MANAGING THE RISK OF FRAUD IN OUTSOURCED PAYROLL SYSTEMS

By Darrell Smith CFE, ARM, CIM, FCSI

Recently we completed a fraud investigation involving an employee who did the payroll for a small business. Their new accountant discovered that there were twelve expense claims made by the employee without any justification for them or supporting documentation. It turns out the employee managed to defraud their employer of $170,000.00 in fraudulent expense claims, additional salary and overtime they were not entitled to, using the outsourced payroll system.

Many companies choose to use an outsourced payroll system to process their payroll and for good reason. Outsourcing payroll is very cost effective and efficient. You go to your account and enter your employee’s payroll information; the payroll is processed, and the funds are deposited into the employee’s bank account. They provide pay stubs and year end tax T4’s, do records of employment, there is only one withdrawal made from the company bank account and they provide all the journal entries for the accountant to process. I have used an outsourced payroll company for years and highly recommend them.

However just like any payroll system whether it’s inhouse or outsourced there is a risk of fraud when a motivated employee decides to use the payroll system as their own personal ATM.

The Association of Certified Fraud Examiners in their 2022 “A Report To The Nations,” states that Expense reimbursement fraud accounts for 11% of fraud with a median loss of $40,000 US and Payroll fraud accounts for 9% of fraud with a median loss of $45,000 US.

Let’s look at the investigation, the findings and how to prevent this from happening to your company.

We began the investigation by reviewing two filing cabinets full of financial records and nine banker’s boxes of financial data, going back for five years. The object was to determine if there was expense forms, receipts, invoices or other supporting documentation for the twelve expense reimbursements. We did not find any supporting documentation; however, all the other employees expense reimbursements were found according to company policy with the expense forms completed, the reason for the expense and receipts attached.

As I began my investigation of the payroll records, very quickly I noticed several red flags, 1. There were numerous additional pay runs made, beyond the normal bi-weekly payroll runs. 2. Even though the employee was claiming expenses the year-to-date balances was declining. With every expense reimbursement the totals should have been increasing.

I then began a review of all payroll information for the past five years. It was discovered that most months there was from two to seventy-six extra pay runs. When the manager would inquire about the extra pay run, they would be told it was because employees were late getting their hours or their expense reimbursements in. On the extra pay runs the employee would use the run to pay themselves. On every extra pay run the employee would claim from two hundred to twelve hundred dollars in false expense claims, with some as high as two thousand dollars.

I was also able to determine that the employee was going into the payroll system and deleting the Year-to-Date expense reimbursement totals. With every expense claim the total balance should have increased yet they were decreasing, with the balance always being reset to zero. This helped conceal the fraud from management.

With any payroll system whether it’s outsourced or in house, the payroll administrator needs to have the ability to correct or change the payroll information. This makes perfect sense because totals can be calculated wrong, additional hours or expenses may need to be added and changes may need to be made because of human error. In most payroll systems just about any information entered in the system can be changed or deleted.

Like any type of employee fraud when an employee has the Motive to commit fraud, they will find the opportunity and justify it. Usually, the opportunity comes from weak internal controls or a break down in those controls.In this case there were several red flags that went undetected and when any questions were asked management were given a reasonable explanation. As I always say get evidence not explanations.

Let us look at the red flags. The first one was all the extra pay runs made, some months it was two or three and the most active month there was seventy-six. Every time there is a payroll processed, there would be a withdrawal from the company’s bank account by the payroll company. With the explanation given, there still should have been a closer look.

The other red flag was the changes made in the system, mainly deletions of totals. By deleting the Year-to-Date expense balance, it prevented management from detecting the fraud. Also, the manager who set up the payroll system and was on the account as the Administrator was taken off the account, so the payroll officer was the only one in the company to have access to the payroll system. To delete some payroll records, such as expenses, tax and employee records there is usually a two to three step procedure that leaves an audit trail that can be reviewed.

So, what allowed this to occur.

The first thing is that the employee had access and control over every aspect of the payroll system. Just like any type of internal control there should be segregation of duties. Such as the payroll officer can enter the payroll information however any corrections, additions, changes, or deletions would have to be made by the administrator. In a perfect world this would work just fine, however this can become cumbersome at times because of the tight deadlines that payroll has and the availability of the Administrator to make changes. Companies with high employee turnover or a larger company with a lot of employees, having the administrator making the changes just requires more planning, it can be easily done.

You cannot just rely on segregation of duties as your internal controls, you must also audit each payroll for accuracy and fraudulent activity. Then you must go into the system and review each change, such as new employees added, expense reimbursement deleted, or tax records deleted.

The next item is the high number of extra pay runs, one month there was seventy-six of them. This should have been a huge red flag for management. But again, they had an explanation, and it was never verified. As mentioned earlier every payroll run there is a withdrawal from the company bank account, along with the withdrawal there would have been fees charged to the company.

So, when doing the bank reconciliation report this should have triggered an investigation which would have resulted in the fraud being discovered years sooner. I believe part of the problem here was the payroll officer protected their domain like a mother bear protecting her cubs. When anyone asked about something they would use bullying and intimidation to get them to back down. Even when the employee was on vacation, they still insisted on doing the payroll, which is a huge red flag.

Finally, there is the deletion of expense totals, tax records and extra pay and overtime payments. There would have been a record for all deletions and changes in the system, they were just never properly checked.

So how can you prevent this from happening in your company?

1. Segregation of Duties in the Payroll Department: As I mentioned having the administrator the only person authorized to make changes or deletions, while the payroll officer can only add the hours and expenses.

2. Extra Pay Runs: Extra pay runs were used because it allowed the employee to give the manager a copy of the regular payroll, but they did not give the manager a copy of the extra pay runs. In my opinion companies should not allow extra pay runs. In this day in age with scanners, email, texting and cell phones that can take pictures of payroll records and send them. There should be a clear policy that if employees don’t get their time sheets and expense claims in by the cut off date, then they will get paid on the next pay period. Everybody wants to get paid so they will learn very quickly if they don’t meet the deadline and must wait. Of course, you must follow Labor Laws.

3. Deletion of Balances and Records: Most outsourced payroll companies have a System Warnings page and a Deletion section that will show any deletions or changes made in the system. This needs to be reviewed every pay period, but don’t rely on your Outsourced Payroll Company to detect fraud for you. You still must do your due diligence with every payroll.

4. Audit Your Payroll: Whether you receive your payroll package by courier or have to go online and print it off, you must audit the totals. The Executive Summary makes it easy to do this. The Master File Changes will show new employees added or terminated from the system. This should be checked against time sheets and department records. It will also show any changes to hourly pay rates or salary, that should also be verified. Also, the report will show a breakdown of the total hours paid, regular time and over time. I recommend verifying each employees’ regular hours and overtime against the Payroll Registry, that show each employees hours, expense reimbursements Gross and Net Pay and Year-to-Date Totals for each pay period. The total regular hours paid should match the time sheet totals. The same with expense reimbursements, overtime hours and salaries. Finally, compare all your totals for increases in weekly hour totals and increases in expenses. If they don’t match time sheet totals, ask why. In this case when I interviewed the employee’s manger, they told me that it is highly unlikely the payroll officer would ever have had to pay personally for a company expense.

For most organizations the payroll represents their largest expense, that can be hundreds of thousands or millions of dollars a year. We are aware of employees submitting false time sheets and expense reports, but rarely think about the actual payroll officer committing fraud against the company. We believe in people and want to believe everyone is good and trust them. Don’t just rely on your payroll company to detect fraud for you, they provide the reports but it’s still up to you to have internal controls and checks and balances. Make sure the supervisors and department heads who submit timesheets and expense claims to the payroll department, check and verify them before submitting them to payroll. Give them additional training so they know what to look for. Better yet have a Certified Fraud Examiner come in and do a seminar on fraud prevention.

