Fraud the Unmanaged Risk - Module 4

Managing the risk

“If you want to prevent fraud you have to know what causes it”

So let me turn briefly now to talk about dealing with this risk and managing this risk. I said at the outset that I thought we collectively believe it to be an unmanaged risk. This is my second homily. If you want to prevent something, you better know what causes it because it’s work on those causal factors that will help you manage that risk.

Awareness

In order to manage risk, people have to be aware of its existence. There has to be the publicity. There has to be some reasonably valid way of communicating the incidence of this activity in our society. And I think above all there has to be objective valid measurement because as long as you don’t have objective measurement of the scale of the activity, it’s very, very easy for people to say “oh well, you know, it may be that big but it doesn’t apply in our case and those statistics are pretty poor.” When I tell you that 80% of Canadian respondents to an Ernst & Young survey said that they’d been a victim of fraud last year, you would say “yeah, OK, where’d you get the sample from? Well look at the people who... this is a biased sample.” Well you’re probably right it is. And so I can’t use it. I can’t use it to say, you’ve got to deal with this problem.

I tell you in measuring this problem I’m going to give you a very simple example of a case we ran into about four years ago of a marketing manager who walked, this was an audit client at my firm, who said look, and there is an issue there and you can talk about it in your ethics as to whether auditors should actually investigate fraud in their own audit clients. But in this case it was a fairly small level of activity that couldn’t have had a material impact on financial statements and if it had we probably would have stepped back from it, this is a guy cheating on his expense account. Somebody called and said look can we have a look at this because we think there is something funny going on here. We had a look at the guy’s expense accounts and you can see the signs of this stuff. You know, those tear off tabs at the bottom of restaurant bills have a little number on it saying like $135. That was in there. Those little yellow Visa statements with the names of the vendors cut off so you couldn’t see what it was the guy was buying. It was, you know, Efrim’s Massage Parlour but the name’s cut off. So you look at those things and you look at copies of credit card statements. You see photocopies of invoices and you say OK all of the warning signs are here. So we put out a, we did a sting with this fella. It appeared that he was going to some restaurant on a regular basis so I went down, saw the guy at the restaurant, said look you give me a call the minute this guy steps in your restaurant the next time and we will be around. And I explained to him on pain of death that he shouldn’t tell this guy which of course probably meant that he did but anyway. He called me. We went round. The fella had been there. He had just left. I wanted to know who he was with.
He was with another fella that also comes in here very often who the guy knew because sometimes he signs credit card slips as well and we identified that there were two people from the same company both having lunch together. OK. Have you got the bill? Yes. We’ve got the bill. We went back then, back home and said to the company, you call us when this guy puts his expense account in again, his expense report. So we go back. Right enough. Here is the date that he was out at this lunch. We have the bill. The bill is $48, now, actually it was more it was like $75 and it was like six martinis on this bill. And so we go back out and we look at the ... and here it is $138 for lunch with some marketing consultant or other. This fellow was a marketing manager. Well cut to the chase. We nailed this fellow. He was fired. We then came to this associate. He was nailed and he was fired and our client said, you know, I wonder what happens. It’s the question that goes through everybody’s mind is if this guy was doing this, what else could he have been up to? Is there anything else that we could be missing here? Well what else does he do? And again to get to the end of the story shortly, we found that he had been taking kickbacks from a marketing consulting firm that was actually running his sales promotional, you know, if you are a sales person you get points for making your targets and things. You redeem these points for trips to Hawaii or barbeques or whatever. People didn’t like the trips to Hawaii and the barbeques so it seemed because there was a whole bunch of gift certificates going through this account. I’ll tell you where the gift certificates were going. They were going into his pocket. We then sent a bill, and this is the point of this exercise, we sent a bill to our client. The client says “man that’s expensive.
What was this guy up to I mean hell, he wasn’t ...” I said “look he was stealing about $500 a week on average from you on these two things, cheating on his expenses and taking kickbacks.” “$500 what’s this $80,000 here.” And I said “well look, wait, wait, wait, wait. How old was this fellow? 40, 45? He was marketing manager. He had been in that position for probably six, seven, eight years. How old do people retire in your company?” “Sixty-five.” “That’s twenty, twenty-five years we’ve got going here. $500 a week. Arithmetic. That’s something like $600,000. OK let’s discount it at some nominal interest rate and say it’s $450 - $500,000. How much of your top line goes to your bottom line? Maybe $4 out of 100. How much do you have to sell to fund this guy’s activity over the next 25 years. It was 10 or $15,000,000. If you capitalize the value of the money that’s going out of the door, and it will continue, I can guarantee it will continue. This guy would have continued doing what he was doing as long as he was in the position, they kept the same sort of infrastructure, that there were routine but not sort of cataclysmic changes in personnel and he was lucky enough not to get promoted. So if he would have continued doing that we estimated the cost that this company would have to sell an additional 10 to $15,000,000 worth of stuff just to fund this one guy’s activity. So multiply that by every organization in Canada. And this is a very simple unsophisticated type of activity. It’s a lot of money.

