People & Process – The Long Tail of the Fraud Triangle

By Lowers & Associates

Disclaimer: Portions of this conversation have been edited for length and clarity, and certain locations and details have been modified for privacy reasons.

In business, the concept of the Long Tail implies that an organization can find significant financial benefit selling small volumes of hard-to-find items to many niche customers.  What began with statistical models in the 1950s was popularized for a modern audience in a 2004 Wired Magazine article that highlighted the advantages of a digital economy where scale was just a matter of server space.  Early adopters of a Long Tail business strategy included Netflix, Apple and Amazon.

The Fraud Triangle brings together Pressure, Opportunity and Rationalization to explain WHY fraud happens; on the surface, it does not share overt similarities with the traditional definition of a long tail. However, in #OurStory this week, Keith Gray blends insights from an epic eight-figure fraud with a few lesser examples to highlight how both people and process actually ALLOW fraud to happen within what could arguably be described as the Long Tail of the Fraud Triangle.  If we replace “small volumes of hard-to-find items to many niche customers” from the Long Tail definition with “fraudulent micro-actions within SOP gaps against specific financial entities,” we begin to see fraud’s own little economy where all the money is made.

Generally speaking, the primary frustration for organizations threatened by fraud is understanding which side of the triangle poses the most risk to their human capital. We know that strong, fraud-resistant cultures of workplace compliance are not born overnight, and in 2020 they are not forged in iron either. The modern workplace (like the modern digital economy referenced in the Wired article) is no longer driven by a one-size-fits-all mentality (the “Top 10 mega hits” that make up the head of the Long Tail). Updated social norms, evolving demographics and highly personal subjects like equity, justice, ownership and other influencing factors have actively changed our places of business. To create a compliance-driven culture in today’s environment (COVID included), where security protocols become second nature, organizations may need to do some deep thinking about how to apply these less “tangible” (but no less human) concepts to avoid the Long Tail of the Fraud Triangle, whatever that happens to look like for your organization.


In our work, we’re often called in to evaluate and investigate the aftermath of fraud.  Is there anything that surprises you when reviewing these fraud cases?

Keith Gray: I wouldn’t say it’s surprising, but I think it’s always very interesting the lengths that people will go to in order to commit or sustain a fraud, complex or not.  The Association of Certified Fraud Examiners has heavily researched the impact fraud has on the world economy, and it’s not insignificant.  And unfortunately, what we see a lot is that trust can lead to a lot of fraud.  It’s unfortunate to present it that way, but a lack of controls and just the trust that people have in their employees often leads to the opportunity to commit these frauds.  Especially any time there are hard economic conditions, natural disasters, or pandemics like we’re dealing with now, that’s when it’s worst.  It’s twofold, though: tough times provide an opportunity to commit fraud, but they’ve also actually helped us uncover fraud.

Case in point: around the time of the Great Recession, the owner of a large privately held company had been orchestrating a large, ongoing fraud.  When the economy was booming, this person was able to move funds around, misappropriating entrusted funds for personal gain through real estate, financial investments, vehicles, various things.  When the economy was doing well, this person could always cash out to make things right; it was always in their back pocket.  What allowed this to happen was that this person was also able to manipulate the vaults and move money around, essentially playing a shell game with the vault’s contents to pull the wool over the eyes of the bank or anyone that came in to audit the vault.  There wasn’t a good, coordinated effort to come in and do full vault counts or things like that.

It’s also hard to imagine the recession being particularly helpful to any of this person’s investments, so why would doing a full vault count be important?

Keith Gray: As an independent auditor, we can go in and do a full vault count to get the whole picture.  It’s exactly the type of thing we push for.  An individual bank can go in, but they are only going to see their funds, allowing the opportunity for the fraudster to play a shell game.  In this case, the economic downturn aided in the discovery of the fraud.  When the country sank into a recession, much of the value in those investments disappeared, so this individual could not make up what was taken.

During this timeframe, one of the bank customers did get a little uneasy, alerting the authorities and bringing the situation to light. The next thing you know, $90 million is deemed to be missing.  I spent about a year working that on behalf of a couple of clients, just trying to recreate it from the claim side.

That’s an eye-popping number.  Is that what sticks with you most about this fraud?

