Threat, Fraud and Risk Management – What does it Really Mean?
I. Risk Management –
The “definition” of Risk Management has been slowly but steadily compromised over the past two decades. Most people do not understand what it means and use the phrase improperly to describe other disciplines, which have themselves been slowly but inevitably converging into one discipline. The four (4) disciplines are:
- Threat Assessment
- Fraud Assessment
- Risk Assessment
- Security Assessment
There is NO question that these disciplines will reach a point where they fall under ONE name comprising these four categories, and let there be no illusion about it: the convergence will take place.
We now have companies and government agencies that use the C-Management designation of CSO, or Chief Security Officer. This title was originally associated with “physical security” only; however, the surfacing and overlapping of the other categories are now being integrated into what the CSO will ultimately be.
Consider data processing in its infancy: it was assigned under “Finance” and governed ultimately by the CFO. As it grew, it spread out like colonies under a country; as the technology became more powerful, and other departments and divisions became more “dependent” upon its capabilities and what it could supply, the age of the IT Division became a reality. It gained independence from Finance and was recognized as a C-Management division, governed ultimately by a C-Management executive.
The same will take place with the CSO. It is just a matter of time. Regardless, we will look at what comprises these disciplines and how we, RSI, deal with them, both from a strategic point of view and through our own methodologies/policies developed over three (3) decades and beyond:
Risk Management is a structured approach to managing uncertainty related to a threat: a sequence of human activities including risk assessment, development of strategies to manage it, and mitigation of risk using managerial resources.
The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.
Traditional risk management focuses on risks stemming from physical or legal causes (e.g. natural disasters or fires, accidents, ergonomics, death and lawsuits). Financial Risk Management (FRM), on the other hand, focuses on risks that can be managed using traded financial instruments.
It is also important to keep in mind the distinction between risk and uncertainty. Risk can be measured as impact x probability.
The Basel II framework breaks risks into market risk (price risk), credit risk and operational risk and also specifies methods for calculating capital requirements for each of these components.
Establish the Context
Establishing the context involves:
- Identification of risk in a selected discipline of interest
- Planning the remainder of the process/operation, in detail
- Mapping out the following:
- the social scope of threat, fraud and risk management
- the identity and objectives of shareholders
- the basis upon which threats, frauds and risks will be evaluated, as well as the constraints
- Defining a template for the activity and an agenda for identification
- Developing analysis of threats and risks involved in the process
- Mitigation of risks using available technological, human and organizational resources
- Form a Timeline of events, scheduling points, projected goals, etc.
Identification of Threat, Fraud and Risk Management
After establishing a detailed framework, the company will want to identify potential threats and risks as well as the “degree” of such threats and risks. Threats and risks address events that, when triggered, WILL cause problems. Therefore, threat and risk identification can start with the source of problems, or with the problem itself. You can also count on the fact that it WILL happen.
- Source Analysis – Threat, Fraud and Risk sources may be internal or external to the system that is the target of over-all risk management.
- Problem Analysis – Risks are related to identified threats: for example, the threat of losing money, the threat of abuse of private information, or the threat of accidents and casualties. The threats may exist with various entities, most importantly shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example:
Shareholders withdrawing during a project may endanger funding of the project; privacy information may be stolen by employees even within a closed network; an emergency stop of a passenger train could make all people on board immediate casualties; or a single laptop containing 200,000 credit card information records is left in the back seat of a taxi by an employee racing to catch a flight.
The chosen method of identifying threats and risks may depend on culture, religion, industry practice and compliance (especially when looking at the international forum). The identification methods are formed by templates or the development of templates for identifying sources, problems or events. Common threat and risk identification methods are:
- Objectives-based risk identification – Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
- Scenario-based risk identification – In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk – see Futures Studies for methodology used by Futurists.
- Taxonomy-based risk identification – The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
- Common-risk Checking – In several industries lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
- Risk Charting/Documenting – This method combines the above approaches by listing Resources at risk, Threats to those resources, Modifying Factors which may increase or decrease the risk, and Consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. On the other hand, one can start with the threats and examine which resources they would affect, or one can begin with the actual or potential impact(s) (e.g. direct effects, side-effects, media impact, and collateral consequences) and determine which combination of threats and resources would be involved for it/them to take place. A simple example of charting and establishing a basic company/agency matrix would be as follows:
- Catastrophic – Massive Level of Casualties and Deaths, or All Deaths
- Critical – High Level of Casualties and a Moderate Level of Deaths
- Marginal – Moderate Level of Casualties and a Low Level of Deaths
- Negligible – Minor Casualties and No Deaths
The probability of harm occurring might be categorized as:
However, it must be considered that “projected” low probabilities may not be reliable, especially where many variables exist for which little or no analysis is available.
As an example, in a high-risk environment, or one with serious exposures to threats, frauds and risks, such a sample “conservative” matrix could look like this:
The company or organization would then calculate what level of risk it can accept for different events. This is done by weighing the risk of an event occurring against the cost of implementing safeguards and the benefit gained from them.
Potential Threat and Risk Mitigation Methods
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Avoidance (isolate and eliminate)
- Reduction (isolate and control)
- Mitigation (use best, reasonable effort to provide the best damage control)
- Transference (outsource, insure or sub-contract)
- Retention (accept and budget)
The most effective use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization, agency or person(s) making the risk management decisions.
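The matrix and the cost-versus-benefit weighing described above, and the choice between reducing a risk and retaining it, can be made concrete in code. The following is an added example, not RSI's methodology or code: the four severity levels are the ones listed on this page, while the likelihood levels, the numeric weights, the rating thresholds, the "conservative" tightening of those thresholds for a high-exposure environment, and the sample risk register (built from the incidents the page uses as illustrations) are all constructed assumptions.

```python
"""Risk register scoring: impact x probability, a severity/likelihood matrix,
and a cost-benefit check that decides between Reduction and Retention.
Added example; names, weights and sample figures are constructed assumptions."""
from dataclasses import dataclass

# Severity categories exactly as listed on the page, weighted 1 (lowest) to 4.
SEVERITY = {"Negligible": 1, "Marginal": 2, "Critical": 3, "Catastrophic": 4}

# Likelihood categories: ASSUMED names and weights (the page leaves them unstated).
LIKELIHOOD = {"Improbable": 1, "Remote": 2, "Occasional": 3, "Probable": 4, "Frequent": 5}


@dataclass
class Risk:
    name: str
    severity: str
    likelihood: str
    loss_per_event: float       # estimated loss if the event occurs (constructed)
    annual_probability: float   # estimated probability of occurrence per year (constructed)


def risk_score(severity: str, likelihood: str) -> int:
    """Cell value of the matrix: severity weight x likelihood weight."""
    return SEVERITY[severity] * LIKELIHOOD[likelihood]


def risk_rating(score: int, conservative: bool = False) -> str:
    """Map a score to a band. The 'conservative' variant (for a high-exposure
    environment) lowers the thresholds so more cells of the matrix rate High."""
    high, medium = (8, 4) if conservative else (12, 6)
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def build_matrix(conservative: bool = False) -> dict:
    """Full matrix as {(severity, likelihood): rating}."""
    return {(s, l): risk_rating(risk_score(s, l), conservative)
            for s in SEVERITY for l in LIKELIHOOD}


def count_rating(matrix: dict, rating: str) -> int:
    return sum(1 for r in matrix.values() if r == rating)


def annual_loss_expectancy(risk: Risk) -> float:
    """Risk measured as impact x probability, per year."""
    return risk.loss_per_event * risk.annual_probability


def control_decision(risk: Risk, control_cost: float, residual_probability: float) -> dict:
    """Weigh the risk against the cost of a safeguard and the benefit it buys.
    If the expected loss avoided exceeds the control's cost, suggest Reduction;
    otherwise suggest Retention (accept and budget for the residual)."""
    before = annual_loss_expectancy(risk)
    after = risk.loss_per_event * residual_probability
    benefit = before - after
    strategy = "Reduction (isolate and control)" if benefit > control_cost \
        else "Retention (accept and budget)"
    return {"ale_before": before, "ale_after": after, "benefit": benefit,
            "control_cost": control_cost, "strategy": strategy}


def prioritise(risks: list) -> list:
    """Highest matrix score first; ties broken by annual loss expectancy."""
    return sorted(risks, key=lambda r: (-risk_score(r.severity, r.likelihood),
                                        -annual_loss_expectancy(r)))


# Constructed sample register mirroring the page's illustrative incidents.
SAMPLE_RISKS = [
    Risk("Laptop with card records left in taxi", "Critical", "Occasional", 2_000_000, 0.20),
    Risk("Insider theft of private data on closed network", "Critical", "Remote", 1_500_000, 0.05),
    Risk("Shareholder withdrawal mid-project", "Marginal", "Occasional", 500_000, 0.10),
    Risk("Passenger train emergency stop", "Catastrophic", "Improbable", 10_000_000, 0.001),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{risk_score(r.severity, r.likelihood):>3} {risk_rating(risk_score(r.severity, r.likelihood)):<7} "
              f"ALE={annual_loss_expectancy(r):>10,.0f}  {r.name}")
    # Assumed safeguard: full-disk encryption for the laptop case, cost 20,000/year,
    # leaving a 1% residual probability of a reportable loss.
    print(control_decision(SAMPLE_RISKS[0], 20_000, 0.01))
    print("High cells, normal vs conservative:",
          count_rating(build_matrix(), "High"), count_rating(build_matrix(True), "High"))
```

The two matrix variants show the point made on this page about high-exposure environments: with the same severity and likelihood categories, the conservative thresholds push more cells into the High band, so more events demand a documented decision rather than silent acceptance. The weights and thresholds are the part a real organisation would calibrate to its own loss history.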
Another source, from the US Department of Defense, Defense Acquisition University, calls these categories Avoid, Control, Accept, or Transfer (ACAT). This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.
Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the AFPFO and/or ATPTO plan and subsequent strategies, policies, systems and procedures.
In Enterprise Risk Management (ERM), a risk is defined as “a possible event or circumstance that can have negative influences on the enterprise in question”.
Its impact can be on the very existence, the resources (human and assets), the products and services, the vendors and suppliers, the investors or financial institutions that financially back or support the company/agency/institution, or the customers/clients of the enterprise, as well as external impacts on society, markets, or the environment.
In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, interest rate risk or Asset Liability Management (ALM), market risk, and operational risk.
In a broader sense, every credible risk can have a pre-formulated “proactive” plan to deal with its potential consequences (to ensure a “proactive contingency” if the risk becomes a true and real liability).
Risk Management is simply the practice of analytically selecting the most “cost effective” approaches for mitigating the effect(s) of a threat/risk/fraud realization to the organization.
Not all threats/frauds/risks can ever be fully avoided or mitigated, simply because of financial and practical limitations. Nor can they be avoided by modern technology, with counter-measures designed to foresee or anticipate such events. Therefore all organizations have to accept some level of direct/residual threats, frauds and risks.
Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of the recognized remaining risks. The necessity to have BCP in place arises because even highly improbable events will occur if given enough time or opportunity.
Risk management and BCP are often incorrectly viewed as rivals or overlapping practices. In fact, these methods are so closely bound together that separating them seems artificial; they function as one.
For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc.). Risk management also proposes applicable controls for the observed risks.
Thus, risk management addresses multiple areas that are vital for the BCP process. However, the BCP process goes “beyond” risk management’s pre-emptive proactive approach and moves on from the supposition that the disaster WILL TAKE PLACE at some point.
II. People Management, Particularly in a period of growth –
The theory and methodology that many consulting companies, government agencies and financial institutions embrace is the “100% utilization of personnel methodology”.
Without question, it does not work. It does not take into account “burn-out” caused by no variation in tasks (redundancy), and by lack of learning and applying new skills. It does not take into account administrative duties and responsibilities that are performed on a day-to-day basis. It does not take into account non-utilization duties, which include, but are not limited to, research and continuing education (which is mandatory with many agencies and businesses alike).
Education – Continuing Education (CE) is the “foundation” of the organization's success. It applies to “all” operations and in all forums, from government to private institutions, whether national or international. It is also the most overlooked, under-rated and least addressed focus of all.
It is treated as “a requirement that is more of a nuisance than an important, proactive benefit”. To most companies and agencies it is a matter of just meeting “minimum standards and compliance”.
Our approach incorporates components of historical client projects as worked examples: areas where weaknesses existed (and can be, or were, identified), as well as areas that are more intricate and multifaceted (e.g. in complexity and details, more variables, etc.). By concentrating on these areas, staff develop true “confidence” in, and respect for, the type of work to be performed, the regulations to be addressed and complied with, the safety standards to be followed, and so on.
Motivation – Allow staff to “intern” on projects where their skills are not yet developed enough (e.g. lack of practical experience), or to work “practice” assignments that expose them to new techniques, analysis methodologies, systems and procedures and develop their skills. This is a “realistic” challenge that allows mistakes to be made without any liability to the client.
Perform regular project and work reviews (both one-on-one and as a group), taking into critical account in a “group environment” that the issue is not “competition” but working “collectively” as a group, where the entire group receives the credit. This provides both stability and uniform “personnel quality control”, and identifies weaknesses and holes in the skills of specific members of the group, or of the group as a whole. Further, it tracks individual and group progress and serves as a “go/no-go” indicator of whether the staff is ready for more advanced projects and, eventually, for working with “real” clients.
Growth is represented by consistent successes which allow the acquisition of more projects, either from new sources or from established clients that refer potential clients to your company. The potential proposed projects can represent various skill/expertise background(s).
An analysis and final assessment is made to undertake new or additional work taking into account:
With the “present” existing staff level:
1. Is there enough time to allocate to work a new project?
2. Are the resources available?
3. Are the skill levels of the company’s employees, at a minimum, acceptable to be able to perform the required tasks and services?
4. Will it require more management, slowing the on-going training and project work timetable?
5. Will it require additional “skilled” personnel, and if so, at what level? Can it be fulfilled from in-house personnel, and will it require sub-contracting of any kind (including outsourcing)?
6. Will acquiring new personnel require the time of established personnel, diverted from any project or from the training requirements of other employees, potentially “retarding” performance levels in any manner?
7. In some cases, though a potential project may yield an excellent revenue return, could it potentially hamper, interfere with or damage one or more of the existing on-going projects by degrading operating structures already working successfully with other existing clients/client projects?
8. If new personnel are needed, the timetable for acquiring them (e.g. interviewing process, validation process, security clearance, etc.), and then their introduction into the company, their training and eventual integration into the team “successfully and transparently”, may require an extensive amount of time, and that assumes it will be successful.
Growth Factoring Analysis (GFA) uses a formula that allows you to make pro-active decisions when to acquire additional work and hiring growth needs, rather than attempting to “react” to expansion requirements that may/may not even be realistic or valid.
Reacting to expansion will always end up with one or more serious issues/problems, or total failure. Understand this type of failure is not only exceptionally costly, but can directly affect other personnel within the company.
Consistent, successful growth also has to address the inevitable loss of personnel (e.g. employee churn) as well.
Participation – Employees need to be able to play a more active, direct part in the “direction and business plan” of the institution/agency. We are not addressing this at the level of strategic planning and policies traditionally developed and agreed upon by partners and C-Management, but the ability to “understand” and “realize” clearly, from the beginning, the targets, goals and methodology of the business. If this is not practiced, the employees are nothing more than automatons working from project to project, which in turn creates the perfect conditions for employee and mid-management attrition.
Participation, in the majority of cases, invites both creativity and motivation. Additionally, it brings transparency to the employees' thinking process and a correct understanding of what the business operation is doing, what is required, where it is going, and what their role is now and in the future.
Not making this commitment to the employees will result in reduced growth or, worse yet, misunderstanding of directives, which will then be acted upon incorrectly. This can potentially result in serious consequences for the practice as well as for present and potential clients.
Middle Management – Middle management needs to be proactive not only in advancing their own work and management skills, but also those of their subordinates and peers. Middle management must maintain a symbiotic relationship between their subordinates, peers and those they report to.
Giving managers free rein over subordinates without guidance and education will guarantee dangerous and chaotic results. It also opens the door to employee churn, which would also be guaranteed to take place. Morale would be hampered, as would respect towards managers/management, ultimately affecting the projects the employees are working on, whether one-on-one or in a group.
Like the weather, you can always predict it “after the fact”. The same applies where problems and issues are usually identified after the fact, once damage internally (e.g. morale, respect, understanding, performance standards, compliance) and externally (e.g. missed deadlines, incomplete or unacceptable work) has taken place. When this happens, mitigation of the affected issues needs to be addressed immediately, compelling the use of more personnel.
“Techniques, methodology systems and procedures are critical to both define and consistently implement with staffing for consistent, controlled, regulated successful growth.”
Involvement (versus defined and restricted/capped knowledge, commonly referred to as “Need to Know” (“N2N”)) – N2N is toxic to new employees because they feel they are not fully accepted into the ranks of their company and their own position. Psychologically speaking, it is a slap in the face to most employees.
High-standards work practices and defined parameters (like team-working, multi-skilling, innovative selection methods and leadership training) will directly enhance business and performance capabilities.
Intern programs are established for juniors, accepted interns, trainees, veterans, and new junior employees. They should be integrated into the practice immediately, with a well-thought-out, defined and documented set of policies, systems and procedures, and training programs that are clearly defined.
It should include review specifications and guidelines for self-assessment as well as the person/manager that is responsible for the review of all new personnel as well as established personnel.
Having a well-thought-out plan with clearly-defined guidelines, goals and requirements will keep the new personnel on-line and clearly focused on their responsibilities and requirements. It also allows the establishment of goal setting.
III. Project Management (including how to ensure highest quality standards)
1. Have all staff (at the end of the week or on an assigned day) hold a formal meeting on all the projects (or as many as time will allow), allowing interaction, feedback, suggestions and understanding of events, problems, successes and failures. It is crucial that minutes or records of these meetings be kept, since they can be, and WILL be, paramount to the future success or failure of the training taking place.
2. Establish and implement a formalized Project Quality Control (PQC) system. This system is designed to work at EACH level of staffing, and is more than just a checklist (e.g. progress/status report or report card): it provides tiered assessment and analysis.
What are the benefits?:
- Increases the level of analysis skills
- Allows a one-on-one relationship with the employee at every level
- Reduces time wasted attempting to do it in “last minute” scheduling, batched, or on the last day of the work week. In turn, this reduces the typical scheduling problems that go unattended for long periods of time or fall between the cracks.
- Trains managers (and higher) how to review, identify and rate work issues and progress.
- C-Management and senior management's PQC maintains project integrity and allows rating of performance on a real-time basis, making employee reviews and critiques much more effective/productive
Project Integrity Reviews (PIR)
PIR would be critical, with the required meeting(s) kept short, concentrated and effective (reducing the unnecessary, redundant meetings that consume so much time and so many employee resources).
Breaking train of thought (TOT) is the worst liability to a company or agency when it comes to redundant scheduling reviews. We consider it “Business ADD” (Business Attention Deficit Disorder). It takes an employee on average 20-30 minutes to get back to focusing on their assigned tasks/project after being pulled from a project for an unnecessary, redundant meeting.
Reducing unnecessary meetings and having a clear agenda for the purpose of each planned meeting will allow employees to focus more on their own work assignments, resulting in:
- More concentrated quality work
- Better focus and attention
- Fewer issues overlooked due to interruptions
Perform Risk Assessment Reviews on a project’s progress –
- What are some of the issues that should be included in a Threat and Risk Assessment review on a project’s progress?:
- Have the dynamics or specifications of the project changed?
- Have the degree/requirement(s) of skill(s) or experience for the client project (or assignment) increased or decreased?
- Is the client project (or assignment) being properly managed (adequate personnel, properly trained, able to manage their workload without being overloaded or worked on a 100%-utilization basis, not getting lost, not losing focus)?
IV. Approach to Targeting –
Targeting of new clients?
If so, do it from the following perspective and considerations:
- First, do it from an educational point-of-view
- Cost savings
- Client loyalty (reduction of client migration in service oriented companies)
- AFPFO© and ATPTO© Assessment, Analysis, Recommendations and Implementation of
- PPA = (Preventative) + (Proactive) + (Aftermath)
- Looking at the big picture rather than “MICRO MANAGE”
V. Key Areas of Growth –
Define the geographic specifications, focuses and disciplines:
- Both National and International (Global)
- Business Sector
- Private Sector
- Commodities (e.g. Agriculture)
- Maritime Operations and Requirements
- Defense Contracting for Overseas Operations (e.g. Military)
- Government, Infrastructure
- Governmental Agencies
- Government, Local
- Multi-National or International Business Operations
- Vertical Market, including, but not limited to, Medical, Legal, Financial, Technology-based and the like
- Litigation Preparation and Support
The list is quite large and very broad, and can be expanded into many sub-groups, such as:
1. Established and recognized authority / expert witness in Fraud and corruption matters / projects / cases
2. Preventative / Current Happening (event) / Mitigation specialists
3. Educating companies and institutions
4. The LARGE projects, that require serious amounts of committed time and manpower
5. Developing “smaller” clients resulting in “repetitive” clients where there is a constant flow of receivables to count on
6. Compliance Auditing and Validation Services, from Finance, Investment and Banks, to Government Agencies on all levels
7. Business acquisitions and dispositions including mergers, distress turn-around(s), etc.
8. Lectures and Seminars development with specific focuses
9. “Leased or Embedded” Think Tank Operations (TTO) for clients
Strategic Planning – Formalized Marketing Plan (FMP) –
- Work with Senior Executive Management / Partner goals and objectives
Marketing Research and Development (MRD) –
True research, analysis, due-diligence and validation to be performed with all aspects of proposed marketing plans.
- Examining the liabilities and risks vs. results
- Proofing the planned marketing of what you propose
Interface between forensic technology work and broader investigations
- The premise of having a purely IT-driven forensic operation is invalid and will ultimately fail.
- Working such a team from an accounting point of view alone will fail.
- Working a purely manual operation will fail.
- It is a consolidation of an automated (IT) methodology and a manual methodology to form a “balanced” CORE foundation.
- Broader investigations can incorporate many skills and specialties that need to be defined in advance using BRE (Best Reasonable Effort)
Before there CAN be a successful interface, the investigation must be:
1. Environment Defined
2. Scope Identified
3. Objectives Defined and AGREED UPON
4. Client Objective clearly identified
And so on…
What RSI is driving at is what we call CASE DIAGNOSIS.
For a successful interface into ANY investigation or case, let alone broader venues, these questions must be answered FIRST.
How to interface –
With a documented methodology addressing the different facets required of the investigation and how the technology team can complement/enhance such a broader investigation.
With staffing that is “diversified” in areas (facets), allowing a bridge INTO broader, more complex investigations.
By also saying “NO” to projects that become too broad for the present staff to properly administer and perform. Learning to say no is a major PROACTIVE step to take when contemplating a project or service to be performed. If in doubt, say “NO”.
By finding common denominators between the Forensic Technology Work and the “proposed” broader investigation.
- Do they exist?
- Can the ones that don’t be developed rather than sub-contracted?
- Are they new areas we should consider developing because of their increasing demand?
VII. Vision for a successful Forensic Technology Team –
For RSI, over three (3) decades, we have researched, analyzed and designed a methodology whose policies, systems and procedures have resulted in a historically proven and highly successful analytical/R&D operation that is well respected nationally as well as internationally.
It is no secret what our success is comprised of. However, just “knowing” the areas of focus and the disciplines required does “not” assure the success we have earned and maintained to this date.
We have compiled the fundamental, key CORE components that are “mandatory” in order to provide the services RSI has been able to achieve, which we believe should be the standard “CORE” for each and every firm, agency or practice:
- Reputation, nationally
- Reputation, internationally
- Being able to work with local, state and federal government agencies and departments
- Being able to work with foreign agencies, ministries and governmental bodies
- Expansion into a cohesive, consolidated and mature division that has no true weak link
- To be a known, credible authority within prescribed industries and agencies nationally and globally
- To have a desired reputation within the legal and law enforcement forums and agencies internationally / globally
- To be chosen for projects (pursued) because of a zero-tolerance for just “satisfactory” work product and results – we demand better, or what we refer to as “Best Reasonable Results” (BRR)
- To make it one of the most desirable work environments around for employees and contract personnel
- To provide continuing education that is truly related to the disciplines of the employees and personnel on a regular, on-going basis
- To be able to adapt faster and more efficiently to the ever-changing frauds, threats and corruption methodologies
- To focus on what the REAL meaning of “Mitigation” means and exclusively focus on it from a “proactive” strategic point-of-view
- To be able to handle more sophisticated projects crossing international boundaries and borders
- To diversify beyond established specialties (disciplines) industry-wide, on a national and international basis
- To develop a powerful “think tank” system(s) for AFPFO and ATPTO strategic planning
- To develop training systems to be embedded into operations, opening the door to multiple solutions and methodologies and building long-term relationships with clients
- To have a ZERO-TOLERANCE for fraud, internally or externally, regardless of the level it is at
- To teach, not sell
- To have clients seek us out because of our reputation of “telling clients what they need to hear, not what they want to” is what is most important
VIII. RSI’s long-term vision:
RSI’s long-term vision is one based upon over three (3) decades of experience.
When it was developed, it was the result of seeing all the mistakes made by clients, by other companies and, of course, by us.
It was a matter of implementing a true self-assessment of reasonable goals not only for the C-Management and shareholders, but also for every, single one of the employees of the company.
It also had to take into account present clients and the clients that we would potentially wish to acquire in the future.
There are many aspects of long-term planning, especially where things can change in hours. The days of the five (5) year business plan are long gone; however, long-term planning can be performed in short-term blocks and still achieve long-term plans.
This is just a sample of our own long-term planning strategy/policy:
- To research, develop and implement strategic planning for the operation.
- To teach and develop an extremely cohesive staff
- Global recognition
- To be considered a major resource for law enforcement and government agencies, both Nationally and Internationally
- To raise the bar on the standards known presently and make the company, as a whole (from department to division – from basic management to C-Management)
- Using BRE to make RSI profitable financially
- Using BRE to make RSI an accepted standard with an unquestionable reputation, both nationally and internationally
- To direct and oversee operations from all facets of the operation
- To make RSI staffing eager for knowledge and self-improvement
- To teach and develop a methodology allowing the elimination of single-employee dependency
- To direct and train RSI interns to create an ever-growing pool of highly trained, experienced staffing that will allow the management and proper handling of increased client loads and projects
- To have RSI maintained in an advisory capacity to run/administer the formed think tank if such recommendations are accepted