Canadian Underwriter
Feature

Detection or Prevention?


March 1, 2008   by Stephen Turner, Assistant Vice President, Senior Account Manager, MJM, Inc.



Risk managers are faced with difficult decisions during the course of establishing an effective internal risk management program. Do they focus limited financial and internal resources on prevention, or do they ensure there is an effective detection and investigation program in place? In fact, it is often advised that they can and should do both.

FRAUD ASSESSMENT

Employee malfeasance usually represents the largest single factor of risk exposure for a company or organization. It can take a toll in dollar terms, but it can also negatively and severely impact a company’s brand and reputation, resulting in potential costs several times those of the illicit act itself.

Many organizations throughout North America have been very proactive with their risk management and anti-fraud programs. Most recently, the Sarbanes-Oxley Act of 2002 placed some extremely onerous legal responsibilities on company auditors and management. Based on the act, the U.S. Securities Exchange Commission developed a set of “Final Rules.” In section (II)(B)(3)(d), the rules state: “The assessment of a company’s internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness … and controls related to the prevention, identification and detection of fraud.”

In this global economy, if public companies in Canada want to do business south of the border, they cannot afford to be complacent or fail to develop protocols and procedures necessary to help them comply with the new reporting laws and rules in the United States. Although Canada does not yet have legislation as powerful as the Sarbanes-Oxley Act, it is only a matter of time before similar principles are legislated in Canada. For those organizations involved in North American trade, compliance is already a requirement.

Today, conducting a comprehensive fraud risk assessment is more than just a sound business practice; it is now mandatory in the United States. Public companies must now perform them on an annual basis. Such assessments within an organization should not simply be restricted to the more obvious forms of fraud — i.e., employee theft, embezzlement or vendor fraud. They should also encompass a far broader spectrum to include every aspect of the business operation from senior management, to external vendors, to supply chain management.

Once risks have been identified, anti-fraud programs and controls need to be designed, implemented, monitored and investigated. It is fundamental to the success of the plan to show that the programs are adequate and that they meet the overall objectives of reducing the financial risks and exposures to an organization.

Recent articles in the press and on the Internet promote the importance of proactively protecting assets from a loss based on the argument that recovery after the loss makes little financial sense. Costs can be significant when adding up the costs of reporting the loss, adjusting the loss and investigating it. The same argument notes that in the event of property or product recovery, there are issues surrounding refurbishing, employee handling, reshipping, warranties, product safety, etc. The original wholesale costs could be dwarfed by the additional costs noted above. It is therefore considered easier to make an insurance claim and move on. In fact, many manufacturers or retailers do not even carry the necessary insurance coverage and simply absorb the costs as the price of doing business.

During my tenure with the metropolitan police in London, England in the 1980s, I investigated many frauds. One type of fraud in particular demonstrates the prevailing corporate philosophy about fraud that existed as recently as the 1980s. An electronics store had a very popular program providing customers with an instant, on-the-spot credit of 1,000 pounds (about Cdn$x, 000). To be eligible, customers needed only two pieces of identification showing their “address.” No photo ID was required. Thieves would steal a wallet or break into a house, steal utility bills to prove their address and then would walk out of the store with 1,000 pounds' worth of electronics.

As a result of a fraud investigation, I apprehended one suspect and requested a representative from the store to come down to the police station to press charges. The store declined. The success of their promotion had been phenomenal; the costs of attending court (lost employee time, legal fees, etc.) were seen as throwing money away. Furthermore, since the program had a “shrinkage” or fraud allowance built into it, the store was not interested in charges, recovery or prosecution.

Ignoring the problem does not make it go away. Initially it may make financial sense not to pursue investigation or recovery. However, in the long term, an organization may be subjected to reputational risk, employee theft, loss of market, loss of equipment, product tampering, loss of client relationships, higher insurance costs, product liability issues, as well as warranty and refunds on products they never actually sold. In addition, the organization may also be a victim of organized crime — it may inadvertently be involved in money laundering.

