Safety In Numbers

East Coast Fraud & Risk Management Group

Blog

BECAUSE OF COVID 19, IT'S TIME FOR A STRATEGIC MANAGEMENT RISK ASSESSMANT!

Posted on 5 March, 2021 at 9:55 Comments comments (0)

BECAUSE OF COVID 19, IT’S TIME FOR A STRATEGIC MANAGEMENT RISK ASSESSMANT!

Darrell Smith CFE, ARM, CIM, FCSI

 

In November of 2019, we ran a digital ad “How to Prepare Your Business for the Coming Recession”. While a number of people who responded to the ad had genuine concerns, the interesting thing was a lot of business owners said that their business was doing the best ever and that their company was sound and the economy was great. Five months later everything has changed. It’s not that I had a crystal ball and knew things were going to get bad. There were signs that the economy was slowing down, with record low interest rates and record high corporate and consumer debt. I mention this to illustrate how quickly the business environment can change and the importance of strategic and risk management planning. Business need to have a strategic plan, with the flexibility to identify the risks it faces and to react accordingly.

 

A strategic plan establishes where your organization is going and how it will get there. It is essentially a blue print for your organizations success. It is developed by Senior Management and the Board of Directors. It consists of a Vision Statement; where is the company going, A Mission Statement; why does our organization exist, Strategy Statement; what will we do to get there and a Strategic Plan; how will we do it.

 

Strategic risk management is a process of identifying, analyzing and managing risks that could prevent your organization from achieving its strategic goals. It could be either internal or external risks and its goal is to protect shareholder value and is part of the Enterprise Risk Management (ERM) process. An example would be Project Failure, where new software is installed, only to have it become obsolete or not do what it was intended to do.

 

So let’s look specifically at the main strategic risks your company will face and can prepare for:

 

1. You Lose Customers: Customers have ever changing tastes, needs and preferences. Losing customers reduces sales and profits. Losing too many customers to quickly can result in the business shutting down. Staying connected with your customers and understanding their changing needs will help you prevent surprises. Working with them will help you understand their business and make you more valuable to them.

 

2. Your Brand Loses Its Customer Appeal: While many brands retain their customer appeal for ever (Think Coke) others lose the appeal over a period of time (Think Blackberry). Brand erosion occurs over time because of changing customers. Some reasons for brands losing their power are; poor or declining product or service quality and poor customer service. Brands can also become boring and uninteresting to the customer.

 

3. Your Big Project Fails: According to the PMI, more than 14% of all projects fail. With 37% of the reason for failure was a lack of clear vision and goals. A PWC study of over 10,640 projects found that only 2.5% of companies complete their projects 100% successfully. The rest either failed to meet their original target or missed their original budget or deadline. Think about the financial cost of time and materials that go into a failed project and the opportunity cost. Ask how is this project going to help us achieve our strategic goals? What are our chances of success? How can we increase those odds?

 

 

4. Your Company Sales Stop Growing: When sales stop growing, it affects cash flow and profits to the shareholders. You start losing key employees and may have to pass on other opportunities. How do you keep sales growing without creating more risk?

 

5. Your Business or Industry Becomes a No Profit Zone: Many industries are losing their ability to generate a profit such as retail or manufacturing. This can be because of increased competition or customer power that demands lower and lower prices. Is your industry heading this way? What opportunities are available to counteract the process?

 

6. An Unstoppable Competitor Enters Your Market: Think of an owner of a small town grocery store, where a Wal Mart opens up down the road. They have vast financial resources, purchasing power with suppliers, top notch Management Information Systems and a world renowned brand. How do you compete with them? You can and businesses have done it.

 

7. Your Industry Reaches a Fork in the Road: Technology, Customers, Economics, Regulatory or Political events can be the reason for having to choose between two possibilities. An example would be an armoured car company, assessing the fact that cash transactions will soon become obsolete. Do they move into other markets or focus on getting new customers. When an industry is transformed up to 80% of businesses fail to adapt and make the transition, (Think Blockbuster).

 

 

So as a business owner or manager, how do you assess your strategic risk? Start by identifying and quantifying your risks by going through each one of the seven types of Strategic Risks I outlined above. As an example using number 1. Ask yourself are you losing customers? What is our customer turnover ratio? Why are we losing customers? If you are increasing your customer base, then why? Track your work by putting it into a simple Strategic Risk Chart.

Risk Odds of Occurrence in% Impact in$ Action/Countermeasure % Complete

Lose 15% of 75% 30% of Sales Reduce Expenses by 10% 40%

Customer’s $300,000 Hire customer service staff

So now you have analyzed the seven strategic risks, next you need to take the top three to five risks with the highest impact on your business and develop your action plan to mitigate the risks.

