Safety In Numbers

East Coast Fraud & Risk Management Group


view:  full / summary

BACK TO THE FUTURE - How Software Enhances Risk Management

Posted on 19 November, 2021 at 13:35 Comments comments (0)

BACK TO THE FUTURE – How Software Enhances Risk Management

By Darrell Smith CFE, ARM, CIM, FCSI


In 1985 two accountants from Bedford, Nova Scotia developed the Bedford Accounting Software program. Later, Bedford was sold and became Simply Accounting and then Sage Accounting, as it is known today.

Before computerized accounting, transactions had to be entered manually into sixteen column journals. When you made a payment on an account using the double entry system, you credited cash and debited the account payable. This was very time consuming and required a lot of manpower to process the large number of transactions. Once all transactions were posted, the information was used to produce financial statements to assist in decision making.

What the software did was streamline the accounting process, making it less labor intensive. It gave management access to profit and loss statements daily and allowed individuals who were not trained in accounting to do the work with just training on the accounting software.

Having worked in accounting using sixteen column journals, I know I can speak for every accountant when I say there is no way they would want to go back to a manual system.

Just like the accounting process, risk management involves tracking a large number of transactions and assets, with the goal of producing reports for management that inform and enhance decision making.

This begs the question, why do organizations still use manual paper and file systems in their risk management departments?

Nowadays there are Risk Management Information Systems (RMIS) available, a risk management database for claims and incident management, insurance policy management, certificate and contract tracking, asset management (buildings, equipment, vehicles), crisis management, and more. An RMIS helps ensure you are compliant with various rules and regulations and provides access to powerful analytics and management reports. RMIS systems identify trends to help reduce the frequency and severity of losses.

Let’s take a look at just one area of a Risk Management Information System, claims management. According to the American Institute for Chartered Property Casualty Underwriters, the objectives of Claims Administration is to:

1. Enforce contractual obligations,

2. Gather claims data,

3. Reduce the frequency and severity of claims,

4. Estimate the amount of the claims,

5. Promote equitable compensation.


For the benefit of readers who do not work in claims, the most common claims include:

• burglary and theft,

• water and freezing damage,

• wind and hail,

• fire,

• slips and falls,

• customer injury,

• property damage,

• workers compensation claims.

Every claim involves a large volume of paperwork, including incident reports, statements, pictures, and other supporting documents that need to be recorded and shared with all relevant parties.

Consider the number of claims an organization may have in the run of a year. For example, a company with a fleet of vehicles, could have dozens or hundreds of first-party claims (involve organizations own property), or third-party claims (losses suffered by another party). The high volume of claims alone justifies the investment in a Risk Management Information System. Now, consider compliance by tracking vehicles, insurance, drivers, and maintenance and you can see the large volume of data that needs to be documented and monitored.

A Risk Management Information System not only provides a centralized hub for document management, but also powerful data analytics and reporting functionality. Automated data entry and workflows reduce the time spent on administrative tasks by up to 85%, and insights from management reports reduce the total cost of risk by up to 50%. The system is built on cloud-based infrastructure that ensures accessibility, data security and privacy, and the flexibility to integrate with third-party systems.

The purpose of the accounting system is to provide accurate, timely, reliable and cost-effective information to help management make informed business decisions. Shouldn’t this also be the objective of your risk management program?

In closing, I choose the title “Back to the Future” not in reference to the Michael J. Fox movie, but the actual meaning of Back to the Future.

Do not dwell on the past! The past has been written in ink, the future in pencil! Worries about what cannot be changed is unnecessary, focus on what you can control and try not to make the same mistakes.



East Coast Fraud & Risk Management Group is a business partner with ClearRisk of St. John’s Newfoundland, the company behind ClearRisk risk management software solutions.



Posted on 29 April, 2021 at 9:15 Comments comments (0)

Darrell Smith CFE, ARM, CIM, FCSI


There is an ongoing debate about whether an employee is an asset or a liability. Some say they are an asset because they add value, others say they are a liability because there is a cost to employing them through wages and benefits. Regardless of what position you take on this, there is one thing we all can agree on. Employees are essential for the businesses to function. So what happens when an employee’s actions or behaviours are contrary to the wellbeing of the company?

Fortunately, this is not an article to debate if an employee is an asset or liability. It is about identifying when an employee becomes a liability, the risk of that liability and what to do to manage that risk.


Before we look at when an employee becomes a liability, let’s go back to the beginning of when you hired them. Have you ever hired an employee that you wish you hadn’t? I have seen many employees hired by organizations that got the job because of a friend or family member working at the company, I have even seen an employee get hired over many other more qualified candidates because they were a great golfer. The company sponsored an annual golf tournament. When hiring new employees, you should be looking at answering three questions, 1. Can they do the job? 2. Will they do the job? 3. Will they fit into our organization? Qualifications and experience fall into these three questions and if you hire the most qualified person every time for the job. You have mitigated the risk of not only making a bad hire, but also reducing the risk of an unsuccessful candidate claiming discrimination and taking legal action. Conducting a through pre-employment screening check, will provide you with the information necessary to confirm your hire or look at the next most qualified candidate.


Because I write these articles mainly for small business and non-profits, I want to make sure that they have enough information on the whole recruitment, and selection process. As an example, some years ago I was brought in by a large national company to investigate two employees at different locations, who were suspected of theft. When we reviewed their employee file, the hiring supervisor, never checked prior work references for them as a matter of fact nothing was checked, they were just hired on the supervisors gut feeling. This company had very strict screening practices developed by their legal council, yet two locations were not following them. Turns out one of the employees was fired from his previous job because of theft. Make sure you do your due diligence on all new employee hires.


