5 Stories that Highlight the Dangers of Complacency

By Lowers & Associates

Ah, complacency. That quiet sense of security or satisfaction with the status quo that prevents a person from acknowledging the potential dangers or risks around them.

We become complacent about internal controls, believing our employees have always been trustworthy and therefore we can eliminate extra steps in the process. We slack off in our security training, thinking “surely our team knows not to click on an unfamiliar link.” Or, we fail to conduct a background check because the applicant is the nephew of one of our fellow executives.

In our recent blog, 4 Culprits of Complacency, we highlighted some of the underlying factors that lead to complacency. In this blog, we bring forth five stories that expose the negative fallout and damage that can occur when organizational complacency takes root.

1. The Law Firm with Weak Accounting Controls

A law firm specializing in intellectual property let complacency derail its internal controls. The firm has five offices throughout the United States, and the satellite offices normally forward their customer payments to the corporate office for processing. Recently, however, customers from at least one of the five locations notified the firm that their previously cashed payments were being duplicated, forged, and re-cashed, resulting in fraudulent withdrawals from the customers’ bank accounts. Fraudsters left some of the personalized information on the check, such as handwritten notes in the memo line, but had replaced the recipient name, date, and check number with false information and deposited it remotely through an ATM. The firm had not kept customer payments in a secure, locked location; its complacency in failing to follow its own internal controls led to this embarrassing and costly mistake.

2. The National Political Committee Duped by Social Engineering

It was the hack heard round the world, all perpetrated by a simple case of spear phishing made possible by complacency. Hackers sent an email to members of the committee that looked like it had been sent by Google and asked them to click a link to reset their passwords due to malicious activity on their accounts. Several members took the bait, and with the new credentials in hand, hackers subsequently breached (and later published) more than 150,000 emails stolen from the Gmail accounts of committee members.

3. The Nursing Home That Failed to Check Employee Backgrounds

A Texas nursing home employee was caught on video physically assaulting an 83-year-old resident, who had advanced Alzheimer’s disease and could barely move, talk, or understand what was going on around her. The family sued the nursing home for $1 million for its negligent hiring of a 23-year-old employee who had previous arrests for fraud, marijuana possession, and criminal mischief on his record. Had the facility not succumbed to complacency, it would have required all workers to undergo a background check before being hired.

4. The Business Merger That Skipped Due Diligence

Two regional telco companies that had been in competition with one another decided to take the plunge and merge, with Company A doing the actual acquiring and Company B being the one acquired. The executives of both teams had been collegial over the years and knew each other’s respective businesses fairly well, so Company A opted to forgo a formal due diligence process. It was only four months into the new merger that Company A realized Company B had inflated the size of its client base and the average revenue per subscriber (ARPS) for each of those clients. Yes, Company B had 800 clients in their account records, but a full 200 of those clients had discontinued service at some point in the preceding timeframe, leaving only 600 active clients. The true value of revenue, then, wasn’t ARPS x 800 clients; it was ARPS x 600 clients, about $600,000 less in revenue a year than had been presented in the pre-merger discovery process. Once again, complacency reared its ugly head.

5. The Medical Diagnostic Company Lacking Sound Loss Prevention Strategies

We like to think that all of our employees are honest, but even with good internal controls in place, people find ways to cheat their employers. In this case, a manager set up a series of fake companies, invoices and expense reports to reimburse himself for more than $1.2 million in false expenses. His deception was ultimately uncovered through mismatched addresses used on his falsified documents. While loss prevention tactics can’t necessarily filter out every deceitful action, it’s far better to be proactive than remain complacent, as this company did.

Is complacency a risk factor in your organization?

Lowers and Associates works with a wide range of industries, including financial institutions, healthcare providers, casinos, couriers, and insurance companies, to protect their people, brands, and profits. We offer a full range of services, from cash-in-transit evaluations to venue security to IT risk assessments.

If you’re concerned your business is at risk of being complacent, let’s talk. We’d love to help.

  Category: Risk Management

4 Culprits of Complacency

By Lowers & Associates

“Complacency is the last hurdle standing between any team and its potential greatness.”

Pat Riley, former NBA Coach and Player

You’ve done the important legwork to protect your business against undue risk. You’ve conducted a threat assessment, reviewed security measures, fortified your IT infrastructure, put controls into place, built a business continuity plan, and trained your people. So now what?

Though you’ve taken great measures to prevent and/or mitigate losses, if people fail to consistently follow through with the day-in day-out responsibilities required to keep risks in check, it is all in jeopardy.

Complacency – that sense of quiet pleasure or security, usually accompanied by a lack of awareness of potential dangers or deficiencies – is the enemy of excellence and can be the single largest threat to any business.

Complacency can lead to massive failure. Consider the now infamous example of the Deepwater Horizon explosion, which killed 11 people, injured another 126, and caused an oil spill that took three months to get under control. The catastrophe was “the result of poor risk management, last-minute changes to plans, failure to observe and respond to critical indicators, inadequate well control response, and insufficient emergency bridge response training,” according to a federal report. In a nutshell, complacency.

Once complacency takes root in an organization, it’s hard to change course. In this blog, we’ll explore four common causes of complacency and show you how to steer clear of them.

1. Foregoing a “Moment of Insight”

Insights, or those “eureka moments,” abound in our personal lives, in society, and in the workplace. We experience a sudden understanding of something that was previously unknown or incomprehensible. The answer to a puzzle abruptly becomes obvious. A series of seemingly unrelated incidents suddenly reveals a clear pattern.

