“I knew him for years. He was like family. How could he do this to me and my business?”

It’s an all-too-familiar question after a long-term or trusted employee is caught or suspected of stealing from a company. So, what happens that makes it all go so wrong?

Simply put, cash is the great attractor – while we all interpret that lure differently, its visceral, kindly promise of freedom occasionally becomes too irresistible for human nature to ignore. Many businesses are not aware of, or at least, are not able to consistently identify, hire, educate and train around this fact. In CIT and Security, the breakdown is most often in one or more of The Three P’s (Policy, Process, and Procedure), but it’s certainly not an isolated phenomenon. Retail establishments, financial institutions and more all struggle with it.

The Three P’s are designed to reduce and control both the likelihood (risk probability) and severity (risk impact) of loss relating to risk; in this example, employee theft. For context:

• Policy is a rule or set of guidelines;
• Process is a high-level set of criteria that must happen in order to ensure compliance with a policy; and
• Procedure is a specific, detailed series of actions that staff members must take in order to implement a process and comply with a policy.

With the recent COVID-19 pandemic, business transactions and revenues are down, and we have seen a surge in employee terminations, furloughs and the like. As a result, many businesses are operating with lean staffing, which can cause breakdowns in segregation of duties, intentional or not. Where two persons may have been required by policy pre-COVID to perform an action, e.g. accessing the safe or vault, conducting physical inventory audits or daily cash reconciliation and balancing, the reduction in staff has caused those policies to become lax in order to continue operations. In doing so, many dual control and custody procedures have led businesses to allocate more access control capabilities to those “long-term” or “trusted” employees. Which can lead to situations like the ‘Not him!’ referenced above.

So, what can be done with limited staffing during these times to protect people, brands, and profits? Below are a few best practices that can be applied across any business, large or small:

• Review your internal policies and processes and provide management oversight to ensure that procedures are being adhered to per company policy and that no one person has too much access to a particular asset or function, including:
  • Access device (key, card, combination, code) controls .
  • Dual control/custody system of checks and balances.
    • Ex: verification of deposit preparation, either 2^nd person or virtual (FaceTime, CCTV, Zoom, etc.), bank pick-ups and deposits in person (no night drops if only one person can perform) and confirm deposit or examine credibility of tamper proof deposit bag before leaving (bringing back deposit slip for verification and documentation).
  • Utilize both Employment Background Screening, regardless of the relationship or previous work history, and a true continuous court records monitoring solution to get the whole picture.
  • Require job-specific training that is documented and acknowledged via signature of the trainer and trainee to ensure adequacy, accuracy and completeness.
  • Incorporate random and unannounced internal and external audits, testing the aforementioned policy, process, and procedure with staff. Examples may include:
    • Cash drawer audits, to be performed by employee and management at the beginning and end of shift; cash drawers should be assigned to one user only.
    • Cash drawer documentation, in the event more cash is needed or removed a verifying document should be signed by two people, i.e. employee and management.

These best practices are intended to provide some potential resolutions to but a fraction of the challenges that businesses face in fighting theft. By improving potential vulnerabilities and understanding the importance of applying essential policies, processes, and procedures, businesses can – and do! – reduce the likelihood and severity of loss relating to employee theft.

Remember, cash may be king, but it’s still your kingdom.

As discussed in our most recent LinkedIn post, COVID 19 has forced companies to review and amend their operations top to bottom. And whether these changes are temporary or long-term, one thing is certain: the impact on both business and employee culture is permanent.

The best businesses right now are doing two things: 1) finding ways to stay open and 2) evaluating the future. And the best leaders of these businesses understand the value of employee training, especially in times like these: a safe, secure environment creates well-being for employees and customers, which enables more innovation with less interference. Given the current circumstances, employees want to be sure that their employer is looking out for them. The first step in achieving this (while also keeping the cash registers ringing so that your strategic plan has a future) begins with a wholistic understanding of the business risks. That is, surveying.

While traditional consulting and surveying is simply not plausible right now, recent advancements in technology and encrypted video have made virtual surveying a viable option.  For businesses considering a virtual survey, the team at Lowers & Associates has compiled a list of insights and considerations that may be helpful in your discovery process:

• The primary benefit of virtual surveying is that it can be conducted anytime, anywhere. With no travel, virtual surveying is one of the best ways forward-thinking businesses can control costs.
• Virtual surveys are less disruptive to the organization and provide quicker report-in-hand turn around. This can be a massive advantage for organizations pressed for time or with reduced staff capacity.
• Always a collaborative exercise and NEVER the “lesser of two evils,” virtual surveys can often provide deeper insights than those conducted in-person (sometimes business owners feel more at ease with a physical distance between themselves and the surveyor).
• Rapid advances in technology come with a learning curve. Leading risk mitigation consultants should be versed in a suite of technology applications to successfully execute a virtual survey.
• Information is information, right? Sort of.  Asking the right questions matters, knowing how to analyze the answers makes all the difference, and consistency is king.  Virtual or not, surveyors reviewing requested documentation and/or an audio/visual recording of the survey should be able to turn around the same exact results.
• Consistency is key in both business and surveying. Virtual surveyors should be able to hand over responsibilities to another surveyor if one should fall ill or become unavailable. Process can be both a businesses’ arrow and its Achilles Heel!
• Virtual surveying should include an ability to perform the following:
  • Pre- survey meetings
  • Staff competency and interviews
  • Reviews of:
    • Day to day operations
    • Site physical security
    • Insurance
    • Fiduciary Controls
    • Policy & Procedure
    • Vault construction
    • Crime and illegal activity (Local and Countrywide)
  • Facility Design Consultation
  • Follow up consultation meetings

