Liseli Pennings, last year’s speaker for our Central Virginia Chapter’s training event, ‘Investigating on the Internet’, made the comment during her presentation that on-line investigative tools are outstanding for working unforeseen fraud events. When a potential fraud risk has been identified through routine risk assessment, what its effects would be can be discussed and hypothetically anticipated to some degree as part of the assessment. However, Liseli pointed out, when catastrophic fraud events occur without warning, seemingly out of the blue, and no mitigation has been discussed or is even immediately possible, the results can be devastating to our clients. When these types of sudden, unforeseen fraud events occur, rapid information gathering can be critical to a successful investigative outcome and that’s where skillful use of the internet comes in.
Liseli’s comment got me to thinking about a key question. Are these types of fraud events truly unforeseeable or are they caused by a failure to gather adequate information on the front end to anticipate them and their effects? Unanticipated fraud events and their effects typically are associated with financial factors. However, as we’ve often discussed on this blog, some of the most catastrophic events can be non-financial in nature, such as damage to reputation, which also can lead to financial losses. As part of their proactive risk assessment processes, fraud examiners can play a vital role in monitoring the client’s environment and providing valuable information to management to help identify and mitigate these types of risks. If an organization is not prepared for these types of sudden, catastrophic fraud events, the losses can sink the organization; only look at what happened to Martha Stewart Enterprises because of her trading scandal and to Target because of the overnight revelation of the hacking of its customer accounts as well as to a host of others.
Viewed narrowly in hindsight, there seems to have been little these companies could realistically have done on the front end to mitigate the effects of such unforeseen events. The only way to manage such events effectively is to convert them from unforeseen to foreseeable events with potential for catastrophic losses that can be mitigated through anticipation and preparation. Anticipating the potential for such events is critical, requiring information that is current, forward-looking, frequent, comprehensive, reliable, and diversified and available, to an ever-growing extent, to the CFE on the public internet. Systematic use of the internet to broaden the scope of fraud risk assessment is a trend only now firmly taking hold.
Fraud prevention and mitigation related decision-making takes place in the present and affects the present but, more importantly, it affects the future. Historic information is valuable for some decisions but, to be effective, the information gathered for most decisions must be current and updated continuously. In this respect, CFE’s and risk managers should consider the nature of the information source and the frequency with which it is updated. For example, printed encyclopedias become dated quickly. Web and mobile sources may be considered the most current, but, as Liseli pointed out last year, this is not always the case. The very abundance of internet related resources requires of those gathering on-line information that they exercise extra care in specifying how information is verified and how often as well as when and under what circumstances it is updated. To have comprehensive and diversified information, examiners must accept that some information they uncover won’t be completely reliable. Knowing that, they must have a methodology for evaluating the degree of reliability of each source, gathering corroborating and refuting information, and discerning the truth among the conflicting information.
When assessing the probability potential for unforeseen fraud events within the context of a client environment, CFE’s and loss prevention managers should avoid the tendency to plan and act based solely on past events and risks. Internet based scanning and assessment systems and processes ideally should be developed to anticipate the next wave of risks that might be carrying unforeseen events ever closer to the organization. It would be simple if dealing with one unforeseen fraud event eliminated all others but fraud examiners especially are aware of how often one fraud spawns another.
In casting a wider, on-line based, risk assessment net forward looking examiners might ask questions like:
–What is the next wave of technological, societal, industrial, and environmental changes that could affect my client organization, and what will be their implications for the organization?
–Have organizations that have a “bring-your-own-device” policy for cell phones, tablets, and other devices considered all the potential implications of such a policy, including privacy issues and the potential risk to proprietary information?
–What information on these devices is discoverable in legal cases?
–Are these sources included in the fraud assessment process?
–How quickly are events changing within the organization and its environment?
How do CFE’s sift through this deluge of information to glean what is relevant to the organization? What filters are available within the media in use? Which sources have features available that push the information to the user based on chosen criteria?
Some such sources are …
–Industry and trade organizations, especially including websites, magazines, newsletters, forums, and roundtables.
–News outlets such as print, Internet, and cable television.
–Think tanks and consultants.
–Governmental and quasi-governmental organizations.
–Personnel using cutting-edge technology.
Unforeseen financial related fraud events most often arise from a lack of information. To be effective, information gathering must expand beyond those sources that are most familiar to risk assessment professionals and to others like CFEs involved in risk management; the more diverse the sources, the more effective the information gathering. Gathering information from only neutral sources may seem on the surface to be the most effective strategy; but this can create a severe deficit of information. Information from sources in competition with or in opposition to the client organization should be included. This will include information from sources that have a different political stance, moral compass, or divergent viewpoint. Gathering information from governmental organizations should include a wide variety of domestic and international sources. Information gatherers must evaluate the political purpose behind the information, its slant, and the reliability of the information.
Unforeseen fraud events can be devastating to an organization, not just because they are catastrophic, but because they are unexpected and initially mysterious in nature. But like all events, if they can be better understood and anticipated, their effects can be managed and mitigated so they will not be as damaging to the organization. The use of as many information sources as possible, including those internet based, is key to assessing their risk and potential impact.