Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

EMPLOYEES AND FRAUD RISKS: CNI’s Journey, Mistakes, and Lessons Learned

Kenny Ong, CNI Holdings Berhad

Upload: kenny-ong

Post on 20-Jan-2015

Page 1: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

EMPLOYEES AND FRAUD RISKS
CNI’s Journey, Mistakes, and Lessons Learned

Kenny Ong
CNI Holdings Berhad

Page 2: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Contents:

A. Case Study

B. Formula for Risk in CNI

C. Defining Risk Mitigation

D. Reducing Fraud risk Probabilities

E. Decreasing the Impact

F. Successful Risk Management programs

G. Researchable fraud areas

Page 3: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

This was what happened…

Fraud Case Studies:
• Lost Tickets
• Over claims
• Undercutting
• F/L-Leader pact
• Swiss cash

Page 4: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Intro and Background

Different Business, Different Frauds

Page 5: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Intro: CNI

1. 18 years old

2. Core Business: MLM

3. Others: Contract Manufacturing, Export/Trading, eCommerce

4. Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan

5. Staff force: ± 500

6. Distributors: 250,000

7. Products: Consumer Goods and Services

Page 7: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Intro: CNI

CNI’s Business Model background

[Diagram labels: Factory, CNIEDC, SP, Leaders, Customers]

Page 8: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

A. Risk Mitigation in CNI

No Business, No Risks.

Page 9: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

No Business, No Risks.

• Ironically, our success is the cause of risk
• More success, more money, more fraud
• Easiest way to reduce fraud is to reduce business
• Don’t laugh. This is what most FAC and HR people do, unintentionally

Page 10: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Fraud Risk Mitigation? (1/2)

We follow standard Fraud definitions:

What is Fraud?

1. Someone is Lying

2. Someone is Benefiting

Both Conditions must be met in order to be considered Fraud.

Page 11: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Fraud Risk Mitigation? (2/2)

We follow standard Fraud definitions:

Risk = Likelihood x Impact

Risk Mitigation =

↓ Likelihood, or

↓ Impact

Page 12: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Def: “Likelihood”

Likelihood | Definition
5. Very high | 99% likely to happen, has occurred within last 12 months
4. High | 75% likely to happen, has occurred within last 12 months
3. Medium | 50% likely to happen, has occurred within last 24 months
2. Low | 20% likely to happen, has occurred within last 5 years
1. Very Low | 5% likely to happen, hasn’t occurred within last 5 years

Page 13: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Def: “Impact”

Impact | Sub A | Sub B | Sub C | Sub C
5. Very Serious | >1.0M | >100K | >30K | >60K
4. Serious | 501K-1M | 51K-100K | 21K-30K | 41K-60K
3. Moderate | 101K-500K | 26K-50K | 11K-20K | 21K-40K
2. Minor | 11K-100K | 6K-25K | 3K-10K | 5K-20K
1. Insignificant | 0-10K | 0-5K | 0-2K | 0-4K

Page 14: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

CNI Risk Categories

Four Categories of Risk in CNI:
• Operational Risk
• Compliance Risk
• Financial Risk
• Strategic Risk

Page 15: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

How CNI Implemented Risk Management

1. Concept for BOD Approval (please refer to slides Risk and Crisis Management - CNI BOD presentation v3.ppt)

2. Implementation Plan (please refer to slides FRAMEWORK PRESENTATION.ppt)

Page 16: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Examples of CNI Risks and Calculations

• Please refer to Handouts

Page 17: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Examples of Fraud Mitigation Actions:

Fraud Risks

Page 18: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Where are the Fraud Risks?

Industry

Management

Staff

Frontline

Suppliers/Vendors

Retail Front

Page 19: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Industry Risks

• Get-Rich-Quick Schemes (Skim Cepat Kaya)
• Direct Selling myths
• Bad Hats
• Imposters
• Products on Shelves

These Fraud risks affect all Direct Selling organizations but cannot be controlled by us.

Only in joint efforts by drafting & pushing new regulations

Page 20: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Real Fraud, Real Risks

1. DC Fraud

2. Staff Fraud

3. Management Fraud

4. Distributor

5. DC Assistant

6. SP

7. Payroll

8. Undercutting

9. Purchasing

10. Credit Card

11. Ghost Staff

12. Ghost Distributor

13. Financial Reporting

14. Theft

15. F/L

16. eCommerce

17. Tickets

18. Share manipulation

Page 21: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

B. Reducing Fraud risk Probabilities

Prevent. Deter. Kill.

