F’d Up

6 Areas Where Businesses Get Catawampus

F'd Up! Mismanagement results in increased risk, brand damage and revenue loss
“When mismanagement results in brand damage and revenue loss – own it!”

Blueprints for business – risk mitigation success are as varied as the types of businesses themselves. Likewise, there’s more than one way for management teams to “body slam” both new and existing businesses into the ground. We’re examining some of the common ways organizations get it wrong, diagnosing ailments and writing prescriptions for the cure. Fortunately, with the right treatment plan, most business mistakes can be fixed before they have fatal brand or bottom line consequences.

Death by Meeting(s)

Risk -The failure to act quickly may be lethal
The failure to act quickly may be lethal

Dx: Severe Case of “Analysis Paralysis” –

WARNING:

Highly Contagious!

No one’s biased for action. There are a ton of meetings, yet nothing ever gets done. When the only decisions coming out of high-profile risk or fraud event discussions are the next four meeting dates, the criminals are going to win – every time!

Back in 2014, I wrote a piece in the Fraud Solutions Blog titled Forward Thinkers: Organized Crime where I stated that “organized crime rings are full of forward thinkers, perhaps even more so than most businesses.” I received a lot of flak for that blog, people said things like “I can’t believe you wrote that, Draz.”

But, whether you like the statement or not, the reality is it was true then and it’s still true today. Organized crime rings are constantly reinventing themselves, looking for the next big score. When businesses shut down one vulnerability, bad actors quickly adapt, improvise and overcome, moving on to another technique. They aren’t waiting around for the next scheduled meeting, not when obscene amounts of money are on the line.    

Prescription: Significantly shorten evaluation – decision – solution deployment time.

Non-Existent, Inadequate or Static Fraud or Risk Mitigation Initiatives

Dx: Afterthought-itis

Risk - Success or failure often depends on how proactive management is
Success or failure –
often depends on how proactive management is

Failing to plan is planning to fail. This applies to all types of businesses – old and new, large and small.

I recently looked at 20+ new business plan templates and surprisingly didn’t find one asking for a description of the entities risk management program.

The failure to assess risk in advance creates significant vulnerability, whether you’re a startup or an established enterprise. Think you have nothing that bad actors want? Think again!

Prescription: Buy a ticket now – board the ship – before it sails!

Risk – The Redheaded Stepchild

Risk - Is bigger really better? No, not really!
Is bigger really better? No, not really!

Dx: “What we have here is a failure to communicate” – Strother Martin (Cool Hand Luke, 1967)

Many people errantly assume that bigger businesses have it easier when it comes to risk mitigation. Their reasoning? Greater revenue + more employees + increased technology tools = fewer risk challenges.

I.e. Large businesses have more resources available to them, so they must have their risk, InfoSec, fraud prevention act together versus smaller organizations who don’t. That stands to reason but it isn’t necessarily the case.

Another challenge that organizations, of all sizes, have is that marketing and sales occur before risk evaluation. I.e. Risk is an afterthought. See Marketing Mayhem: Ready to Market but Not Market Ready

Solving these critical problems means that gaps must be identified between business and risk organizations. C-level execs must ensure that risk employees understand business needs. Conversely, the business side must understand risk. Ultimately, mitigating fraud losses is dependent on the collaboration of these two business units.

Everyone (not just risk teams), needs to think about risk…sales and marketing inclusive. With C-level execs now being held personally responsible (with the possibility of jail time), by the government for the actions (or inactions) of the corporation, the repercussions for getting it wrong have never been greater.

Prescription: Destroy silos – fostering open communication about business risk amongst all employees.

Everyone Wants Data Science Team

Dx: Wheel Recreation Rash

Risk - Data science doesn't solve all problems - strategic business alliances are key
Data science doesn’t solve all problems –
strategic business alliances are key

So, your business just created and staffed a data science team. There’s value in that but the truth is – “the juice isn’t always worth the squeeze.”

Fraud and financial crime have been around so long that the data’s already out there via shared repositories. So much can be leveraged that’s already been built that you don’t have to spend time, energy, and money on the creation of that hip, new data science team.

There’s always going to be analysis that organizations can do themselves. However, in lieu of reinventing the data science wheel, businesses have opportunities to strategically partner with other organizations in the space who already have the relevant data.

