Decreasing ROI and Bottom Line – 7 Deadly Business Sins
The “F” word…Fraud. Have you ever stopped to think about the “F” word’s eerie correlation to the word apathy? Apathy: “A lack of interest in, coolness or indifference to” (Random House) fraud, fraud losses and fraud risk mitigation efforts.
Businesses in this country are losing money hand over fist due to fraud, computer intrusion (data breaches are at an all time high), the theft of data and personally identifiable information (PII). Yet, strangely enough, for many companies, fraud, risk and loss mitigation ideals are just “lip service.” Given the tidal wave of tsunami like criminal events we’re witnessing there really isn’t any other plausible explanation.
Quite honestly, for some organizations, saying that they care about preventing fraud, risk or data losses, prior to their occurrence, is solely an effort to appease shareholders, regulators and the public. Oh sure, when the “spin doctoring” starts post event, in an attempt to sway public sentiment, everyone’s a good corporate citizen and cares tremendously.
However, the reality is that pre-event there are businesses, and their executives, who don’t really care about fraud at all as revenue generation trumps operational costs. For these folks, being a good corporate citizen only starts post event.
In support of these comments, the 7 Deadly Business Sins explains how we’ve arrived at a place where there are executives in our country who are apathetic about fraud, risk and loss mitigation at the public’s expense.
Sin # 1: The “Just Good Enough” Attitude – We’re Compliant with Minimum Standards
In the business world, if you’re a merchant accepting credit cards, you must be PCI compliant (compliance with PCI Security Council standards). PCI compliance establishes much-needed minimum computer standards and best practices that businesses possessing covered information (Consumer PII) must maintain. Yet, if PCI compliance is the “minimum standard” required that’s all that many businesses will do.
These businesses could do more but why should they? The general rule seems to be that only a small percentage (10%), go beyond what’s required. The 10% rule holds true in other “life areas” as well. It seems that 10% of the people in a volunteer organization do 90% of the work and 10% of all fishermen catch 90% of the fish etc.
Applying that principle to business, when it comes to fraud/data/risk prevention, the majority of companies only do the minimum. Why? Because that’s what’s statutorily required of them. The 10% of businesses that go significantly beyond the minimum are less attractive targets to bad actors who will inevitably go elsewhere. This is the “low hanging fruit” concept.
Historically, criminals pursue the most obvious business targets because they can score quick hits and easy victories. These targets are very easily achievable, seldom challenging and require little effort. Criminals rarely attack heavily fortified targets. When was the last time you heard about a gold theft from Fort Knox? Frankly, it’s too much work and too high of a risk, with the significant possibility of getting nothing, ending up behind bars or death in a “hail of bullets.”
Businesses are no different. The businesses who do more than the minimum required are less attractive targets than the ones with the blinking neon “attack us” billboards outside because they’ve only done the minimum required.
Moral: Doing the “minimum required” is seldom good enough for most things and rarely good enough to prevent the kind of epic fraud and data incident losses we’re currently seeing today.
Sin # 2: Focus on Sales, not Operations
For profit companies are in business to make money. Sales people sell the company’s products and services because it’s their job. They get paid to sell, making commissions and bonuses for the products and services they sell. Do they need to do more than sell? No. What happens on the operational back-end is someone else’s job.
So, if business sold up front is riddled with fraud and just bad business, “that isn’t the sales persons problem” so we’re told.
Further, whenever we have corporate layoffs or reductions in work force, the first people laid off are more often than not, operational employees as they’re non revenue generating.
Moral: Not all business sold is good business.
Sin # 3: “Cost of Doing Business” Attitude
One of the biggest business sins is thinking of fraud and data loss as the “cost of doing business.” While fraud may very well be the cost of doing business, thinking of it in that framework is errant. When companies talk about fraud in that context what they are really saying is “we’ve resigned ourselves to the fact that fraud occurs and have identified an acceptable loss amount from it. As long as losses are contained at that amount, we’re still profitable.”