Adaptation is crucial for businesses during this real-time reinvention of the workplace, and for 30 years, Lowers & Associates has pushed the boundaries of technology to keep those workplaces safe (this includes virtual surveying). #OurWork #Together has also always been collaborative, and so we encourage you to view and share the insights, stories and applicable tips that our team has been publishing at the Lowers & Associates LinkedIn page. If you have any questions, please contact us.

Even before COVID-19 created the social and economic challenges we are currently working through, brick and mortar business owners large and small understood a basic concept that most of the world wasn’t thinking much about: whenever people gather in close proximity, risk is present. The duality here, of course, is that human nature craves connection, but it also endeavors to avoid risk. Or it chooses to ignore it.

Unfortunately, many of the risks business owners face can be unseen, both for themselves and their customers, and those risks can’t be ignored. Regardless of the type of business, the moment the doors open, unique security-related policy and procedure challenges await. The best businesses implement their security-related policy and procedure measures seamlessly – they become part of the experience. This experience is created by design to ensure the health and safety of those both rendering services (staff) and those transacting payments (customers). If insurance teaches us anything, though, it’s that too often ignorance is bliss until reality hits. And if the security design is bad, the claim is worse.

As restrictions are slowly lifted and businesses around the world contemplate re-opening, every owner – from the small neighborhood grocery store with one door to the 100-floor commercial city building with 15 exits – should be using their time right now to examine what re-opening in the current normal looks like. Any measures that have been developed previously to keep customers, employees and visitors safe may need to be re-established or, at a minimum, revisited to conform with current recommendations from both scientific and governmental authorities.

It can’t be stressed enough, though: revisiting (or in some cases rethinking) security-related policy or procedure isn’t something that happens just because a huge reality event like COVID-19 creates global upheaval.  Practicing good habits requires consistency, and it’s with that in mind that our team is currently sharing a series of insights, stories and applicable tips on security that any industry can use over on the Lowers & Associates LinkedIn page.

To provide some guidance for those reevaluating their security measures or that are specifically focused on re-opening, I’ve created a list of 10 suggested actions ANY business can take to remove risk and eliminate potential for loss at any time.

1. Reassess security resource allocation based on operational need and risk.

If you have a business portfolio with multiple locations, consideration should be given to the specific business environment, nature of the threats, existence of any unusual circumstances, and the capacity of local law enforcement to respond.

2.Limit the number of entry/exit points for employees and visitors.

Tightly control ingress and egress for safety and security optimization. Examine operational feasibility before implementation.

3. Consider the reception area.

If security personnel are employed at the location, what role will they now play at the reception area to assist in the enforcement of new practices?

4. Access control measures and mechanisms dependent on fingerprint or a punch code require new safety protocols to be implemented.

This includes visitor management software and the use of tablets for registration.

5. CCTV coverage designed for cash handling or robbery identification should have expanded focal points to include more than just a face shot.

With the use of face masks becoming more frequent for the foreseeable future, at least one camera angle should include the entire body, including shoes. (criminals typically do not ditch their shoes after committing a robbery)

6. Re-evaluate security post orders.

The post orders must reflect any new duties performed and have a sound rationale for deviations. It is possible that actual security posts change based on organizational necessity. Examine any vulnerabilities that exist and how to overcome the risks.

7. Provide written notice to all employees if the security policies or procedures are being altered.

Even if these changes are temporary, this is necessary to ensure expectations are clear.

8. Initiate and document COVID-19 safety training.

Specifically, for security personnel and/or designated employees working the “front lines” of your business. This can expand to all staff as a general safety bulletin and acknowledgement.

9. Expand workplace violence policy (e.g. domestic violence prevention and response) to include all employees working from home.

Work with the Human Resources Department to provide “hotlines” or other resources available should assistance be required. In addition, identify and assess potential insider threats, as more employees and contractors are working remote.

10. Develop a brief but informative training program on basic techniques to de-escalate aggressive behavior in the workplace.

This is especially important for those business that are “customer facing” (e.g. retail/hospitality) or for businesses with a large number of on-site staff and visitors.

In 1947, my Grandma Maggie was involved in a terrible car accident. While a passenger in an automobile heading to visit family, the car ran off a mountainside road near her childhood home in West Virginia. The car tumbled down the mountain and eventually ejected Grandma Maggie from the car. The car rolled on top of her and she lay there pinned under the car for many hours before another passing motorist saw the lights from the crash site. A group of young men were able to get to her, free her and the others, and take them to a hospital.