Prescription: Leverage services, leverage partners, leverage data and knowledge.

Successful in Spite of Themselves

Dx: “Always Done It” Syndrome

Risk - Because we've always done it that way isn 't really an answer
Because “we’ve always done it that way”
isn’t really an answer

We’ve all seen it – businesses that do very little to change policies and processes or invest in technology upgrades – deploy tools to empower employee performance. Their reasoning? “We’re making money – why should we?”

When asked why things are done in such a “backasswards” manner, the standard response is “it’s the way we’ve always done it.” Most outsiders wouldn’t consider those processes to be the right way, just the antiquated, “old fashioned” manner in which they’re done.

Nothing wrong with that – but when bad actors identify business vulnerabilities, profits suddenly go “poof.” With static policies, processes, technology, and lax or non-existent controls, it’s not a matter of “IF” they’ll lose money but “WHEN.”

Prescription: Create fluid and holistic fraud and risk prevention processes that adequately address the constantly changing global threat environment. Your business livelihood depends on it!

Defective Due Diligence

Dx: “Half the Story” Flu

Rsk - The employee you hire may not be the person you think they are
The employee you hire
may not be the person you think they are

It’s true that employers should never “blindly trust” their employees. Those that do usually end up on the short end of a very catastrophic, “brand busting,” financial loss situation as many businesses have unfortunately discovered.

However, the belief that some people have that online screening, in and of itself, constitutes a fully reliable background check, is a completely flawed notion.

Some of the reasons include the limitations and reliability of “big data,” a lack of centralized court & municipal repositories – which don’t cover the entire U.S. and restrictions in data coverage dates when information’s sold by the original source. 

To be more effective, background checking today should be much more than just keystrokes. It must involve new age searching and old school, on the street, detective work.

Remember, database information is only a lead. No information is considered “factual” until it’s been verified through multiple (3x), independent sources. And that’s what we teach new investigators who want to rely solely on data found on the net. 

Case history is littered with scenarios where someone’s been cleared in an online-only background check and hired, only to later determine that the individual had a criminal history that was unknown to the employer. 

Prescription: Implement a more robust online – in person background screening program or accept the fact that you have no clue whom you’ve hired.

From the Case Files

Terminate for stealing without criminal action? 
You pawned your problem off on someone else
Terminate for stealing without criminal action?
You pawned your problem off on someone else

Real Story: Question on a pre-employment background screening consent form: Have you ever been convicted of a felony? The candidate, who was later suspected of stealing money, answered “no.”

After the pre-employment background check turned up nothing, the employee was hired. It was later determined that he hadn’t, in fact, been convicted of a (one) felony – he’d been convicted of four felonies (and two misdemeanors).

Semantics aside, this IS NOT an isolated incident and happens all the time to employers around the country.

Another real story: An employee embezzles large sums of money. They get terminated upon discovery but the employer wants to avoid embarrassment and public humiliation so they opt not to have the individual arrested or prosecuted. I.e. no official record of the theft exists – anywhere.

The individual moves to another city and applies for a job in the same money handling capacity as the one they just stole from. They leave off addresses and employers which reflect having lived in other cities and answer “no” to the felony question.

The former employee gets hired in the new role because the background check fails to find addresses, employers or a criminal record in other jurisdictions for anyone to check. Now, the unknowing employer has a fox in their financial henhouse! Guess what happens next?!

See last week’s blog: Marketing Mayhem: Ready to Market – but Not Market Ready

About Dan Draz

Dan Draz is an enterprise fraud risk management consultant, keynote speaker, industry trainer and published author. Draz is an often-quoted fraud and investigations expert in industry, trade, online and news publications. Draz is the principal of Chicago-based Fraud Solutions. He consults with clients across industry verticals, providing enterprise fraud risk management consulting, anti-fraud strategies, fraud risk, GRC, and ethics (code of business conduct- employee hotline) assessments, fraud collateral (whitepapers, blogs, articles, newsletters, product/fact sheets, lead gen pieces, etc.) and fraud training. Draz has a Masters in Economic Crime Management, is a Certified Fraud Examiner (CFE), a Fellow at the Governance and Accountability Institute and a 2018 “Top Thought Leader in Trust” recipient. He writes and records unique business and consumer multimedia public awareness material under the name of “Detective Dan.” For more information: info@fraudsolutions.com.