Page 22: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Fraud Root Causes

• Policy problem
• People problem
• Unavoidable problem

Page 23: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Risk Mitigation Strategies

Culture

Mitigation

Identified Fraud Risks

Structure

Resources

Leadership

Person

Page 24: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Alignment: Framework

• Org Structure
• Job Design – C.Fraud.O.
• Policies & procedures
• Governance, Internal Controls
• Management Systems, SOPs
• Central
• Special Task Force
• Internal Audit, Surprise Audit, Regular Audit (Surveillance)
• Levels of Authority, Power Balancing*

Structure

Page 25: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

*Power Balancing

1. Propose

2. Approve

3. Execute

4. Monitor

BOD Set 1 BOD Set 2

Approval/Verification

Page 26: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Alignment: Framework

• Tools
• ICT Systems
• Rules detection
• Whistle Blower
• PED
• Profiling/Assessment Tools
• Budget for Investigation, Litigation

Resources

Page 27: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Strategy: Framework

• PED
• Involuntary Role Modeling
• Personal accountability and Commitment
• 10 Ants Values
• Watch out: Current people promoted to Key Positions
• Promotional criteria

Leadership

Page 28: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Alignment: Framework

• New Employee Background checks
• Willingness to Punish
• Root Cause Analysis (Mager & Pipe)
• Rotation
• PED
• Fraud Detection & Analysis Competency
• High Risk Jobs
• IT breaches through Frontline

Person

Page 29: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

The Four Desperates

1. Desperate Competition

2. Desperate Consumer

3. Desperate Achievers

4. Desperate Changes

Page 30: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

• PED

Page 31: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Possible General Root Causes for Fraud

1. "Everyone does it."

2. "It was small potatoes."

3. "They had it coming." – the revenge syndrome

4. "I had it coming." – the equity syndrome

Page 32: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

GENERAL STRATEGIES AND POLICIES

• B1. Classification of Behaviors
– B1.1 Disrespectful Workplace Behavior
– B1.2 Progressive Discipline
– B1.3 Zero Tolerance

Page 33: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

GENERAL STRATEGIES AND POLICIES

• B2. Recruitment and Selection
• B3. Exit
• B4. Employee Assistance Program
• B5. Anonymous Hotline
• B6. Communication and Feedback
• B7. Training and Education
• B8. Formal Complaint and Grievance

Page 34: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

GENERAL STRATEGIES AND POLICIES

• B9 Leadership
– 1. Leaders act as role models whether consciously or unconsciously
– 2. Leaders determine the working environment

Page 35: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

GENERAL STRATEGIES AND POLICIES

• B9 Leadership
– 1. Educate
– 2. Involve
– 3. Teach
– 4. Eliminate

Page 36: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

SPECIFIC STRATEGIES AND POLICIES

• C1. Theft and Fraud – Root Causes
– Profile: 68.6% - no prior criminal record, Aged 26-40 years old, Annual income between RM15k-RM30k, 2-5 yrs of service
– Struggling financially or large purchases
  • difficult time in their lives
  • gets out of hand
– Merger and acquisition or reorganization activity.
  • ‘I don’t have a career here’ attitude.

Page 37: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

SPECIFIC STRATEGIES AND POLICIES

• C1. Theft and Fraud - Prevention
– Background checks
– Duties segregated
– Anonymous hotline
– Share the wealth
– Communicate successes
– Make a big noise when discovered
– Video surveillance equipment

Page 38: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

SPECIFIC STRATEGIES AND POLICIES

• C2. Violation of confidentiality or security of company information - Prevention
– a. ICT Security Policies*
– b. Ownership of Intellectual Property
– c. Inside Information and Trading of CNI shares

Page 39: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

*ICT Security and Fraud (1/3)

Biggest ICT risks to CNI

1. Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information

2. Backup - including Storage of critical and non-critical information and Disaster Recovery

3. Continuity – Availability of systems and information at a 24x7x365 standard

Page 40: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

*ICT Security and Fraud (2/3)

The following are threats faced by CNI from ‘inside’ the company:

• Current Employees,
• On-site Contractors,
• Former Employees,
• Vendors/Suppliers,
• Strategic Partners, and
• OEMs

Page 41: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

*ICT Security and Fraud (3/3)

1. Web browsing and Internet Access

2. Username and passwords

3. Instant Messaging

4. E-Mail

5. File access permissions

6. Backups

7. Crisis management, Disaster recovery and Business Continuity

8. Physical

9. PCs and laptops

10. Remote access

11. Servers, routers, and switches

12. Internet / external network

13. Wireless

14. PDA and cell phone

15. Documentation and change management

ICT Security, Backup, and Continuity Strategies 2005-2008:

Page 42: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

C. Decreasing the Impact

We failed. Now what?

Page 43: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Why Impact?