Two of the goals of strategic risk management is to deflect the smaller day to day risks and to mitigate the larger risks you cannot avoid. There is a whole list of risk avoidance and risk management techniques that companies can use. Everything from reducing your fixed costs, have effective business intelligence systems to gather information that affects your customers and competitors, have early warning systems on customers’ needs and changing tastes and a whole list of other techniques.

 

 

Statistically, 20% of new businesses will close in the first year and 50% of business will have closed by their fifth year. So the odds of surviving your first year is 80% and your fifth year 50%. So from a Strategic Risk Management perspective Covid 19 has increased the odds of business failures. The Restaurant Association of Nova Scotia completed a study and said that 10% of restaurants in Nova Scotia closed this year so far and another 40% could close by March 2021.

Companies that are highly leveraged will not be able to service their debt, consumers will spend less because of higher unemployment. Yet some companies will survive and prosper and other companies will start up and beat the odds. Luck may play a part but eventually your luck runs out, that’s why you need to ensure that your Strategic Plan Is sound and you identify the risks that can get in your way.

 

I have simplified the process a little to make it easy to understand and to keep it short. I find the most effective way of doing a Strategic Risk Assessment is through a company workshop. I offer half day workshops on Strategic Risk Management to companies involving their executives and senior managers. They are fun to do and there is always a number of key takeaways that help the client right away.

 

Feel free to reach out to me if you have any questions about how to get started.

 

WHY SMALL BUSINESS AND START UPS NEED A GOVERNANCE AND COMPLIANCE PROGRAM.

Posted on 5 March, 2021 at 9:50 Comments comments (0)

WHY SMALL BUSINESS AND START UPS NEED A GOVERNANCE AND COMPLIANCE PROGRAM.

Darrell Smith CFE, ARM, CIM, FCSI


Most small businesses are run by one or two entrepreneurial owners, with most day to day business decisions being made by the owners and senior managers. The external stakeholders, do not have an active role in the decision making process.

The stakeholders are, shareholders, lenders including banks and family, employees, suppliers, contractors regulatory agencies, government, customers and the general public. Many decisions made by organizations have consequences beyond the organization itself. Therefor in decision making a small business must take into account how it affects all its stakeholders. This approach is called social responsibility.

 

When we look at the definition of Governance, I like Ray Dalio’s definition from the Bridgewater Group. “Governance is the process that checks and balances power to assure that the principles and interests of the community as a whole are always placed above the interests and power of any individual or faction.”

 

Compliance is the process of making sure your company and employees follow the laws, regulations, standards and ethical procedures that apply to your organization.

 

Compliance does not constitute risk management, however the risks of non-compliance is countless. An organizations social license to operate requires more than just following the laws and rules of their environment. Risk Management is an essential part of the program, because not knowing the risks faced by the organization and the cost of those risks, make a Compliance program less effective.

Implementing Compliance and Governance with Risk Management, provides for a better understanding of threats and opportunities.

 

So in a small business or start up, many decisions are made daily, including decisions that affect all stakeholders. So it is important to have a decision making process that incorporates having adequate information to make the decision and implement it.

 

Good Governance provides a structure to protect the interests of shareholders and stakeholders, because they are not actively involved in running the company.

 

The advantages of having a Governance, Risk Management and Compliance Program (GRC) is not just following regulatory and legal conditions, related to your business and industry. But developing a strategic plan to achieve your business objectives, ensuring that your business goals do not exceed your risk appetite, developing a culture of accountability and transparency and having a reporting structure that designates responsibilities for compliance issues to the most qualified persons.

 

To build a Compliance Program, the first thing you need to do is set up an independent board of directors. I know what you’re probably thinking, I’m a small business or start up barely able to pay my bills. How can I afford a Board of Directors? The great thing is that there are many experienced business people, accountants, lawyers or retired professionals that would be happy to serve on your board. Not only do they bring valuable experience to your company, but they also have business contacts. The key is to have an independent board of directors.

 

Once you have selected your Board and have called your first board meeting. The first order of business is to develop a strategic plan of what your goals and objectives are for the company and then communicate it to all employees.

