When I hear the word “progress” used in a commercial context, I do sometimes wonder whether the giant leap forwards it refers to will actually represent progress at all in reality. Certainly, over the last decade, the drive towards compliance has led each corporate function, from Treasury and finance to audit and IT, to ‘make progress’ by defining precise standards and setting up professional bodies to oversee adherence to draconian rules. However, the creation of these bastions of functional best-practice might actually prove to be a counter-productive move, as they are seen as a welcome development by fraudsters keen to exploit any gaps. At UKFraud, we always set out to deal with as broad a spectrum of departments as possible and we always like to think that in general the UK is winning the fight against fraud. However, we were shocked to learn that the National Fraud Authority claims that, in the UK, fraud levels have risen significantly from £38bn in 2011 to £68bn in 2012. One of course wonders whether this meant that the NFA was better at identifying fraud, that the battle was being lost, or both. With this in mind, and reflecting a growing fraud industry clamour that organisations were increasingly at risk from more complex frauds, we set up an independent cross-functional SIG (Special Interest Group) to study whether the silo mentality could be a contributory cause of this significant jump. The SIG is composed of both fraud experts and executives from industries affected by fraud such as insurance, local government, banking and online retail.
Having studied a number of individual industry sectors over the last 6 months, they discovered that the situation, both in terms of enterprise and financial sector fraud, was more profound than they had first thought. Compliance, risk management, IT security, fraud prevention, treasury, finance and audit were all seeking to define their own particular silos and budgets but without taking note of how to communicate with the other silos in the organisation around them. Often this compartmentalisation of skills is the result of a desire to be more robust and professional, with each of these areas growing their own specific practitioner firewalls. However, ensuring ‘effective fraud prevention’, says the SIG, should depend heavily on ‘the formal re-integration of an eclectic mix of these skill sets’.
Amongst the SIG’s key findings were the following conclusions:
• The nature of corporate fraud (and indeed wider risks overall) has changed and is changing. It is no longer just the corrupt office manager or small ‘weights and measures’ issues with suppliers. Rather, it is now more often a highly sophisticated skill, usually involving cutting-edge information technology and managed by highly intelligent fraudsters. These are often international teams of professional criminals and IT hackers. The fraud techniques used against companies now range from scams targeting customers, data theft and compromise, through to supplier, procurement and major collusive internal frauds. Then there is also international internet based cybercrime fraud.
• Consequently, fraud is getting far more complicated to manage and requires an eclectic mix of skills that need to be integrated to deliver an effective deterrent. These include: compliance, IT, risk management, legal, fraud and audit skills.
• There are often ‘risk teams’ / operational risk people, corporate risk reduction people and so on that are simply new and additional silos. Often these newcomers add to the confusion for most of the other departments – especially as they often talk in a language of first / second / third ‘lines of defence’ that are introduced by important (AKA expensive) consultants, that simply create ‘a new silo’.
• As fraud may be perpetrated through customer processes, e-commerce, card payments, IT systems, bogus internal controls or the supply chain, the complexity of large organisational processes has started to grow faster as such disciplines move further apart.
• That the solution is to merge some of these skills into fraud prevention committees with expertise drawn from across the organisation as needed. This multi-skill approach means that it is crucial to have the CIO involved as much as it is the head of accounts, compliance manager or the company lawyer. The CEO should always be involved too and committed to the process. They should drive a corporate single point of contact through the organisation for operational/strategic fraud ownership, which will start to ‘bring things together’.
Malcolm Gardner, the CEO of fraud prevention consultancy Freevision Ltd., is a member of the SIG. He believes that the challenge of overcoming the silo mentality is extremely complex. In his view, “Organisations now have fraud people, compliance officers, risk advisors, IT security specialists, legal teams, treasury officials, financial managers, auditors and even private investigators involved. All of these skills are required to deliver a full and effective anti-fraud strategy; yet it is still comparatively rare that the fraud prevention strategies deployed will involve all these departments.
“The number of people, with different functional responsibilities, tasked with defending the organisation from fraud are tripping over each other because of this lack of integration and allowing the fraudsters to slip in through the gaps. We need to encourage the corporate mandarins running these silos to form new cross-fertilising enterprise-wide committees or units that can integrate these functional skills into a seamless and joined-up response.”
Whether it’s a financial scam or a pure IT security issue, fraud within large organisations seems to grow whenever business departments start to move into these silos. To me, the problem is growing ever more demanding too, as even the anti-risk / anti-fraud functions are growing out into the same types of silo. This is because the risks are now so huge that it is impossible for them to be managed in one place. Once the silos are firmly in place though, the whole thing slows right down to a crawl, whilst each silo works out how to talk to the next one. This process can then be even further aggravated as pernicious inter-company politics take over, and things start to drift.
Unfortunately, fraudsters and other criminals operate much more lithely, quickly and adeptly in changing their modus operandi. Companies therefore need to maintain an ‘act quickly’ approach to defeat them. This simply can’t be done when such diversification of departmental responsibilities exists. It really does need some ‘common sense’ to be applied to get everybody working together to counter it. By establishing the SIG we aim to redress this balance, by advocating that organisations take a holistic view to addressing the threat of fraud, and to gather support to fight harder together to oust some of these ‘silo supporting’ corporate tactics. Initial interest levels in the SIG’s findings are high; so hopefully the fight back starts here.
By Bill Trueman, CEO of UKFraud.co.uk (firstname.lastname@example.org) (www.ukfraud.co.uk)