College Admissions Scandal: Are We too Quick to Blame the Institutions?

By Lowers & Associates


The college admissions scandal has caused quite a stir in the media over the last few weeks. The stories have varied and the fraudsters are unique to each situation, but in the end it’s the same old tale: the rich use money and power to influence the morally weak and advance those closest to them to undeserved positions of grandeur. The key in this case is that schools across the US are being brought down to the same level as the criminals and fraudsters that perpetrated the crime in the first place.

Yale University, founded in 1701, has graduated five U.S. Presidents, and prides itself on its motto, ‘Lux et veritas’ or in English “Light and Truth.” However, a Yale soccer coach was able to pull off a scholarship-based fraud in which a student was accepted without merit. Is this Yale’s fault? Perhaps in part, but I would like to blame it on a much larger, systematic fraud scheme that can easily be discovered and rectified with appropriate planning and execution.

Other schools were involved in Title IX fraud, SAT proctoring schemes, and direct fraud from payoffs or bribes. Each school left a back door open for a fraudster to come barging through and in the end, will be sued for millions of dollars. These lawsuits, some frivolous and others merited, will need to be tried and tested. What can your institution do to avoid situations such as this?

In our experience, fraud is perpetrated in larger educational institutions and corporations when the controls break down or are antiquated. There are simple ways to enhance controls and become a much more aware organization.

Some important tips that we feel will mature your organizational fraud prevention controls are below.

Enhance Internal Controls

When looking at sophisticated organizations such as a university, one might think that internal controls are deployed across the enterprise. However, this was not the case in athletics, where some of the fraud was perpetrated. Entities should implement enterprise-wide systems of internal “dual control” whereby a minimum of two people are involved in the decision-making process/function. The purpose of dual control is to deter fraud, provide a properly documented audit trail, maintain quality assurance, and prevent extortion. This dual control process creates a system of “checks and balances” in which a single person (authorized person(s) within a department) does not have the sole authority to decide without the verification and approval conducted by a secondary and separate department (authorized person(s) within that department). This helps to mitigate the potential for collusion. These obvious changes can deter fraudulent actions and lead to much more effective fraud deterrence. Internal control is vital when trying to ensure that protocols and regulations are carried out according to policy.

Make Your Organizations Aware, and Force Reporting

Create a fraud risk policy with demonstrative cases that establish consequences for perpetrators. It sounds simple, but this is a critical step in setting up the consequential deterrence that is sometimes needed to stop amateur fraudsters. If individuals in the organization are aware that management is looking for certain types of fraud, they might think twice before acting.

An additional aspect of organizational awareness is to implement reporting. In any instance where there is a violation of policies or an employee feels there is a violation by someone else, encourage reporting. Anonymous reporting/tip lines have historically been the number one means by which occupational fraud is discovered. These reports and tips need to be vetted and followed up to ensure there are consequences. As the fraud risk policy matures, there should be a noticeable difference that will help secure organizations from becoming victims of fraud.

Know Your People

Fraudsters tend to demonstrate behavioral traits that can indicate they have committed or are candidates to commit fraud. Comprehensive background screening can be the first step in ensuring that there are no concerns prior to offering employment. However, initial background checks are not enough.

Employers and leaders need to listen to what employees are saying. If there are divisional leaders, or in this case coaches and deans, who are deeply respected or far too entrenched in the internal control environment, they can create circumstances that could lead to fraud. For instance, USC, which saw its senior athletic director implicated, fell victim to the college admissions scandal when the water polo coach recruited a student who didn’t even play water polo! Had USC screened each scholarship athlete and ensured there were controls and reporting in place, this could have been avoided. Now, USC is at the mercy of the judicial system.

In conclusion, it is amazing that these events transpired in today’s digital environment, but it clearly demonstrates a lack of understanding when it comes to the willingness of fraudsters to attain what they want. Legacies are now tarnished over the acts of bad actors and their accomplices.

Lowers Risk Group prides itself on delivering solutions to our clients that rectify these types of situations.

Contact us to learn more.

  Category: Risk Management

The Crypto Conundrum: What Are We Insuring?

By Lowers & Associates

With the surge of cryptocurrencies, mainstream investors are looking at them as alternative vehicles for transactions and the storage of value. Despite their relative volatility, they have advantages in permitting transactions of any size on-demand, growing worldwide acceptance, anonymity of stakeholders, and independence from traditional financial institutions.

The security of the blockchain is inherent in its technology. With each step forward in time, as a new block is added to the chain under the guarantees of either proof of work (PoW) or proof of stake (PoS), the record of transactions remains transparent, permanent, and theoretically immutable, as long as the private encryption keys are secure.

Every unit of cryptocurrency is exposed to investment risk, just like any other commodity that is traded in a market. Investors may seek hedges in the market against loss, but this kind of loss is not insurable in the ordinary sense.

So, the general answer to the question “what are we insuring?” is against the loss of value due to institutional failure or theft. But in the case of cryptocurrency, how is the value determined?

The institutional structure of cryptocurrencies is a wild west of new businesses emerging to manage the flow and storage of value. The most prominent type of business in this ecosystem is the exchange, where the market value of crypto can be traded for a traditional fiat currency. You can sell your Bitcoin for U.S. dollars, products or services, or almost any other currency.

Unfortunately, the exchanges have proven to be insecure. Billions of dollars’ worth of cryptocurrency have been stolen by hackers who break into the online system. In an odd feature of the blockchain, it has been possible to see which accounts received the stolen money, but without the encryption keys it cannot be recovered.

