Business Continuity Plans (BCPs) are funny things.

At their most basic, BCPs are the real-world response to the old “Hope for the best, Plan for the worst” adage.  It’s honest recognition that being stuck between a rock and hard place is better with a hammer, albeit with no guarantee that the hammer is big or small enough to be helpful.

Nonetheless, a well-conceived BCP provides peace of mind, like insurance does, with the added satisfaction that only authorship (or ownership?) brings.  The rub, of course, is that every BCP is, at the end of the day, still just a plan.  As boxer, actor, felon, playwright and corporate strategist ’Iron‘ Mike Tyson once famously said, “Everyone has a plan until they get punched in the mouth.”

Indeed.  Because sometimes pipes break in the 2^nd floor ceiling of your office and leak antifreeze everywhere.  And because, other times, there’s COVID-19.

The benefit of having a BCP plan in place to manage either situation is that, well, there is at least a plan.  And despite what Kid Dynamite says, the real truth is that any company with a plan retains, at the very least, a fighting chance to get back up after they’ve been hit.

For Lowers Risk Group, like many others, COVID hit our industry, our business – our people.  We were fortunate, though: our Business Continuity Plan was 5 years in the making.  It didn’t matter, until it did.

Back in 2015, CTO David Lowers, Chief Security Officer Joe Labrozzi and Director of IT and Security Chris Sosnoski recognized the need for our growing staff to have partially, if not fully, remote capabilities.  What was initially driven by space concerns evolved with the access to and the ability of new technology to support fully secure, remote work that reduced cost, increased efficiency and enabled greater flexibility that could support new business opportunities within Lowers Risk Group.  With this foundation in place, Lowers, Sosnoski and Labrozzi were able to take the organization’s global footprint of over 550 people (spread over 3 continents) to fully remote in less than 2 weeks with zero business interruption when COVID hit.

And though Facilities might disagree, being fully remote due to COVID made the impact of that leaky pipe one less headache to manage when stress levels are already elevated.

We asked Labrozzi and Sosnoski to tell #OurStory of transition to a fully remote work environment.  We asked them what made it possible and to share a few insights that could help other organizations with the creation and implementation of their own BCPs to author their future resilience.  Below is a transcript of our conversation.

On behalf of the entire organization – thank you both for your efforts and keeping the organization on its feet as COVID hit.  How did your teams manage this transition?

Sosnoski
Our ability to go remote during COVID was strategic and began 5 years go.  Wholesale Screening Solutions, our largest division at Lowers Risk Group, was beginning to test our space limitations.  At that time, the VA HQ had about 400 people on-site.  Additionally, the Wholesale team recognized a need that they had to hire in different areas, not just in VA HQ.  We were tasked with how to support that, and it was clear we had to embrace the cloud.  Buy-in from David and other executive leadership there was the first step.

Labrozzi
What really drove the process was what was happening in Wholesale’s Georgia office, our first off-site campus.  We needed a base to get our people into the courts to do research.  That organically began to create resiliency in our operations – rather than rent out trailers, for example, in the event of something happening, our second location offered redundancies as technology matured.  As we gained more experience managing this remote location in GA from our VA HQ, we saw it was possible to have and manage a remote workforce while still doing secure work.  We then built a series of processes around this concept that laid the foundation for more remote work, and we’ve been working at that ever since.

Sosnoski
Right before COVID hit, for example, we launched phase 1 a Unified Communications as a Service (UCaaS) initiative with plans to roll-out Phases 2 and 3 in the coming months.  What would have been a much more measured roll-out was accelerated by COVID.  But, had we not been building towards that – not just with the UCaaS launch, but all the work leading up to the launch – it would not have been as easy or seamless.  However, we had our BCP in place and were able to activate it,.  Our teams stepped up and, again, the full support of leadership helped make it happen.

What were the steps you were taking to build that initial foundation over 5 years?

Sosnoski
The goal was always to keep the working experience as secure and as available as possible, so it was about taking small bites at the apple.  Exploring, testing, and implementing remote training, for example.  Cloud-based email.  Our UCaaS environment.  We were able to leverage cloud resources like Microsoft, Adobe, Salesforce, AWS and Zscaler to achieve this.