Ok so let’s get to why you clicked on this article. First of all what is the definition of a liability? According to Oxford English Dictionary “A liability is a state of being responsible for something especially by law” or “A person whose presence or behavior is likely to cause embarrassment or put one at a disadvantage.” Not only could the employee be a liability to your company, but your actions on how you deal with the wrongful behavior could also be a liability. As an example, accusing someone of theft without any evidence to back it up, can be a liability to the company. Another example would be to ignore a complaint about bullying or discrimination. Many general liability insurance policies do not cover employee law. So it is a good idea to ask yourself, can I be held liable in this employee law situation. Which is another reason to consult your legal counsel before taking action.


When does an employee go from being a Human Resources asset to a Human Resources liability? There are many reasons, they could become unproductive and their performance fall below other workers, they could also be violating company policies, become a liability by not following OH&S or environmental policies, disrupting the work place through harassment, discrimination or bullying. They could be stealing assets, committing fraud, using drugs or alcohol on the job or using company assets to post inappropriate comments on social media.

Of course not all of the above are cause for dismissal, if a good employee has suddenly become unproductive, there may be reasons for it such as physical or mental health issues or perhaps they are dealing with a traumatic event such as a divorce or the death of a family member. It is your responsibility as a small business owner or manager to identify the problem and take appropriate measures. However, some of these violations are clearly reasons for dismissal and need to be dealt with.


When you have information regarding an employee problem, you must determine the nature of the problem and decided action. As I have mentioned in a previous blog, evaluating Intelligence requires you to look at the source of the intelligence and the quality of the intelligence.


First thing is to ask why I think there is a problem?

Is it in the numbers, is productivity or sales down or is it because of another employee or customer made a complaint. How reliable is your information?


What type of violation or offense is it?

Is it a breach of Human Resources policies or procedures, is it a Code of Conduct breach. Is the behaviour a Criminal Code offense, such as theft, fraud, or assault? The type of violation is going to determine the seriousness of the complaint.


How does the violation or activity affect the company?

Does it affect employee morale, does it put an employee in danger, or will it hurt the reputation of the company? Is there a financial cost to the company?


Are people at risk of injury or physical harm?

This could be an Occupational Health and Safety issue, or it could be a physical threat or Workplace Violence.



Let’s be perfectly clear, this is not an article to provide you with Legal Advice. Its purpose is to give you guidance on identifying and analyzing potential employee problems. Every situation is unique and the only way to ensure you are taking the right course of action is to contact your legal advisor for advice. I understand that in this Covid 19 business environment that money is tight. But after you have identified the problem seek legal advice to ensure you are taking appropriate action. Finally make sure you follow the lawyer’s advice and don’t do something else.


Once you have determined that a potential violation exists, you need to act on it right away. Thinking in terms of the Who, What, Where, When Why, How and Action Taken. Will provide an investigation template to document your findings.


1. Who: Who are the victims, who are the witnesses, who is the subject of the complaint?

2. What: What is the offence,

3. Where did the offense occur? Location, department.

4. When did it occur? Time and Date.

5. Why did the offense occur? Reason for the offense being committed.

6. How did the offense occur? Lack of internal controls or something else.

7. Action Taken: After conducting your inquiry, are you referring it to a manager or the HR department for follow up and how will it be treated. Are you requesting outside help such as a Private Investigator, Lawyer, Police or another specialist.



Once you have conducted your initial fact finding and have determined that there is cause for concern. You then have to decide a course of action. Is there enough evidence or cause for concern that it requires immediate attention?

Two of the biggest mistakes I see when it comes to employers investigating complaints and violations is:


A. That the employer fails to act on the information immediately. This delay can increase the seriousness of the violation, causing it to escalate and create greater liability to the organization or increase its financial losses.

B. Owners and Managers fail to document the complaint and information gathered at the beginning and during the course of the investigation. This is critical for evidence purposes and to show you took action right away. Your personal notes may even be allowed as evidence in the court room, if you had to testify.


Some helpful Prevention Tips:


1. Have a code of conduct and ethics that lays out the expected behaviors of employees and the consequences for breaching those rules.

2. Have a Whistleblower Hotline so employees can report wrongdoing anonymously. Such as our

3. Pre-screen all employee before hiring.

4. When it comes to investigating complaints get evidence not explanations.

5. Don’t hesitate to get outside help if needed. Such as Lawyer or Private Investigator. Hiring a third party can ensure an unbiased investigation.

6. Only share the information with other managers on a need to now basis. This is not to only protect the investigation, (Loose Lips Sink Ships) but also to protect the employee’s privacy. If an employee is doing something wrong and they learn they are being investigated, it could escalate their behaviour putting people in danger or destroying evidence.

In closing, Covid 19 has changed the way we work, with more people working from home. But this will not change human behaviour, some employees will cross the line. Be vigilant and diligent, manage your assets and reduce your liabilities.




Posted on 5 March, 2021 at 9:55 Comments comments (0)


Darrell Smith CFE, ARM, CIM, FCSI


In November of 2019, we ran a digital ad “How to Prepare Your Business for the Coming Recession”. While a number of people who responded to the ad had genuine concerns, the interesting thing was a lot of business owners said that their business was doing the best ever and that their company was sound and the economy was great. Five months later everything has changed. It’s not that I had a crystal ball and knew things were going to get bad. There were signs that the economy was slowing down, with record low interest rates and record high corporate and consumer debt. I mention this to illustrate how quickly the business environment can change and the importance of strategic and risk management planning. Business need to have a strategic plan, with the flexibility to identify the risks it faces and to react accordingly.


A strategic plan establishes where your organization is going and how it will get there. It is essentially a blue print for your organizations success. It is developed by Senior Management and the Board of Directors. It consists of a Vision Statement; where is the company going, A Mission Statement; why does our organization exist, Strategy Statement; what will we do to get there and a Strategic Plan; how will we do it.


