Proactive Communication: The Human Algorithm for Managing Risk

By Lowers & Associates

Until recently, Continuous Monitoring was, at best, theoretical.  Why?  Because true Continuous Monitoring required real-time access to court records in order to make actionable, informed decisions on employees involved in legal matters.  Arrest record data and other sources were OK, but to truly get the whole picture, court records were required.  Thanks to progressive advances in automation, true Continuous Monitoring is now very real and can, today, provide organizations the opportunity to actively manage employees that operate in high-risk, high-compliance environments.

True Continuous Monitoring is crucial in the modern workplace because it brings efficiencies to risk mitigation immediately after an event occurs, especially if it is a non-jailable or unreported offense.  With businesses right now running lean and looking for any advantage as they right-size, re-strategize and build towards a post-COVID-19 economy, they need their people to be who they say they are.  True Continuous Monitoring enables this.

But what about before something bad happens?  That, as they say, is where the rubber meets the road.

Predictive technology absolutely exists in the mainstream already – it drives the engines powering social media, music streaming, news feeds and online retail, to name a few.  But these insights are typically gleaned from prior activity or stated preferences to predict what a person might next want.  Whether you subscribe to Maslow’s ‘Hierarchy of Needs’ or any other human behavior model derivative, when a need is unmet in a person’s life, it’s true that the behaviors that follow are also (usually) predictive; but the technology that works for Spotify playlists and Amazon purchases doesn’t quite meet the litmus test required to anticipate (and mitigate) workplace violence, fraud or other activities that can profoundly impact a business and the people that work there.

Businesses need predictive insight to identify when a behavior pattern becomes a concern, or at the very least, be able to alert a managing authority to deviations that are outside what’s considered “normal and safe” behavior by an employee in order to mitigate the risk exposure.  The algorithm to perform said task does exist, but it’s still very much analog.

What is this old-fashioned engine that can help predict and manage risk-related behaviors, you ask?

Simply put, it’s communication.  More specifically, it’s employees in high-risk or high-compliance environments at all levels using standardized processes to communicate proactively about, well, anything and everything.  When it comes to mitigating risk, proactive communication’s predictive capacity is less about mind-reading and more about behavior-reading.  It enables a framework that employees can use to identify and communicate red flags before those red flags turn into bad behavior and a court case, or worse, yellow caution tape.

In the final entry of the #OurStory series, Jon Groussman crystalizes the ‘before and after of risk’ using an example of a client that took a massive hit to employee morale and reputation that, had proactive communication and continuous monitoring been options, might have been avoidable.

This particular incident occurred at a research and manufacturing facility and involved a supervisor and an employee.  Can you tell us what happened?

Jon Groussman: I remember I’d gotten to the office a little bit early that day to do some catching-up.  My phone rang right around 8:30; it was an executive from a client’s facility letting me know that they had an incident the night before at around 11pm.  A supervisor on the overnight shift had brought a handgun into the facility, put the handgun to the head of one of the workers and threatened to blow the co-worker’s head off if he ever spoke to the supervisor again.  The police were called, the supervisor was arrested for aggravated assault and possession of a firearm, banned from the property and then, of course, taken into custody.

Clearly, the executives were rattled and couldn’t understand how this could happen at their facility.  I was able to get over to the facility the same afternoon that I received the call, walked through the facility and met with the executives.  Unfortunately, the executives didn’t really know much about what actually went on during this 3rd shift which, for all intents and purposes, was an overnight shift. A lot of times, not only in this environment, but in other environments that have shift workers or that are open 24 hours, the more senior management doesn’t know what’s actually happening during those hours.  What develops then is a communication gap.  From a safety and security standpoint, that gap can become a real vulnerability because you’re not getting tipped off to issues that may be occurring in situations like this one.  So, I started to interview people.

Of the 16 or so people I spoke with, a common theme started to emerge. The primary one was that they were understaffed. They had a hard time finding employees with the skill set to meet their demands and so they were more tolerant of, not something like this incident, but we’ll say, inappropriate behavior.  The second was that being understaffed, the demands of the business had put them in a position where ignorance was bliss until reality hit – the lack of awareness and how to report inappropriate behavior was a huge issue.

You mentioned a pattern began to emerge.  Were there red flags that went overlooked?