THE ART OF CONDUCTING EMPLOYEE REFERENCE CHECKS

In risk management one of the four main categories of loss is Personnel Losses. Personnel losses include losing employees through death, disability, retirement or resignation. Because hiring the right employees is critical to the overall success of an organization and the challenges in today’s job market of finding qualified people. I recommend to make hiring the right employee part of your risk management process. It has been estimated that hiring the wrong employee costs the organization from one to three times the employee’s salary to recruit, hire and train another employee. Hiring the wrong employee not only costs the firm money but it can also create liability issues and reputation risk. Making it part of the risk management process will reduce the overall risk of a bad hire.

Whenever I run a training seminar to teach screeners how to do reference checks. I always ask them, how many people believe that reference checks is part of the background investigation? They almost always raise their hands and say yes. I tell them no it’s not and explain that checking employee references is the most important part of the hiring process, because you want to determine based on conversations with past employers how they performed their jobs. If I may quote the disclaimer the Mutual Fund Industry uses “Past Performance is not a Guarantee of Future Results.” However checking with past employers is still your best indicator if this person can do the job, will they do the job and will they fit into your organization. So reference checks are to determine the persons work abilities, background checks such as Criminal Records Checks, Credit Checks, Education Verification and Google searches provide verification that this person is who they say they are and have not lied about anything.

HOW TO MANAGE THE RISK OF DOING REFERENCE CHECKS

The risk of not doing reference checks or incomplete checks is far greater than the risk of doing them. The risks includes additional hiring costs, low productivity, time and money spent on recruitment and training, low employee morale, damage to reputation and lost customers. From a legal liability it is either being accused of discrimination and not hiring someone or obtaining information that the candidate did not authorize or consent to.

To manage the risk of conducting reference checks and Privacy Issues, the most important thing to have is an Express waiver signed by the prospective employee. An Express Waiver is a signed release by the candidate that allows you to conduct the reference checks. This illuminates’ any doubt about the intentions of both the candidate and the employer.

The next mitigation tool is to ask only questions that are relevant to the job. I’m very confident that HR people know what can and cannot be asked, however department supervisors and other non HR employees may not be as clear. Rule of thumb do not ask any question that is not directly related to the job. Such as age, race, religion, sexual orientation, medical, disabilities or marital status. Never ask personal questions, they have nothing to do with how the person will perform their job.

CHARACTERISTICS OF A GOOD INTERVIEWER

All good interviewers share certain characteristics. Above all, they are "people persons," and are talented at human interaction. Successful interviewers are the type of people with whom others are willing to share information, most interviewers tend to get too little, rather than too much information, a good interviewer does not interrupt the respondent with unnecessary questions. During the interview, much pertinent information results from volunteered information, as opposed to responses to a specific question. A good interviewer includes all pertinent information and excludes irrelevant information. From the outset, it should be determined what information is relevant and that information should be sought. Irrelevant facts complicate the gathering and analysis of the information and should be avoided.

GETTING PREPARED TO DO THE REFERENCE CHECKS

Do you have an up to date job description that people actually doing the job has had input into the development of it? This is critical to understand the skills and attributes a candidate will need to do the job.

Take control of the reference check process right from the beginning. Have you instructed the candidate to give you three references from people who they worked with on a daily basis within the last five years? It is important to get references from people they have worked with, how else can they comment on the candidate’s job performance and skills if they did not work directly with them. If you get put through to the HR Department, they would have a record of the candidate’s evaluations, overall job performance and reason for leaving. But they have not worked directly with this person so they would not be able to answer many of the questions you need answered. You need to speak to three of their colleagues such a supervisor, a co-worker and a junior employee or some combination of the three. Teachers, Professors, Coaches, Neighbours and Friends can comment on the candidate’s personality but they cannot comment on their job skills and work ethic.

Do you have your reference interview questionnaire with standard reference interview questions with any additional questions pertinent to the position?

Have you decided how to conduct the references? By email, in person or telephone. In person is best because you can read their body language and facial expressions. Sixty percent of communication is non-verbal. Zoom meetings can also work well and the advantage is you can book the date and time with the person giving the interview. Telephone is the next best and most widely used, it is quick and easy and allows you to still listen for verbal cues.

CONDUCTING THE REFERENCE CHECKS (This is the art part of reference checks)

Make sure you introduce yourself to the person giving the reference and tell them why you are calling. As an example: My name is XXXX from XYZ Company and I’m calling about Amy Smith who worked for you and has applied for a position with our company as an office administrator.

You should be professional and instill confidence and trust, stay focused during the interview and have enthusiasm and polish.

Be unbiased and open minded when you call the references. Sometimes we can make it personal because, I had a good vibe about this person or they have exactly the qualifications on paper we are looking for. This can provide obstacles to overlooking information provided, either in a positive way in a less favored candidate or negative information on your preferred candidate.

When you are speaking make sure you speak in a slow, clear voice with proper volume so the candidate can understand you. Practice, use your phone to record your voice when you speak and listen to how it sounds.

Make sure you listen to what is being said by the candidate, once you ask your question stop talking and listen till they have finished answering the question. What is being said is important but how it is being said is also important such as tone, pitch and volume. Listen for pauses and sighs and other non-verbal clues. Then follow up by asking “I noticed you sighed when I asked this question, do you mind if I ask why?"

Ask open ended questions where possible and when you get a one word answer such as “good”. Ask follow up questions such as on a scale from 1 – 10, with 10 being the highest where would you rate the candidate. Then ask the reasons why they rated the candidate so high, low or average and what could they do to improve. An interview is a continuous flow of questions and answers.

THE THREE STEPS TO ANALISING AND APPLYING THE INFORMATION OBTAINED

The first thing is to evaluate the information obtained regarding past job performance. You want to look for consistency in the answers given, the main tool we have for this is asking all references the same questions. Then look for patterns of employee and career growth and any areas of changes in employee performance, good or bad.

Keep in mind that some people, their main talent is to sell themselves to other people. So while they may have done great in the face-to-face interview with you, do not let this prejudice how you conduct the reference questions. Then you can compare the answers the references gave you with your own experience interviewing the prospective employee. A candidate may have done terrible in the interview but has glowing references and vice-versa.

Next you need to compare past job performance with the actual job requirements. The thing to keep in mind here is that even if the title of the job at the last employer is the same as your title EG: Accounts Payable Clerk. Different companies do not operate in the same way. Even if the job descriptions are the same the people, processes and corporate culture will be different. You need to understand the requirements of the traditional job description that outlines the requirements of the job. Then you need to understand the practical job description, which is how the job really works and is usually not in writing. This is how the job works from the inside based on the people, politics and attributes.

Next you need to use the information to develop a career development program based on the reference checks, to help the employee grow and prosper in the position. By having one of your reference questions something like “What do you think the employee needs to continue to grow and develop in their career?”

So for the record, my firm and I have conducted thousands of reference checks, we have also done thousands of investigations on client’s employees regarding workplace violations and criminal acts. We are the parent company of the Workplace Violations Hotline our Whistle Blower hotline and we get to see every day the reports that come in from clients employees reporting wrongdoing. So we know what we’re talking about, hiring the wrong employee is not just about lost productivity resulting in additional financial costs. It is a risk that can and should be managed by organizations by asking the question. Why are we hiring so many wrong candidates? Most of the time the reasons are clear once you analyze it. You cannot control who applies but you can hire the best candidate of the group, it may not always be the candidate that looks great on paper.

It’s not as important how well a bookkeeper knows the accounting software, they can be given additional training on the job. What matters is their professionalism, productivity, interaction with other people, communication skills and management style. It’s not about what they did but how well they did it. Some employees who start a new job and quit after a short period of time, leave because they know that the new firm is not the right match for them. You need to figure that out before you hire them.

I mentioned in a past post on intelligence gathering (that’s what reference checks are conducting an investigation) you look at the source of the information and the quality of the information. That’s why focusing on references that have worked directly with the candidate is going to give you the most valuable information.

WHAT HAPPENS WHEN VENTURE CAPITAL STOPS INVESTING IN YOUR START-UP?