Accountability – make someone own the risk

The next issue is making people accountable. You have to have somebody own this risk. You know when you do an investigation into this stolen stuff, 99 times out of 100 people will say somewhere towards the end after you got through the fear and uncertainty part, how do we stop this happening again. That’s the risk management question.

I used to wonder why is it that they say how do we stop it happening again. Again. Why do they say again? Why didn’t they say at the front end how do we stop it happening? Do you know why? Because there’s one thing that an investigation tends to do and that is it tends among other things, to identify who owns the risk. And it’s the guy, woman, the collective people who have the equity in the risk, they are the people who say how do we stop it happening again? If you can demonstrate to them beforehand that there is an accountability structure, that it is happening, you shouldn’t have to say how do we stop it happening again. We should be able to say from the beginning how do we stop it happening. Because you know that it is happening in your organization. So if you know this, if you are aware, if you can make people accountable, what do you actually do? There are only three things and I’m sure a lot of you will be familiar with this.

The predisposing factors

Three things that have to happen for fraud to occur:

  • People have to be motivated to do it. There has to be an incentive.
  • There has to be the opportunity to do it.
  • And you have to be able to rationalize that it’s OK.

If all of those three things are present, then you will have a fraud. You will not have a fraud if any one of them is not present. You know you can see how if you go back to how the Federal Government dealt with cigarette smuggling four or five years ago now, they reduced the tax differential so you couldn’t sort of arbitrage on a smuggling transaction anymore. It didn’t make any sense. They took away the incentive. No motivation, it doesn’t happen anymore. They don’t lose a lot of stuff from Fort Knox but you can’t afford to run your business like Fort Knox.

And rationalization is real interesting to me because this is the issue of ethics. How is it that people are able to say it’s OK to do this? What is it that enables them to say it’s OK to steal from Revenue Canada sorry CCRA but it’s not OK to steal from my friend at work. I wouldn’t reach into your pocket and take something out of your wallet but I would do it sort of like taking from Revenue Canada. Now the fact that I’m actually reaching into your pocket and taking a little fraction out of your wallet doesn’t seem to connect somehow. The reason is, I think, is the same reason I can’t steal from myself. That’s a contradiction in terms. I can’t steal easily from my children. Why? Because I have a very, very, close value alignment with my children. Do I have a close value alignment with CCRA? Who knows what they are? It’s much more easy to rationalize that it’s OK when there isn’t a clear alignment of value systems.

What influences then?

I once did a piece of work with a former Premier of Ontario. Bright guy who has now passed away. And we were looking at an issue relating to the proposed change of boundaries of municipalities in Ontario. And he asked me to come along to a meeting that he was having with some of the heads of some of these municipalities who were opposed to this notion. And he said to me, or he said to the people, look there are three levers you can pull here. You can pull an economic lever, say it doesn’t make sense in economic terms to do this because there is going to be a disadvantage. You can pull a legislative legal lever, say you’re not allowed to do it. Or you can pull a political lever which says people don’t want this.

I thought to myself man those are the same levers that we pull when we’re talking about how fraud works. We’re talking about the motivation which is an economic issue. We’re talking about the opportunity—the framework of regulation that makes this opportunity available. And we’re talking about rationalization—how people think it’s OK to do things.