Strategic risk management is a process of identifying, analyzing and managing risks that could prevent your organization from achieving its strategic goals. It could be either internal or external risks and its goal is to protect shareholder value and is part of the Enterprise Risk Management (ERM) process. An example would be Project Failure, where new software is installed, only to have it become obsolete or not do what it was intended to do.


So let’s look specifically at the main strategic risks your company will face and can prepare for:


1. You Lose Customers: Customers have ever changing tastes, needs and preferences. Losing customers reduces sales and profits. Losing too many customers to quickly can result in the business shutting down. Staying connected with your customers and understanding their changing needs will help you prevent surprises. Working with them will help you understand their business and make you more valuable to them.


2. Your Brand Loses Its Customer Appeal: While many brands retain their customer appeal for ever (Think Coke) others lose the appeal over a period of time (Think Blackberry). Brand erosion occurs over time because of changing customers. Some reasons for brands losing their power are; poor or declining product or service quality and poor customer service. Brands can also become boring and uninteresting to the customer.


3. Your Big Project Fails: According to the PMI, more than 14% of all projects fail. With 37% of the reason for failure was a lack of clear vision and goals. A PWC study of over 10,640 projects found that only 2.5% of companies complete their projects 100% successfully. The rest either failed to meet their original target or missed their original budget or deadline. Think about the financial cost of time and materials that go into a failed project and the opportunity cost. Ask how is this project going to help us achieve our strategic goals? What are our chances of success? How can we increase those odds?



4. Your Company Sales Stop Growing: When sales stop growing, it affects cash flow and profits to the shareholders. You start losing key employees and may have to pass on other opportunities. How do you keep sales growing without creating more risk?


5. Your Business or Industry Becomes a No Profit Zone: Many industries are losing their ability to generate a profit such as retail or manufacturing. This can be because of increased competition or customer power that demands lower and lower prices. Is your industry heading this way? What opportunities are available to counteract the process?


6. An Unstoppable Competitor Enters Your Market: Think of an owner of a small town grocery store, where a Wal Mart opens up down the road. They have vast financial resources, purchasing power with suppliers, top notch Management Information Systems and a world renowned brand. How do you compete with them? You can and businesses have done it.


7. Your Industry Reaches a Fork in the Road: Technology, Customers, Economics, Regulatory or Political events can be the reason for having to choose between two possibilities. An example would be an armoured car company, assessing the fact that cash transactions will soon become obsolete. Do they move into other markets or focus on getting new customers. When an industry is transformed up to 80% of businesses fail to adapt and make the transition, (Think Blockbuster).



So as a business owner or manager, how do you assess your strategic risk? Start by identifying and quantifying your risks by going through each one of the seven types of Strategic Risks I outlined above. As an example using number 1. Ask yourself are you losing customers? What is our customer turnover ratio? Why are we losing customers? If you are increasing your customer base, then why? Track your work by putting it into a simple Strategic Risk Chart.

Risk Odds of Occurrence in% Impact in$ Action/Countermeasure % Complete

Lose 15% of 75% 30% of Sales Reduce Expenses by 10% 40%

Customer’s $300,000 Hire customer service staff

So now you have analyzed the seven strategic risks, next you need to take the top three to five risks with the highest impact on your business and develop your action plan to mitigate the risks.

Two of the goals of strategic risk management is to deflect the smaller day to day risks and to mitigate the larger risks you cannot avoid. There is a whole list of risk avoidance and risk management techniques that companies can use. Everything from reducing your fixed costs, have effective business intelligence systems to gather information that affects your customers and competitors, have early warning systems on customers’ needs and changing tastes and a whole list of other techniques.



Statistically, 20% of new businesses will close in the first year and 50% of business will have closed by their fifth year. So the odds of surviving your first year is 80% and your fifth year 50%. So from a Strategic Risk Management perspective Covid 19 has increased the odds of business failures. The Restaurant Association of Nova Scotia completed a study and said that 10% of restaurants in Nova Scotia closed this year so far and another 40% could close by March 2021.

Companies that are highly leveraged will not be able to service their debt, consumers will spend less because of higher unemployment. Yet some companies will survive and prosper and other companies will start up and beat the odds. Luck may play a part but eventually your luck runs out, that’s why you need to ensure that your Strategic Plan Is sound and you identify the risks that can get in your way.


I have simplified the process a little to make it easy to understand and to keep it short. I find the most effective way of doing a Strategic Risk Assessment is through a company workshop. I offer half day workshops on Strategic Risk Management to companies involving their executives and senior managers. They are fun to do and there is always a number of key takeaways that help the client right away.


Feel free to reach out to me if you have any questions about how to get started.



Posted on 5 March, 2021 at 9:50 Comments comments (0)


Darrell Smith CFE, ARM, CIM, FCSI

Most small businesses are run by one or two entrepreneurial owners, with most day to day business decisions being made by the owners and senior managers. The external stakeholders, do not have an active role in the decision making process.

The stakeholders are, shareholders, lenders including banks and family, employees, suppliers, contractors regulatory agencies, government, customers and the general public. Many decisions made by organizations have consequences beyond the organization itself. Therefor in decision making a small business must take into account how it affects all its stakeholders. This approach is called social responsibility.


When we look at the definition of Governance, I like Ray Dalio’s definition from the Bridgewater Group. “Governance is the process that checks and balances power to assure that the principles and interests of the community as a whole are always placed above the interests and power of any individual or faction.”


Compliance is the process of making sure your company and employees follow the laws, regulations, standards and ethical procedures that apply to your organization.


Compliance does not constitute risk management, however the risks of non-compliance is countless. An organizations social license to operate requires more than just following the laws and rules of their environment. Risk Management is an essential part of the program, because not knowing the risks faced by the organization and the cost of those risks, make a Compliance program less effective.