Recently I read a local article that said a sixteen year old had raised $700,000 for his start-up. In my day when I was sixteen I would not have been able to raise $700. Of course he must be an amazing young man with a great idea and I’m sure that he has very qualified and experienced people working with him. I mention this only to illustrate the state of the venture capital industry, where cheap money has created a proliferation of investment capital looking for investment opportunities. Everyone is looking for the next big investment to make them rich or richer.

I have seen companies raise 80 to a 100 million dollars in venture capital only to have the investors turn off the taps and stop putting money into the company and they cease to exist. The founder’s greatest strength of these start-ups is not their vison and strategy, it is their ability to convince investors to put their money and clients’ money into their firm. I have provided consulting services and mentoring to a number of firms and know some of them personally and I’m seeing the financial stress some of the owners are going through. I remember how it feels.

I know one start-up in the tech industry, where the founder and CEO took a full time job and laid off all their staff except for one and will work on the project nights and weekends. It might take a little longer but she will get there.

There are some very dark and troubling storm clouds gathering over the economy right now. Such as increasing interest rates, inflation, big drops in the stock and crypto markets. While the housing market is only starting to be affected, higher interest rates will play havoc with housing prices and mortgage rates. When assets have depreciated people feel less wealthy and may be more careful with where they invest their money. Hedge funds and Venture Capital funds may take a more conservative approach to investing or not have as much money to invest. Many of these funds are using borrowed money. Also the valuations may be lowered due to higher interest rates and investors being more risk adverse. So your next round of venture capital may be at much lower valuations.

What makes it more challenging for start-ups is that they have no revenue or not enough cash flow to sustain the company. They rely on investors replenishing their cash with additional equity investments.

There are dozens of Unicorn companies listed on stock exchanges with market values of over one billion dollars with little or no revenues. Their survival depends on investors continuing to put money into the company. I wonder what Ben Graham would say about this? He was the author of the Intelligent Investor and the employer and mentor of Warren Buffett.

A rule of thumb for start-ups is that for every ten companies three or four will fail completely, another three or four will lose some money or only return the original investment and one or two will produce substantial returns. I know that the reason a lot of companies fail, is they run out of money first and not passion, vision or hard work. Venture Capital is about taking big risks for big gains.

Many of the start-ups provide employment to a large number of employees, especially young employees and contribute substantially to the local economy.

To ensure your company continues to survive and prosper, you need to start planning now for bumps in the economy and make sure you have adequate working capital.

Here are some ideas to help you plan for this:

PREPARE A CASH FLOW FORECAST: A cash flow forecast is to take your existing cash balance add in any additional cash flows from revenues, investment capital or government grants, subtract all your fixed and variable costs and then determine any excess funds or shortfalls. Many companies will do a monthly forecast but for start-ups and newer firms I like to see a weekly forecast, to identify any mismatches in cash requirements. Any business owner who has to meet bi-weekly payroll, knows what it’s like if all your receivables or cash flow come in at the end of the month, and they come up short. A weekly cash flow forecast will help identify shortages so you can meet your cash requirements.

DETERMINE YOUR BURN RATE: Your burn rate is how much cash you have on hand and subtract your monthly spending. So if you have $ 900,000 cash and you are spending $90,000 a month then your burn rate is 10 months. ($900,000 / $90,000 = 10 months). Again thinking in terms of weeks is helpful so your weekly burn rate would be 40 weeks. (10 X 4 =40). If you have existing sales even if you are losing money on the sales then you would add that to your weekly cash.

So now you know your weekly cash requirements and how many weeks of cash flow you have. What to do next?

This doesn’t mean that all companies looking for venture capital will not be able to raise additional funds. Many will be able to regardless of the economy because of the strength of their idea or product. I’m just saying that it makes sense to prepare for uncertainties and have a plan B. If someone is on unemployment benefits and they run out in three months, you don’t start looking for a job after the benefits run out. You start three months or more before they run out.

Here are some risk mitigation strategies you can follow to reduce the risk of running out of cash;

1. Reduce Your Expenses: Expenses are categorized as fixed and variable, fixed are things like rent and computer equipment, while variable are salaries, marketing and expenses that can be reduced. I just read on Yahoo Finance that several large tech companies are laying off ten percent of their work force. Reducing your expenses early will conserve cash and give you more time to develop your product and get it to market.

2. Increase Your Revenues or Start Generating Revenues: This is easier said than done, because many start-ups are not at the revenue generating stage. Be creative perhaps there is a way to generate revenue with existing employees to hire them out to other companies. I know of a company doing this with one of their IT people. To start generating revenues means you have to speed up your development process, this may take additional funds.

3. Raise Additional Capital Now: Instead of waiting for your next round go to one of your backers and offer them additional equity. As someone once said to me, “I would rather own 51% of a ten million dollar company than 100% of a million dollar company.” Even if you have to reduce the price of the equity offering it buys valuable time.

4. Apply for a Loan: This is my personal experience when I applied for a business loan years ago to set up my first company. The loans officer told me to sit down and asked me how she could be of assistance. I told her that I was there to apply for a loan to set up a business. She looked at me and started to get up and as she did her skirt rode up some. She started laughing almost hysterically and walked over to the window. I thought she was laughing because of her skirt riding up, which wasn’t really a big deal. She turns from the window and says “Darrell no bank is going to loan you money to start a business.” I ended up using the money I was saving to buy a sailboat.

Later on as we started generating revenues and had 28% sales growth, the bank was much more accommodating. The moral of the story is that banks aren’t that interested in lending money to start a business unless you have lots of collateral. There are some government programs offered through credit unions and other financial institutions that can provide loans for working capital or asset purchases.

But there are many individuals including friends, family, business people and mentors that went through the same thing. Who may be willing to give you a loan at zero or a low interest rate? Don’t be afraid to ask them all they can do is say no. I know some of them and they love to be involved in bringing new companies to market.

5. Factoring: If you have existing revenues then you may be able to factor them. Factoring is when a factoring company lends you money against the amount of your invoices and takes a fee for doing it. It usually is a percentage of the invoice 2-3%, depending on how long it takes to get paid from the company. The fees may work out to being close to offering early payment discounts E.g. 2% net 30 days. You need to determine the overall cost and if it works for you. I know of a company owner who was waiting months to receive payment for invoices and was cashing them at a Payday Loan type company. Ouch that hurts.

The purpose of this blog is not to tell you how to run your business and I’m probably not telling you anything you don’t already know. It’s to get you thinking about the future and taking a risk management approach to identify and manage potential net income risks that you may face, the most severe being running out of cash. To encourage you to manage your cash flow so you don’t run out of money before achieving your dream. Every start-up is different and unique so you have to start thinking about this now and have a plan B. All start-ups matter!

When I was in my early twenties and going to university a friend of mine’s father who was a very successful business man gave me some advice on Christmas Eve, he said;

“To be a successful business person you have to have the ability to make decisions. You’re not always going to be right but you have to be able to make those tough decision.”

To this day I think it was the best business advice anyone has ever given me.

ENTERPRISE RISK MANAGEMENT–EXPECT THE UNEXPECTED

Whenever I hear the word “ENTERPRISE” It always reminds me of the U.S.S. Enterprise the space ship on the Startrek series we use to watch as kids on Saturday mornings.

The actual meaning of Enterprise is 1. A project or undertaking that is especially difficult, complicated or risky 2. Readiness to engage in daring or difficult action. So I think the creators of Startrek appropriately named their ship the Enterprise. What could be more difficult or daring than to explore outer space? The same could also be said about the creators of ERM.

I decided ERM would be my next topic from comments and feedback I had received from my previous blog “Managing Net Income Loss Exposures.” What I heard from readers is, how do I manage all the risks facing my business without hurting the bottom line or going crazy trying to do it?

The answer is having an Enterprise Risk Management system. ERM is an organized approach that allows an organization to manage all of its risks, threats and to exploit opportunities that may present themselves.

Traditional Risk Management deals with hazard and operational risk which are called pure risk that is risks that can be covered by insurance to compensate for the loss. ERM includes the risk categories in Traditional Risk Management plus financial and strategic risk, known as speculative risk.

