In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory requirements, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex, risk-based reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, lack of industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance-only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance-metrics capability.
Is the added complexity of a risk-based approach worth the effort? …
Preventing organizational fraud demands systematic planning and implementation. This entire process, from inception and assessment to performance evaluation, is complex, even in smaller organizations. Yet the payoff for the effort can be huge.
In this post, we offer an overview of the elements of a fraud prevention program that would be useful in any organization. Summarized from Managing the Business Risk of Fraud: A Practical Guide, produced by a consortium of associations, the guidelines point to specific steps managers can take to implement an effective fraud prevention program. …
Occupational fraud is a huge drain on organizations’ resources, causing an estimated global loss of $3.7 trillion annually. And according to the Association of Certified Fraud Examiners’ (ACFE) 2014 study, just 14% of defrauded organizations are able to fully recover their losses.
Fraud is a very real threat to the bottom line of almost every organization in our economy. But it can be prevented, or at least mitigated.
There are three steps in setting up a fraud prevention program in your organization:
- Understand what fraud is and how it is likely to emerge.
- Identify potential sources of fraud in your organization.
- Take steps to prevent fraud through processes or controls.
Ultimately, a healthy anti-fraud corporate culture that permeates from the top down will make your organization more crime resistant. This will take time to nurture, and it will take continuous effort to sustain, but in the end you can make occupational fraud an extinct disease in your workplace.
…
What do NSA and Target Corporation have in common? They both have enormous databases of sensitive information about individuals that have been penetrated by the likes of Snowden, Wikileaks, and worse criminal conspiracies. According to James D. Ratley, President and CEO of the Association of Certified Fraud Examiners, cybercrime is one of the biggest emerging fraud threats in 2014.
Ratley mentions hacking schemes like the one that shocked Target, as well as other malicious activities like malware and phishing schemes. He rightly says that these schemes can be foisted on individuals, small or large businesses, or any type of organization.
But we think there is a very good reason why cybercrime could be the biggest emerging fraud threat for years to come. It is rooted in the fact that organizations will not forgo the tremendous power of networked computers and huge databases, and these are rapidly evolving. Every innovation in automated business processes creates new opportunities for hackers. The prize at stake is huge. …
It’s that time of year when we have resolved to do better. Most business owners or managers have probably resolved to increase revenue and profits in the New Year. We urge you to include improving your risk management performance, too. By identifying and mitigating the risks you face, those bottom-line resolutions you make are more likely to come true. You need to reduce losses as well as increase revenue.
First, Have a Risk Management Plan
The first resolution has to be to have a risk management plan, and implement it. We sometimes get so immersed in our own work that we forget that there are managers and companies who do not take adequate steps to identify and manage the risks to their businesses. And others have a mistaken belief that they have a risk management plan just because they bought some insurance.
Some recent research by Chubb Group of Insurance Companies shows that both public and smaller private companies have significant gaps in risk management. A 2012 survey of public companies found that two out of three companies still do not have cyber insurance, even though an electronic breach of data was seen as the most pressing risk. Similarly, 42% of these companies reported experiencing an employment practices liability event, yet some of them still do not have risk management tactics in place to mitigate this risk.
A related study conducted in 2013 found that smaller private companies may have invested even less in risk management, despite the fact that one third of them experienced a loss event in the past three years. Those that do take risk mitigation steps, like background screening, often misuse the tactics. Some key findings from that research include:
- Most firms believed their general liability insurance protected them from most of the risks they face, including cyber losses, fiduciary liability, and employment practices liabilities.
- 42% of the companies had broad exclusionary policies toward criminal backgrounds, exposing them to legal action by the EEOC or other agencies.
- 68% of companies use social media, but only 12% have usage policies for employees.
- Many companies use cloud providers for data storage, but only half of these have plans in place for cyber breaches.
There is a lot of room for improvement. …