by Brian Davidson
CDH PCA is an IMA B2B Partner…
Kroll has released its 10th annual Global Fraud and Risk Report. The report is a sobering reminder that fraud, cyber, and security risks continue to grow and continue to negatively impact businesses and their employees and stakeholders around the world. In short, all categories of risk show increasing rates of occurrence and, with few exceptions, all types of incidents (e.g., misappropriation of assets, virus infestation, etc.) also show increasing rates of occurrence
In this article, I will focus on a few specific takeaways from the report and consider implications for manufacturing and distribution companies.
Data is valuable and needs to be handled with care. 2018 is the first time that physical theft is not the most frequently reported type of fraud. The most frequently reported type of fraud is information theft, loss, or attack.
The first question to be asked with regard to information is whether or not the business has evaluated the information used in the business and identified how such information is used and where it might be vulnerable. Manufacturing companies, for example, may have proprietary formulas that are used for purposes of production and both manufacturing and distribution companies would have confidential customer lists. Who has access to such information and how do employees with access use the information? What about vendors and suppliers? Is access appropriately restricted? Where is the information stored and retained? Do certain employees carry this confidential information on laptops when traveling for business? These are all examples of the types of questions that must be answered in order to develop an appropriate risk posture for the business with regard to a specific information asset.
When was the last time your business took a hard look at its information assets?
Cyber security is not possible without employee engagement. A staggering 51% of reported cyber incidents involved employees in some way – error, manipulation of controls, and employee malfeasance.
It should go without saying that employee engagement is critical to the success of any business. There are two key ways a business engages employees from a control perspective. The first is by establishing a sound overall control environment. This requires a connection between upper management and employees. Employees need to recognize that management takes risk seriously and that compliance with policies and procedures is expected and monitored. At the same time, management needs to demonstrate integrity in working with employees and communicate effectively the higher purpose of the business. The second way a business engages employees in internal control is by educating employees about risks affecting the company that relate to their job and responsibilities. Since most employees will require some level of computer and system access to perform their job requirements, employee training on cyber security and information protection is something that can bring benefits both to the company and to the employee.
When was the last time your business assessed the internal control environment or provided training to employees regarding cyber risk and employee best practices?
It is imperative to have an active response to risk. The Kroll report surveyed executives in twelve different countries or geographical regions around the world. Of the twelve countries / geographical regions, six reported internal audit as the primary means for discovery of fraud and six reported communication from a whistleblower as the primary means of discovery.
Proactive leadership in this area requires risk assessment, risk response, and continuous monitoring. Begin by creating an action plan for the business that addresses each of these elements and then follow through on the execution of the plan just as you do on your business or sales plan. Consider leveraging external resources as part of this process as external resources can bring fresh perspective and knowledge that is not available internally to your risk management efforts. Once the plan has been executed, review and assess and start again. This should be an annual process.
One challenge in this area that merits mention is that return on investment in risk management may not always be clear. Management, in its ongoing efforts to reduce costs and improve the bottom line, may be tempted to see risk management as an area for cutting costs. After all, there is no way to determine the fraud or cyber incidents that are prevented as a result of effective controls and ongoing monitoring and assign a dollar value to those events. The Kroll report should smash such ideas. If anything, the Kroll report reveals that risk is a constant and is dynamic, not static. The cost of risk management programs should be considered more as a cost of doing business rather than a discretionary cost that can be cut back when managing the bottom line requires such cuts.
To view the original article, click here.