Category Archives: Enterprise Risk Management

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated, financial institution that was defrauded over a long period of time by two different companies, both of which where its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of the relationship of risk among cooperating entities such as our CFE client companies between their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements feeding a database of who is where, vital to shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements, mitigate risk while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company to not only inadvertently misrepresent its vendor base but, even more importantly, increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represents enhanced internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because the organization is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stake holder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where client enterprise ignorance of the situation in the client’s own overall enterprise is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM base fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do rather than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. ln the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The enemy is out there syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long running frauds are revealed and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be used on issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Talking Through the Hindrances

That control self-assessment (CSA) can be used as an effective facilitation tool to develop fraud risk assessments is, I’m sure, of no surprise to many of the readers of this blog.  But, for those of you who are not so aware … typically, a control self-assessment session to identify fraud risk is a facilitated meeting of managerial and operational staff (the business process experts) coming together to openly discuss fraud risk prevention objectives related to identified risk factors associated with one or more of a company’s business processes.

Fraud prevention objectives for the business process are identified, as well as obstacles impeding the success of those objectives.  Finally, the team suggests, for upper management consideration, ways to overcome identified obstacles and a proposed corrective action plan is prepared.  At the start of the self-assessment session, the participants adopt a Team Operating Agreement to ensure that an open and honest discussion takes place in a threat free environment.  It takes a consensus of the participants to approve the operating agreement which all the participants in the session sign; no management decisions regarding actions to be taken are made during the session.

After the Operating Team Agreement is in place, team members typically develop and approve what they perceive to be a list of fraud prevention objectives for the target business process under discussion.  Once the anti-fraud objectives are defined, the participants enter a discussion (and develop a list) of what they feel to be the existing overall fraud prevention strengths of the subject process.  Next, the team discusses and develops a list of the hindrances currently preventing the process from achieving its anti-fraud related objectives.  Finally, the team develops recommendations for overcoming the identified hindrances.  Sometimes the team ranks its fraud reduction recommendations by order of importance but this step is not critical.

A CSA for fraud prevention is akin to a risk assessment brainstorming session.  For example, the scope of such a session regarding a financial reporting related business process might be tailored to the risks of financial statement fraud and misstatement as well as to the issue of management override of controls over financial statement reporting.  The objective of the CSA is for the team to identify and discuss fraud risks, fraud scenarios and mitigating controls followed by the preparation of a set of recommendations for referral to management.

For each risk factor identified the CSA team should:

–try to identify what would cause a fraud to occur, or detail the risk factor itself;
–determine the specific fraud risk;
–determine potential fraud schemes or scenarios associated with the risk;
–identify affected financial accounts;
–identify staff positions that could potentially be involved;
–try to assess the type, likelihood, significance and inherent risk involved;
–formulate the controls that could mitigate the risk;
–classify the controls by type (i.e., preventative, detective, entity, and process level);
–identify and assess residual risk.

Certified fraud examiners (CFE’s) have an active role to play in tailoring the CSA format for use in risk identification and mitigation as well as in performing actual facilitation of the CSA sessions.   Specifically, CFE’s can help client staff develop a more detailed, in-depth understanding of complex fraud risks that management and operational staff sometimes only vaguely perceive.  Armed with the knowledge developed during the CAE session(s) and coupled with their risk assessment and group facilitation skills, CFE’s can assist management and the audit committee of the client to identify, assess, and develop final fraud risk mitigation strategies to strengthen the fraud prevention program of the organization as a whole.  Following what are sometimes multiple CAE sessions, CFE’s can assist the team in detailing the menu of anti-fraud measures developed during the individual sessions in a report to client management embodying the anti-fraud recommendations of the CAE session members to the Executive Management Team and to the audit committee for their consideration.  It’s up to top management to decide which of the CSA team’s anti-fraud recommendations to implement and which of the team’s identified risks to accept.

Just a few of the advantages of conducting fraud prevention related CAE’s for critical client business processes include:

–building fraud risk awareness among those middle level managers charged with day-to- day management of our client companies business processes;
–mapping organization wide fraud prevention efforts to specific business processes;
–establishing links between information technology (IT) systems development projects and the broader fraud prevention program;
–identifying, documenting and integrating fraud prevention skill sets across all the business processes of the organization;
–support for the construction of a strong, management supported fraud prevention program that enjoys full management and board support company wide.

Finally, consider the advantages that the self assessment process brings to the ethical dimension of the utilizing enterprise.  The values that a corporation’s managers and directors wish to instill in order to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance.  Usually such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that the appropriate values are respected.

The code of conduct itself is a worthy subject for a series of separate control self assessment sessions composed of representative levels of company staff such as the management team, lower level management and the operating staff.  The results of these sessions can be analyzed and a final comprehensive report produced documenting the comments (and even suggested revisions) that CSA participants have made regarding the code during their respective sessions.  This exercise is, thus,  an excellent vehicle to build “ownership of the code” among the staff comprising all levels of the enterprise.