1. Escaped prevention
• Policy or Procedure
• Performance

2. Cannot reduce likelihood - unavoidable

Page 44: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Levels of Impact (Fraud)

• small impact
• BIG impact

Tangible
– Monetary Loss (>1,000,000) inc. capital, share price
– Locality

Intangible
– Reputation, Image
– Competitiveness
– Consumer confidence

Page 45: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

small Impact

1. Escaped prevention
– Policy or Procedure
– Performance

2. Cannot reduce likelihood - unavoidable

• CAR/PAR
• Mager & Pipe

• Study Trends
• PAR

Page 46: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Real Fraud, Real Risks

1. DC Fraud

2. Staff Fraud

3. Management Fraud

4. Distributor

5. DC Assistant

6. SP

7. Payroll

8. Undercutting

9. Purchasing

10. Credit Card

11. Ghost Staff

12. Ghost Distributor

13. Financial Reporting

14. Theft

15. F/L

16. eCommerce

17. Tickets

18. Share manipulation

Page 48: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Investigation: Principles

1. Preserve Evidence = documents, computers, laptops, voicemails, emails, phone logs, security camera tapes etc.

2. Focused on Facts

3. Avoid (or try to avoid) legal exposure e.g. defamation, unlawful dismissal etc.

4. Verdict/Punishment only after investigation is complete and results obtained

5. Precedence

6. Limit number of people

7. Involve Professionals/Third Party whenever possible

Page 49: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Investigation: Process

1. Case Tip Off

2. Investigating Office (I/O)

3. Internal Inquiry

4. Management Decision

5. Public Disclosure

6. CAR/PAR

Other labels in the diagram: External Legal, External P.I., Independent Panel

Page 50: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

BIG Impact

• Crisis Management Plan
• Crisis Communications Plan

Page 51: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Crisis Management Plan

Business Function Crisis:

Before (readiness for crisis)

During (sound crisis management)

After (profiting and learning)

Policy and Planning

Process Owner: [dept. accountable]

Communications

Logistics & Info Systems

Page 52: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Crisis Communication Plan

• Crisis Communication Team (to determine small or BIG for communications purposes)

• Crisis Media Plan
– Media Management
– Media Centre
– Crisis Spokesperson & Interview
– Press Release

Page 53: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

• No case study from CNI on Crisis Communications arising from Fraud

• Not yet happened (fingers crossed)

Page 54: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

D. Tracking and Reporting

Page 55: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

“Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit”

Norman Augustine

CEO & Chairman, Lockheed Martin

Page 56: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Tracking: Who? How?

1. Centralized monitoring: trends, patterns, flag unusual, symptoms

2. Regular reporting

3. BSC, KPI and PMS embedded

4. RWC – RMC

5. Industry comparison

6. IAD, MSD, RD, SDD

Page 57: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

E. New Fraud Risks

We need help.

Page 58: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

New Fraud Opportunities: CNI

Change in Business Model: Inexperienced
• eCommerce
• Partner Merchants
• Franchise
• Conventional retail
• M&A Targets

Page 59: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

eCommerce Frauds

Account Takeover

Pharming

Counterfeit Advances

Phishing

Application

Lost/Stolen Credit Cards

eCom Frauds?

Page 60: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Latest Fraud topics: General

1. Whistle Blowing compensation: tied to $$ amount of fraud exposed

2. New US law -> Not allowed to sue Accountants, Auditors, Lawyers. What implications?

3. Credit Crunch = Tighter Cash Flow = More desperate people = more Fraud?

4. Sub-prime crisis + Société Générale = Transparency, Disclosure, Relationship Transparency

Page 61: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Fraud: Research Options?

1. Profile of a Fraudster in Malaysia

2. New Fraud Risks in the 21st century business environment

3. Internet, eCommerce, and ICT related Fraud risks and prevention

4. Company Culture and its influence on Fraud Risks

5. HR practices that can decrease Fraud in a company

Page 62: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Risk Management: Research Options?

1. New Strategic Risks faced by businesses

2. Embedding Risk Management into Strategic Planning

3. New Risks in the 21st century business environment

4. Risk Management in Small and Medium sized companies in Malaysia

5. The role of Risk Management in Mergers & Acquisitions

Page 63: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

End Points

Page 64: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Dangers of Direct Incentives

1. lessen internal motivation
2. switch to mercenary mode
3. do something and do not do something else
4. easier for competitors to recruit
5. lessen teamwork & helpful culture
6. less and less impact for same value
7. mockery of base salary and employment contract
8. rebellion from non-incentivised staff
9. end up incentivising everyone for everything?
10. bribe and fraud culture

Page 65: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Mistakes and Lessons Learned

1. Price to Pay for Fraud/Risk Mitigation => Business Flexibility

2. Control vs. Growth

3. Rules vs. Humanity/Motivation

4. Not tackling the root cause i.e. Motive + Opportunity i.e. Humans

5. Focus on FAC vs. Sales/Marketing => who has control?

6. Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD

Page 66: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

In the end…

• Great Wall of China
– humans are the weakest link
– bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc;
– bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication

Page 67: Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture

Thank You.

soft copy of slides: www.totallyunrelatedrandomanddebatable.blogspot.com