Implementing Compliance and Governance with Risk Management, provides for a better understanding of threats and opportunities.


So in a small business or start up, many decisions are made daily, including decisions that affect all stakeholders. So it is important to have a decision making process that incorporates having adequate information to make the decision and implement it.


Good Governance provides a structure to protect the interests of shareholders and stakeholders, because they are not actively involved in running the company.


The advantages of having a Governance, Risk Management and Compliance Program (GRC) is not just following regulatory and legal conditions, related to your business and industry. But developing a strategic plan to achieve your business objectives, ensuring that your business goals do not exceed your risk appetite, developing a culture of accountability and transparency and having a reporting structure that designates responsibilities for compliance issues to the most qualified persons.


To build a Compliance Program, the first thing you need to do is set up an independent board of directors. I know what you’re probably thinking, I’m a small business or start up barely able to pay my bills. How can I afford a Board of Directors? The great thing is that there are many experienced business people, accountants, lawyers or retired professionals that would be happy to serve on your board. Not only do they bring valuable experience to your company, but they also have business contacts. The key is to have an independent board of directors.


Once you have selected your Board and have called your first board meeting. The first order of business is to develop a strategic plan of what your goals and objectives are for the company and then communicate it to all employees.


My experience working with and sitting on a number of boards is that management has great vision and strategy for their organization. However they have not put it into writing, what their goals are and how they will achieve them. Don’t confuse a strategic plan with a business plan. A business plan lays out the financial, marketing and operational goals of your business, a strategic plan states what your goals are for the business and how you’re going to get there. A business plan is usually developed by the owner, their accountant and perhaps several key employees. The strategic plan is developed by the board of directors. A strategic plan is an essential part of your overall business plan. Not having a strategic plan is like hiking in the woods without a compass or a map. After a very short time hiking, you get disorientated and you cannot tell what direction you are going, where you are or how to get back on the trail. A strategic plan maps out your objectives and the activities needed to get you there and provides you with the checks and balances to keep you on track.


Develop a Code of Conduct and Ethics: Whether you have been in business for 20 years or you are the only person in your start-up. Having a code of conduct and ethics is essential. A code of conduct governs decision making and how its employees and management should behave. A code of ethics governs actions and have five key areas, Integrity, Objectivity, Professional Competence, Confidentiality and Professional Behaviour. Typically they would be two separate documents, but many organizations do combine them.

I am a big believer in all firms having a code of conduct and ethics, regardless of their size and how long they have been in business. I have worked for companies where problems were identified and after implementing a Code of Conduct, communicating it to all employees and having them sign off on it annually. Behaviours such as theft, harassment, discriminations, and unproductive employees were reduced significantly. As a start-up it gives you a guide to good decision making by following the companies values.


Document all Job Descriptions, Processes, Policies and Procedures: Everything should be included, such as HR policies, financial, marketing and operations. The employees doing these jobs should be part of this documentation process. They can add valuable input, because they are the ones doing the job. The advantages of having everything documented are; Sets a standard for quality control, everyone is following the same procedures. Makes it easy for new employees or new locations to understand and follow company procedures. Provides an audit trail, as part of a risk assessment review. Are company policies being followed? As the business grows it maintains a level of consistency, reducing liability and financial issues, makes change management a lot smoother.


Have an Employee Handbook: Including the company history, mission, vision and the company goals. Your core values and culture, employee benefits and all policies and procedures. You should also have an orientation session with each new employee, to go over the items in the handbook and give examples of actual occurrences of how the policies apply to them. This step is extremely important as it helps to shape your corporate culture.



Perform Regular Risk Assessments: Conducting regular risk assessments will help you identify risks to your organization that can have negative consequences. By identifying them early, you can develop a risk mitigation plan to manage the risk. Traditional risk management looks at property, liability, and net income and people risks. Conducting regular risk assessments will also allow you to identify potential opportunities. Ask yourself, what are the three greatest risks facing my company? Ask your managers what are the three greatest risks facing their department?


Review Internal Controls: Internal controls are the guardians of your business. They are the methods, rules, and procedures used to maintain the integrity of the financial and accounting information. For any size business, the financial information is critical to managing the business. Protecting that information from fraud and theft, is essential to not just managing the business but the survival of the business. In my experience as a Certified Fraud Examiner, the number one reason that the perpetrator was able to commit the fraud. Was the complete lack of, or a breakdown in internal controls. Keep in mind that individuals who steal and commit fraud, are spending a lot of time on how to do it and not to get caught. They are looking for weaknesses or a lapse in the controls.

So it is essential that you spend enough time reviewing and testing your internal controls.


Have a Reporting Mechanism: As I have written about before, I am a big believer in having an anonymous reporting hotline. Where your employees, customers and suppliers can report potential wrongdoing to your company. See our Blog: “Not Having A Whistle Blower Hotline Is Like Leaving The Doors Unlocked At Night.” Having a reporting mechanism will result in wrongdoing being reported sooner, saving you time and money. It also sends a message that the company is serious about promoting moral and ethical behaviour in the company.


As a small business or start-up, here are some of the common issues that I have seen. Paying Income, Sales or other taxes, making payroll remittances, use of government funds and grants, Occupational Health & Safety, product and service liability, legal liabilities including discrimination and harassment, regulatory issues unique to your own industry, Anti Money Laundering regulations, conflicts of interest, protecting confidential customer and employee information.


So let’s look at the reasons why small businesses and start-ups need a compliance and governance program.


1. Having a CRG program provides the information necessary for management to make good business decisions and to be better leaders.

2. Better mechanisms in place to monitor and manage risk and identify potential opportunities.

3. Stakeholders will have more confidence in the owner and the business, by knowing that the business is being run in a responsible and ethical manner. If you’re looking for bank financing or to secure your first round in seed capital, and you have a GRC plan in place. This is going to probably work in your favor, compared to a company that does not.