LIMITS TO FRAUD AUDITS: SUPPLY CHAIN THEFT

Risk managers might not even consider one additional issue: supply chain theft or frauds. Consider this example: a national company, “Widgets ‘R Us,” operates a chain of retail outlets. Each store is individually owned and operated. Widgets ‘R Us distributes all products through its head office and central warehouse operation. They receive products from a variety of manufacturers and distributors; they do not pay for manufacturers’ or distributors’ products until they have been physically received at the head office/warehouse facility. Once Widgets ‘R Us reships the product, it is then “owned” by the retail outlet.

If the distributor experiences a cargo theft en route to Widgets ‘R Us, the distributor or shipper is usually financially responsible for the loss. They notify Widgets ‘R Us that there was a delay in shipping the product and promise to reship soon. Unless there is a contractual obligation for the shipper to notify the client of an actual theft or robbery, Widgets ‘R Us may not even be aware that their product or branded product had been stolen and is likely being sold on the black market.

For all of the reasons discussed above, failure to investigate could result in significant financial losses to Widgets ‘R Us, even though their own internal audit and anti-fraud program has not been compromised.

Taking this example further, the retail outlets might now be issuing warranty repairs or refunds for products they never actually sold. They are not aware of the manufacturers’ loss; therefore, they are not on the lookout for this product entering their store. Further still, if a store encounters a theft problem — i.e., major thefts after recent shipments — and they do not disclose this fact to Widgets ‘R Us, the retail outlet may not be made aware of a theft ring operating in that area, where other stores are also being hit.

As illustrated in the above example, the manufacturer or distributor may have its own internal anti-fraud program. Widgets ‘R Us and the retail stores may also have their own internal anti-fraud programs. Even so, Widgets ‘R Us may never know the true extent of fraud and loss the company absorbs. Companies must think outside of the box to counter the significant effects of not managing their risks effectively.

To successfully manage these risks, companies must ultimately reduce the opportunity and incidents of malfeasance. So how do they balance the limited financial and internal resources on prevention and make sure there is an effective detection and investigation program in place? This is the ultimate risk management question.

Risk managers of the future will need to know not only how to identify and assess risk, and develop the protocols and procedures to combat it, but they will also have to arm themselves with the latest information about how to go about detecting and investigating, post-loss. Should they conduct the investigation themselves? Is this effective? If so, do they have the necessary skills? Should employees in positions of authority within organizations place themselves in situations in which their own impartiality and biases might be called into question?

By engaging the services of external forensic auditing investigators or special investigators, risk managers ensure impartiality and a definite purpose of identifying and reporting the facts of the loss.

Hiring an outside agency should be based on a due diligence process. Does the company have qualified staff to conduct such an investigation? Clearly define the budget, the expected parameters and the outcomes of the investigation: is it designed to identify the perpetrators? If so, is the company prepared to go through the judicial process? Are they trying to identify the factors that allowed the loss to occur? If so, are they developing additional programs and protocols to prevent further instances?

Vendors can assist with some of the external investigation tasks such as:

• employee interviews;

• witness interviews;

• vendor interviews;

• interviewing police officers and liaising with their investigation;

• employee background checks;

• scene documentation and preservation of evidence;

• recorded interviews;

• CCTV reviews;

• security reviews; and

• overall risk assessment.

The overall costs involved with detection and investigation can be effectively managed to produce a significant return on investment if the objectives are clear, the parameters for the investigation are understood and the results are communicated clearly in an unbiased and court-ready document. This emphasizes the requirement for risk managers to have clear protocols, procedures and objectives in place so that when a loss or incident does occur, the organization is already in a position to deal effectively with the situation and minimize its exposure, risk, damage to its reputation and loss of its financial and employee resources.

In summary, it is simply not enough to identify and assess the risk by implementing procedures to prevent an occurrence. There must be a clear and defined process in place in the event the unthinkable does occur. Prevention therefore should and must be conducted in concert with detection and investigation. You can’t afford not to.