Jon Groussman: There are almost always red flags; this kind of thing generally doesn’t happen out of the blue.  In speaking with people working that 3rd shift, I was told that the assailant took longer breaks than everybody else.  As he was a supervisor, people didn’t question it because he also got his job done.  The problem was, we found out he was leaving the site – using the only camera that was well-positioned and functioning – to visit a neighboring community that was very well known for selling drugs.  We could see his car come and go at the times when his colleagues said he would be on longer breaks, and this began happening more frequently in the months prior to the attack.

With that revelation, we went to law enforcement to see if he had a record or had any weapons issues beforehand.  It turned out he’d been in court numerous times within that past year for purchasing drugs in the community I mentioned, but this client and facility didn’t have a system in place to know that. Now remember, this was a person in a supervisory role with access to assets within this facility that a loss or accident could have been very bad.  The materials and trade secrets were also very valuable on the secondary market, had he been desperate enough to need money for drugs or been coerced into stealing them.  Had this client and facility utilized some type of continuous monitoring and had a disciplinary policy, this incident would have likely never happened because he would have been gone long before it happened.

You mentioned that even with continuous monitoring in place, there wasn’t a mechanism to be able to report that information, let alone red flag behavior.  Was this a lapse in SOPs or a culture problem?

Jon Groussman: Everyone on that 3rd shift acknowledged the assailant was unusual – he would go and dance on the roof, for example.  But, to your point, the environment at the facility was one where security and minimizing conflict was not part of the culture.  They didn’t have SOPs that addressed ways to communicate any perceived efficiencies, let alone any threats that somebody may perceive against the people or physical assets at the facility.  There was no standardized method to report much of anything.

So, it was clear we had to implement better access control measures.  We wanted to know when people were coming in and going out, and adding physical security equipment like CCTV to complement it.  But one of the biggest things we had to do was change the culture.  In the security world, it’s sometimes easy to talk about standard operating procedures and physical security equipment, but all those things are only as good as if people are willing to follow it and buy into the program.

The other piece of culture change is that it requires people that are accountable. This facility didn’t have anybody responsible for security.  They didn’t have a threat assessment team. They didn’t have a facility security manager.  Their primary focus for security was that of the machines that did the manufacturing and research.  It was a deadline driven environment.  To get the work done, there was a willingness to overlook certain human capital elements when it didn’t have to do with occupational safety.  As long as the machines were running properly, the place was considered very safe.  But when it came to a potential insider threat, that wasn’t part of the culture. And that’s why I think it took everybody by surprise.  But that 3rd shift was an island unto itself.  Nobody had eyes on it, and they didn’t have the protocols in place to try to capture the red flags.

You’ve seen a lot of things in your career.  Did anything about this experience shock you?

Jon Groussman: Unfortunately, no.  Most of the calls I get are when things are going well until they’re not.  The comparisons that always come to mind are insurance and lawyers – nobody wants to pay for either until they need it.  I think it absolutely surprised the executive team within this particular company that this happened.

The problem was that it wasn’t just the guy who had the gun held to his head that experienced the trauma; it was all the co-workers who witnessed the event.  They were fearing for their lives in that moment.  If that gun went off, even accidentally, who’s to say he wouldn’t have kept shooting?  And this was long before there was such heightened awareness about active shooters.

But this scenario still happens, and it happens because of a lack of communication that, had their communication been better, could have been prevented.

Besides more proactive communication, how did this experience become a teachable moment for you?

Jon Groussman: Most of what I do, and much of what security professionals do when they do assessments, whether it’s a post-event assessment or pre-event, is understanding what the threats are and understanding where the vulnerabilities are, and how you can operationalize the mitigation efforts. And for me to help a business change its culture to become more proactive around its security, I have to have an understanding of the way that business operates before making recommendations on how to minimize those risks.  In the process, you have to prioritize the risks.  And then you have to make sure that the business can still function with the recommendations that you’re putting in place, because you’re not there to create a prison.  You’re also not there to spend money unnecessarily that a company doesn’t have.  And, you’re not there to reduce the efficiency of their business.

In this case, there were some very simple things that we were able to do through an awareness campaign, through a 24-hour anonymous call center – which is very simple to do.  Improved access controls, new cameras.  We instituted continuous monitoring for those employees that had certain access to materials and information, and created oversight protocols for management.  We designed a reporting structure and also a disciplinary structure together so that, if somebody wasn’t doing their job or was behaving in an unusual way, you could address those issues.

We basically just connected the dots.  It took a long time for morale to improve, but it eventually did and proactive communication was really the driver of it all.