Keith Gray: Well, our Director of Global Operations, Neil Watson, alluded to it in a previous blog but, as we do our work, every team member is informed by our experiences.  As we go along, we continue to gain knowledge and it helps us evolve, sharpens our skills.  For me, this case reinforces that going in, you can’t assume anything, you can’t believe anything until it’s confirmed or you’ve seen it with your own eyes.  It reminds me to essentially be a sponge, to constantly be absorbing information as I go.

A lot of the time, you can find out there are issues just by listening; people will give themselves away!  For example, companies will ask us to come in on the back-end vault side; there may not be an absolute fraud, though a lot of times there is, but there are clear process and control failures. On inspection, they might present something that shows they’re in balance at an individual branch location, but once you really dig in, it’s clear the data is being presented in an inconsistent way, perhaps leaving out some pieces.

For example, we have cases where our team will go in and count a million dollars, and they will then show us documentation to support that they’re holding a million dollars for 10 entities. On the surface it appears that they have physical control of the full value with which they have been entrusted; however, you then ask about the other two banks that aren’t being disclosed, which might be another half a million, so really, they’re short half a million dollars. But the way they present the information to corporate or ownership or management, they’ve been able to conceal that.

So, you just have to be independent, objective, not take anything for granted, listen and then start asking those questions to see if the whole picture makes sense. That’s big for us and our team’s approach.

What is the mentality of the people that commit these frauds?  Do you find that the people have anything in common that drives their desire to perpetuate fraud?

Keith Gray: The Fraud Triangle is the why, but the how is the breakdown in controls or the misplaced trust.  The commonality is that the thief or fraudster is given the opportunity.  Greed is a real thing, and once they realize there’s an opportunity and they can get away with something a few times, they keep going; I’ve seen a lot of frauds that have lasted four to five plus years without being discovered.

It usually starts when someone’s in a pinch, and the mindset is usually ‘I can make this right, I just need to pay a bill’ or something like that, and they plan to put it back with, say, a tax return.  If that works out, maybe they don’t do it again, but in most cases they do it again, and it’s still easy, and it evolves over years if left unchecked, from thousands of dollars to multimillion-dollar losses. It’s amazing how long and how much some fraudsters can get away with when there is zero independent oversight or there are no SOPs.

What can you do in those situations?  It seems like you really need to know who your employees are.

Keith Gray: Exactly.  You have to make sure you know the person who has the keys to the castle: facility keys, alarm codes, vault combinations, CCTV access.  A dedicated bad actor can manipulate anything, and once the SOP breakdowns start, greed takes over and they’ll go to any lengths at that point to conceal what they’ve done from their own company, peers and even clients.

One thing to look for is false reports to their customers. An individual might manipulate his or her employees, maybe take away responsibility saying, ‘Hey, I’ll take care of that’ or ‘It’s too confusing and hard to explain, so don’t worry about it.’  They’ll mess with people’s minds.  To get around this, one of my first questions is always, ‘Can I see the HR records, the leave records, to see if they do take days off?’ And these people will go five years and never take a day off because they have to cover up their scheme.  If they are in an accident and hospitalized or something, then what they’re up to will come to light.

Whether it’s a long- or short-term fraud, would you categorize these folks as “broken” people? Do they live in a different reality?  Or is it as simple as, opportunity is as opportunity does?

Keith Gray: I wouldn’t necessarily say they were broken from the start. Frank Abagnale Jr., who spoke at our SCTA conference a few years ago, is a perfect example.  What we see with him is that his mindset is educated and evolving. And most of these criminals have a similar mindset of gaining education as they go on and as they see how it works. And they get better and better at getting what they want.

So, whether they’re broken, they happen into it or they just got desperate, the why definitely evolves; some of these fraudsters like Frank are highly successful at being able to perpetrate schemes and have a genuine ability to hide the fraud or make it look legitimate.  It’s not what we’d see from organized crime, but rather just an average person looking for an opportunity.

If a local community non-profit needs a Treasurer, for example, and that role doesn’t pay anything, they might volunteer someone because s/he is a CPA who should be able to handle it. Well, yeah. It’ll get handled right out the door. It always shocks people how often that happens, but it happens because people want to like and trust other people.  Regardless of that goal, if there’s no oversight, no real relationship with the person in that position or no strong culture of compliance in place, that’s where organizations really run into trouble.  It’s unfortunate we have to think that way, but it’s reality.