4. It allows management to stay on track, because they have a plan to follow. If they lose their way the just go back to their strategic plan, values and mission statement.

5. It provides the framework for an organization to expand rapidly. By having a strategic plan, and all processes documented. If you open another branch or hire a lot of new employees, you have everything documented for them to follow. Allowing you to focus more on growth and less concern for compliance.

6. Reduced legal liability, by knowing what your greatest risks are and managing them.

7. Enhanced reputation in the business community, this is an advantage to getting customers, employees and financing.


I hate to use the old cliché, “they didn’t plan to fail they just failed to plan.” But when it comes to managing your small business or start-up effectively, growing sales and making a profit, you need to have a plan. Especially now with Covid 19 changing the way we work and do business.


While getting started may seem a little overwhelming, it’s not. Start with little steps, make a list of people you would like to have on your Board of Directors, review other companies Codes of Conduct, and think about what challenges and opportunities are ahead for your organization. The great thing with all of this is it doesn’t costs any money, unless you contract some of the work out. It just takes time, that will be well spent.



Posted on 5 March, 2021 at 9:45 Comments comments (0)


Darrell Smith CFE, ARM, CIM, FCSI

You wouldn’t finish your work day and then go home and leave the doors unlocked to your business. Of course you wouldn’t. Not only would the unlocked door create an enormous security risk, you probably wouldn’t sleep that well. So not having an employee reporting hotline is like leaving the doors unlocked and hoping that you’re lucky enough that no one comes by and finds it open. Because if they get inside your business it could be very costly.

Even with modern security technologies, your first and most important line of defense is your locked doors. Alarm systems, and Closed Circuit Television Systems are just part of your overall security program.

My point is that even with modern security technology there are shortcomings that do not identify what I will refer to as the “intangible” occurrences of a criminal, regulatory, and human resources nature. What I mean by intangible occurrences are activities that are not apparent in the day to day operations of the organization. Such as an employee claiming expenses that they are not entitled to, an employee being discriminated against, an employee dumping toxic waste into the sewer system or a buyer taking kickbacks from the supplier. These events would probably not show up on a security camera, however your employees and even sometimes your customers may have evidence of these violations.

Employees who work in the specific area may have knowledge of such incidents, either through direct or circumstantial evidence. Yet they may hesitate to report the incident because of fear of reprisal or not knowing how or to who to report it too.


Organizations that do not have a reporting mechanism, have higher dollar losses because it takes longer for the event to be discovered, run the risk of legal, regulatory and criminal actions, have lower employee morale and risk damaging their reputation.


So What Is A Whistle Blower Hotline?


A Whistle Blower Hotline is an anonymous means for employees to report wrongdoing, knowing the report will be taken seriously and investigated. It is not for employees to report disagreements between themselves and their bosses or fellow employees.

Some hotlines are to just report fraud or environmental issues, while others allow any kind of violation to be reported, such as Fraud, Theft, Discrimination, Harassment, Bullying, Corruption, Sexual Harassment and any other violation.

Reports can be made by telephone 24/7 or online.


Why Is a Hotline So Important?


Studies have shown that if employees do not have an anonymous means of reporting workplace violations, they will either not report the violation, quit, go to the media or go to the police. By not reporting it, this causes additional financial losses to the company, can result in legal or criminal charges, and can cause unrepairable harm to the reputation of the business.

According to the Association of Certified Fraud Examiners 2020 Report to the Nations; The Duration of a Fraud Scheme, has a direct bearing on the median loss an organization incurs. The median loss is $50,000 for a fraud that lasts for 6 months and $740,000 for a fraud that lasts 60 months. It’s clear that the longer a fraud goes undetected the higher the losses. While this is just for fraud, I’m certain that this would be the same for any other kind of a violation. Whether it’s a criminal, regulatory or human resources in nature.


What is the Value of the Information Received from a Hotline?


Considering that all of your employees have knowledge of your operations and can see, hear or have physical evidence of potential violations. Why wouldn’t you want to make every employee an intelligence operative for your company? If you have 100 employees, that’s one hundred sets of eyes and ears gathering information, looking out for the companies best interests.

In the intelligence community, when evaluating intelligence information. You look at the source of the information and the quality of the information. So it makes sense that an employee would be in a position to have knowledge of violations. Even your customers and subcontractors would be in a position to have important information.


So Why Do So Many Businesses Not Have A Hotline?


In my experience with our in house hotline, I have heard many reasons for not having one. We are too small, the unions don’t want us to have one, the bosses don’t want any more headaches or we have a reporting mechanism already. This is my favorite because, they think that having a policy where information is to be reported to their immediate supervisor will work. The problem with this is that the employee cannot remain anonymous, they fear repercussions from the individual they are reporting or their employer. The one thing that all organizations can rule out for not having a whistleblower hotline is cost. The cost can be as little as a dollar per employee per year, with usually a minimum subscription. So a small business with 100 employees would pay $1000 per year, for a hotline service. I have just quoted a price for our Workplace Violations Hotline, other hotline prices may vary.


As Part of a Compliance Program.


A whistleblower hotline forms the basis of a compliance program, along with a Code of Conduct and Ethics and the ability to investigate all complaints in a timely manner, the tracking of all complaints to determine trends and for additional follow up. So every business regardless of size or financial condition can have the three cornerstones of a Compliance Program. By having a Hotline it tells all your employees that you take all violations seriously, and by creating a culture of “it’s the right thing to do” by reporting wrongdoing in your organization.


So in this post Covid 19 environment, where revenues and profits are down and many employees are working from home. Implementing a hotline is not only a prudent move, but will provide an excellent Return on Investment and peace of mind.



