By Chris Hollands
18 May 2017
One of the biggest issues you face when trying to work out whether your controls around fraud are actually working is knowing how much fraud you have in the first place! You need to ask yourself whether there is any point in designing a new control to combat a perceived threat when, in reality, that threat does not exist. There is little point in putting in a control for the sake of it, so it is paramount that you have the necessary processes in place to capture fraud data and then to analyse it.
Going back to my ACFE studies, I think there are some 12 or more different types of fraud - from financial statements, bribery and corruption, and securities through to the public sector or around contracts, purchasing and procurement. Each of them is different and each requires a different approach. The data you need to collect is different; the only consistent factor is, sadly, that the problem persists, and for every control that is put in place the fraudster will find a way round it. It is just a matter of time.
What this tells us is that there is no single solution to the problem: each organisation is unique, even within the same industry segment. Their systems are different, even if their clientele is the same. Indeed, it is a constantly evolving process and requires continuous updates.
For example, while working on an Anti Money Laundering project a few years ago I recall identifying the sudden uptick in business some suspicious client accounts experienced in the first six weeks after they came online, and in response we put in a control to “identify” this. We caught several culprits, but word soon got out to the market and they either moved to another bank or ran the account normally for three months before introducing illicit funds. It did not take long for the fraudsters to identify a new solution to their problem.
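The control described above, written out as an added example rather than anything from the original project: a screen that flags an account whose weekly inflow jumps well above its own early baseline inside the first six weeks after onboarding. The account data, the six-week window, the 5x ratio and the account names are all constructed assumptions; the "patient" account shows why a fraudster who runs the account normally for three months slips past the window unless it is widened.

```python
from statistics import median

# Constructed sample data (not from the article): weekly inflows per
# account, index 0 being the week the account was opened.
WEEKLY_INFLOWS = {
    "acct-steady":  [900, 1100, 1000, 950, 1050, 1000] + [1000] * 10,
    "acct-early":   [900, 1000, 42000, 38000, 1000, 950] + [1000] * 10,
    # Behaves normally for about three months, then brings in the funds.
    "acct-patient": [1000] * 13 + [41000, 39000, 1000],
}


def early_uptick_weeks(inflows, window_weeks=6, ratio=5.0, min_baseline=2):
    """Return the week indexes inside the first `window_weeks` where the
    inflow exceeds `ratio` times the median of all preceding weeks.

    `min_baseline` weeks of history are required before a week is judged,
    so a brand-new account is not flagged on its very first deposit.
    """
    flagged = []
    for week in range(min_baseline, min(window_weeks, len(inflows))):
        baseline = median(inflows[:week])
        if baseline > 0 and inflows[week] > ratio * baseline:
            flagged.append(week)
    return flagged


def screen(accounts, **rule_params):
    """Run the rule over every account; map flagged accounts to their weeks."""
    hits = {}
    for acct, inflows in accounts.items():
        weeks = early_uptick_weeks(inflows, **rule_params)
        if weeks:
            hits[acct] = weeks
    return hits


if __name__ == "__main__":
    # With the original six-week window only the early account is caught;
    # the patient one is invisible until the window is extended.
    print("6-week window :", screen(WEEKLY_INFLOWS))
    print("16-week window:", screen(WEEKLY_INFLOWS, window_weeks=16))
```

Widening the window is the obvious fix, but it also widens the number of legitimate accounts judged against a small baseline, which is the cost/benefit trade-off the rest of the article is about.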
There is a suggestion in some quarters that “Zero fraud” is somehow achievable, but I disagree and have had some heated discussions with senior managers over the years on this. There comes a time where the cost of additional fraud reduction is more than the benefit and when you reach that point you need to direct your extra energy and resource elsewhere. BUT and it is a big BUT, the message that you must convey to the public at large is that you have no appetite for loss at all. You also need to convince your staff that they should be focused on zero losses.
However, this is where you hit a problem, particularly if you start to penalise your staff for not achieving the unachievable (if you will excuse the double negative). There is nothing more dispiriting than being judged a failure or receiving criticism when it is not within your power to prevent it. A degree of balance is required here to keep the staff motivated.
If we accept our intention is to reduce fraud to an acceptable level, defined once we have all the relevant information, how might we best go about it? Should we be focused on prevention or cure, are we concerned about the repetitive loss of small amounts or should we be focused on the bigger game?
That’s when you get into the inevitable 80/20 discussions, assuming that 80% of the frauds perpetrated generate only 20% of your losses. (I’m not sure if this rule specifically applies to fraud, but on the basis that it works for most things there is a fair chance it does.)
What this tells me is that we should be directing our resources at minimising the effects of the 20% of professional, determined attacks on our firm, while at the same time using a more generic “sheep dip” approach to the 80%. For these we should perhaps be using vendor software, with regular updates, run across accounts and transactions to spot anomalies and amateur attempts to steal from us.
I think it is the 20% who really need our attention, to deter the type of people (possibly nations such as the DPRK) who hacked the bank in Bangladesh or the Carbanak cyber gang.
While these cyberheists are considered very sophisticated, most of them start with some sort of phishing, be it spear, whale or otherwise. Phishing is one of the most preventable attacks and one of the most affordable to deter. Indeed, you will have read my article recently where the FCA is suggesting that staff who spot and report such attacks should be rewarded.
That said, an effective approach to fraud needs both preventative and detective elements. Sometimes an intensive prevention solution works best, but in other cases prevention actually costs more and is less effective than detecting and mitigating fraud when it occurs. It depends on the fraud, and in almost every situation some combination of prevention, detection, mitigation, investigation and deterrence will be needed.
Frankly, I am a great fan of deterrence because it is based solely on the criminal’s perception of risk. If you create an environment where the perception of risk is high, where fraud controls and enforcement efforts are visible, then the benefit of deterrence is realised constantly without any additional expense or effort.
Such deterrence may reduce the amount of time and effort a criminal will exert to overcome a fraud control because it impacts the criminal’s assessment of cost and benefit, which comes down to the amount of time and effort needed to overcome a control and successfully commit a fraud.
That said, there needs to be a visible investigation and enforcement component to your fraud control strategy such that the fraudster can see what happens if he/she gets caught - arrest, imprisonment, large fines etc.
I once read that “a deep moat will discourage people from approaching you, but by filling it with piranha fish you will more than double that effect”. It is all about perception; that is the beauty of deterrence. The only problem is that it will never prevent a determined attack.
Whilst I think we have agreed that it is unlikely that a company’s fraud controls will be perfect, there is a view that they just need to be better than those at the other firms, so the criminals will go elsewhere. A fallacy I think. It is widely accepted that the people responsible for the Bangladesh heist have attempted at least 11 other attacks and this proves that the professional fraud groups (those 20% of criminals who commit 80% of fraud) sustain themselves, gain experience, and build capacity over the long run by shifting from target to target.
Where does this leave us?
I believe that the most important step is to identify exactly what the threats to your organisation are and I accept you may need to seek professional help to do this. Once this has been achieved you should categorise those threats, assess the risks and determine how to allocate your resources. You will need to look at relevant industry experience and developments to perhaps optimise this.
You then need to start to monitor and measure the amount of fraud you are experiencing in order to determine if the controls you put in place are working, remembering that just because you don’t have any fraud doesn’t mean your controls are perfect!
Finally, you need a crisis plan. If you believe in the Pareto Principle (80/20 Rule) it is a statistical certainty that at some point those 20% of sophisticated hackers are going to come and try and take a big chunk of your assets. They will probably use a unique approach (after all, your risk assessment will have all the normal bases covered!), one that will require a lot of resource to address it. A well thought out contingency plan will go a long way to helping solve the problem. Such crisis plans can often mitigate the biggest risk of all... and that is reputational.
Article by Chris Hollands, a director of TomJak Ltd, a company which specialises in audit training and consultancy