ERM’s goal is to improve an organizations strategic management decision making, by gathering and analysing key information to enhance executive decisions. An ERM system should have an Economic Intelligence and Business Intelligence aspect to gather data pertinent to your business, industry and geographical location.

Why should you adopt an Enterprise Risk Management System?

1. Higher Profits: Using ERM allows an organization to make better strategic decisions at all levels of the organization, which improves efficiency and profits.

2. Enhanced Organizational Decision Making: ERM enables an organization to manage all of its risks and determine the most beneficial solution and to seek out opportunities that will improve profits.

3. Increases the Chances of Attaining Your Strategic Goals: ERM involves all of the organization becoming active in achieving the strategic goals as opposed to just managers and executives.

4. Reduces Financial Volatility: By identifying risks and opportunities in advance, it allows organizations to determine their cash flow needs to ensure there is adequate capital available.

5. Better Risk Management Communication: By making ERM a team approach with all employees it empowers them to identify obstacles that may prevent the organization from achieving its goals and to communicate the risks to the risk owner.

6. Improved Management Agreement: ERM provides management with the information necessary to make informed decisions based on the upside and downside of risk and creates a decision making process based on facts instead of the top down management approach.

7. Broader Stakeholder Acceptance: ERM becomes the glue that holds the pieces together and creates a culture of cooperation within the management ranks that then instills confidence in the employees, customers, and investors.

ERM is not just for business, it offers the same benefits to all levels of government and non-profits.

So why is there so many organizations that don’t have some kind of an ERM program?

One of the reasons I hear a lot is it is too complicated or will take up to much of our time. Yes there are many moving parts in the ERM process but it only has to be as in-depth as you want it and you can start small and build on it over time.

So How Do You Integrate ERM Into The Strategic Management Process?

By following a risk management process organizations can adopt an ERM program into their strategic plan.

A. Develop ERM Goals: The Board would develop the goals they want to achieve such as the risk appetite, reasons for establishing an ERM program, the organizations need for a ERM program, the scope of the program, the expectations of how the program will help to meet their strategic goals and how the culture of the organization will affect the implementation of the ERM.

B. Identify Risks to The Organization: This step will divulge a large number of risks, it is then necessary for the organization to assess and evaluate these risks to narrow down the field to identify those with the highest severity and frequency.

C. Analyze Critical Risk: The board will then examine internal and external threats to the organizations strategic plan. The threats are identified by noting events that can compromise the organization and changes that could be potential opportunities. Areas to review are competition, demographics, the economy, regulatory and technology.

D. Select the Appropriate Response: This would be to avoid the risk, to accept the risk, transfer the risk to a third party such as an insurance company and mitigate the risk, by taking appropriate measures to reduce the frequency or severity of the risk. Lastly, you can exploit the risk by taking advantage of the risk to maximize profits.

E. Monitor the Risk: Risks to the organization must be monitored by following events, trends and red flags.

To help in the design of the program, there are a number of Risk Management Frameworks to act as a template to develop your ERM. Such as the ISO 31000, BS 31100, COSO, and AS/NZS, it is my experience and observations that most organizations pick one as a template and adapt them to their own organizational requirements.

ERM can be a large undertaking or it can be as simple as you want it. ERM uses a lot of analytical tools such as the Exposure Spaces Model, SWOT Analysis (Strengths, Weaknesses Opportunities & Threats), and Performance Management Score Cards to name a few. I encourage every organization to conduct a SWOT analysis. Or you can keep it simple and talk to your managers and identify the number one risk facing your organization and start with that.

Regardless of how you approach it, the most important thing is to get started. Implementing an ERM program for your organization will truly pay dividends for years to come. I have been told that the actual ERM process itself has benefited the organization. By increasing the awareness of risk in the organization, helping various departments identify and break down data silos, improve communication between the various departments and divisions and to enhance the reputation of management in the employees eyes.

One HR Director even told me that it helped improve their working relationship with their union. I think they actually found some common ground. By identifying risks and opportunities it would preserve existing jobs and create new ones. Disclaimer; There is no guarantee ERM will improve your relationship with your unions. (My lame attempt at humour)

We have looked at what is ERM, how your organization will benefit by implementing it and basic steps to get started. I want to just point out a few tips to help you get started on your Enterprise.

1. Try and get the CEO and Board Approval: It helps to have the CEO on board for many reasons, sometimes you have to put on your sales hat and convince them. Having them onboard will help sell it to the organization and provide necessary human and financial resources. If you can’t then you could still implement it into your own department or division.

2. Start Small and Think Big: A work breakdown schedule allows you to take a big project and break it down into smaller pieces. Find a manager or department that is having problems and is desperate for help. Once you help resolve the problem you will get some credit for it and hopefully be noticed by senior management.

3. Keep It Simple: Don’t worry about ERM terminology and advanced analytical techniques. Focus on a single risk and ask what if questions, and cause and effect relationships. Because your managers work around this every day, they will be the experts on the risks and their cause and effects. Then you can determine an appropriate risk mitigation strategy.

4. Monitor the Plan: Like any good plan it needs to be monitored to ensure it is working and to tweak certain areas to adapt to changes. If you have an Internal Audit Department then they would be a great choice to monitor the program. Internal Auditors are very knowledgeable about their organizations because they are familiar with all departments and divisions.

So if your organization has any kind of a strategic management planning process, which most organizations do, then I recommend that you set up an ERM program. The tangible and intangible results will be worth it. It allows you to plan for uncertainties and benefit from opportunities that may not have presented itself without ERM.

If I may quote a line from the movie Field of Dreams “If You Build It They Will Come.” Meaning if you start small and identify the most urgent risk to your organization and help mitigate that risk. People will notice and you can build on that foundation. Then one day when you are presenting to the Board of Directors your ERM update on how the program identified critical risks early on and discovered an exceptional opportunity for the company. After you have finished the presentation and you’re walking out the boardroom door, maybe, just maybe the CEO will turn to you and say “Hey Rookie You Were Good.” I love that movie!

MANAGING NET INCOME LOSS EXPOSURES

Back in December of last year, I woke up one morning to find that I had no water because of a water main break. Without H2O it really limits your activities, you cannot shower, flush toilets, cook or get a drink of water. My water cooler in the kitchen was empty and I had forgot to fill up the water jug in the fridge. The only water I had was about 2 litres in a 4 litre bottle I use for working out. As a risk manager I had backup systems but failed to maintain them.

I decided to go out to try and get some water and was surprised to find that the grocery stores in my area were open but the restaurants and many other businesses were closed. It seems we are totally unprepared to deal with an interruption let alone a catastrophic event. While most organizations can survive a couple of days in a crisis, what would happen in an extended period of partial or a full shutdown? This got me thinking about how organizations can prepare for and manage net income loss exposures.

There are so many things going on right now in the world, we have the war in the Ukraine, Covid 19, Inflation at levels not seen in forty years, record low interest rates that are increasing, record high consumer, business and government debt levels, supply chain shocks with transportation bottle necks, lack of raw materials and finished goods, labor shortages, high oil and gas prices and the list goes on. The automobile business has been affected by a shortage of microchips and as a result there has been a substantial decrease in auto sales. It shows how the Just in Time inventory management system is risky if the risk management system does not predict and plan for high impact and low probability events such as microchip shortages.

With everything going on in the world I think Vladimir Lenin said it best “There are decades where nothing happens; and there are weeks where decades happen.”

Net Income Loss Exposures are unexpected reductions in an organizations net income, usually because of a decrease in sales or an increase in expenses. Net income could be lower than projected because of the business environment or an inadvertent event, such as a hurricane or pandemic such as Covid 19. Of course net income could also unexpectedly increase, which would be a good thing.

There are three types of Net Income Loss Exposures, Property, Liability and Personnel.

Property Loss Exposures: are damage to the organizations property that hinders or prevents the organization from operating. Such as a manufacturing plant fire that shuts down manufacturing or severally reduces the production output. It could also be damage to property owned by others such as an environmental hazard.