Posted on 4 February, 2020 at 11:25 Comments comments (4)

Darrell Smith CFE, ARM, CIM, FCSI

It’s hard not to have noticed all the corporate executives and politicians who have been accused of expense account fraud. With executive salaries, do they do it because they have financial problems? Probably not, they could be living beyond their means, but a more reasonable explanation is greed. That they felt they were entitled to fudge their expenses and they could get away with it. They have justified it by thinking this is acceptable behaviour or rationalizing everybody is doing it so why not me.
It has been estimated that 21% of all fraud committed in organizations is expense account fraud, costing millions of dollars a year. Small businesses suffer greater losses mainly because they don’t have such elaborate expense tracking systems.
There are basically four types of expense account fraud;

1.       Mischaracterized Expense Reimbursement: This is when an employee uses a personal expense and claims it is business related. EG: Employee claims office supplies for a home business they have.
2.       Overstated Expense Reimbursement: The employee overstates the amount of an expense, such as taking a $10 cab fare and claiming $20.
3.       Fictitious Expenses: This is when they create a fake expense that does not exist and a fake expense form. An example is claiming a lunch with a client that did not occur.
4.       Multiple Reimbursements: This is when the employee submits the same expense several times. Such as an airline ticket, where they put it on their credit card and get reimbursed and then they submit the airline ticket for a second reimbursement.  
1.       Historical Comparisons: Compare employee’s expense reports for the last 3 years and compare it with other employee expense reports. It helps to see each employee’s expenses in a graph and then to graph all employees’ expenses combined.
If total company employee expenses have increased by 3% but one employees expenses have increased by 20%. That is something to look at and determine why.
2.       Detailed Review of Expense Reports: This is the most effective method where the employee’s expense account is audited, with all expenses being matched by receipts. Using the employee’s digital calendar and schedule allow cross reference between where they were, who they met with and what expenses were incurred.
Expenses Account Fraud Prevention:
1.       Have a company Expense Policy outlining what expenses can be reimbursed, what is required to get them reimbursed and what are the consequences of submitting fraudulent claims. The employee should then have to sign it and be given a copy. This could be part of the Code of Conduct or a separate policy.

2.       Ensure that only expenses with an attached receipt along with the explanation for that expense will be reimbursed. For entertainment an explanation of the receipt should include business purpose, and who the customer was. Also date and time when incurred, the place and the amount. This is a common theme I see in expense reimbursements. Where an employee submits an expense without the receipt and have an excuse for not having one. They get reimbursed and that sets the tone for submitting a similar expense without a receipt.

3. The person who approves the expense claims, give them the power and authority to question any expense even senior management and give them a clear chain of command to take the discrepancy to a higher authority. Encourage the employee and praise them when they detect a discrepancy.

4. Company Credit Cards issued to employees for expenses, the statement should go directly to the accounting department.

5. Conduct regular audits to ensure the company policy is being followed and to detect any discrepancies. The audits could be on a monthly or quarterly basis and any discrepancies should be brought directly to the employee who submitted the expense. For smaller organizations who do not necessarily have the time or expertise to do audits, it could be contracted out to an outside firm. Regardless the audits must be done.

Kilometers reimbursement is an area of abuse. The employee travels and total kilometers is actually 165, yet they submit 221. At $0.45 per kilometer, that’s an additional $25 the company has to pay out in fraudulent reimbursements. This can add up very quickly if you have numerous employees submitting expenses. An easy way to check is to just use Google Maps by entering the starting point and then choose destination and see how many kilometers it is.

I once audited a sales person at a Pharmaceutical company who had claimed over 90,000 kms in mileage, when we checked his vehicle, it had 22,000 kms on it. (The vehicle was company owned). This was over 68,000 kms at $0.45 per kilometer for over   $30,600 in fraudulent mileage claims. The employee was fired, because when we checked, not only was he submitting false expenses but he was also submitting false customer sales calls. Some clients had not seen him in over 2 years. 

6. Understand your corporate culture. In some organizations there is a culture of everybody is doing it, the company doesn’t mind. So why shouldn’t I do it? To manage this you have to have clear policies and procedures, educate the staff that this is wrong and is considered fraud, and how it affects the company’s bottom line. Also ensure management and executives are leading by example.

7. Have a whistle blower hotline to make it easy and anonymous for employees to report wrongdoing. Such as our
In summary, have an expense account policy, only reimburse expenses that have a legitimate receipt, with an explanation for the expense and make sure to conduct regular audits. You may not eliminate all expenses account fraud, but with proactive policies you will reduce the frequency and severity of losses.  


Posted on 24 October, 2016 at 10:20 Comments comments (5)

Darrell Smith CFE, ARM, CIM, FCSI

Whether you are in manufacturing, retail or a service industry. Your employees steal from you for all the same reasons. Criminologists state that three elements must be present in order for employee theft to occur,

1. Motive: Employees may have financial, gambling, substance abuse problems, or may just feel they are unappreciated or under paid at work.

2. Opportunity: The lack of security control systems and clear cut policies and procedures. Make it easier to steal from you.

3. Justification: Is simply the employee justifying his actions by saying I will put it back, it's not really stealing or they want me to take it.

Once all three elements are in place you have employee theft. The 10-10-80 rule states that;
- 10% of your employees will steal from you at each and every opportunity.
- 10% of your employees will never steal from you at any opportunity.
- 80% of your employees may or may not steal from you based on motive, opportunity, and justification.

As employers we have no control of an employee's motive or justification, but we can do something about opportunity. Being pro-active to prevent employee theft is more effective, and costs a lot less than being reactive. An effective employee theft prevention program should include the following preventative measures.