  Category: Fraud Awareness

SOPs & Precious Metals: Mining Your Own Business

By Lowers & Associates

Disclaimer: Portions of this conversation have been edited for length and clarity, and certain locations and details have been modified for privacy reasons.

Standard Operating Procedures (SOPs) are exactly what they say on the tin: a calculated and tested directive used as the foundation for an operation or an individual task.  At L&A, we often use a tree as an example of the mechanics behind an SOP: the roots provide the foundation from which the procedure grows, the trunk is the day-to-day actions, and the branches are the end deliverable result.

However, a tree will grow wild if permitted, and left unchecked, SOPs will do the same thing.  Unfortunately, the question we most often run into when assessing a business and its SOPs speaks to the reason why avoidable risk exists in the first place: if the SOP isn’t broken, why should we fix it?

As with everything we do in risk mitigation, questions are good, but the bottom line here is that there is no single answer as to “why” fix an SOP.  For an SOP to remain viable, it needs to stay malleable while also staying strong in the face of adversity.  This means SOPs need to be challenged, because the times, the technology and industry attitudes constantly change around them.  Periodic, systematic reviews and tests are just as integral to the SOP as the original calculated and tested directives that comprise the SOP itself.  Some businesses might excel at the review and update process, but even then they can fall short by failing to communicate those documented SOP changes to all relevant staff.

As part of the #OurStory series, Daniel Cootes, AIExpE and Client Relationship & Operations Manager for Lowers & Associates’ UK office, shares some insights from his experience assessing an operation in Asia whose SOPs weren’t so much incorrect as dated, in an environment where uncertainty was not a risk the insurer was willing to ignore.

So, somewhere in Asia, there’s an operation.  The insurer of this operation, our client, needs to determine what type of coverage the operation (their client) needs, so they ask you to assess the active threats in the area.  It turns out these threats include local gangs, natural disasters and ISIS.  Walk us through securing a facility like this for the insurer: where do you start?

Daniel Cootes
The thought process here begins with how to answer one question, really: could an attacker cross this facility’s perimeter, suppress the security onsite, get to the vault, breach that vault, take what they want and then get back out?  Intelligence leads us to believe that, yes, this sort of attack is possible, but you also ask, is it likely?  Where this mine is located, it’s certainly possible, but most of this type of gang activity is in the bigger Southeast Asian cities.  Also, this insured has a fantastic piece of nature looking after them, because we’re talking about an operation in the middle of a jungle where it’s pretty much two roads in and two roads out, with hours of driving required through dense trees. But you start by recognizing, yes, there is a possibility of this scenario happening, obviously, and go from there.

With an understanding of the facility’s threats, the landscape around it, the likelihood of an attack, the personnel involved, what kind of recommendations did you end up making and how did you reach those conclusions?

Daniel Cootes
Given the parameters and all the different angles that they had, I made some recommendations of what we thought was acceptable, and the operation then came back with what they thought was acceptable based on their operational and cultural perspective.  Ultimately, it’s about being realistic, and how easy it would be for the operation to implement the updates.  Something like this didn’t need to be nuclear-bomb-proof, so we looked first at the gate and fencing that they had, for example.  It was all about 10 years old, and in the jungle things get rotten quickly; it’s hot, wet and horrible, right?  And so, they had to commit to reviewing that fencing every six months.  We talked about upgrading their roving patrols. We also looked at upgrading their CCTV.  Technology nowadays is so inexpensive, there’s no excuse not to have it.  There are some other very specific things we did for them that I won’t go into, but a good deal of it comes back to their standard operating procedures and making sure their people are following those.

SOPs are incredibly important, and you were able to assess this facility’s risk entirely through a remote process. How did you do that?

Daniel Cootes
Lots of questions. I kind of like to start from the outside and work my way in.  As if I had turned up at the site, I tried to build the picture of what was in front of me and what would stop me from getting in.  I mentioned the gates already, but I also had questions about their guys on the gates, which guys had access to the CCTV or any alarm systems, and how the gates locked; some of these gates might be left open during the day, and some of these sites run 24 hours as well.  It again comes back to being collaborative and flexible and understanding what’s realistic for them to be able to lock the gate and which of their guys on the gate is involved in that process.  Really, you just keep peeling back as many layers of the onion as possible and asking what it takes to get to the good stuff in the vault.