  Category: Risk Management

People & Process – The Long Tail of the Fraud Triangle

By Lowers & Associates

Disclaimer: Portions of this conversation have been edited for length and clarity, and certain locations and details have been modified for privacy reasons.

In business, the concept of the Long Tail implies that an organization can find significant financial benefit selling small volumes of hard-to-find items to many niche customers.  What began with statistical models in the 1950s was popularized for a modern audience in a 2004 Wired Magazine article that highlighted the advantages of a digital economy where scale was just a matter of server space.  Early adopters of a Long Tail business strategy included Netflix, Apple and Amazon.

The Fraud Triangle brings together Pressure, Opportunity and Rationalization to explain WHY fraud happens; on the surface, it does not share overt similarities with the traditional definition of a long tail. However, in #OurStory this week, Keith Gray blends insights from an epic eight-figure fraud with a few lesser examples to highlight how both people and process actually ALLOW fraud to happen within what could arguably be described as the Long Tail of the Fraud Triangle.  If we replace “small volumes of hard-to-find items to many niche customers” from the Long Tail definition with “fraudulent micro-actions within SOP gaps against specific financial entities,” we begin to see fraud’s own little economy where all the money is made.

Generally speaking, the primary frustration for organizations threatened by fraud is understanding which side of the triangle poses the most risk to their human capital. We know that strong cultures of workplace compliance resistant to fraud are not born overnight, nor, in 2020, are they forged in iron. The modern workplace (similar to the modern digital economy referenced in the Wired article) is no longer driven by a one-size-fits-all mentality (or “Top 10 mega hits,” as the head of the Long Tail is viewed). Updated social norms, evolving demographics and highly personal subjects like equity, justice, ownership and other influencing factors have actively changed our places of business. To create a compliance-driven culture in today’s environment (COVID included) where security protocols become second nature may require organizations to do some deep thinking about how to apply these less “tangible” (but no less human) concepts to avoid the Long Tail of the Fraud Triangle – whatever that happens to look like for your organization.

For more tips, stories and insights about workplace security, you can visit our blog, check out our Resources page, follow Lowers & Associates on LinkedIn or contact us.

In our work, we’re often called in to evaluate and investigate the aftermath of fraud.  Is there anything that surprises you when reviewing these fraud cases?

Keith Gray: I wouldn’t say it’s surprising, but I think it’s always very interesting the lengths that people will go to in order to commit or sustain a fraud, complex or not.  The Association of Certified Fraud Examiners has heavily researched the impact fraud has on the world economy, and it’s not insignificant.  And unfortunately, what we see a lot, is that trust can lead to a lot of fraud.  It’s unfortunate to present it that way, but a lack of controls and just the trust that people have with their employees often leads to opportunity to commit these frauds.  Especially any time there are hard economic conditions, natural disasters, or pandemics like we’re dealing with now, that’s when it’s worst.  It’s twofold, though: tough times provide an opportunity to commit fraud, but they’ve also actually helped us uncover fraud.

Case in point, around the time of the Great Recession, the owner of a large privately held company had been orchestrating a large, ongoing fraud.  When the economy was booming, this person was able to move funds around, misappropriating entrusted funds for personal gain through real estate, financial investments, vehicles, various things.  When the economy was doing well, this person could always cash out to make things right, it was always in their back pocket.  What allowed this to happen was that this person was also able to manipulate the vaults and move money around, essentially playing a shell game with the vaults’ contents to pull the wool over the bank’s eyes or anyone that came in to audit the vault.  There wasn’t a good, coordinated effort to come in and do full vault counts or things like that.

It’s also hard to imagine the recession being particularly helpful to any of this person’s investments, so why would doing a full vault count be important?

Keith Gray: As an independent auditor, we can go in and do a full vault count to get the whole picture.  It’s exactly the type of thing we push for.  An individual bank can go in, but they are only going to see their funds, allowing the opportunity for the fraudster to play a shell game.  In this case, the economic downturn aided in the discovery of the fraud.  When the country sank into a recession, much of the value in those investments disappeared, so this individual could not make up what was taken.

During this timeframe, one of the bank customers did get a little uneasy, alerting the authorities, and bringing the situation to light. The next thing you know, $90 million dollars is deemed to be missing.  I spent about a year working that on behalf of a couple of clients, just trying to recreate it from the claim side.

That’s an eye-popping number.  Is that what sticks with you most about this fraud?

