“I knew him for years. He was like family. How could he do this to me and my business?”

It’s an all-too-familiar question after a long-term or trusted employee is caught or suspected of stealing from a company. So, what happens that makes it all go so wrong?

Simply put, cash is the great attractor – while we all interpret that lure differently, its visceral, kindly promise of freedom occasionally becomes too irresistible for human nature to ignore. Many businesses are not aware of, or at least, are not able to consistently identify, hire, educate and train around this fact. In CIT and Security, the breakdown is most often in one or more of The Three P’s (Policy, Process, and Procedure), but it’s certainly not an isolated phenomenon. Retail establishments, financial institutions and more all struggle with it.

The Three P’s are designed to reduce and control both the likelihood (risk probability) and severity (risk impact) of loss relating to risk; in this example, employee theft. For context:

• Policy is a rule or set of guidelines;
• Process is a high-level set of criteria that must happen in order to ensure compliance with a policy; and
• Procedure is a specific, detailed series of actions that staff members must take in order to implement a process and comply with a policy.

With the recent COVID-19 pandemic, business transactions and revenues are down, and we have seen a surge in employee terminations, furloughs and the like. As a result, many businesses are operating with lean staffing, which can cause breakdowns in segregation of duties, intentional or not. Where two persons may have been required by policy pre-COVID to perform an action, e.g. accessing the safe or vault, conducting physical inventory audits or daily cash reconciliation and balancing, the reduction in staff has caused those policies to become lax in order to continue operations. In doing so, many dual control and custody procedures have led businesses to allocate more access control capabilities to those “long-term” or “trusted” employees. Which can lead to situations like the ‘Not him!’ referenced above.

So, what can be done with limited staffing during these times to protect people, brands, and profits? Below are a few best practices that can be applied across any business, large or small:

• Review your internal policies and processes and provide management oversight to ensure that procedures are being adhered to per company policy and that no one person has too much access to a particular asset or function, including:
  • Access device (key, card, combination, code) controls .
  • Dual control/custody system of checks and balances.
    • Ex: verification of deposit preparation, either 2^nd person or virtual (FaceTime, CCTV, Zoom, etc.), bank pick-ups and deposits in person (no night drops if only one person can perform) and confirm deposit or examine credibility of tamper proof deposit bag before leaving (bringing back deposit slip for verification and documentation).
  • Utilize both Employment Background Screening, regardless of the relationship or previous work history, and a true continuous court records monitoring solution to get the whole picture.
  • Require job-specific training that is documented and acknowledged via signature of the trainer and trainee to ensure adequacy, accuracy and completeness.
  • Incorporate random and unannounced internal and external audits, testing the aforementioned policy, process, and procedure with staff. Examples may include:
    • Cash drawer audits, to be performed by employee and management at the beginning and end of shift; cash drawers should be assigned to one user only.
    • Cash drawer documentation, in the event more cash is needed or removed a verifying document should be signed by two people, i.e. employee and management.

These best practices are intended to provide some potential resolutions to but a fraction of the challenges that businesses face in fighting theft. By improving potential vulnerabilities and understanding the importance of applying essential policies, processes, and procedures, businesses can – and do! – reduce the likelihood and severity of loss relating to employee theft.

Remember, cash may be king, but it’s still your kingdom.

Every day there are things that can go wrong in organizations. And sometimes they do, often taking an organization by total surprise. Assessing what threats exist from the HR perspective can give an organization a far greater chance to minimize and even prevent the potential loss. When unforeseen threats transform into a situation, the effect can ripple from those directly involved all the way out to customers or even beyond the organization’s operations altogether and into the realm of reputation.

“People are at the core of each major risk. If not as part of the problem, then as part of the solution.” — DELOITTE, 2012 REPORT

Understanding the threats and managing the associated risks are imperative at every level of an organization – because it’s the people (the human capital) who are supporting the organization at every level. Risks can present in different forms such as: complacency, turnover, occupational fraud, catastrophic workplace events, and negligent hiring and retention. In fact, human capital is one of the most pressing corporate risks, evidenced by its continuous presence on the Government Accountability Office (GAO)’s high risk list. Human capital risk should be on your radar too.

… Continue reading

As we look toward 2016, we thought it might be useful to get a quick big picture on organizational fraud for context. We have been posting about the causal factors driving fraud and urging you to develop an effective risk-based prevention program. Now, here’s the why: 16 facts about fraud drawn from the 2014 ACFE Report to the Nations that should make it relevant to you. … Continue reading

Ordinary people can do extraordinary things, including committing fraud. The question is, what motivates an ordinary person to morph into a fraudster?

“Pressure,” or motivation, is one of the three causal factors of Donald Cressey’s Fraud Triangle, along with opportunity and rationalization. A quick summary of the theory is that a person commits fraud when under difficult or threatening personal circumstances (pressure) and he or she has access to a valuable target for personal gain (opportunity) that they can justify internally (rationalization).

The pressure factor in fraud risk is idiosyncratic and dynamic. Individuals’ circumstances are as highly varied as their perceptions and reactions are to them. The main thing is that the propensity for fraud emerges when a person’s circumstances create perceived pressure that leads him or her to exploit an opportunity when it appears. In other words, every person in every organization has the potential to commit fraud under the right combination of circumstances. … Continue reading

As part of the annual fraud awareness week, we wanted to bring you a quick summary of the principles of fraud risk management. These points are based on an extensive review titled Managing the Business Risk of Fraud: A Practical Guide.

As the Practical Guide emphasizes, “An organization should strive for a structured as opposed to a haphazard approach.” The Guide is a good place to start developing a fraud prevention and detection program as part of your overall risk management efforts (or structuring a review of an existing program). But as always, diving into the details of organizing and implementing a program like this requires significant effort. Skipping steps or making assumptions about risks and mitigation practices without systematic assessment will often lead to gaps or weaknesses in the plan. … Continue reading