Liability Loss Exposures: are financial losses that result from legal action taken by someone who is claiming damages and looking for financial compensation. Examples could include product liability or negligence resulting in bodily injury.

Personnel Loss Exposures: are losses suffered through the resignation, death, disability or retirement of a key employee. Such as the death of a software engineer developing a new program or the resignation of your top salesperson who moves to your competitor.

If we consider my examples above about things going on in the world, they would reflect general business risk. Which could reduce net income or increase expenses, by creating price risk or production risk. So for this article we will focus on just General Business Risks.

The impact a Business Loss Exposure has on your organization depends on a number of factors;

1. The Duration of the Business Interruption: This is one of the most important determining factors, the longer it goes on then the greater net income decreases or the additional expenses continues to increase.

2. The Extent of the Business Interruption: While the duration deals with timeframe, the extent deals with the overall impact on the organization. Can you continue at a reduced capacity or are you totally shut down?

3. Changes in Revenues: This can be calculated based on the decline in sales and/or the net income changes.

4. Changes in Expenses: How much does the Business Loss Exposure increase expenses such as the cost of raw materials and labor?

5. Restoration to Normal Income: How long will it take to get back lost customers or restore the organizations damaged reputation? This simply means to restore net income to where it would have been if the event did not occur.

Drawing on the list I mentioned earlier of events going on in the world, we will separate them into General Business Risk and Specific Business Risk. General Business Risk affects all firms in the economy while Specific Business Risk affects one firm or a group of similar firms.

GENERAL BUSINESS RISKS:

INCREASING INTEREST RATES: How does this affect your organization? Many organizations were forced to take on additional debt to get through the Covid Pandemic. What affect will increasing interest rates have on your Net Income? For every one percent increase in interest rates your payment will increase by approximately five to ten percent depending on the amortization term. Now is the time to pay down debt or lock in lower interest rates.

INFLATION: Inflation is running around seven percent right now, some experts believe it is a lot higher. The biggest affect inflation has on businesses is that it reduces both business and consumer purchasing power. This will reduce consumer demand for goods and services and increase the cost of raw materials and labour in your business. Can you pass the price increases on to your customers?

RECESSION: Nobody knows what will happen in the economy, but there is a risk that with everything going on there could be an economic slowdown. How would this affect your net income if sales dropped by 10, 20 or 30 percent? The financial industry does stress testing and develops scenarios of events to determine the likelihood of an event occurring and the impact on their business. What is your Break Even Point and how can it be lowered without impacting your firm’s ability to fully operate?

SPECIFIC BUSINESS RISKS:

SUPPLY CHAIN DISRUPTIONS: I just read on Reuters News that in England there is a cucumber shortage, because of the high prices of natural gas the greenhouses could not afford to grow them. This illustrates the cause and effect relationship between increasing gas prices and growing cucumbers out of season. Supply chain disruptions are unique to every organization and need to be identified and managed.

CREDIT RISK: Many organizations extend credit to customers when they purchase their goods or services. If that company cannot repay the money then your organization has suffered a loss. By not being able to collect on your accounts receivable, this creates a net income loss.

INCREASED EXPENSES: Different events can cause an organizations expenses to increase that may not be able to be passed on to customers. The increased expenses create a net income loss. Such as increased food costs for a restaurant chain or higher labor costs.

INHOUSE ACTIVITIES: Poor or uninformed decisions made by management can affect net income. Such as expansion just before a recession or eliminating or adding a new product or service. Decisions should be based on up to date information.

We have discussed the types of Net Income Loss Exposures, the impact they may have on your business and looked at both General and Specific Business Risks. So what is an action plan that you can get started on for your organization?

Because of Covid 19 over the last two years, many organizations have had a rude awakening when it comes to crisis management and having to deal with Net Income Loss Exposures. The U.S. Department of Labour estimates that forty percent of Businesses do not recover from a disaster. They are referring to all types of Loss Exposures including Property and Liability, so as a reminder we are just focusing on Business Net Income Loss Exposures for this article. So how can an organization prepare for the next crisis or the next phase of the existing crisis?

You need to start by looking at your organization and identify your most important customers, your top suppliers, understand your financial situation and determine how much room you have to maneuver. Ask yourself if we lost our best customer how would that affect our Net Income and how could we mitigate the risk. Then look at your suppliers and do the same thing. Could we find another supplier for the goods or services, what would the difference in price be, is it higher, lower or the same? Will this create liability loss exposures, increase customer service or warranty costs or reduce customer satisfaction with the product or service. Get your managers or division heads involved from finance, production, sales and human resources. Ask them what they think are the greatest Net Income risks facing the organization.

To reduce the impact of Liability Net Income Loss Exposures, you start with having adequate liability insurance coverage to reduce the impact and get back to where you were before the event. Unfortunately, you cannot buy insurance coverage for most Business Related Net Income Loss Exposures. You need to identify the risks and develop risk mitigation strategies to ease the burden. Get all departments involved and if you don’t feel up to the task, hire someone to do it for you. Finally every organization has its own unique Net Income Loss Exposures, so it is imperative to start planning now before it’s too late. Remember having a plan is better than not having any plan.

THE OTHER PANDEMIC – EMPLOYEE FRAUD

I’m writing this to raise a red flag to employers in regards to the amount of employee fraud occurring during the Covid 19 pandemic. Last year we worked on three large employee frauds, all well over a hundred thousand dollars (I am being vague because these are all active cases). Two were accounting frauds and one was embezzlement of an organizations assets. I am also aware of two other companies that had a large employee frauds that we were not involved in.

You’re probably thinking that three frauds do not make a pandemic, but consider we are just one local company and though we specialize in accounting and financial fraud, we normally only know about the frauds we work on or read about. I’m also not including the smaller employee frauds that we worked on such as expense account fraud, payroll fraud, and asset misappropriation fraud to just name a few.

There are also a lot of frauds that go unreported for various reasons by organizations. Research has shown that for every fraud that is discovered there are three additional frauds that go undetected. This means that based on just our own experience there are nine additional frauds out there that have not been discovered. Could your organization be one of them?

Some facts about the frauds;

• All of the frauds were perpetrated by productive and highly regarded employees that had never been in any kind of trouble before.

• One fraud was discovered by a CPA, one was discovered by an employee and one was discovered by a customer.

• The length of the frauds were three to four years.

• All employees had been with the company for at least five years.

• Two of the employees were working from home because of Covid. Although the fraud began before Covid there was increased activity while working from home.

• Two of the employees admitted that they committed the fraud because of an online gambling addiction and while we suspect that was the motive for the third employee, they never did admit it.

Just to illustrate my point further about an employee fraud pandemic, after completing this article on January 27. I checked the news sites and one of the headline is “Halifax Accountant charged in $1.5 million dollar fraud against his employer”. Of course in this great country of ours, one of the fundamental cornerstones of our legal system is you are innocent until proven guilty, but still $1.5 million.

According to the Association of Certified Fraud Examiners, organizations lose an average five percent of their assets to fraud annually, I will repeat that five percent. To put it into perspective a small business with one million dollars in sales will lose on average fifty-thousand dollars a year to all types of fraud, that includes employee, customer, vendor and external fraud such as credit card, bad cheques, online and telephone scams.

So what has changed? Personally, I think there are a number of factors. The ACFE says that there must be three things present for fraud to occur, they call it the fraud triangle; Motive + Opportunity + Justification = Fraud.

Let’s look at the fraud triangle to help answer what has changed?

MOTIVE: Is simply the reason the employee needs or wants the money. It could be financial distress because of debt or living beyond their means or it could be because of addictions such as drugs, alcohol or gambling.

OPPORTUNITY: This is a key factor, many employees have a need for money but if they feel that the internal controls are in place and they will get caught this may be a deterrence to commit the fraud. However, if the internal controls are weak or not being audited and monitored this is a strong motivator for fraud to occur?

