalies. Organizations with proactive detection methods like these caught fraudulent activities months earlier than those with passive detection. For example, frauds detected actively by IT controls tended to last five months and cause a median loss of $39,000, compared to schemes detected passively (e.g., through notification from law enforcement), which tended to last two years and cause a median loss of almost $1,000,000. If you’re not sure where to start, begin with a fraud risk assessment to identify and mitigate any vulnerabilities you find.

5. A Strong Auditing Team & Internal Controls

The one-two punch of a strong auditing team and solid internal controls will mean the difference between sleeping well at night or potentially having massive losses. Your auditing team should have adequate resources and authority to operate effectively and without undue influence from senior management. In addition, the ACFE’s 2018 study found that weaknesses in internal controls were responsible for nearly 50 percent of all fraud cases! Anti-fraud controls are paramount to preventing or detecting fraud. Here are a few of the most important controls:

  • External audits of financial statements
  • Internal audit department
  • Management certification of financial statements
  • External audit of internal controls over financial reporting
  • Management review
  • Reporting hotline
  • Code of ethics and anti-fraud policy
  • Proper separation of duties
  • Job rotations

6. Diligent Hiring Practices

Background checks should always be a part of any hiring practice, and attention to criminal history, credit reports, and reference checks are particularly important in the context of preventing fraud. However, since 96 percent of fraud perpetrators in the AFCE study had no prior fraud conviction, the next step is understanding the behavioral red flags associated with fraudsters. Eighty-five percent of perpetrators displayed at least one of these red flags: living beyond means; financial difficulties; unusually close relationship with vendor/customer; control issues, unwillingness to share duties; divorce/family problems; and a “wheeler-dealer” attitude.

7. Employee Support Programs

Employee support programs are valuable for a variety of reasons, but in the context of occupational fraud, they can help address some of the underlying issues that present themselves as “red flag behaviors.” An open-door policy that welcomes employees to speak freely about financial, family or addiction pressures can help alleviate them before they become acute or lead to destructive behaviors.

The most cost-effective way to limit fraud losses is, of course, to prevent fraud from occurring. With these strategies in-hand, your organization will be off to a strong start. If you’d like an experienced team to help create an anti-fraud program or investigate suspected fraud, please reach out at any time.

Recovering Fraud Losses: What the Numbers Reveal

By Lowers & Associates,

Recovering Fraud Losses: What the Numbers Reveal

Losses from occupational fraud topped $7 billion in 2017, according to the Association of Certified Fraud Examiners’ (ACFE) most recent global study on occupational fraud and abuse, 2018 Report to the Nations. The median loss for all cases in the study was $130,000 USD, yet a full 22 percent of companies lost $1 million or more. To add insult to injury, only 15 percent of businesses that experienced fraud were able to fully recover their losses.

Recovering Fraud Losses: What the Numbers Reveal

The common theme in the report is that, while it’s often worthwhile to pursue remedial action against perpetrators, victims will usually not be made whole. Here are three factors negatively impacting these recuperation efforts.

1. Failure to Report

After a fraud has been discovered and investigated, a case might proceed to prosecution, civil litigation, both, or neither. In its annual study, ACFE researchers tracked the percent of cases that were referred to law enforcement or resulted in a civil suit being filed for each year dating back to 2008. They found that the rate of criminal referrals has been gradually decreasing over that time, from 69 percent in 2008 to 58 percent in 2018. In contrast, the rate at which civil suits are filed has stayed consistent, ranging from 22 percent to 24 percent within the same timeframe.

There are many reasons why victim organizations might decide not to refer cases to law enforcement and therefore forego any additional recuperation of the loss that may result. The top five cited reasons are:

  1. Fear of bad publicity: 38%
  2. Internal discipline sufficient: 33%
  3. Too costly: 24%
  4. Private settlement: 21%
  5. Lack of evidence: 12%

2. The Greater the Loss, the Less Likely the Recovery

There is an inverse relationship between the amount that victim organizations lose to fraud versus what they are able to recover. So, even if the organization decides to pursue legal action, they are not likely to achieve full recovery. Here’s how the numbers panned out:

  • Losses of $10,000 or less had a 30% chance of recovery
  • Losses of $10,000 to $100,000 had a 16% chance of recovery
  • Losses of $100,001 to $1,000,000 had a 14% chance of recovery
  • Losses of $1,000,000 or more had an 8% chance of recovery

3. Desire to Avoid Fines

A third reason recovery efforts can be hampered is the knowledge that organizations may receive monetary fines from authorities for having inadequate controls in place and thus enabling fraud to occur.

Of the three types of occupational fraud – asset misappropriation, corruption, and financial statement fraud – the latter had the greatest likelihood of fines, at 17 percent. And, fines were imposed regardless of the size of the loss. For example, organizations that lost $10,000 or less were fined 14 percent of the time while those that lost $1,000,000 or more were fined 20% of the time.