Fraud, ERM & Wells Fargo

wells-fargo_2Could a fully functional Enterprise Risk Management (ERM) program have prevented or otherwise somehow mitigated the Wells Fargo fraud?

As a concept Enterprise Risk Management (ERM) is almost four decades old now and has been repeatedly battle-tested in both private and public organizations around the world as a proven approach to addressing risk in organizations of all sizes by effectively and efficiently concentrating management’s attention on the areas of highest risk to the critical business processes of the enterprise. I don’t have to tell readers of this blog that today’s fiscal realities call for continual and increased efforts to both reduce costs and still deliver optimal customer service; both objectives have a direct impact on fraud prevention because they increase the pressure on management, especially financial and marketing management to meet ever higher sales and earnings performance standards.  The ongoing debacle at Wells Fargo is a case in point of such pressures out of control at seemingly every level of the organization.

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view “the circle of risk” and the concept has continued to evolve in the years since. In September 2004, COSO issued, Enterprise Risk Management—Integrated Framework, a method to systematically consider and manage risk across an enterprise. COSO’s premise is that value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. COSO’s bottom line is that ERM helps an entity get to where it wants to go and avoid pitfalls and surprises like what has overtaken Wells Fargo along the way.  The ultimate goal of ERM for fraud prevention is two-fold: remediate risks (especially the risk of fraud, waste and abuse) to acceptable levels, and eliminate unnecessary controls, processes and ideally, costs. Potential benefits, such as improved service delivery, increased control and cost savings are just some of those documented in the literature. At the heart of ERM is a holistic, integrated, future-focused and process- oriented approach that facilitates the management of risk across an enterprise as opposed to looking at it only within siloed organizational entities. The ERM process focuses on “the right things” and can identify processes and procedures that do not measure up to performance, cultural standards and cost-benefit ratios defined by the entity.

Fraud risk programs align well with ERM concepts. Fraud risk programs start with establishing the risk appetite of the enterprise and are governed by policies that articulate the goals and objectives, ethical conduct standards, roles and responsibilities, strategies and tactics of implementation specific to addressing fraud risk. As with other types of ERM programs, fraud programs include deterrence strategies, preventive internal controls, routine measurement of performance and results, as well as program accountability and transparency to stakeholders. Additionally, there is special emphasis on cyber fraud, given the reliance on information technology to carry out the mission of today’s typical organization. Partnerships between organizational and program management are strong, given the linkage between the programs and their associated fraud risks. ERM also strongly supports whistleblower programs, another area of increasing attention and stakeholder priority.

News reports tell us that those Wells Fargo employees who attempted to fill the whistleblower role at many points in the employee initiated fraud were first disciplined for their efforts and then terminated.

COSO’s ERM framework is premised on four underlying principles. How might each (and all collectively) have benefited Wells Fargo beforehand to avoid the present mess?

–Every entity exists to provide stakeholder value.
Sales goals that are all but impossible to meet and which force employees to sign up customers for services they neither ordered or needed provide no value to the customer, to the employees, to Wells Fargo stockholders or to the public at large.

–All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. This translates to making trade-offs in establishing the level of acceptable risk to assume.
By fostering a culture of corruption among its employees by firing them for not making unrealistic sales goals, it can be argued that Wells Fargo failed to accurately assess both its level of fraud risk and its appetite for such risk.

–Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Under the COSO model Wells Fargo failed to prioritize risks that might jeopardize its corporate mission, effectiveness and efficiency. It also appears that it lacked a mechanism to take prompt action to stop the basic employee fraud scenario from persisting and spreading to more and more employees.  Only after the fact did it halt its program of unrealistic employee sales goals.

–Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
The application of this principle features ongoing monitoring of the performance of the risk model.  Clearly, at the first signs of the fraud, Wells Fargo would have reassessed risk, set risk to the maximum and taken immediate steps to shut down the identified fraud scenario(s).

As a fraud examiner and auditor there are a number of questions I ask my corporate clients to ask themselves that are, in my opinion, critical to both identifying the risk involved with ERM generally and the business processes vulnerable to fraud specifically.

–What keeps you up at night?
–What do we not want to see on the news or in blogs?
–What are the expectations of stakeholders?
–What do we want to make sure happens and happens well?
–What problems have developed or emerged in other organizations that could be a problem in our company as well?
–What controls are now in place? What do we know about how they are working? What do we know about their cost and benefit?
–What level of control can we reasonably afford and how do we get the most bang for the buck?
–What changes have taken place in the company or external to the it that may have introduced new risks?

Would ERM have helped Wells Fargo?  I don’t know whether the bank presently has an ERM program or not but clearly the process as defined by COSO would have helped in providing a risk monitoring and immediate remediation mechanism to reassess risk in responding to the first whistleblower call alerting to the existence of the employee assisted fraud.  And there is no doubt that the forensic accounting and CFE community can play an important role in providing needed leadership and technical assistance to any organization implementing a dynamic, ERM supported, fraud response plan.  As the Wells Fargo experience and so many other instances suggest, the time has come to use the full potential of enterprise risk management as a tool to assist in the identification and rapid remediation of frauds before the costs to all stakeholders become unacceptably high.