When you get to the vault, the questions become things like what they were doing to prevent attackers from getting into that space, how well-trained and well-armed their guys were, whether the guards are their own guys or an outside security company, and how they are actually screening these people.  You just keep pulling at the thread of the jumper and ask all these types of questions.  At the same time I’m asking these questions, I have to try and be realistic.  I might want them to have a military response, but it’s about understanding what they’ve got and how they can deploy it. I again would go back to the SOPs: who wrote them and how, and was the person accredited?  How old are the SOPs, and what’s changed since then?  Have those updates been made and communicated?

All this assumes a breach by people, bad actors.  How do you go about mitigating the risk of a natural disaster?

Daniel Cootes
For us and our work, we must think specifically about what insurers are actually insuring.  Most have the policies they write for people, of course, but in this instance, the high-value goods are what they’re focused on.  So, the primary question we need to be able to answer here is: if there is a natural disaster, will this be a total loss, in the sense that it will never be seen again?

For example, let’s say there was a fire in the Louvre gallery and there were no fire suppression systems. Once the Mona Lisa has been burned to smithereens, it’s gone.  However, with something like a precious metal, there’s a good chance we can salvage that after a mudslide through excavation or the like, depending on where it ends up.  Ultimately though, you can’t really mitigate a mudslide, right?  And that’s what insurance is for, those unforeseen, unfortunate circumstances.  What you can think about, though, is how the valuables are stored.

When we talk about vaults with cash inside, fire is a risk, so you ask questions about fire suppression systems: what’s in place, what do we need to put in place.  For a mudslide, what we can be conscious about is trying not to have the goods scattered all over the place once the slide is over, and doing our best to keep them in at least a defined area.  Because as long as we can get to the vault, it’s not a total loss.  So, it was more about how they controlled the inventory: once it comes out of the mine, it’s processed, heads straight into the vault, it’s labeled and locked, check that off the list.

So, talking then about ISIS, how does that factor into the risk mitigation process?  That seems like it would bring a whole other set of geopolitical and other types of problems.

Daniel Cootes
What we’ve seen ISIS do in Africa is something that could happen at this operation’s location.  We asked the operation if they’d thought about a branch attacking them to not just steal from, but take over the operation.  They had, fortunately, and were doing things to keep tabs on the local gangs; they also had access to the military, with a few guys onsite, in addition to a few policemen.  These were people that were trained in weapons systems and could fight back while a call for more help went in.  From there, we dug into questions about their communication capabilities, ran down the list of who controlled those processes, how many satellite or cell phones were available, internet capability, back-up power and generators, and just, again, kept pulling at the thread.

For this operation, ISIS presented a viable threat and was something they needed to include in their SOP, and my assessment was that they needed to refresh some things around that.  The likelihood that they could get in, launch an attack, steal something and either leave or occupy to some degree was slim, but it’s good for both the operation and the insurer to be thinking about.

What about this experience was impactful for you personally or for the client?  Clearly the whole process resonated with you.

Daniel Cootes
As I mentioned, the SOPs were dated; in fact the person who had written them was no longer there.  Over time, things had clearly changed in their operations, so while the SOPs weren’t wrong per se, they had to update them in line with the way the business was operating currently.  They were looking to potentially hold more stock, for example. So, we didn’t reinvent the wheel, the SOPs were written by a pretty competent person, but what they realized they needed to do was pull them out of the drawer more often and compare them to what was going on in the world. What problems are out there, and are the procedures still relevant?

For me, there are always two benefits to this type of work.  One, you’re pleased you’re helping keep people safe, and two, should a loss happen, I did everything possible on the insurers’ behalf to mitigate the risks and insure these high-value goods, to mitigate every conceivable threat in that respect.  For us, the client is always primary; we want to make sure they aren’t hit with any kind of major loss.  If we’ve done our jobs right, we can avoid that.  For me, SOPs are key, keeping them relevant.  They’re awesome to have, but if they’re stuck in a drawer and don’t see the light of day for 10 years or until there’s a problem, that’s not going to work out really well for anyone, is it?

  Category: Risk Management