JUSTIFICATION: Is how the employee justifies in their own mind to commit the fraud. It could be because they feel they are not being treated fairly or are underpaid. It could also be because they think the company owes them or they justify it because they say they will pay it back. I have interviewed many fraud suspects who have high moral and god fearing values. But are able to justify their own actions.

So to answer the question what has changed? I believe that there are increased pressures for people to come up with more money either to sustain their lifestyle or support an addiction such as gambling. With more people working from home this gives them more privacy or a comfort zone, to plan and execute their fraud schemes.

I also believe and this is the main point I’m trying to make with this article, is that many organizations have weak or non-existent internal controls and most important those internal controls are not being monitored and tested properly. Essentially, most frauds occur not because there is systemic failure in the internal controls system, but because two or three of the smaller systems in the larger system have failed. This is usually a human failure, as computers don’t commit fraud unless they are told to.

This is where I see the reason for many frauds, organizations have internal controls in place, but someone or several people are not doing their job in monitoring the internal control process. It could be because of too much work to do, someone on vacation or off sick, we don’t need to review them all the time or it is someone’s else’s responsibility. With many of the overseers of internal controls also working from home, this makes it more difficult to monitor them and stay in the loop. Let’s face it, sometimes the cost of monitoring internal controls can be a factor, it means for a small business or non-profit to have to hire another staff member for segregation of duties or to monitor the internal controls by hiring an external consultant such as a CPA or Certified Fraud Examiner. But what are the costs if you don’t do this?

As human beings we want to see the good in people. They start working for us and we get to know them and trust them, some become friends and we think of them like family. We give them more responsibility and because they have proven themselves trustworthy we relax a little and become complacent when it comes to enforcing controls.

Normally, at this stage I offer tips on preventing fraud, however I’m going to suggest you take the fraud risk assessment below from the Association of Certified Fraud Examiners Training Manual - Employee Risk Assessment Questions. Answer yes or no to the ten questions on your organization.

EMPLOYEE FRAUD SURVEY QUESTIONS

1. Does the company have a written fraud policy?

2. Are the duties related to authorization, custody of assets and recording or reporting of transactions segregated?

3. Is compliance with internal controls audited periodically?

4. Do employees have large personal debts or credit problems?

5. Do employees appear to be spending more than they are earning?

6. Do employees gamble excessively?

7. Do any employees have close associations with venders or competitors?

8. Is the company experiencing high employee turnover?

9. Are employees required to take annual vacations?

10. Is the company dominated by a small group of employees?

Depending on your answers to the above questions, your organization may be at risk for employee fraud. If you are, then my recommendation is to take a proactive approach and have a Fraud Risk Assessment done on your company. Which includes the following five steps;

1. The organization develops and communicates a Fraud Risk Management Program that demonstrates the expectations of senior management and the board of directors.

2. The organization performs detailed fraud risk assessments to identify specific fraud schemes and risks and to evaluate existing fraud control activities.

3. The organization develops and implements preventive and detective fraud control activities.

4. The organization develops a communication process to obtain information about potential fraud and investigating it.

5. The organization develops and performs ongoing evaluations to ensure the fraud risk management program is being followed.

So in closing, the one take away I want to leave you with. Is whether it’s the Accounting Department, Sales, Purchasing, Accounts Payable, Accounts Receivable, Payroll, Inventory, Expense Claims, Cash, Point of Sale, Returns, or any other department? Don’t assume that your internal controls are being followed and there are no weaknesses or gaps. Get evidence not explanations.

Remember, when it comes to small business, employee fraud is BIG BUSINESS.

V.I.P. SECURITY IS NOT JUST FOR V.I.P.’S ANYMORE

It’s time to review your personal security

After having discussions with some of my existing clients and receiving a number of enquiries lately from individuals and corporations about keeping people safe. I thought it was time to have a discussion on personal security.

While the risk of being a victim of crime has always been there, there are a lot of factors that have changed over the course of a few years to increase that risk. Such as civil unrest and protests, the political environment, economics, drugs, individuals with mental health issues and demographics with our population now at over a million people.

Examples include robbery, theft, assault, sexual assault, car jacking’s, home invasions, kidnapping, extortion, stalking, and the recipient of threats of bodily harm.

Here are some of the headlines for Halifax I took off the local news sites, for the last week of December 2021.

• Manitoba eyes security threats to politicians and not putting home addresses on filings.

• Optometrist fatally stabbed in his office, twenty-five year old male charged.

• Young woman followed by man in car. Fifty-six year old man charged with Criminal Harassment.

• Atlantic Canada sees a surge in spending on security systems and Closed Circuit Television Cameras by businesses and home owners.

• Man robbed in broad daylight by two suspects while using an ATM machine.

You get the point and I’m sure there are many more incidents that do not make the headlines and it’s the same where ever you live.

No one plans on being a victim of a crime. However some individuals are at higher risk because of their position or status. Such as Business Executives, Wealthy Individuals, Politicians, and anyone who has said something on social media that someone did not agree with.

This group could be targeted because of who they are, there is also the chance of just being a victim of a random crime. In other words being in the wrong place at the wrong time.

If you walk down the street in the bad part of town by yourself at 3:00am, then you are at a greater risk than someone who doesn’t.

Security awareness and keeping safe should be everyone’s concern, including V.I.P’s., fortunately, most people including V.I.P.’s do not need a bodyguard. But they do need a personal security plan to address specific risks.

The purpose of a personal security plan is threefold;

1. Is to teach you how to keep out of dangerous situations by learning situational awareness and assessing potential risks.

2. Is how to get out of situations that are or have the potential to be a security risk?

3. Is how to respond to a situation you find yourself in, where you may be in danger and have no means of escape or calling for help?

So what can you do to keep you and your family safe?

• Review your security for your home and office. Specifically do you have good locks on doors and windows, is the area around your home well lit, do you have an alarm system and security cameras? Do you have a plan in place for an intruder?

• Don’t be predictable, change your daily routine. Leave for work at different times of the day and take a different route to get there.

• Become street smart and learn situational awareness. In other words be aware of your environment. Always be aware of people around you to detect possible threats, when driving keep looking in your rear-view mirror to see if you are being followed.

• Take a preventive approach by asking yourself can this action put me in physical danger. An example would be going to the store at 1:00am to pick up something that could wait till morning or jogging alone at night.

• Have a conversation with your family and your employees about giving out personal information, such as where you are going. As an example; while conducting a Risk and Security Assessment for a corporate client we called their home to see if we could get information about their whereabouts. Their teenage daughter told us what restaurant they were at and who they were with.

• Tell someone where you are going and when you will be back.

• Take all threats and suspicious circumstance seriously. If you receive a threat on social media or by telephone document it and report it to the police. Especially if it threatens you with bodily harm or death threats.

• Take a self-defence course.

At East Coast Fraud & Risk Management Group we have many years’ experience providing VIP Security Services to Executives, Politicians and Wealthy Individuals. One of our most requested services is our Executive Risk and Security Assessment. Where we spend a week with the executive conducting covert and overt surveillance to understand their routine. We conduct a Security Risk Assessment of their home and office. We train family and staff how to deal with requests for information and dealing with problem situations, to increase their situation awareness and enhance their ability to identify personal security risks and risk mitigation strategies. Along with self-defence training, evasive driver training and how to manage stressful situations.

When I first began writing  this article I had the intentions of making it about V.I.P Security also called Executive Protection. However after thinking about some of the conversations I have had with spouses and parents. I realized that to our families we are all Very Important People. When it comes to our health we normally don’t think about it until we have a health issue, then we go to the doctor. Your personal security is also like that, we don’t give it much consideration until we become a victim or one of our family members does.

Just like any kind of a risk assessment, you identify the potential risks, analyze the risks and develop risk mitigation strategies and monitor them.

If you get one takeaway from this article is to use common sense when making decisions that affect your personal safety. Remember one of the most effective risk mitigation strategies is risk avoidance.

