5 Reasons Why Enterprise Risk Management Programs Tank!

Failing @ enterprise fraud risk management damages your brand

Managing Global Risk: Trillion Dollar Annual Losses Present Unique Mitigation Challenges

Managing Risk: One of the core components of enterprise fraud risk management programs involves understanding the size and scope of the problem. For starters, it’s important to note that fraud is an equal opportunity crime, which occurs in all industries, business sizes, and global locations. Financially, cross-industry, global fraud now causes trillions of dollars of losses annually.

It’s important to note that global loss figures don’t account for dollars spent on back-end, operational (programs, people or technology) costs. The complexity of the crime, and the speed at which the fraud landscape shifts, bring the magnitude of the problem quickly into focus.

Managing fraud risk involves holistic, multi-faceted, prevention, detection, analytic and investigation efforts, which are absolutely necessary for the war against fraud. However, failure on the battlefield takes many forms. This article features five reasons why enterprise fraud risk management programs tank.

# 1: Major Fraud Events Aren’t Included in Business Continuity and Disaster Recovery Plans

When it comes to managing risk, failing to plan for Major Fraud Events is planning to fail. That’s a very costly mistake!

Wait. What? If you don’t think Major Fraud Events (MFEs) qualify as disasters, think again. The reality is that MFEs have more impact on brand reputation than fires, floods, or other natural disasters. Yet, businesses plan for those types of incidents.

Therefore, if MFEs aren’t included in corporate BCPs and DRPs, one should seriously question why. It’s not a matter of “if” MFEs will occur but “when.” A comprehensive business plan to mitigate the damage done from financial disasters of this magnitude is required. Absent the right plan, let the good old fashioned, behind the corporate woodshed, financial ass whooping, commence.

# 2: Lessons Learned Policies are Lacking or Non-Existent

Failure to deploy your lessons learned team immediately post-event is like asking to be clobbered with a baseball bat – a 2nd time. It’s gonna hurt!

When businesses have been ripped off by one of the many global organized crime rings, or individual lone wolves, management might be surprised to learn that bad actors aren’t simply going to leave them alone. The reality is that once businesses have been victimized there’s a target on their back, which doesn’t go away any time soon.

Many sophisticated rings use the same techniques against victims a 2nd or 3rd time. It’s called “reloading.” Reloading occurs until victims prove that they’ve either mitigated a specific weakness or strengthened their security posture significantly, thus preventing criminals from succeeding.

This is where corporate lessons learned policies are invaluable. Once an MFE occurs, representatives from the appropriate business units (Think: Knights of the Roundtable) should immediately meet to review the event. The team’s goal isn’t to play the “blame game” but identify the issues, vulnerabilities, processes, people or control deficiencies, which contributed to the incident.  

Once causation has been identified the team transitions to managing risk. The first step is evaluating and prioritizing risks, followed by a discussion of potential risk fixes. Then, the team deploys the appropriate controls, people, processes, policies or technology to prevent future acts of this type. Education and increased awareness across the enterprise is a critical component of any post-event debriefing.

Absent an immediate, and robust, post-event, “lessons learned” debriefing, businesses are destined to make the same mistakes again. The failure to conduct root cause analysis and take immediate steps to mitigate present and future risks are costly.

# 3: Consulting the Fraud/Risk Departments After Launch

Never rely exclusively on the opinions of a team whose paychecks are tied to commissions.

Enterprise fraud risk should always be factored into operational plans before new products or services are released. Those assessments should come from fraud/risk management professionals. Opinions coming from the sales team come with a certain amount of bias. Salespeople “sell,” and any back end operational processes, risks or potential losses that potentially interfere with selling are diminished as unnecessary or inconsequential.

Meaning, sales teams are unlikely to paint a true picture of risky business activity, customer impact or revenue sailing out the back door because it rips money from their pockets. Unbiased, professional opinions are critical to business success.

Getting a “real” answer means making sure that employees who understand the nuances associated with fraud and risk are at the product development table early on. That is before products are released or new services introduced.

# 4: After the Fact Activity

Managing risk: running in the back of the pack is NOT where you want to be

Successful enterprise fraud risk management programs are defined by a “bias for action.” Analyze the corporate anti-fraud program to determine how heavily weighted it is toward reactive response.

Corporations are always reacting to some type of anomalous behavior, and there’s no way around that. Earning an “A” grade means the majority of fraud mitigation efforts (85-90%) should be dominated by proactive initiatives.

While nothing guarantees that MFEs won’t happen, one thing is certain. The failure to lead the race means always following your competitors and that definitely isn’t a winning formula.

# 5: Failure to Recognize That Fraud Programs Present Excellent PR Opportunities

Promoting fraud prevention, due diligence and robust controls enhances brand value to consumers and shareholders alike

When it comes to fraud, uninformed management fails to promote the good, conversely burying everything bad. These are missed opportunities as there’s value in robust, enterprise fraud risk management initiatives.

However, Mar-Comm departments that recognize the value in promoting the company’s anti-fraud efforts derive positive PR, and brand recognition, some of which include:

  • Anti-Fraud Deterrence, Mitigation, Prevention News
  • Brand Awareness
  • Consumer – Shareholder Confidence
  • Conveying Operational Trust
  • Core Company Competencies
  • Employee Expertise
  • Fiscal Responsibility
  • New Hire News
  • Operational Excellence

Managing Risk: The Bottom Line

Challenging times call for creative measures.
And there’s nothing more challenging than a trillion dollar, annual global loss epidemic which directly affects the bottom line.

Fram Oil Filters’ 1972 “you can pay me now or you can pay me later” ads resonated well with car owners. The implication being that performing less expensive maintenance today prevents more costly repairs tomorrow.

In addition, the “fix it now before it gets out of hand” analogy to enterprise fraud risk mitigation is undeniable. Think creatively. Analyze your anti-fraud efforts across the enterprise. Take steps to get out in front of nefarious activity now before costly, brand-damaging, and budget-busting business failures are featured in the Wall Street Journal later.

See our last article, The President’s Golf Game…And Other Deceptive Behavior @ fraudsolutions.com


Dan Draz is a fraud risk management consultant, keynote speaker, industry trainer and published author. Draz is an often-quoted fraud and investigations expert in industry, trade, online and news publications. Draz is the principal of Chicago-based Fraud Solutions, and consults with clients across industry verticals, providing enterprise fraud risk management consulting, GRC strategies and ethics assessments and training. He has a Masters in Economic Crime Management, is a Certified Fraud Examiner (CFE), a Fellow at the Governance and Accountability Institute and a 2018 “Top Thought Leader in Trust” recipient. He writes and records unique business and consumer multimedia public awareness material under the name of “Detective Dan.” For more information: info@fraudsolutions.co