Shifting the Risk Offline

A response to the risk of storage of value on a crypto exchange (in a “hot wallet” online) is to move the currency to a “cold wallet” that is offline. In other words, you download the value onto private keys.

Therefore, the insurable event is when either the encryption key or the currency value, or both, are stored offline. Whenever this happens, you are no longer in the purely digital world of the blockchain, and the risk of loss through theft arises.

Insurers will want to replace the fiat currency system’s security rules with procedures and processes that duplicate their functions. For instance, they will want to replace ‘Know Your Customer’ regulations with procedures that identify the owners of the currency and/or encryption keys. They will also want to see custodial procedures that safeguard the offline items with security commensurate to the value.

There is some irony in the fact that the blockchain, which was devised to do away with all the cumbersome regulations of fiat currencies, maintain anonymity, and offer a high level of confidence, is now evolving toward systemic guarantees much like fiat currencies already have. There is a cost for having secure transactions and storage.

For much more information about cryptocurrency storage and transportation, see our new white paper, Custodial Crypto Transportation and Storage: Understanding the Risks.

  Category: Custodial Crypto

4 Step Approach to Building Your Business Continuity Plan

By Lowers & Associates

To stay prepared, organizations must expect the unexpected. Business Continuity Planning (BCP) addresses the need to have contingency plans in place to deal with potential threats that can turn an organization on its head. Continuity planning is a necessary part of coming out on top in the face of the most challenging circumstances such as a natural disaster, a significant market crash, or a serious hit to a company’s brand or reputation.

As a risk manager, CEO, or any party responsible for the long-term success of an organization, you need to have a plan in place to clearly outline what you would do if the worst were to happen tomorrow. Here are four phases to putting your BCP in place.

1. Business Impact Analysis (BIA)

The first step to building your company’s BCP is to consider the potential impact of each type of disaster or risk event that your company may face. For example, a company in the finance industry may consider the role of the stock market, data breaches, or the possibility of a fraud scandal. The BIA helps you discern which processes are the most critical to recover or initiate in a state of a disaster and assigns a monetary value to the protection of assets involved in specific business processes.

Key goals of the BIA should include:

  1. Identifying the impact of uncontrolled events
  2. Prioritizing critical functions
  3. Establishing maximum tolerable outages

2. Risk Assessment

Upon identifying the impact of the risks facing various functions across your business, the next step is to determine the potential magnitude of these risks. This is a critical assessment to perform, as it helps establish which risks should be most emphasized in the BCP. Priorities can be established by looking at which risks are most likely to occur to determine the breadth of coverage for your company’s BCP. To do this, you can run a gap analysis to compare your company’s current contingency plans against the proposed risks and identify any holes you need to fill. With knowledge of these gaps, you can analyze various threats to identify their respective impact.

To aid in this process, it is helpful to work from a list of potential emergencies or viable threats, together with the likelihood of such events and their impact on personnel, assets, or finances. These can help formulate different scenarios to plan for, such as natural disasters or terrorist threats, as well as minor events such as a power outage.

A best-practice risk assessment report should cover the following:

  • Summary of Business Operations
  • Risk & Vulnerability Analysis
  • Critical Support Infrastructure
  • Physical Environment
  • Recovery Time Objectives
  • Business Recovery Strategies & Priorities

3. Business Continuity Plan Preparation

During this step, the BCP is developed, taking into account the likelihood, magnitude, and potential impact of the risks that were identified in the previous step. The BCP preparation stage will take it a step further by documenting strategies and procedures to maintain, recover, and resume critical business functions as quickly as possible. Part of this preparation will entail a list of procedures to address priorities for critical and non-critical functions, services, and processes.

The BCP should include:

  • Business Operations
  • BCP Organization
  • Plan Activation & Operation
  • Preparation & Readiness Checklists
  • Emergency Operations
  • Facility Restoration & Relocation
  • Emergency Communications
  • Emergency Forms & Terms
  • Incident-Specific Response Checklists

4. Business Continuity Plan Testing and Table Top Exercises

Once a plan is established, it’s time to put it to the test with table top exercises. During this final step, key staff members and management will come together to simulate their response to various emergency situations that were identified as likely risks. Using the procedures outlined in the BCP, these exercises will identify gaps in the plans so they can be improved in a controlled setting. This process can also help establish the different roles and responsibilities across team members.

When it comes to risk mitigation, hope for the best but plan for the worst. Take your risk planning to the next level by getting started with your Business Continuity Plan. Talk to a risk mitigation expert today.

  Category: Risk Management

Threat Assessment: Knowing Your Risks

By Lowers & Associates


The ultimate goal of any security program is to manage and mitigate risks. What do we mean by risk? In its broadest sense, risk can be defined as the likelihood of loss of anything having value, including people, facilities, information, equipment, and reputation. In a sense specific to security and loss prevention, risk is the probability that a particular threat will exploit a given vulnerability, leading to an unwanted result.

Knowing your risks is the obvious first step. But what is the best approach? And where do you go from there? Here are some key considerations:

Identifying Threats

First and foremost, identifying the threats to your business is instrumental. It is likely that your institution already has experience with a number of risk factors, but it is important to understand the rate at which new threats arise. It is crucial, therefore, to monitor emergent threats targeting your industry. This can often be accomplished by reading trade publications, engaging in discussions at industry conferences and loss prevention forums, and by obtaining case studies. Also, a number of sources provide crime metrics, some of which are industry specific, and can be very beneficial in identifying threats.