BACK TO THE FUTURE – How Software Enhances Risk Management

By Darrell Smith CFE, ARM, CIM, FCSI

Back in 1985 two accountants from Bedford, Nova Scotia developed the Bedford Accounting Software program. Later, Bedford was sold and became Simply Accounting and then Sage Accounting, as it is known today.

Before computerized accounting, transactions had to be entered manually into sixteen column journals. When you made a payment on an account using the double entry system, you credited cash and debited the account payable. This was very time consuming and required a lot of manpower to process the large number of transactions. Once all transactions were posted, the information was used to produce financial statements to assist in decision making.

What the software did was streamline the accounting process, making it less labor intensive. It gave management access to profit and loss statements daily and allowed individuals who were not trained in accounting to do the work with just training on the accounting software.

Having worked in accounting using sixteen column journals, I know I can speak for every accountant when I say there is no way they would want to go back to a manual system.

Just like the accounting process, risk management involves tracking a large number of transactions and assets, with the goal of producing reports for management that inform and enhance decision making.

This begs the question, why do organizations still use manual paper and file systems in their risk management departments?

Nowadays there are Risk Management Information Systems (RMIS) available, a risk management database for claims and incident management, insurance policy management, certificate and contract tracking, asset management (buildings, equipment, vehicles), crisis management, and more. An RMIS helps ensure you are compliant with various rules and regulations and provides access to powerful analytics and management reports. RMIS systems identify trends to help reduce the frequency and severity of losses.

Let’s take a look at just one area of a Risk Management Information System, claims management. According to the American Institute for Chartered Property Casualty Underwriters, the objectives of Claims Administration is to:

1. Enforce contractual obligations,

2. Gather claims data,

3. Reduce the frequency and severity of claims,

4. Estimate the amount of the claims,

5. Promote equitable compensation.

For the benefit of readers who do not work in claims, the most common claims include:

• burglary and theft,

• water and freezing damage,

• wind and hail,

• fire,

• slips and falls,

• customer injury,

• property damage,

• workers compensation claims.

Every claim involves a large volume of paperwork, including incident reports, statements, pictures, and other supporting documents that need to be recorded and shared with all relevant parties.

Consider the number of claims an organization may have in the run of a year. For example, a company with a fleet of vehicles, could have dozens or hundreds of first-party claims (involve organizations own property), or third-party claims (losses suffered by another party). The high volume of claims alone justifies the investment in a Risk Management Information System. Now, consider compliance by tracking vehicles, insurance, drivers, and maintenance and you can see the large volume of data that needs to be documented and monitored.

A Risk Management Information System not only provides a centralized hub for document management, but also powerful data analytics and reporting functionality. Automated data entry and workflows reduce the time spent on administrative tasks by up to 85%, and insights from management reports reduce the total cost of risk by up to 50%. The system is built on cloud-based infrastructure that ensures accessibility, data security and privacy, and the flexibility to integrate with third-party systems.

The purpose of the accounting system is to provide accurate, timely, reliable and cost-effective information to help management make informed business decisions. Shouldn’t this also be the objective of your risk management program?

In closing, I choose the title “Back to the Future” not in reference to the Michael J. Fox movie, but the actual meaning of Back to the Future.

Do not dwell on the past! The past has been written in ink, the future in pencil! Worries about what cannot be changed is unnecessary, focus on what you can control and try not to make the same mistakes.

Anonymous

East Coast Fraud & Risk Management Group is a business partner with ClearRisk of St. John’s Newfoundland, the company behind ClearRisk risk management software solutions.

Darrell Smith CFE, ARM, CIM, FCSI

WHEN DOES AN EMPLOYEE GO FROM BEING A HUMAN RESOURCES ASSET TO A HUMAN RESOURCES LIABILITY?

There is an ongoing debate about whether an employee is an asset or a liability. Some say they are an asset because they add value, others say they are a liability because there is a cost to employing them through wages and benefits. Regardless of what position you take on this, there is one thing we all can agree on. Employees are essential for the businesses to function. So what happens when an employee’s actions or behaviours are contrary to the wellbeing of the company?

Fortunately, this is not an article to debate if an employee is an asset or liability. It is about identifying when an employee becomes a liability, the risk of that liability and what to do to manage that risk.

Before we look at when an employee becomes a liability, let’s go back to the beginning of when you hired them. Have you ever hired an employee that you wish you hadn’t? I have seen many employees hired by organizations that got the job because of a friend or family member working at the company, I have even seen an employee get hired over many other more qualified candidates because they were a great golfer. The company sponsored an annual golf tournament. When hiring new employees, you should be looking at answering three questions, 1. Can they do the job? 2. Will they do the job? 3. Will they fit into our organization? Qualifications and experience fall into these three questions and if you hire the most qualified person every time for the job. You have mitigated the risk of not only making a bad hire, but also reducing the risk of an unsuccessful candidate claiming discrimination and taking legal action. Conducting a through pre-employment screening check, will provide you with the information necessary to confirm your hire or look at the next most qualified candidate.

Because I write these articles mainly for small business and non-profits, I want to make sure that they have enough information on the whole recruitment, and selection process. As an example, some years ago I was brought in by a large national company to investigate two employees at different locations, who were suspected of theft. When we reviewed their employee file, the hiring supervisor, never checked prior work references for them as a matter of fact nothing was checked, they were just hired on the supervisors gut feeling. This company had very strict screening practices developed by their legal council, yet two locations were not following them. Turns out one of the employees was fired from his previous job because of theft. Make sure you do your due diligence on all new employee hires.

Ok so let’s get to why you clicked on this article. First of all what is the definition of a liability? According to Oxford English Dictionary “A liability is a state of being responsible for something especially by law” or “A person whose presence or behavior is likely to cause embarrassment or put one at a disadvantage.” Not only could the employee be a liability to your company, but your actions on how you deal with the wrongful behavior could also be a liability. As an example, accusing someone of theft without any evidence to back it up, can be a liability to the company. Another example would be to ignore a complaint about bullying or discrimination. Many general liability insurance policies do not cover employee law. So it is a good idea to ask yourself, can I be held liable in this employee law situation. Which is another reason to consult your legal counsel before taking action.

When does an employee go from being a Human Resources asset to a Human Resources liability? There are many reasons, they could become unproductive and their performance fall below other workers, they could also be violating company policies, become a liability by not following OH&S or environmental policies, disrupting the work place through harassment, discrimination or bullying. They could be stealing assets, committing fraud, using drugs or alcohol on the job or using company assets to post inappropriate comments on social media.

Of course not all of the above are cause for dismissal, if a good employee has suddenly become unproductive, there may be reasons for it such as physical or mental health issues or perhaps they are dealing with a traumatic event such as a divorce or the death of a family member. It is your responsibility as a small business owner or manager to identify the problem and take appropriate measures. However, some of these violations are clearly reasons for dismissal and need to be dealt with.

When you have information regarding an employee problem, you must determine the nature of the problem and decided action. As I have mentioned in a previous blog, evaluating Intelligence requires you to look at the source of the intelligence and the quality of the intelligence.

First thing is to ask why I think there is a problem?

Is it in the numbers, is productivity or sales down or is it because of another employee or customer made a complaint. How reliable is your information?

What type of violation or offense is it?

Is it a breach of Human Resources policies or procedures, is it a Code of Conduct breach. Is the behaviour a Criminal Code offense, such as theft, fraud, or assault? The type of violation is going to determine the seriousness of the complaint.

How does the violation or activity affect the company?

Does it affect employee morale, does it put an employee in danger, or will it hurt the reputation of the company? Is there a financial cost to the company?

Are people at risk of injury or physical harm?

This could be an Occupational Health and Safety issue, or it could be a physical threat or Workplace Violence.

Let’s be perfectly clear, this is not an article to provide you with Legal Advice. Its purpose is to give you guidance on identifying and analyzing potential employee problems. Every situation is unique and the only way to ensure you are taking the right course of action is to contact your legal advisor for advice. I understand that in this Covid 19 business environment that money is tight. But after you have identified the problem seek legal advice to ensure you are taking appropriate action. Finally make sure you follow the lawyer’s advice and don’t do something else.