The complicating factor was the cost associated with it – we had to be willing and able to spend monthly on subscription services.  For a while, that was a barrier, but we continued to make the business case while moving from a hybrid environment to a cloud environment.  Transitioning the phone system to UCaaS, for example, was a two-and-a-half-year effort to make happen and now our teams are loving the flexibility it offers.  Our teams can do remote assessments and maintain contact with each other and clients easily.

How did you each manage the workload during the COVID transition to remote work?

Labrozzi
Teamwork.  At VA HQ, Chris and I have sat next to each other for years, so we have a great working relationship – that’s part of the culture at LRG, which is probably also a reason the transition was smooth.  But it’s about the quality of who you work with.  Chris’ IT team knows what needs to get done – they’re reliable and fast.  I focused on the human capital element, making sure that we were dealing effectively with any productivity concerns, making sure teams were staying connected.  We all operate from a leadership mindset and depend on each other to play our parts.

Sosnoski
The real risk in remote work is not technology, it’s management process.  My team trusts each other to get things done.  When COVID hit, we found a useful strategy was to use quick, daily stand-up meetings.  For the most part, these types of meetings continue in some capacity across all departments; I know upper management remains committed to finding one-on-one time for their direct reports.  Process is super important in all this, but equally so is everyone’s ability to do their job.

Any key takeaways to offer other organizations from your experience?

Sosnoski – I think there’s really three that worked for us:

• We started planning early and had already explored the risk environment, developed the processes that would provide us a path of least resistance to continuity and had leadership buy-in.
• We identified the right digital tools and had assessed, budgeted for and tested them as part of the plan strategically; having to do this during COVID would have been very difficult.
• We were all aligned on the work that had to be done to achieve the vision; for us that was finding a secure, scalable and available environment to perform our risk mitigation work.

Lowers Risk Group provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly regulated environments and organizations that value risk mitigation.  Our human capital and specialized industry enterprise risk management solutions protect people, brands, and profits from avoidable loss and harm.  With Lowers Risk Group you can expect a strategic, focused approach to risk assessment, compliance, and mitigation to help drive your organization forward with confidence.  Contact us.

By Neil Watson and Keith Gray

Insurance loss happens for many reasons.  For a business, common causes include armed robbery, theft, customer injury, floods, fires, and storm damage; but any natural disaster, large-scale event, or man-made act can bring about a claim.  When an event involves the loss of physical stock or damage to property, the loss is immediate, and it creates an urgent need for the business owner to settle the claim so that the business can resume operations and avoid further lost revenue.

This desire to quickly return to business as usual is a natural one, but in the wake of an event, it’s not uncommon for the resolution process to test the business owners’ resolve.  And while most claims post-incident are legitimate, from time-to-time, human emotions will complicate the process and create an environment that enables fraudulent activity, sometimes in unexpected ways.

Why Does Insurance Fraud Happen?

The Fraud Triangle provides all the insight required to answer this question.  Our team has written extensively on this, but Donald Cressey’s hypothesis in his book “Other People’s Money” says it all: Trusted persons become trust violators when they conceive of themselves as having a financial problem which is non-shareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation.”

It’s true that some fraudulent claims start out as legitimate but become ‘exaggerated’ during the claims process due to perceived opportunity.  In other cases, if the business is not doing well and is losing money, desperation can create enough pressure to commit fraud.  In rare cases, the fraud may involve large organized criminal gangs; these are often well-planned and involve multiple parties where the sole intent of the activity is a rational attempt to defraud an insurance provider.

It’s for these reasons that impartial guidance through the claims process is crucial.  As an insured, it is important to work closely with your insurance broker and the loss adjuster in preparing your claim and validating your losses.  Without this professional assistance and oversight, fraud can easily find its way into the conversation.

How Does Insurance Fraud Happen?

Below are a few examples of insurance fraud we’ve seen over the years at Lowers & Associates:

• ‘Padding’ legitimate claims to increase the claim amount
• Including losses from previous shortages or events within a big ‘single event’ claim
• Manipulating inventory, possibly running two sets of books, to allow for the tracking of actual inventory versus the falsely reported inventory
• Exaggerating the damage suffered as a result of a natural disaster (storm), or even causing some additional damage not caused by the original disaster
• Committing arson
• Staging accidents or thefts

The current COVID-19 situation globally, coupled with other localized events (recent looting losses in the U.S. or the extreme poverty facing certain areas in Brazil), is resulting in retail sales for certain sectors falling by over 50% and as much as 100%, which is clearly not sustainable.