Keith Gray:  Well, our Director of Global Operations, Neil Watson, alluded to it in a previous blog but, as we do our work, every team member is informed by our experiences.  As we go along, we continue to gain knowledge and it helps us evolve, sharpens our skills.  For me, this case reinforces that going in, you can’t assume anything, you can’t believe anything until it’s confirmed or you’ve seen it with your own eyes.  It reminds me to essentially be a sponge, to constantly be absorbing information as I go.

A lot of the time, you can find out there’s issues just by listening; people will give themselves away!  For example, companies will ask us to come in on the back-end vault side, there may not be an absolute fraud, though a lot of times it is, but there’s clear process and control failures. On inspection, they might present something that shows they’re in balance at an individual branch location, but once you really dig in, it’s clear the data is being presented in an inconsistent way, perhaps leaving out some pieces.

For example, we have cases where our team will go in and count a million dollars, and they will then show us documentation to support that they’re holding a million dollars for 10 entities. On the surface it appears that they have physical control of the full value for which they have been entrusted; however, you then ask about the other two banks that aren’t being disclosed – which might be another half a million – so really, they’re short half a million dollars. But the way they present the information to corporate or ownership or management, they’ve been able to conceal that.

So, you just have to be independent, objective, not take anything for granted, listen and then start asking those questions to see if the whole picture makes sense. That’s big for us and our team’s approach.

What is the mentality of the people that commit these frauds?  Do you find that the people have anything in common that drives their desire to perpetuate fraud?

Keith Gray: The Fraud Triangle is the why, but the how is the breakdown in controls or the misplaced trust.  The commonality is that the thief or fraudster is given the opportunity.  Greed is a real thing, and once they realize there’s an opportunity and they can get away with something a few times, I’ve seen a lot of frauds that have lasted 4 – 5 plus years without being discovered.

It usually starts when someone’s in a pinch, and the mindset is usually ‘I can make this right, I just need to pay a bill’ or something like that, and they plan to put it back with, say, a tax return.  If that works out, maybe they don’t do it again, but in most cases, they do it again, and it’s still easy, and it evolves over years if left unchecked, from thousands of dollars to multimillion-dollar losses. It’s amazing how long and how much some fraudsters can get away with when there is zero independent oversight or SOPs.

What can you do in those situations?  It seems like you really need to know who your employees are.

Keith Gray: Exactly.  You have to make sure you know the person who has the keys to the castle – facility keys, alarm codes, vault combinations, CCTV access.  A dedicated bad actor can manipulate anything, and once the SOP breakdowns start, greed takes over and they’ll go to any lengths at that point to conceal what they’ve done to their own company, peers and even clients.

One thing to look for is false reports to their customers. An individual might manipulate his or her employees, maybe take away responsibility saying, ‘Hey, I’ll take care of that’ or ‘It’s too confusing and hard to explain, so don’t worry about it.’  They’ll mess with people’s minds.  To get around this, one of my first questions is always, ‘Can I see the HR records, the leave records, to see if they do take days off?’ And these people will go five years and never take a day off because they have to cover up their scheme.  If they are in an accident and hospitalized or something, then it will come to light what they’re up to.

Whether it’s a long or short-term fraud, would you categorize these folks as “broken” people? Do they live in a different reality?  Or is it as simple as, opportunity is as opportunity does?

Keith Gray: I wouldn’t necessarily say they were broken from the start. Frank Abagnale Jr., who spoke at our SCTA conference a few years ago, is a perfect example.  What we see with him is that his mindset is educated and evolving. And most of these criminals have a similar mindset of gaining education as they go on and as they see how it works. And they get better and better at getting what they want.

So, whether they’re broken, they happen into it or they just got desperate, the why definitely evolves; some of these fraudsters like Frank are highly successful at being able to perpetrate schemes and have a genuine ability to hide or make the fraud look legitimate.  It’s not what we’d see from organized crime, but rather just an average person looking for an opportunity.

If a local community non-profit needs a Treasurer, for example, and that role doesn’t pay anything, they might volunteer someone because s/he is a CPA who should be able to handle it. Well, yeah. It’ll get handled right out the door. It always shocks people how often that happens, but it happens because people want to like and trust other people.  Regardless of that goal, if there’s not oversight or there’s not a real relationship with the person in that position or strong culture of compliance in place, that’s where organizations really run into trouble.  It’s unfortunate we have to think that way, but it’s reality.

  Category: Fraud Awareness