Once you have determined that a potential violation exists, you need to act on it right away. Thinking in terms of the Who, What, Where, When Why, How and Action Taken. Will provide an investigation template to document your findings.

1. Who: Who are the victims, who are the witnesses, who is the subject of the complaint?

2. What: What is the offence,

3. Where did the offense occur? Location, department.

4. When did it occur? Time and Date.

5. Why did the offense occur? Reason for the offense being committed.

6. How did the offense occur? Lack of internal controls or something else.

7. Action Taken: After conducting your inquiry, are you referring it to a manager or the HR department for follow up and how will it be treated. Are you requesting outside help such as a Private Investigator, Lawyer, Police or another specialist.

Once you have conducted your initial fact finding and have determined that there is cause for concern. You then have to decide a course of action. Is there enough evidence or cause for concern that it requires immediate attention?

Two of the biggest mistakes I see when it comes to employers investigating complaints and violations is:

A. That the employer fails to act on the information immediately. This delay can increase the seriousness of the violation, causing it to escalate and create greater liability to the organization or increase its financial losses.

B. Owners and Managers fail to document the complaint and information gathered at the beginning and during the course of the investigation. This is critical for evidence purposes and to show you took action right away. Your personal notes may even be allowed as evidence in the court room, if you had to testify.

Some helpful Prevention Tips:

1. Have a code of conduct and ethics that lays out the expected behaviors of employees and the consequences for breaching those rules.

2. Have a Whistleblower Hotline so employees can report wrongdoing anonymously. Such as our www.workplaceviolationshotline.ca.

3. Pre-screen all employee before hiring.

4. When it comes to investigating complaints get evidence not explanations.

5. Don’t hesitate to get outside help if needed. Such as Lawyer or Private Investigator. Hiring a third party can ensure an unbiased investigation.

6. Only share the information with other managers on a need to now basis. This is not to only protect the investigation, (Loose Lips Sink Ships) but also to protect the employee’s privacy. If an employee is doing something wrong and they learn they are being investigated, it could escalate their behaviour putting people in danger or destroying evidence.

In closing, Covid 19 has changed the way we work, with more people working from home. But this will not change human behaviour, some employees will cross the line. Be vigilant and diligent, manage your assets and reduce your liabilities.

BECAUSE OF COVID 19, IT’S TIME FOR A STRATEGIC MANAGEMENT RISK ASSESSMANT!

Darrell Smith CFE, ARM, CIM, FCSI

In November of 2019, we ran a digital ad “How to Prepare Your Business for the Coming Recession”. While a number of people who responded to the ad had genuine concerns, the interesting thing was a lot of business owners said that their business was doing the best ever and that their company was sound and the economy was great. Five months later everything has changed. It’s not that I had a crystal ball and knew things were going to get bad. There were signs that the economy was slowing down, with record low interest rates and record high corporate and consumer debt. I mention this to illustrate how quickly the business environment can change and the importance of strategic and risk management planning. Business need to have a strategic plan, with the flexibility to identify the risks it faces and to react accordingly.

A strategic plan establishes where your organization is going and how it will get there. It is essentially a blue print for your organizations success. It is developed by Senior Management and the Board of Directors. It consists of a Vision Statement; where is the company going, A Mission Statement; why does our organization exist, Strategy Statement; what will we do to get there and a Strategic Plan; how will we do it.

Strategic risk management is a process of identifying, analyzing and managing risks that could prevent your organization from achieving its strategic goals. It could be either internal or external risks and its goal is to protect shareholder value and is part of the Enterprise Risk Management (ERM) process. An example would be Project Failure, where new software is installed, only to have it become obsolete or not do what it was intended to do.

So let’s look specifically at the main strategic risks your company will face and can prepare for:

1. You Lose Customers: Customers have ever changing tastes, needs and preferences. Losing customers reduces sales and profits. Losing too many customers to quickly can result in the business shutting down. Staying connected with your customers and understanding their changing needs will help you prevent surprises. Working with them will help you understand their business and make you more valuable to them.

2. Your Brand Loses Its Customer Appeal: While many brands retain their customer appeal for ever (Think Coke) others lose the appeal over a period of time (Think Blackberry). Brand erosion occurs over time because of changing customers. Some reasons for brands losing their power are; poor or declining product or service quality and poor customer service. Brands can also become boring and uninteresting to the customer.

3. Your Big Project Fails: According to the PMI, more than 14% of all projects fail. With 37% of the reason for failure was a lack of clear vision and goals. A PWC study of over 10,640 projects found that only 2.5% of companies complete their projects 100% successfully. The rest either failed to meet their original target or missed their original budget or deadline. Think about the financial cost of time and materials that go into a failed project and the opportunity cost. Ask how is this project going to help us achieve our strategic goals? What are our chances of success? How can we increase those odds?

4. Your Company Sales Stop Growing: When sales stop growing, it affects cash flow and profits to the shareholders. You start losing key employees and may have to pass on other opportunities. How do you keep sales growing without creating more risk?

5. Your Business or Industry Becomes a No Profit Zone: Many industries are losing their ability to generate a profit such as retail or manufacturing. This can be because of increased competition or customer power that demands lower and lower prices. Is your industry heading this way? What opportunities are available to counteract the process?

6. An Unstoppable Competitor Enters Your Market: Think of an owner of a small town grocery store, where a Wal Mart opens up down the road. They have vast financial resources, purchasing power with suppliers, top notch Management Information Systems and a world renowned brand. How do you compete with them? You can and businesses have done it.

7. Your Industry Reaches a Fork in the Road: Technology, Customers, Economics, Regulatory or Political events can be the reason for having to choose between two possibilities. An example would be an armoured car company, assessing the fact that cash transactions will soon become obsolete. Do they move into other markets or focus on getting new customers. When an industry is transformed up to 80% of businesses fail to adapt and make the transition, (Think Blockbuster).

So as a business owner or manager, how do you assess your strategic risk? Start by identifying and quantifying your risks by going through each one of the seven types of Strategic Risks I outlined above. As an example using number 1. Ask yourself are you losing customers? What is our customer turnover ratio? Why are we losing customers? If you are increasing your customer base, then why? Track your work by putting it into a simple Strategic Risk Chart.

Risk Odds of Occurrence in% Impact in$ Action/Countermeasure % Complete

Lose 15% of 75% 30% of Sales Reduce Expenses by 10% 40%

Customer’s $300,000 Hire customer service staff

So now you have analyzed the seven strategic risks, next you need to take the top three to five risks with the highest impact on your business and develop your action plan to mitigate the risks.

Two of the goals of strategic risk management is to deflect the smaller day to day risks and to mitigate the larger risks you cannot avoid. There is a whole list of risk avoidance and risk management techniques that companies can use. Everything from reducing your fixed costs, have effective business intelligence systems to gather information that affects your customers and competitors, have early warning systems on customers’ needs and changing tastes and a whole list of other techniques.

Statistically, 20% of new businesses will close in the first year and 50% of business will have closed by their fifth year. So the odds of surviving your first year is 80% and your fifth year 50%. So from a Strategic Risk Management perspective Covid 19 has increased the odds of business failures. The Restaurant Association of Nova Scotia completed a study and said that 10% of restaurants in Nova Scotia closed this year so far and another 40% could close by March 2021.

Companies that are highly leveraged will not be able to service their debt, consumers will spend less because of higher unemployment. Yet some companies will survive and prosper and other companies will start up and beat the odds. Luck may play a part but eventually your luck runs out, that’s why you need to ensure that your Strategic Plan Is sound and you identify the risks that can get in your way.

I have simplified the process a little to make it easy to understand and to keep it short. I find the most effective way of doing a Strategic Risk Assessment is through a company workshop. I offer half day workshops on Strategic Risk Management to companies involving their executives and senior managers. They are fun to do and there is always a number of key takeaways that help the client right away.

Feel free to reach out to me if you have any questions about how to get started.