In such unprecedented times as these, the possibility of a spike in fraudulent claims is a real concern. There is an increase in both the pressure and opportunity factors, resulting in an increased likelihood that potential perpetrators may rationalize their fraudulent thoughts and act on them as a result. For business owners, it can be hard to find consistency and understand what their default problem-solving steps should be.  When the Lowers & Associates team is presented with uncertainty, we often lean on process and procedure to identify a way forward in our work together with clients.  This path can always be informed by intuition, experience, and empathy, but for a business, without process and procedure to provide impartiality, the risk of insurance fraud increases significantly.

What Can You Do About It?

Ideally insurers would commission a pre-risk survey to establish security protections, stock levels, and standard operating procedures to satisfy themselves that the risk meets their requirements.  While this is recommended, it is not always feasible due to time or cost restraints.

Post-event, once a claim has been filed, relying on the findings of a law enforcement investigation may not be feasible due to timing or any related circumstances related to the event (especially if it’s large-scale or a natural disaster).  And even if law enforcement is doing an investigation on an event, it may not be a priority, creating an extended period of uncertainty.  Lastly, law enforcement may also be very hesitant to provide any info that they do have knowledge of, especially when it is an active investigation.

To manage this process, business owners and insurers need independent third parties that are flexible, have experience across multiple industries and can dedicate the appropriate time required to work through a claim (i.e. gathering facts, evidence and necessary documents) to support the basis of the claim.  For truly complex fraud matters, business owners and insurers should expect the third party to have a Special Investigations Unit (SIU) with extensive experience in technical surveillance countermeasures (TSCM) and counterintelligence that regularly work on international assignments.

With enterprise risk mitigation and insurance solutions that include UAV/UAS, special investigations, forensic accounting, loss adjusting and more, Lowers Risk Group stands ready to support our clients through the claims process with the speed, accuracy and dedication you’ve come to expect from over 30 years in the business.  To learn more, contact us.

About the Authors

Neil Watson brings nearly 30 years of insurance industry experience to Lowers & Associates, where he currently serves as Global Operations Director.  With key insurance industry relationships in both the London and International insurance markets, Neil’s primary responsibility is to grow all verticals and assist in building out L&A’s claims adjusting capabilities.

Keith Gray has been with Lowers & Associates for over 15 years and currently serves as the VP of Client Relations.  In his current role, Keith provides oversight with respect to program coordination, management of a nationwide team of industry professionals, investigation, and client communication.  Keith possesses a degree in Accounting and is certified as both a Certified Fraud Examiner (CFE) and Certified Anti-Money Laundering Specialist (CAMS).

“I knew him for years. He was like family. How could he do this to me and my business?”

It’s an all-too-familiar question after a long-term or trusted employee is caught or suspected of stealing from a company. So, what happens that makes it all go so wrong?

Simply put, cash is the great attractor – while we all interpret that lure differently, its visceral, kindly promise of freedom occasionally becomes too irresistible for human nature to ignore. Many businesses are not aware of, or at least, are not able to consistently identify, hire, educate and train around this fact. In CIT and Security, the breakdown is most often in one or more of The Three P’s (Policy, Process, and Procedure), but it’s certainly not an isolated phenomenon. Retail establishments, financial institutions and more all struggle with it.

The Three P’s are designed to reduce and control both the likelihood (risk probability) and severity (risk impact) of loss relating to risk; in this example, employee theft. For context:

• Policy is a rule or set of guidelines;
• Process is a high-level set of criteria that must happen in order to ensure compliance with a policy; and
• Procedure is a specific, detailed series of actions that staff members must take in order to implement a process and comply with a policy.