His advice to this group of politicians was pull all three of these levers if you can. As it turned out, they weren’t all available. So they couldn’t and their initiative failed. But clearly, it just seemed really intuitive to me that if you have three levers that you can pull, pulling only one of them means that there are two more that you have missed. And the one that we tend to pull the most often is the lever of opportunity. We try to restrict opportunity. I see very little, very little initiative to deal with restricting people’s motivations by putting counterbalancing sanctions in place or just removing the incentive altogether. I see very little to do with rationalization.

Comprehensive risk management

So let’s look at what I think a comprehensive risk management plan looks like to deal with these three aspects.

Managing motivation

How do you manage motivation? How do you reduce people’s incentive? Well I talked about removing the tax on cigarettes. That’s one clear example. But in the business world, how do you do that? How do you make it less likely that people are going to have to resolve their problem by stealing from you? Which implies, of course, that they have a problem. And they do in fact because if they didn’t, there wouldn’t be any need to steal from you in the first place. Now the problem may be one of need. I mean people talk about greed being a factor. If somebody is sufficiently motivated by greed to want to steal from you then they need to do that and I don’t think the distinction between need and greed is frankly a relevant one. You can reduce incentives by helping people resolve a financial problem by other means. You can also balance the incentive by creating disincentives or sanctions that say fine, I can do this and it may solve my problem but man if I get caught that’s going to put me back in a hole as bad or worse than the one I was in before. I think we know an awful lot about controls. We know about prevent controls, we know about detect controls.

Managing opportunity

You know, when I started in public accounting way back in 1900 and frozen to death, people used to talk about auditing. They used to talk about the deterrent effect of auditing. Somewhere along the way I don’t know whether that just got lost or became unfashionable but people don’t seem to talk about that very much today at all and that’s probably because it’s not designed to deter. Deter what? You don’t deter people from making errors. You deter people from committing fraud and I think along the way people in our profession have tried very hard to manage people’s expectations away from this notion that auditing has anything to do with finding fraud. You know, when I was back years ago, that was not quite so politically incorrect.

This whole notion of deterrents I think is a very powerful one because you don’t just have to have the controls in place. People have to know that you have the controls in place. As a matter of fact, you don’t actually have to have the controls in place, all you have to do is create the belief that the controls are in place and it will work to deter the activity.

If I go to Efrim’s vault in his house where he keeps all his jewels... I’ll find it empty because somebody else went there before me. I will think well now here, Efrim, heck look at all this stuff. He won’t miss a little few handfuls of diamonds. But if I know I can walk in that door, I can put my hand in that box, I can put those diamonds in my pocket, but on the way out his Doberman is going to eat my knee caps well, I probably wouldn’t do it. There is a deterrent factor there. I think one of the greatest examples of deterrents is the nuclear threat. It has sort of managed to be there and hanging over all our heads for 50 to 60 years but somehow it hasn’t managed to go off yet. Keep our fingers crossed. The whole focus of that acting as a deterrent is that it had to be plausible and I think it’s the same thing here. People have to believe that a deterrent is a plausible deterrent that will catch them if they do what they shouldn’t do.

Managing the ability to rationalize

Let me look now at managing rationalization. What’s the CRO? It is the Chief Risk Officer. I really believe that people need to have accountability for the management of risk. I don’t think it’s something that should be dealt with by default as it generally is in my experience today. If you have somebody who is responsible for managing this risk, then you can have somebody who is responsible for administering a program to make it hard for people to rationalize that irregular behaviour is OK in your organization.

And you’ll do that by helping to bring value systems into alignment. That’s the value systems of the employee community compared to the value systems of the corporation. You will achieve goal congruence so that people are pulling in the same direction. It’s hard for me to steal from somebody that I really like. It’s a lot easier for me to steal from somebody I think is a jerk and there are a lot of employees who think a lot of their senior executives are jerks. And I can tell you that is not without justification in a lot of cases. But you are heading for a fall because those little people that you treated like dirt can really hurt you. That whole notion of value alignment and goal congruence I mean that doesn’t come from fraud risk management research, that comes from change management research and things of that sort. Those are the sorts of objectives that are put in place when people want to improve the productivity of an organization to get the organization working in sync to get all its constituent parts to work together. This is the nice thing about this is that you get a double whammy here. You not only get the reduction in the risk of somebody stealing from you because they can’t rationalize that it’s OK anymore but you also get an improvement in productivity.