Tag Archives: enterprise risk management

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated financial institution that was defrauded over a long period of time by two different companies, both of which were its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of risk among cooperating entities, such as our CFE client companies and their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements, feeding a database of who is where, which is vital to tracking shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company to not only inadvertently misrepresent its vendor base but, even more importantly, increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represent enhanced internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because the organization is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.
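As an added illustration of the relational-data point above (this is example code written for this post, not anything the victim institution or the original article provided), the following Python resolves each vendor in a small vendor master to its ultimate parent company and then reports corporate families whose combined spend exceeds a review threshold. That aggregation is exactly what a company lacking relational data cannot perform. The vendor ids, names, spend figures and the `parent` field are constructed and hypothetical; dangling parent references and cycles in the master data are reported as unresolved rather than silently dropped, since bad master data is itself a finding.

```python
from collections import defaultdict

# Constructed sample vendor master records (hypothetical ids and names, not from the post).
# Each record: vendor id, display name, parent vendor id (None if top-level), annual spend.
VENDORS = [
    {"id": "V100", "name": "Alpha Print Services", "parent": None, "spend": 120_000},
    {"id": "V200", "name": "Beta Courier LLC", "parent": "V100", "spend": 80_000},
    {"id": "V300", "name": "Gamma Records Storage", "parent": "V100", "spend": 45_000},
    {"id": "V400", "name": "Delta Facilities", "parent": None, "spend": 60_000},
    # Parent id V999 is deliberately absent from the master file to show the unresolved path.
    {"id": "V500", "name": "Epsilon Shredding", "parent": "V999", "spend": 5_000},
]


def ultimate_parent(vendor_id, by_id):
    """Follow parent links to the top of the hierarchy.

    Returns (root_id, unresolved). unresolved is True when a parent id is not in
    the master file or when the parent chain loops back on itself."""
    seen = set()
    current = vendor_id
    while True:
        if current in seen:
            return current, True  # cycle in the parent links: bad master data
        seen.add(current)
        rec = by_id.get(current)
        if rec is None:
            return current, True  # dangling parent reference
        if rec["parent"] is None:
            return current, False  # reached a top-level entity
        current = rec["parent"]


def group_by_parent(vendors):
    """Map each ultimate parent id to the vendor ids under it.

    Returns (groups, unresolved): groups is {root_id: [vendor ids]} for every
    vendor whose lineage resolved; unresolved lists vendor ids whose chain
    hit a missing parent or a cycle."""
    by_id = {v["id"]: v for v in vendors}
    groups = defaultdict(list)
    unresolved = []
    for v in vendors:
        root, bad = ultimate_parent(v["id"], by_id)
        if bad:
            unresolved.append(v["id"])
        else:
            groups[root].append(v["id"])
    return dict(groups), unresolved


def hidden_concentrations(vendors, threshold):
    """Return [(root_id, sorted member ids, combined spend)] for every corporate
    family whose combined spend exceeds threshold, sorted by root id.

    A family of one is reported only if that single vendor alone exceeds the
    threshold, so the interesting rows are the ones where several apparently
    unrelated suppliers roll up to one parent."""
    by_id = {v["id"]: v for v in vendors}
    groups, _ = group_by_parent(vendors)
    findings = []
    for root, members in groups.items():
        total = sum(by_id[m]["spend"] for m in members)
        if total > threshold:
            findings.append((root, sorted(members), total))
    return sorted(findings)


if __name__ == "__main__":
    groups, unresolved = group_by_parent(VENDORS)
    print("families:", groups)
    print("unresolved lineage (review master data):", unresolved)
    for root, members, total in hidden_concentrations(VENDORS, 100_000):
        print(f"family {root}: {members} combined spend {total}")
```

Run against real data, the `parent` field would be populated from a corporate-hierarchy source such as a registry lookup or a commercial reference-data feed, and the threshold set from the organization's own vendor-concentration policy; the logic above is the same either way.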

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stakeholder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where client enterprise ignorance of the situation in the client’s own overall enterprise is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM base fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do rather than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. In the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The “enemy is out there” syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long-running frauds are revealed, and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be used on issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Fraud, ERM & Wells Fargo

Could a fully functional Enterprise Risk Management (ERM) program have prevented or otherwise somehow mitigated the Wells Fargo fraud?

As a concept Enterprise Risk Management (ERM) is almost four decades old now and has been repeatedly battle-tested in both private and public organizations around the world as a proven approach to addressing risk in organizations of all sizes by effectively and efficiently concentrating management’s attention on the areas of highest risk to the critical business processes of the enterprise. I don’t have to tell readers of this blog that today’s fiscal realities call for continual and increased efforts to both reduce costs and still deliver optimal customer service; both objectives have a direct impact on fraud prevention because they increase the pressure on management, especially financial and marketing management to meet ever higher sales and earnings performance standards.  The ongoing debacle at Wells Fargo is a case in point of such pressures out of control at seemingly every level of the organization.

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view “the circle of risk” and the concept has continued to evolve in the years since. In September 2004, COSO issued Enterprise Risk Management—Integrated Framework, a method to systematically consider and manage risk across an enterprise. COSO’s premise is that value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. COSO’s bottom line is that ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way, like what has overtaken Wells Fargo. The ultimate goal of ERM for fraud prevention is two-fold: remediate risks (especially the risk of fraud, waste and abuse) to acceptable levels, and eliminate unnecessary controls, processes and, ideally, costs. Potential benefits, such as improved service delivery, increased control and cost savings, are just some of those documented in the literature. At the heart of ERM is a holistic, integrated, future-focused and process-oriented approach that facilitates the management of risk across an enterprise as opposed to looking at it only within siloed organizational entities. The ERM process focuses on “the right things” and can identify processes and procedures that do not measure up to performance, cultural standards and cost-benefit ratios defined by the entity.

Fraud risk programs align well with ERM concepts. Fraud risk programs start with establishing the risk appetite of the enterprise and are governed by policies that articulate the goals and objectives, ethical conduct standards, roles and responsibilities, strategies and tactics of implementation specific to addressing fraud risk. As with other types of ERM programs, fraud programs include deterrence strategies, preventive internal controls, routine measurement of performance and results, as well as program accountability and transparency to stakeholders. Additionally, there is special emphasis on cyber fraud, given the reliance on information technology to carry out the mission of today’s typical organization. Partnerships between organizational and program management are strong, given the linkage between the programs and their associated fraud risks. ERM also strongly supports whistleblower programs, another area of increasing attention and stakeholder priority.

News reports tell us that those Wells Fargo employees who attempted to fill the whistleblower role at many points in the employee initiated fraud were first disciplined for their efforts and then terminated.

COSO’s ERM framework is premised on four underlying principles. How might each (and all collectively) have benefited Wells Fargo beforehand to avoid the present mess?

–Every entity exists to provide stakeholder value.
Sales goals that are all but impossible to meet and which force employees to sign up customers for services they neither ordered nor needed provide no value to the customer, to the employees, to Wells Fargo stockholders or to the public at large.

–All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. This translates to making trade-offs in establishing the level of acceptable risk to assume.
By fostering a culture of corruption among its employees by firing them for not making unrealistic sales goals, it can be argued that Wells Fargo failed to accurately assess both its level of fraud risk and its appetite for such risk.

–Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Under the COSO model Wells Fargo failed to prioritize risks that might jeopardize its corporate mission, effectiveness and efficiency. It also appears that it lacked a mechanism to take prompt action to stop the basic employee fraud scenario from persisting and spreading to more and more employees.  Only after the fact did it halt its program of unrealistic employee sales goals.

–Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
The application of this principle features ongoing monitoring of the performance of the risk model.  Clearly, at the first signs of the fraud, Wells Fargo would have reassessed risk, set risk to the maximum and taken immediate steps to shut down the identified fraud scenario(s).

As a fraud examiner and auditor there are a number of questions I ask my corporate clients to ask themselves that are, in my opinion, critical to both identifying the risk involved with ERM generally and the business processes vulnerable to fraud specifically.

–What keeps you up at night?
–What do we not want to see on the news or in blogs?
–What are the expectations of stakeholders?
–What do we want to make sure happens and happens well?
–What problems have developed or emerged in other organizations that could be a problem in our company as well?
–What controls are now in place? What do we know about how they are working? What do we know about their cost and benefit?
–What level of control can we reasonably afford and how do we get the most bang for the buck?
–What changes have taken place in the company or external to it that may have introduced new risks?

Would ERM have helped Wells Fargo?  I don’t know whether the bank presently has an ERM program or not but clearly the process as defined by COSO would have helped in providing a risk monitoring and immediate remediation mechanism to reassess risk in responding to the first whistleblower call alerting to the existence of the employee assisted fraud.  And there is no doubt that the forensic accounting and CFE community can play an important role in providing needed leadership and technical assistance to any organization implementing a dynamic, ERM supported, fraud response plan.  As the Wells Fargo experience and so many other instances suggest, the time has come to use the full potential of enterprise risk management as a tool to assist in the identification and rapid remediation of frauds before the costs to all stakeholders become unacceptably high.

Effective Oversight of Emerging Fraud Risk

Let’s face it. On-going change management related to the enterprise risk management (ERM) process of any medium to large organization can be a daunting, almost overwhelming task.  The challenge represented by this vital work is only compounded by the difficulty of gathering and sifting intelligence from a diverse and ever changing management team with varying levels of experience and armed with differing agendas.  We know from COSO that an overall organizational posture of good ERM management begins with the entity’s risk framework and related governance architecture sharply focused on the decision making process directing fraud risk mitigation.  But in such a heap of distinctly differing management roles and responsibilities (many seemingly codified in stone), how do we get the data we need to identify contemporaneous critical changes to the organization’s risk appetite and then manage emerging fraud risk based on that changing appetite?  For upper management and for the fraud examiner immersed in such an environment, effective risk mitigation becomes the ultimate challenge and, as we all know, you can’t do a very effective job of mitigating a threat you can’t see.

You can recommend to upper management that one way to address its problem of the lack of systematically gathered intelligence about on-going and emerging fraud risks is to implement a forum structure in which its designated business process risk owners can regularly meet to share information with management about ongoing oversight of their changing individual risk profiles.

There’s no question that some fraud related risks are coming on faster than others.  Confronted with the on-going, special challenges of codifying digital system related hacking risks (especially the risk of the theft of identity related data) now across all industries, the need for management to aggressively confront the risk identification/mitigation gap has never been more acute; I would argue that periodically scheduled, internal risk identification forums are a cheap and surprisingly effective way to increase the level of upper management’s level of actionable intelligence on this increasingly critical topic.  It never ceases to surprise me just how much operating managers actually know about the threats that confront them if they’re provided with the right context for sharing the information.

A formalized emerging risk forum composed of key operating managers (risk owners in COSO terms) and (if management is willing), including a knowledgeable consulting fraud examiner, does a number of important things for your client upper management as it struggles with identifying a multitude of emerging fraud risks while lacking insight as to how to effectively deal with any of them:

–Communication is facilitated between upper management and business process risk owners who may not be in regular direct contact with one another.  Risk owners from one division or operating unit may have a partial conception of a fraud risk or scenario but not a view of the entire risk posed by the full scenarios as portrayed by the consulting fraud examiner.  The regular meetings of the fraud risk forum constitute a setting where participants can compare notes about the many different types of fraud risks which, in the opinion of participants, when taken together, might constitute a pattern or catalogue of risk types confronting the organization.   In my experience, these types of regular discussions can uncover risks, currently thought to be small, that in combination may be exposing the organization to a more elevated level of risk than anticipated and thus deserving of a higher level of attention for mitigation.

–Every organization has silos between, and even within, its functioning operational and administrative components. Regularly scheduled risk forums allow process owners to build strong working relationships with each other and to draw from their collective experience and expertise regarding what they individually and collectively perceive as threats to the organization.

–Risk forums provide senior management, the chief security officer (if there is one) and business continuity planning staff a platform from which to consistently communicate the big picture to business process owners about developments that may affect risk management in their individual operational divisions or subsidiaries; an example would be the movement of financial systems housed locally to a cloud based solution, occasioning a change in the overall financial risk profile of the organization.

–The contextual environment in which information is shared can be crucial for its credibility.  Allowing participants to use the collective stature and influence of the forum to present their opinions about risk and mitigation solutions lends overall weight to the deliberations for all participants. Presentation in the forum addresses the problem that individual business process owners may not have the personal stature in the organization to make fraud risk related mitigation recommendations that business unit leaders would be inclined to consider seriously.  It goes without saying that there must be no retaliation for anything said in an emerging risk forum if the exercise is to have any on-going value to management.

So, once again, we fraud examiners can perform a valuable service to our respective client organizations by recommending the creation of fraud risk control and mitigation structures like the emerging risk forum.  The fraud examiner’s knowledge of fraud scenarios and of effective ways to mitigate the multitude of risks often represented by such scenarios (combined with existing relationships with senior managers and corporate counsel)  place him or her in a powerful position to add value to the challenging process of fraud risk identification and mitigation.

Is There a Doctor in the House? Your Annual ERM Checkup

I’ve been working these last few weeks helping a consulting client review this year’s performance of its Enterprise Risk Management System (ERM); the system was extended a few years ago beyond the company’s financial business processes to all 150 of the remaining business processes of the enterprise.  This “annual physical” is as important for the maintenance of the health of a risk management system as it is for the physical health of your doctor’s patients, since both represent on-going, process dependent projects.  There are many well-documented benefits of performing such an annual project review across all your client’s ERM component business processes, including enterprise wide integration of updated risk evaluation, review standardization, enhanced fraud prevention, and the streamlined reporting of review results to upper management.

The annual ERM health check typically features interviews with key business process owners and a review of ERM documentation to determine if key related controls are functioning as intended, whether project related tasks are being completed on time and within budget, if ERM objectives are being achieved and if the risks related to those business processes critical to the ongoing success of the business are being managed effectively.

Your review should also determine if key annual prerequisites have been defined for the ERM project (e.g., business ownership, governance, and project definition).  Has the organization identified a single point of accountability for its ERM project? The answer to this question often isn’t obvious; I’ve found that precise, overall responsibility for the ERM project is often fragmented, constituting a significant control weakness for the organization.

You should also look for a quality assurance process for the ERM project; what mechanisms are in place to ensure that on-going risk updates and related items of critical documentation are of consistent quality; this can only be determined by some kind of consistently occurring, concurrent,  quality assurance process.

Are the right people devoting the right amount of time to work involving the ERM project?  Often, by necessity, the on-going completion of ERM related tasks is assigned as one or more collateral projects to business process owners whose primary jobs are something else; that’s fine if the product is ultimately reviewed by some higher level of management.  I look for some kind of competency framework to assure that those working on ERM related assignments represent the best human capital the company can muster given the risk expertise related requirements of the assignments.

Is there evidence that the enterprise even manages change well enough generally to be able to identify changing risks to its business processes?  Change management is a professional discipline and risk assessment is a major component of that discipline.  The discipline of change management is now well established and must be somehow integrated into your client’s ERM project by someone having authority with both the ERM project team and with senior levels of client management; this is critical for the success of the project.

With the foregoing as general background, your annual check-up of the health of your client’s (or employer’s) ERM project might include getting answers to the following (or similar) general questions:

–Is the ERM project properly sponsored by the highest levels of management?
–Is there a business case and defined budget for ERM?
–Is there a documented, formal approach to manage ERM included risks, risk scenarios, fraud scenarios and related issues and communications?
–Is there a detailed ERM annual work plan that is actively monitored by business process owners and by compliance professionals like internal auditors, fraud examiners and fiscal controllers?
–Are ERM human resource related roles and responsibilities defined clearly?
–Is the ERM project delivering what was requested of it by management at its inception?
–Is infrastructure in place to support daily project operation?
–Have all ERM project milestones been achieved to date?

When the check-up is complete, be sure to evaluate the performance of the check-up itself by performing and documenting a short check-up critique.  This step is important since, hopefully, you’ll be doing another check-up next year.  What went well with the check-up and thus could be leveraged to improve the process in the future?  What process related issues were encountered and how were they resolved?

Your annual ERM checkup will provide independent corporate governance oversight to help keep the ERM project on track and, ultimately, could make the difference between long term ERM project success or failure.

Privacy Impact Analysis

I was a participant in a security forum last week in Northern Virginia on the topic of data privacy in general and its implications for fraud examination specifically.   One of my fellow speakers made a very forceful case for the performance of privacy impact analysis by any corporation holding large amounts of customer data.  Her argument was that a privacy impact analysis should be a key component of every corporate security management program.  The objective of this type of assessment is to ensure that the risk of exposing personally identifiable information is contained at every level of the organization; every business process composing the enterprise needs to be separately assessed for its vulnerability to privacy threats, not just the business functions directly related to information management.

By identifying vulnerabilities throughout the entire book of business processes constituting its enterprise, an organization can significantly reduce the possibility of identity theft occurring at different stages of its business cycle and safeguard the client information entrusted to its care.  My colleague argued that a privacy impact assessment creates a structured process for analyzing non-technical and technical privacy requirements and compliance with relevant regulation, all of which can be dovetailed neatly into the organization’s enterprise risk management (ERM) effort.

For the risks identified by the privacy impact analysis found to be above an acceptable level, our speaker recommended three additional steps. First, conduct the necessary research and fully, not partially, implement appropriate prevention techniques, tools and corporate policy changes.  Second, make sure that there’s a sound, tested recovery plan in place in case of a successful attack involving loss of personal information. Third, develop an effective incident response plan well in advance of an actual attack.  Those of you involved in ERM will be familiar with each of these steps; taken together they demonstrate due diligence and should lessen legal liability somewhat should an unpreventable breach occur.  This is important because customers and investors alike quickly lose confidence in proportion to any negative corporate news, but especially when it’s perceived that the due diligence required to safeguard customer information was absent.  A major event can cause a corporation to lose credibility and business to a competitor.  This obviously affects share price, which in turn can lead to a sell-off by investors.  Such an occurrence can be devastating to a corporation, possibly to the extent that it cannot recover.

Public policy, embodied in current law, requires that organizations must notify their customers and clients when privacy breaches occur.  These notifications are usually accompanied by a year of free credit bureau oversight or credit watch services so customers can monitor their credit reports for evidence of identity theft; all this remediation is costly and embarrassing and just the sort of situation the privacy impact analysis is designed to prevent.

A final point has to do with employees.  Knowledge is power.  If employees are aware of how identity theft of customer data occurs and succeeds, they can take many steps, as part of their routine daily duties, to prevent it.  So don’t exclude the privacy awareness level of the work force as a critical score element from the privacy impact analysis; if there are identified privacy related weaknesses involving corporate staff, don’t hesitate to address them, and quickly.  The ACFE has emphasized in study after study that work force fraud awareness training is one of the most effective fraud deterrence tools there is.