With the recent COVID-19 pandemic, business transactions and revenues are down, and we have seen a surge in employee terminations, furloughs and the like. As a result, many businesses are operating with lean staffing, which can cause breakdowns in segregation of duties, intentional or not. Where two persons may have been required by policy pre-COVID to perform an action, e.g. accessing the safe or vault, conducting physical inventory audits or daily cash reconciliation and balancing, the reduction in staff has caused those policies to become lax in order to continue operations. In doing so, many dual control and custody procedures have led businesses to allocate more access control capabilities to those “long-term” or “trusted” employees. Which can lead to situations like the ‘Not him!’ referenced above.

So, what can be done with limited staffing during these times to protect people, brands, and profits? Below are a few best practices that can be applied across any business, large or small:

• Review your internal policies and processes and provide management oversight to ensure that procedures are being adhered to per company policy and that no one person has too much access to a particular asset or function, including:
  • Access device (key, card, combination, code) controls .
  • Dual control/custody system of checks and balances.
    • Ex: verification of deposit preparation, either 2^nd person or virtual (FaceTime, CCTV, Zoom, etc.), bank pick-ups and deposits in person (no night drops if only one person can perform) and confirm deposit or examine credibility of tamper proof deposit bag before leaving (bringing back deposit slip for verification and documentation).
  • Utilize both Employment Background Screening, regardless of the relationship or previous work history, and a true continuous court records monitoring solution to get the whole picture.
  • Require job-specific training that is documented and acknowledged via signature of the trainer and trainee to ensure adequacy, accuracy and completeness.
  • Incorporate random and unannounced internal and external audits, testing the aforementioned policy, process, and procedure with staff. Examples may include:
    • Cash drawer audits, to be performed by employee and management at the beginning and end of shift; cash drawers should be assigned to one user only.
    • Cash drawer documentation, in the event more cash is needed or removed a verifying document should be signed by two people, i.e. employee and management.

These best practices are intended to provide some potential resolutions to but a fraction of the challenges that businesses face in fighting theft. By improving potential vulnerabilities and understanding the importance of applying essential policies, processes, and procedures, businesses can – and do! – reduce the likelihood and severity of loss relating to employee theft.

Remember, cash may be king, but it’s still your kingdom.

As discussed in our most recent LinkedIn post, COVID 19 has forced companies to review and amend their operations top to bottom. And whether these changes are temporary or long-term, one thing is certain: the impact on both business and employee culture is permanent.

The best businesses right now are doing two things: 1) finding ways to stay open and 2) evaluating the future. And the best leaders of these businesses understand the value of employee training, especially in times like these: a safe, secure environment creates well-being for employees and customers, which enables more innovation with less interference. Given the current circumstances, employees want to be sure that their employer is looking out for them. The first step in achieving this (while also keeping the cash registers ringing so that your strategic plan has a future) begins with a wholistic understanding of the business risks. That is, surveying.

While traditional consulting and surveying is simply not plausible right now, recent advancements in technology and encrypted video have made virtual surveying a viable option.  For businesses considering a virtual survey, the team at Lowers & Associates has compiled a list of insights and considerations that may be helpful in your discovery process:

• The primary benefit of virtual surveying is that it can be conducted anytime, anywhere. With no travel, virtual surveying is one of the best ways forward-thinking businesses can control costs.
• Virtual surveys are less disruptive to the organization and provide quicker report-in-hand turn around. This can be a massive advantage for organizations pressed for time or with reduced staff capacity.
• Always a collaborative exercise and NEVER the “lesser of two evils,” virtual surveys can often provide deeper insights than those conducted in-person (sometimes business owners feel more at ease with a physical distance between themselves and the surveyor).
• Rapid advances in technology come with a learning curve. Leading risk mitigation consultants should be versed in a suite of technology applications to successfully execute a virtual survey.
• Information is information, right? Sort of.  Asking the right questions matters, knowing how to analyze the answers makes all the difference, and consistency is king.  Virtual or not, surveyors reviewing requested documentation and/or an audio/visual recording of the survey should be able to turn around the same exact results.
• Consistency is key in both business and surveying. Virtual surveyors should be able to hand over responsibilities to another surveyor if one should fall ill or become unavailable. Process can be both a businesses’ arrow and its Achilles Heel!
• Virtual surveying should include an ability to perform the following:
  • Pre- survey meetings
  • Staff competency and interviews
  • Reviews of:
    • Day to day operations
    • Site physical security
    • Insurance
    • Fiduciary Controls
    • Policy & Procedure
    • Vault construction
    • Crime and illegal activity (Local and Countrywide)
  • Facility Design Consultation
  • Follow up consultation meetings

Adaptation is crucial for businesses during this real-time reinvention of the workplace, and for 30 years, Lowers & Associates has pushed the boundaries of technology to keep those workplaces safe (this includes virtual surveying). #OurWork #Together has also always been collaborative, and so we encourage you to view and share the insights, stories and applicable tips that our team has been publishing at the Lowers & Associates LinkedIn page. If you have any questions, please contact us.

