In general, compliance is conforming to particular expectations, standards, or behaviors, whereas risk is an exposure to potential loss or injury. When we think of compliance in the security arena, it often means that you are following prescribed standards, which could be regulatory, industry best practices, or standards that are otherwise customized or company specific.
While compliance and risk often follow the same path, a compliance audit or survey is often performed with a one-size-fits-all “compliance only” approach, as opposed to one that requires more complex reasoning.
Some may question the rationale of compliance if risk is not a constant consideration. Lack of experience, industry knowledge, or even simply lack of time can hinder the ability to take a more risk-based direction. After all, taking a compliance-only approach simplifies the security audit process by allowing for uniform application, reduced subjectivity and error in assessment, and strong performance metrics capability.
Fraud is a very real threat to the bottom line of almost every organization in our economy. But it can be prevented, or at least mitigated.
There are three steps in setting up a fraud prevention program in your organization:
Understand what fraud is and how it is likely to emerge.
Identify potential sources of fraud in your organization.
Take steps to prevent fraud through processes or controls.
Ultimately, a healthy anti-fraud corporate culture that permeates from the top down will make your organization more crime resistant. This will take time to nurture, and it will take continuous effort to sustain, but in the end you can make occupational fraud an extinct disease in your workplace.
What do NSA and Target Corporation have in common? They both have enormous databases of sensitive information about individuals that have been penetrated by the likes of Snowden, Wikileaks, and worse criminal conspiracies. According to James D. Ratley, President and CEO of the Association of Certified Fraud Examiners, cybercrime is one of the biggest emerging fraud threats in 2014.
Ratley mentions hacking schemes like the one that shocked Target, as well as other malicious activities like malware and phishing schemes. He rightly says that these schemes can be foisted on individuals, small or large businesses, or any type of organization.
But we think there is a very good reason why cybercrime could be the biggest emerging fraud threat for years to come. It is rooted in the fact that organizations will not forego the tremendous power of networked computers and huge databases, and these are rapidly evolving. Every innovation in automated business processes creates new opportunities for hackers. The prize at stake is huge.
All organizations are vulnerable to occupational fraud, and that fraud costs an enormous amount of money ($652 billion a year in the US according to ACFE research as summarized in this occupational fraud infographic). As a result, a comprehensive fraud risk management policy is an essential component of an overarching enterprise risk management plan.
Your fraud risk management policy stems from the risk analysis that must underlie the policy. That is, identifying the concrete organization-specific fraud risks that must be mitigated.
Systematic planning and implementation across these five basic areas will put your fraud risk management program on the path to success.
1. Identify a “risk owner” in your organization.
Upper management must be engaged in policies aimed to mitigate risk. Part of this is that responsibility has to be clear – wishful groupthink won’t cut it. With respect to fraud risks in particular, a member of upper management should be charged to organize and carry out the risk analysis, including how identified risks should be managed. As with every important management function, this function will include process definition, goal setting, measurement, and reporting on a timely basis.
According to ACFE estimates, fraud costs organizations fully 5% of annual top-line revenue. This enormous cost is serious enough, but it is compounded by the fact that fraud is a hidden crime that erodes an organization’s capacity from within.
Consequences can go beyond monetary losses to inflict damage on morale, trust and transparency. These kinds of costs endure far beyond the triggering event.
Recognition is the First Step in Fighting Fraud
In 1973, criminologist Donald Cressey first published his theory about fraud, highlighting the now famous “fraud triangle”, which says fraud occurs when the fraudster feels financial pressure, his or her organization presents an opportunity, and the person can rationalize the theft.
The first few words of his hypothesis capture the essence of this crime, and why it is difficult to confront: “Trusted persons become trust violators…” In other words, there is an internal conversion that turns an employee (at any level) into a thief.
The value of the fraud triangle is that it helps us to look at the objective factors that have to be present for fraud to occur. Recognizing these objective factors helps to define actions you can take to help prevent fraud, partly through organizational policy controls and partly through managing the relationship with employees to encourage openness and trust.
Our latest infographic summarizes the factors that must be present for fraud to occur, and gives you a few ideas about how to combat it.