Fraud: Taking Strategic Risk Measures

Strategic measures against crime are a waste of time and money, some say. Nothing will stop the criminal who has decided to carry out a fraudulent scheme. Besides, as a risk manager, one only needs to list the number of employees, the type of operations and required coverage to get insurance protection for a reasonable premium, right? This may be the usual, but it is certainly not correct.

Another common myth: we carry very little cash, all payments are by cheque or wire transfer, we do not have company credit cards and we trust our employees – they have been with us for many years. Remember that those most trusted have the best chance of defrauding your company. As a CEO, CFO or risk manager, you should trust your staff, but do not act carelessly, and do not tempt them with inadequate controls. Employees at all levels within an operation commit fraud.

Crime surveys and proper controls can be done quite economically and have been known to uncover ongoing fraud schemes. Certainly, some operations should have millions of dollars of coverage, not the standard $100,000 to adequately protect them against long-term fraud.

The fraud formula

Employee fraud = opportunity + need/greed + property. Some excerpts from a Canadian work force fraud study done about a year ago show the extent of the problem:

25% of employees admit to either committing or having witnessed fraud;

34% reported a fraud;

80% say they have been defrauded;

50% of fraud was committed by staff with over 5 years seniority;

25% of fraudulent acts were ongoing for at least 10 years;

30% of fraud was committed by management; and

29% of all fraud losses are recovered while the recovery value is often higher than insurance carried.

Another survey found that employees committed over 80% of all money frauds, and the average fraudulent act is valued at about $1million. This number excludes associated and hidden costs to the company such as loss of resources and time diverted to investigation and implementation of remedial controls. Then there are the “human loss elements”, namely diminished trust in others, reduced morale, and staff stress from believing their associates no longer trust them.

Finding vulnerabilities

As a risk manager or corporate executive, what can you do to evaluate your exposure to employee fraud, and what risk controls measures should you be taking?

First identify and then evaluate all direct or indirectly related risk from operations. Identify all of your company’s operations. Conduct vulnerability surveys for risks associated with each operation. Look at all areas, inside and outside of the firm, from where assets can be converted. Check on your lawyers, consultants, agents, suppliers and contractors. Is there an employee benefit plan or family trust for which there should be protection too?

You have to think like a thief to understand the devices of the fraud artist. Overlook nothing. Who knows where a thief will strike? The most ingenious schemes are often the simplest. Keep asking, “what can be compromised?”.

To measure fidelity risks, think long term, say five to 10 years. Fraud artists generally take small amounts to disguise discovery of their work. Often, the fraud starts out being small “loans” to cover an error or to deal with a temporary financial problem. It is not until control of the situation is lost that the fraudulent cover-up takes on a different face.

Determine the highest value of money and securities on your premises. Consider petty cash, securities in safes on premises or at the bank that you own or for which you are legally responsible. Then, ask yourself what is the highest value of company assets, such as cash, that could be in transit at any point, namely conveyance to/from the bank, customers, etc.

Consider the exposure to fraud from the maximum authorised limit for company issued cards or those owned by employees and used in the firm’s business operations. What is the long-term exposure to “depositors’ forgery?”. Exposure is the likelihood that cheques, draft promissory notes, or similar orders to pay money, are fraudulently altered by someone other than an employee. With the ease of technology today, this threat is growing. Washed payees or amounts payable with the signatures and everything else left intact is not extraordinary. How much could you lose if there was an ongoing payroll scheme?

What are your foreign exchange or counterfeit currency exposures? What is the probability of an extortionist successfully holding your products, goods, premises, staff members? Can your firm survive a significant ransom payment? Furthermore, do not overlook computer and e-commerce exposures. Consider your electronic, facsimile and/or voice transfer, for potential virus and hacker exposure. Once again, the objective is to identify your loss potential.

Counter measures

Having identified your company’s exposures, the next step is to consider counter-measures. Such considerations would have to be seen against physical, moral and psychological implications. For existing controls, you must determine that they are functioning adequately, reviewed on timely basis and flexible enough to change and grow with your operations.

Fix the areas where the controls are non-existent or loose. If the “fix” cannot be immediate, take interim measures. Ask staff what controls, internal or otherwise, could be implemented to eliminate or reduce the risks identified. Do you trust your managers and long-term staff too much – when was the last time their functions were audited? In this respect, it is critical to implement dual controls, for instance, signatures on cheques and key documents. Separate duties, authorities, transactions, initiations and recording for crucial positions.

Randomly rotate certain tasks. Be strict about the use and changing of passwords. Check the backgrounds and references of all prospective employees, and instill fraud awareness within the firm – often co-workers are the first to notice changes in lifestyles or excessiveness when someone is living beyond their means. Is there undue delay in providing requested information in areas under investigation? Check into any excessive or sudden volume of corrections or adjustments in customers’ accounts. Insist on staff taking a minimum of two consecutive weeks vacation annually. Perpetrators fear detection when they are not about and will take work home to be on top of things. Generally it is when they are away that their schemes are exposed.

Do not overlook the warehouse, shipping/receiving, purchasing, sales staff, and material handlers/technicians. Question and verify expense accounts, and randomly audit amounts below the authority levels for discretionary accounts. Rotate team members, the internal individuals who deal with agents and other suppliers, and watch for evidence of kickbacks for fixed pricing and other collusion.

Cash measures

Common sense says to keep the location of valuables – money and securities – known to as few employees as possible. Also, the person making bank deposits should not be the person doing account reconciliations. Try to vary times and routes of messengers to avoid being predicable or establishing a pattern of behavior.

Check your bank statements regularly, at least within 30 days, otherwise your bank may not be held responsible for fraud. Watch out for cheques that are lost or not returned, they are likely the ones to have the payee or amount payable “washed”.

Accept only currencies with which you are familiar, preferring North American. Remind staff to check their credit card accounts within 30 days of receipt of the statement for transactions that they did not make. Attendants can double swipe the card at the time of transaction to pay for another purchase.

Insurance alternatives

Decide how to treat the ongoing (primary or contingent) risk either through self-insurance via deductible, retention, pool, reciprocal/captive, or through buying insurance – primary and/or excess. Crime insurance is fairly inexpensive, and is probably the most cost-effective treatment currently avail
able. Take the premium credit for a higher deductible and buy higher limits or broader coverage.

To choose the limits to purchase, go back to the value you had established when the risk was measured, then subtract the value of the risks you have sufficiently eliminated or controlled. When unsure, err on the high side, and make the amount identified the minimum limit purchased.

Do you understand the coverage you have bought? Do not rely on highlight sheets put out by insurers as marketing tools. They are designed for expedient reference. Read the contract wording as the scope of coverage may be significantly different to what you had thought.