Even before COVID-19 created the social and economic challenges we are currently working through, brick and mortar business owners large and small understood a basic concept that most of the world wasn’t thinking much about: whenever people gather in close proximity, risk is present. The duality here, of course, is that human nature craves connection, but it also endeavors to avoid risk. Or it chooses to ignore it.

Unfortunately, many of the risks business owners face can be unseen, both for themselves and their customers, and those risks can’t be ignored. Regardless of the type of business, the moment the doors open, unique security-related policy and procedure challenges await. The best businesses implement their security-related policy and procedure measures seamlessly – they become part of the experience. This experience is created by design to ensure the health and safety of those both rendering services (staff) and those transacting payments (customers). If insurance teaches us anything, though, it’s that too often ignorance is bliss until reality hits. And if the security design is bad, the claim is worse.

As restrictions are slowly lifted and businesses around the world contemplate re-opening, every owner – from the small neighborhood grocery store with one door to the 100-floor commercial city building with 15 exits – should be using their time right now to examine what re-opening in the current normal looks like. Any measures that have been developed previously to keep customers, employees and visitors safe may need to be re-established or, at a minimum, revisited to conform with current recommendations from both scientific and governmental authorities.

It can’t be stressed enough, though: revisiting (or in some cases rethinking) security-related policy or procedure isn’t something that happens just because a huge reality event like COVID-19 creates global upheaval.  Practicing good habits requires consistency, and it’s with that in mind that our team is currently sharing a series of insights, stories and applicable tips on security that any industry can use over on the Lowers & Associates LinkedIn page.

To provide some guidance for those reevaluating their security measures or that are specifically focused on re-opening, I’ve created a list of 10 suggested actions ANY business can take to remove risk and eliminate potential for loss at any time.

1. Reassess security resource allocation based on operational need and risk.

If you have a business portfolio with multiple locations, consideration should be given to the specific business environment, nature of the threats, existence of any unusual circumstances, and the capacity of local law enforcement to respond.

2.Limit the number of entry/exit points for employees and visitors.

Tightly control ingress and egress for safety and security optimization. Examine operational feasibility before implementation.

3. Consider the reception area.

If security personnel are employed at the location, what role will they now play at the reception area to assist in the enforcement of new practices?

4. Access control measures and mechanisms dependent on fingerprint or a punch code require new safety protocols to be implemented.

This includes visitor management software and the use of tablets for registration.

5. CCTV coverage designed for cash handling or robbery identification should have expanded focal points to include more than just a face shot.

With the use of face masks becoming more frequent for the foreseeable future, at least one camera angle should include the entire body, including shoes. (criminals typically do not ditch their shoes after committing a robbery)

6. Re-evaluate security post orders.

The post orders must reflect any new duties performed and have a sound rationale for deviations. It is possible that actual security posts change based on organizational necessity. Examine any vulnerabilities that exist and how to overcome the risks.

7. Provide written notice to all employees if the security policies or procedures are being altered.

Even if these changes are temporary, this is necessary to ensure expectations are clear.

8. Initiate and document COVID-19 safety training.

Specifically, for security personnel and/or designated employees working the “front lines” of your business. This can expand to all staff as a general safety bulletin and acknowledgement.

9. Expand workplace violence policy (e.g. domestic violence prevention and response) to include all employees working from home.

Work with the Human Resources Department to provide “hotlines” or other resources available should assistance be required. In addition, identify and assess potential insider threats, as more employees and contractors are working remote.

10. Develop a brief but informative training program on basic techniques to de-escalate aggressive behavior in the workplace.

This is especially important for those business that are “customer facing” (e.g. retail/hospitality) or for businesses with a large number of on-site staff and visitors.