  • Conduct pre-employment screening checks to eliminate potential employees with motive and justification.
  • Have a clear and concise corporate code of conduct outlining what behaviour is expected of your employees, and what course of action will be taken in the event of a violation.
  • Have a Whistle blower Hotline to allow employees to report wrong doing anonymously. Studies have shown that  having a whistle blower hotline, will reduce the severity of losses by catching the theft sooner. Many whisltleblower hotlines; such as our own allow all types of workplace violations to be reported.
  • Communicate this code of conduct to all new and existing employees, suppliers and contractors. Have them sign off on it every year.
  • Be consistent with enforcing policies. Treat every violator the same.
  • For younger workers with less time on the job, have employee appreciation and recognition programs. Such as a $10.00 gift certificate to a coffee shop or movie theatre.

In conclusion a proactive approach to employee theft will be more cost effective, providing a greater Return on Investment.

SHOPLIFTING-What Retailers Can Do To Prevent Theft

Posted on 17 October, 2016 at 21:55 Comments comments (6)

Darrell Smith CFE, ARM, CIM, FCSI

Shoplifters- The National Retail Federation reports that one out of every ten shoppers attempts to shoplift. There are three categories of shoplifters:
1. The average amateur shoplifter who accounts for 75% of the arrests.
2. The full-time amateur shoplifter who accounts for 20% of the arrests.
3. The professional shoplifter who accounts for 5% of the arrests.

Common Characteristics of a shoplifter:
  • Often carries a bag or backpack into the store.
  • Appears nervous or startled when approached.
  • Constantly looks around.
  • Watches your actions more than anything else.
  • Bluntly refuses assistance from store personnel.
  • Is not concerned with the price, size or colour of selected merchandise.
  • Moves merchandise from one location to another.
  • Diverts employees' attention while others steal.
  • Carries own clothing to conceal store merchandise.
  • Wears clothes that are out of season, such as coats or sweatshirts when its hot outside.
The Amateur Shoplifter: The amateur usually prefers the busier times when the store is full, and customers and employees are occupied. Many amateurs prefer the seclusion of fitting rooms or corners of the store. The amateur's actions are not premeditated, but if an opportunity presents itself, the shopper succumbs to the temptation. This is called "impulse stealing". Since they don't know themselves that they may steal, neither will you and so this makes them difficult to catch.

The Full-time Amateur Shoplifter: These are the people that your employees say, "We know these people steal". These people have a prior history of shoplifting convictions, and account for 20% of those apprehended. They're typically a well-dresses young adult. The difference between these people and the everyday citizen shoplifter is the motive.

The Professional Shoplifter: These are the real "pro's" that make up a small 5% of those that are arrested for stealing. They steal for one reason only, and that's money. The professional likes to work when employees are least alert, and are early bird, lunchtime, shift change, or last minute shoppers. Most of these people work in pairs and are well dressed and, needless to say, well trained. They are also often habitual drug users who support their habit from shoplifting your merchandise.

Shoplifting Prevention Pointers:

  • Provide good customer service
  • Speak to the customer when they come in the door
  • Provide good cash register service, it should be fast and efficient
  • Teach employees to constantly look around and watch people wandering
  • Never turn your back on a customer
  • Pay special attention to display and layout of merchandise. High priced items near the cash register where employees can see them
  • Install security mirrors
  • Video cameras
  • Special locking display cases

The best thing you and your employees can do to prevent theft, is provide exceptional customer service to customers. When shoplifters enter your store, they want privacy. When you acknowledge them and continue to monitor them. They have lost their privacy and will go somewhere else where the staff is not as alert.

Managing Business Reputation Risk

Posted on 9 May, 2014 at 21:45 Comments comments (11)

Darrell Smith CFE, ARM, CIM, FCSI

East Coast Fraud & Risk Management Group -  

Most organizations don’t give much thought to their business reputation until something goes wrong. One of the reasons is that a business’s reputation is difficult to identify, analyze and put a value on. It is an intangible asset that does not show up on the balance sheet, except perhaps as Goodwill when one company buys another company. Your reputation is what brings customers to you, keeps your customers coming back, and why existing customers will refer friends and family to your business. Your business reputation is one of your greatest assets and if not managed it could be a liability or it could also mean missed opportunities.

According to the Insurance Institute of America, the definition of Reputation Risk is;

 “An intangible Asset that relates to an organization’s goals and values, results from behaviors and opinions of its stakeholders and grows over time. It is the comparison between stakeholder’s experiences and their expectations and is the pillar of the organization’s legitimacy or social license to operate. An organization maintains a good reputation when it meets or exceeds stakeholder expectations.


The first thing you must do is recognize the value of your reputation. Intangible assets in some organizations can represent 50% or more of a company’s total value. While there are several ways of valuing reputation risk, such as the Fair Market Value approach, which would assign a value if put on the market and the Cost Approach which is the amount the organization invested to acquire their reputation. Risk Managers prefer the Income Approach which puts a current value based on discounted cash flows, the reputation would earn in a given period of time. By recognizing the value of your reputation, it allows you to think of it as an asset. If damaged it can cause a loss of key stakeholders, but there is also an upside that you can take advantage of opportunities to add value to your reputation. As an example the tainted Tylenol crisis in 1982, had Johnson & Johnson develop tamper proof pill bottles that are now used globally.


You should identify your key stakeholders and rate them based on importance, because each stakeholder’s expectations may be different. I use a rating system with a base of 100 and assign each stakeholder points based on their importance. Stakeholders can be classified as external and internal. Internal could be management, employees, and Board Members, while external could be customers, suppliers, shareholders, and government regulators.      