While that may be true, you’re really acknowledging that you’re fine with a percentage of fraud being committed against your business which is the wrong attitude to have from a business operations and fraud prevention standpoint. Studies generally show that the cost of doing business attitude translates to acceptability, fraud prevention ineffectiveness and board room indifference.
Let’s get real here for a minute. Preventing 100% of fraud isn’t possible as there’s always going to be some committed against your business if you have data, information or revenue that criminals want. However, that said, “zero tolerance” should be your goal and not the “we’ve factored fraud losses in at 6% of total revenue” attitude.
Moral: Businesses that calculate an acceptable fraud loss amount and then fail to take the steps to contain it at that amount will likely find that their “actual losses” are double or triple their predictions as criminals quickly learn where the “low hanging fruit” is.
Sin # 4: The “It Won’t Happen Here” Attitude – Ignorance
This one may not seem like much but it’s one of the more deadly business sins. Believing that you’re above attack or victimization, that you have nothing the bad guys want or are adequately protected (because of your size) and cannot be victimized is pure fallacy.
Businesses of all sizes, shapes and geographic locations are targeted for fraud, revenue and data thefts and the deployed defenses, or staffing capabilities, are completely irrelevant if you have something of value to someone else.
Moral: Sticking your “head in the sand” rarely achieves the kinds of anti-fraud results you’re looking for.
Sin # 5: Technological Ineptitude – Don’t Understand
In previous blogs, we’ve talked about the “technology solves everything mindset,” which is a dangerous precedence. Simply spending money and deploying anti-fraud technology, absent a holistic approach (people, processes and procedures), doesn’t necessarily prevent fraud yet this sentiment is pervasive in many businesses who mistakenly think otherwise.
Moral: Understanding the technology required for your business, purchasing the right technology, deploying it correctly, staffing it appropriately and creating policies and procedures around it is imperative.
Sin # 6: Fraud’s a “Pass Through” Cost – Dumping it On Your Customers.
“Pass through” losses are exactly what they sound like: large losses that are simply passed through to the consumer in the form of increased costs, rates, charges, or fees.
Companies who view fraud as a “pass through” cost are really indifferent to fraud losses as they are only incurred by the business in the short-term.
Losses that aren’t real to the business aren’t taken as seriously as those which directly affect profitability, ROI and the bottom line.
Moral: Thinking that you’ll always be able to pass fraud costs through to your customers is a dangerous operating model and an operational mistake. Customer’s will only tolerate a finite number of rate increases before they depart for the greener pastures of other businesses with more competitive rates.
Sin # 7: Costs – Hiring the Right People and Having the Right Framework
The “It Won’t Happen Here” attitude translates to other operational areas as well: staffing shortages, a lack of capital investment in an effective anti-fraud framework and technology tools.
Moral: A deficiency in one or the other of these areas is problematic but when a combination of them are present across the enterprise, the odds of being defrauded increase dramatically.
The Bottom Line
Some people are just better than others at individual activities. There are a lot of reasons why but some of the differentiators include: God-given talent, hard work, perseverance and practice.
Likewise, businesses are no different. Some companies are “head and shoulders” above their competition when it comes to fighting fraud and the 7 Deadly Business Sins addresses some of the common sins which often lead to failures on the fraud front.
Sins which impact no one but the individual who committed it are one thing. However, businesses don’t get a “do nothing pass” on any of these. We know that the types of business sins referenced here not only impact the business directly (profit, loss, ROI, operational effectiveness, shareholder return, lawsuits, negative PR etc.) but citizens around the globe who weren’t involved in the P&L of the business in any way, shape or form.
7 Deadly Business Sins… the kind of mistakes that often result in your company being featured on the front page of the Wall Street Journal. To prevent epic failure and the kind of lethal financial damage and negative publicity associated with these sins, the time to repent, and take action, is BEFORE you get clobbered, not AFTER.
Those are our insights…what are yours?