At a median of $100,000 per fine, these penalties were no small matter.

An Ounce of Prevention

Given that recovery is an uphill battle, the takeaway is this: organizations should do what they can to prevent fraud from happening in the first place. Internal controls, codes of ethics, recognizing red flag behaviors, and the availability of reporting mechanisms are all tried-and-true methods for realizing that goal.

The ACFE’s 5 Big Fraud Tips You Should Act on Now

By Lowers & Associates,

The ACFE’s 5 Big Fraud Tips You Should Act on Now

As part of the 2019 International Fraud Awareness Week, the Association of Certified Fraud Examiners (ACFE) distributes information and training to help anti-fraud professionals reduce the incidence of fraud and white-collar crime. A recent ACFE publication, 5 Fraud Tips Every Business Leader Should Act On, spells out five ways organizations can work to prevent and minimize fraud in the workplace. We’ve paired their recommendations with the research-based actions you can take to achieve these aims.

1. Be Proactive

A code of ethics for management and employees sets the tone that your organization is committed to conducting business honestly and fairly. Fortify your commitment with internal controls around areas of the business that are vulnerable to fraud.

In its 2018 Report to the Nations, the ACFE studied nearly 3,000 incidents of fraud across 125 nations. Here are the top 10 most common anti-fraud controls they found among the organizations in the study:

  1. Code of conduct: 80%
  2. External audit of financial statements: 80%
  3. Internal audit department: 73%
  4. Management certification of financial statements: 72%
  5. External audit of internal controls over financial reporting: 67%
  6. Management review: 66%
  7. Hotline: 63%
  8. Independent audit committee: 61%
  9. Employee support programs: 54%
  10. Anti-fraud policy: 54%

The study found that weaknesses in internal controls were responsible for nearly 50 percent of all fraud cases.

2. Establish Hiring Procedures

Background checks will continue to be one of the best practices any workplace can implement, yet surprisingly, a full 96 percent of fraud perpetrators had no prior fraud conviction, according to the AFCE’s 2018 report. Therefore, understanding the behavioral red flags displayed by fraud perpetrators can help organizations detect fraud and mitigate losses. The AFCE found that 85 percent of fraudsters displayed at least one of the six red flags listed below and 50 percent of them exhibited multiple red flags.

Six Red Flags of Fraud:

  1. Living beyond means
  2. Financial difficulties
  3. An unusually close relationship with vendor/customer
  4. Control issues, unwillingness to share duties
  5. Divorce/family problems
  6. “Wheeler-dealer” attitude

3. Train Employees in Fraud Prevention

Looking for signs of fraud isn’t top of mind for most employees, but having a code of ethics and internal controls create a strong workplace culture that’s attuned to the possibility of fraudulent activity. Employers can take this awareness a step further by educating employees on how to recognize fraud in their day-to-day lives.

Here are the top eight concealment strategies used by fraudsters:

  1. Created fraudulent documents: 55%
  2. Altered physical documents: 48%
  3. Created fraudulent transactions in the accounting system: 42%
  4. Altered transactions in the accounting system: 34%
  5. Altered electronic documents or files: 31%
  6. Destroyed physical documents: 30%
  7. Created fraudulent electronic documents or files: 29%
  8. Created fraudulent journal entries: 27%

4. Implement a Fraud Hotline

Now that employees know some of the signs to look for, employers should also provide a clear means for reporting suspected fraud. The top three ways that fraud is detected are through tips (40%), internal audits (15%), and management review (13%).

Employees are responsible for reporting 53 percent of occupational fraud cases with the remaining coming from outside parties, such as customers, vendors, or shareholders.

Having a fraud hotline has proved to be instrumental in detecting fraud. In fact, 46 percent of cases detected by tips in the AFCE’s study had hotlines versus 30 percent coming from tips where no hotline existed.

5. Increase the Perception of Detection

Keeping the risk of fraud both top of mind and at the forefront of your organizational policies and practices is key to preventing, recognizing, and mitigating its impacts. In addition to having employees sign a code of conduct, make sure you’re regularly communicating to staff about anti-fraud policies. Remind them of the methods available to report suspicions of misconduct and the potential consequences (including termination and prosecution) of fraudulent behavior.

Though 42 percent of the organizations in the 2018 Report to the Nation offered hotlines to report fraud tips, other mechanisms are also readily available. They include:

  • Email: 26%
  • Webform/online: 23%
  • Mailed letter: 16%
  • Other: 9%
  • Fax: 1%

To learn more about helping your organization combat fraud, stay tuned here for the rest of our our 2019 Fraud Week Series. If you need help formulating your fraud prevention program, request a meeting with a risk management expert at Lowers & Associates.