In the context of risk mitigation, these “aha moments” happen all the time. Businesses connect the dots between the events happening around them (e.g., wide area disasters, data hacking incidents) and make the adjustments they need to make in their own operations to stay protected (e.g., creation of disaster recovery plans, beefed up cybersecurity).

So why, then, do some people fail to act despite a clear moment of insight? It often comes down to a lack of leadership or sense of urgency. Often, leaders are focused on what’s in front of them – the objectives, processes, and budgets before them – rather than presenting a compelling vision for the company. This is especially true during times of change, the thinking being, “The crisis isn’t imminent, and we already have so much on our plates.”

Brent Gleeson, the author of TakingPoint, says, “Most organizations that continue to succeed and innovate have a culture poised for positive change and taking a risk. They don’t wait for the ship to spring a leak. They proactively and constantly set aggressive goals. They sometimes even intentionally develop a sense of urgency.”

2. Maintaining a Sense of Overconfidence

Another reason organizations stay in a state of complacency is an excessive sense of self-confidence, which can express itself in different ways.

Sometimes overconfidence stems from a false sense of security or well-being. “We’ve never had anything bad happen before, and the probability is so small that we can let our guards down.”

Whether it’s a statistical calculation, the illusion of preparedness, or outright arrogance, people operating with this mindset are inviting problems.

Someone leaves the door propped open while they run an errand, crisis communication plans become outdated, or passwords aren’t decommissioned when an employee leaves the company. Teams might even take their cue from management and begin letting practices and policies slide.

3. Having a False Sense of Reality

It’s human nature to be lulled into complacency, especially if you’ve lived the same basic existence in the same company for years on end. You come to believe you’ve lived pretty much every scenario and can reliably predict the outcome of most situations. When we believe we know the answers, our creativity and ability to proactively plan for potential threats become stagnant.

The key in these situations is to have a learning mindset, to be curious, ask questions, and think more deeply. Jeffrey Simmons, President and CEO of Elanco, says it’s helpful to “find people who make you feel uncomfortable, who help you learn a new skill or broaden your perspective.”

4. The Tendency to Make Excuses

Similar to having a false sense of reality, complacency thrives with people and in environments where excuses are made and accepted. Some of the common excuses that lead to inaction (for example, the failure to conduct quarterly safety trainings, the absence of consistent background checks, or the failure to conduct due diligence with a new business partner) are:

  • The likelihood of a disruptive event (e.g., tornado, data breach, active shooter, embezzlement) happening is so low it’s not worth our time to protect against it.
  • We’ve done business with this company for a dozen years, so we don’t need to investigate them as a part of this merger.
  • We’ve been very successful so far, so we must be doing something right.
  • Our team has very little turnover, so even if something were to occur, most of us were trained at one time on what to do in the event of an emergency or major incident.
  • We’re already doing all we can to protect our business from risk; we don’t have the bandwidth to do more.

How to Avoid Complacency

The military has a mantra that “complacency kills.” In fact, signs with this message are often posted at their bases and outposts. They know that complacency in combat may mean the difference between life and death.

In the business world, companies that fail to continuously evolve face obsolescence, at worst, and significant financial or reputational loss, at best.

Here are seven strategies recommended by American Express for warding off business complacency:

  1. Be clear on your long-term vision (no more than two years out) and your short-term goals needed to make that vision a reality.
  2. Have a specific plan for each day.
  3. Give yourself specific time each week—no more than one hour—to think strategically and evaluate where you are and if you are heading in the right direction.
  4. Challenge your team to think.
  5. Encourage and reward innovation.
  6. Create a formal process to learn from mistakes.
  7. Invest time and money to improve your skills and knowledge.

Lowers & Associates works with a wide range of industries, helping organizations with a full range of solutions, from assessments to loss mitigation to recovery. Contact us for a consultation to understand what unknown threats you might be facing and how to address them, so that you don’t become a victim of the four culprits of complacency.

  Category: Risk Management

Human Capital Risk Series: Focus on Complacency

By Lowers & Associates

One way to think about risk management is as a set of procedures designed to mitigate risks identified in a threat assessment. In this view, the risk management program contains a set of rules that can be taught to the right people who can implement the procedures to reduce or eliminate risk.

Humans are good at inventing routines to make repetitive tasks easier or faster to complete. In the beginning, we spend a lot of time and energy working out how the parts of the puzzle fit together, what causes what, what can go wrong, and how to achieve the goal most efficiently, in this case, to mitigate risk.

Once the routine is designed properly, we test it. If it works, we implement it and then begin the second phase of embedding the routine into a body of standard procedures.

  Category: Risk Management

“Red Flag” Behaviors of Occupational Fraud Perpetrators

By Lowers & Associates

Most crimes of occupational fraud are motivated, at least in part, by some kind of financial pressure. And while committing a fraud, the perpetrator will frequently display certain behavioral traits associated with the stress or fear of being caught.

These “red flags” are behavioral and system-based clues that can be picked up by attentive managers, colleagues, internal auditors, or subordinates. In turn, these clues can put an organization “on notice” that a trusted individual may be engaging in some form of improper or fraudulent conduct.

The Association of Certified Fraud Examiners (ACFE) in its 2012 Report to the Nations pinpointed the most common behavioral red flags associated with occupational fraud. The ACFE examined the frequency with which certain behavioral red flags were identified during a fraudulent scheme. …