Sources of risk to reputation can include the following;

1.      Deliver on Customer Promises: Is the company (non-profit or government entity) delivering high-quality, competitively priced goods and services?
2.      Regulatory and Legal Compliance: Is the company seen by its stakeholders and the public as law abiding and comply with all laws and regulations?
3.      Communication and Crisis Management: Does the company have an effective communications plan to manage stakeholder expectations? Are they transparent in their business dealings?
4.      Financial Performance and Long-Term Investment Value: Does the company have a steady record of financial performance and are they a good long-term investment?
5.       Corporate Governance and Leadership: Does senior management and the Board of Directors lead by example and set an appropriate tone at the top.
6.      Corporate Social Responsibility: Is the company considered by its stakeholders a good corporate citizen and does the company minimize the negative impact and maximize the positive impact of its activities on the environment and society as a whole?
7.      Workplace Talent and Culture: Does the company recruit high quality employees and treat them well? Does the corporate culture motivate employees to take pride in their work?


Identify, Analyze and Prioritize Reputation Risks: Identify the key drivers of risk by reviewing past incidents and future risks. Analyze those risks based on tangible losses or gains to reputation and put a priority on each one. As an example an investment firm that has numerous compliance issues with advisors recommending high risk investments, could result in loss of clients and assets, regulatory fines, a criminal investigation or class action lawsuit.

Develop and Implement a Risk Response: To implement a risk response to a specific reputation risk, it depends on the source of the risk, whether the risk is a threat or an opportunity, the risk appetite of the organization and whether the risk can be mitigated and the total cost of mitigating the risk (ROI).

Monitor the Results: After the risks have been identified, analyzed and prioritized and risk responses have been developed and implemented. The risks should be monitored by management for any changes in the risk frequency or severity and take appropriate action. The objective is early detection and immediate treatment.

To effectively manage your reputation, recognize reputation as an asset, that like any other asset there are risks that may affect it and there are also opportunities that allow you to improve your reputation. Many companies actually seek out risk to maximize profits and gain a competitive advantage over their competitors.

How to Use Corporate Culture to Prevent Fraud

Posted on 14 April, 2014 at 20:00 Comments comments (3)

How to Use Corporate Culture to Prevent Fraud   
Darrell Smith CFE, ARM, CIM, FCSI

Corporate Culture can be described as “The beliefs and values which are understood by employees.” Culture is like an invisible energy field that surrounds your organization and determines how people think, act and see the world around them.
Some facts about corporate culture include;
1. Culture determines the “way of life” for employees who often take its influence for granted.
2. Over time culture is fairly stable and resistant to quick changes. Once a culture is ingrained into the organization, it can resist change even with high employee turnover. 3. Culture involves both internal and external characteristics.
4. Employee’s know what the culture is and can describe its characteristics. You can measure, evaluate and perfect it.
5. Culture will develop in a random fashion, or you can manage it if a firm has incorporated it into their strategic plan that identifies specific properties and goals. 

So how can a company reduce fraud in their organization by managing corporate culture? By aligning the organizations goals with the socialization process. The socialization process is what passes an organization’s culture from one generation of employees to next.  

According to the definition of the socialization process is; the continuing process whereby an individual acquires a personal identity and learns the norms, values behaviors  and social skills appropriate to his or her social position.
The three stages of the socialization process are;  

1. Anticipatory Socialization and the Hiring Process: Begins when the employee simply considers working for a company and continues through the hiring process, where the interviewer will communicate the norms and values of the company and determine if the candidate is a good fit.  

2. Formal Socialization: Can be in the form of orientation and training programs for new employees and also through a mentoring process where values, skills and habits are communicated to the new hire.  

3.  Informal Socialization: Occur through many informal channels, through interaction with fellow employees and informal interactions with management. This is where the most effective and lasting socialization takes place. 

At the anticipatory and hiring stage, the first step is to communicate the company’s norms and values through the web site to potential and current employees, that your organization puts a high value on honesty and integrity. Then during the interview process, the interviewer will reinforce the values by making it part of the interview process by asking open ended questions and reinforcing the company values.  

The formal socialization stage is an excellent opportunity to begin the education process by making it part of the training program, through codes of conduct statements, and company policies and procedures. It is also very important to match the new hire with a mentor who will reinforce the company values in a positive reinforcing way. Use real examples of how real employees made contributions to preventing fraud.  I am a big believer in positive reinforcement and not using negative reinforcement, such as discussing how this employee was caught committing fraud. This sets a negative tone for the new hire.

  Finally the informal socialization process is where the employee will develop their values and ethics system by interacting with other employees and various levels of management. It is essential that management lead by example and follow the same rules as expected from the employees. Employees that are role models and set a good example should be given more exposure to the new employees.

  I have worked with clients who accepted that employee fraud and theft was part of their culture, and spent large amounts of money on security, CCTV, and audit programs, focused on catching and prosecuting the dishonest employee. This is really just dealing with the effect and not the cause. I have also worked with companies who tried to change the culture of fraud and theft, by managing the corporate culture. The return on investment is much higher.  

While every organization is unique, here are some helpful hints to get started;  

-  Survey your employees to understand their thoughts on fraud and theft in the           workplace.  

-  Develop a vision statement that reflects the vision of the company on fraud and  employee dishonesty. I had the privilege of doing some work for a contact center and the VP came into the class of new trainees and said I only ask two things of you; 1. Don’t use violence against each other 2. Don’t steal from the company or commit illegal acts against us. They have never had a workplace violence incident or fraud committed against them. Don’t underestimate the power of vision.  

-  Ensure senior management is on board and make sure they give a reason why the change is occurring.   

-  Establish a team to guide the change process. 

-  Set short-term wins, rather than one or two big goals. This will keep employees engaged and focused. Failing to meet a big goal or milestone will discourage employees and may mean the end of the program.  

We have discussed corporate culture and the role it plays in shaping employees thoughts and behaviors. We also discussed how the culture can be managed with the socialization process. To change your culture takes time and a lot of energy, however the end result is worth it.
At East Coast Fraud & Risk Management Group we have worked with many organizations and developed several employee surveys, you can use to survey your employees on corporate culture as it relates to fraud and employee dishonesty. Drop us a line if you would like a copy of one at