With her pelvis and hips crushed, she was advised by the doctors that she would never walk again. At the time Grandma was 40 years old and had three kids and a husband at home. My Dad was the oldest of her children and a senior in high school at the time. Determined as ever, Grandma was not going to let the doctors tell her she could not walk. As she lay in bed recovering for nearly six months, she managed to tie a rope around her foot so she could begin to pull her legs upward (one at a time) with her arms to get them working again. There was no physical therapy, no in-home doctor visits, just a will to live and overcome.

Here’s the thing. I never knew my grandma to not walk! She was determined and that determination and grit enabled her to overcome this life changing obstacle. As a kid and all through adulthood, I never heard her mention or complain about her hips, pelvis, or anything else. I never even saw her limp. I knew her as a very active grandma who could do just about anything, including help me skin squirrels, skin and butcher a deer, and clean and prepare a wild turkey (note here: she was actually much better at these things than my grandfather).

Attitude has everything to do with outcome!

We are in a very challenging time currently as the Covid-19 pandemic has affected every corner of our lives today. All of us need to adapt to the new dynamics today and all of us need to adopt a positive attitude that will see us through to the other side of this challenging time. We simply can’t let the effects of this pandemic define us in a negative way. Just as Grandma Maggie was determined to walk again, we need to press forward with a determined attitude to overcome.

All of you continue to be in my thoughts and prayers at this difficult time. As Grandma Maggie would say, “This too shall pass!”

God Bless,

Mark Lowers

In our work in high risk industries, we routinely uncover fraud and asset misappropriations. While it may seem counterintuitive, with the US and global economy currently at a standstill due to COVID-19 shelter at home directives, organizations should be on high alert for occupational fraud during this time. The Fraud Triangle provides a framework for explaining why this is.

Formulated in 1953 by criminologist Donald Cressey, the Fraud Triangle theorizes that fraud occurs when the fraudster feels financial pressure, they are presented an opportunity, and/or the person can rationalize the theft.

With record numbers of Americans filing for unemployment and organizations operating with skeleton crews, the circumstances are ripe for fraud to take place.

A “Perfect Storm” of Conditions

Today, with organizations shut down to outside visitors (including, in some cases, outside auditors) as well as many employees, we are seeing a virtual petri dish for fraud. Two corners of the Fraud Triangle – opportunity and rationalization – are getting bent pretty hard. The third corner, incentive, in the form of extreme pressure, is bent even further. People have less supervision, more opportunity, and way more financial pressure.

So while you’re dealing with this pandemic and the resulting disruption, now more than ever is the time to be vigilant.

Opportunity

The coronavirus pandemic has driven unprecedented change in the workplace. Many employees are either laid off, have taken a pay cut, and/or are working remotely. Those who remain, whether at the workplace or from home, may be working with less supervision than before. In fact, we are seeing many instances where key risk management procedures like dual controls have been weakened or suspended entirely. For example, instead of having two or more employees independently evaluate and compare financial records, now only one employee may be responsible. Or, that supervisory signature normally required on certain transactions? It’s no longer practical given our remote locations, so we’ll just “do it this way” in the interim.

Sound familiar? The problem in these scenarios is that one small transgression that goes unnoticed has a way of snowballing into full-blown fraud.

Rationalization

When opportunity and incentive exist, people are better able to rationalize their fraudulent behavior. That couldn’t be more true than during this pandemic.  “I have to do this to provide for my family. I’ll pay it back later. My employer deserves it for laying me off.” These are some of the underlying rationalizations that turn a fraudster’s underlying thoughts into an actionable theft.

Incentive/Pressure

Financial difficulties are at the top of the list in terms of the pressures that can motivate people to commit acts of fraud. At no other time in modern history have so many people been under such financial strain as they are today.

At the highest of levels of unemployment following the 2008 financial crisis, there were 15.3 million jobless Americans. By the third week of April 2020, 26.5 million workers had filed jobless claims as a result of the coronavirus. An estimated 33 million people are currently unemployed, representing nearly 21 percent of the workforce and the highest unemployment level since 1934. Many who remain employed have agreed to accept pay cuts, work reduced hours, or take unpaid furloughs.

While the $2 trillion stimulus bill, Coronavirus Aid, Relief, and Economic Security Act (CARES), provided some short-term relief, it is likely not enough to stem the extreme financial worry being felt by many who don’t know how they’ll pay next month’s mortgage or cover their car insurance premium.

The pressure is extreme.

The Takeaway? Stay Vigilant

It may be tempting for organizations to be complacent when the world seems at a standstill, but the time to be diligent is now. Businesses should be on “high alert” and taking measures to ensure they’re keeping their operations secure. That includes double checking that access to IT systems and software has been blocked for furloughed employees or that virtual private networks (VPNs) have been created for remote workers. Internal controls should also remain in place, even if they have to be modified temporarily. For example, regularly scheduled phone calls or video conferences send the message that you’re still monitoring employees’ activities. Finally, if you haven’t already done so, it’s a good time to do an updated risk assessment for the entire organization. Asking your team where new vulnerabilities might exist, whether internal controls are still functioning as intended, and what gaps have been created are all part of mitigating the risk potential associated with the Fraud Triangle.

If you’d like help conducting any of these assessments, please reach out to us.