 

My experience working with and sitting on a number of boards is that management has great vision and strategy for their organization. However they have not put it into writing, what their goals are and how they will achieve them. Don’t confuse a strategic plan with a business plan. A business plan lays out the financial, marketing and operational goals of your business, a strategic plan states what your goals are for the business and how you’re going to get there. A business plan is usually developed by the owner, their accountant and perhaps several key employees. The strategic plan is developed by the board of directors. A strategic plan is an essential part of your overall business plan. Not having a strategic plan is like hiking in the woods without a compass or a map. After a very short time hiking, you get disorientated and you cannot tell what direction you are going, where you are or how to get back on the trail. A strategic plan maps out your objectives and the activities needed to get you there and provides you with the checks and balances to keep you on track.

 

Develop a Code of Conduct and Ethics: Whether you have been in business for 20 years or you are the only person in your start-up. Having a code of conduct and ethics is essential. A code of conduct governs decision making and how its employees and management should behave. A code of ethics governs actions and have five key areas, Integrity, Objectivity, Professional Competence, Confidentiality and Professional Behaviour. Typically they would be two separate documents, but many organizations do combine them.

I am a big believer in all firms having a code of conduct and ethics, regardless of their size and how long they have been in business. I have worked for companies where problems were identified and after implementing a Code of Conduct, communicating it to all employees and having them sign off on it annually. Behaviours such as theft, harassment, discriminations, and unproductive employees were reduced significantly. As a start-up it gives you a guide to good decision making by following the companies values.

 

Document all Job Descriptions, Processes, Policies and Procedures: Everything should be included, such as HR policies, financial, marketing and operations. The employees doing these jobs should be part of this documentation process. They can add valuable input, because they are the ones doing the job. The advantages of having everything documented are; Sets a standard for quality control, everyone is following the same procedures. Makes it easy for new employees or new locations to understand and follow company procedures. Provides an audit trail, as part of a risk assessment review. Are company policies being followed? As the business grows it maintains a level of consistency, reducing liability and financial issues, makes change management a lot smoother.

 

Have an Employee Handbook: Including the company history, mission, vision and the company goals. Your core values and culture, employee benefits and all policies and procedures. You should also have an orientation session with each new employee, to go over the items in the handbook and give examples of actual occurrences of how the policies apply to them. This step is extremely important as it helps to shape your corporate culture.

 

 

Perform Regular Risk Assessments: Conducting regular risk assessments will help you identify risks to your organization that can have negative consequences. By identifying them early, you can develop a risk mitigation plan to manage the risk. Traditional risk management looks at property, liability, and net income and people risks. Conducting regular risk assessments will also allow you to identify potential opportunities. Ask yourself, what are the three greatest risks facing my company? Ask your managers what are the three greatest risks facing their department?

 

Review Internal Controls: Internal controls are the guardians of your business. They are the methods, rules, and procedures used to maintain the integrity of the financial and accounting information. For any size business, the financial information is critical to managing the business. Protecting that information from fraud and theft, is essential to not just managing the business but the survival of the business. In my experience as a Certified Fraud Examiner, the number one reason that the perpetrator was able to commit the fraud. Was the complete lack of, or a breakdown in internal controls. Keep in mind that individuals who steal and commit fraud, are spending a lot of time on how to do it and not to get caught. They are looking for weaknesses or a lapse in the controls.

So it is essential that you spend enough time reviewing and testing your internal controls.

 

Have a Reporting Mechanism: As I have written about before, I am a big believer in having an anonymous reporting hotline. Where your employees, customers and suppliers can report potential wrongdoing to your company. See our Blog: “Not Having A Whistle Blower Hotline Is Like Leaving The Doors Unlocked At Night.” Having a reporting mechanism will result in wrongdoing being reported sooner, saving you time and money. It also sends a message that the company is serious about promoting moral and ethical behaviour in the company.

 

As a small business or start-up, here are some of the common issues that I have seen. Paying Income, Sales or other taxes, making payroll remittances, use of government funds and grants, Occupational Health & Safety, product and service liability, legal liabilities including discrimination and harassment, regulatory issues unique to your own industry, Anti Money Laundering regulations, conflicts of interest, protecting confidential customer and employee information.

 

So let’s look at the reasons why small businesses and start-ups need a compliance and governance program.

 

1. Having a CRG program provides the information necessary for management to make good business decisions and to be better leaders.

2. Better mechanisms in place to monitor and manage risk and identify potential opportunities.

3. Stakeholders will have more confidence in the owner and the business, by knowing that the business is being run in a responsible and ethical manner. If you’re looking for bank financing or to secure your first round in seed capital, and you have a GRC plan in place. This is going to probably work in your favor, compared to a company that does not.

4. It allows management to stay on track, because they have a plan to follow. If they lose their way the just go back to their strategic plan, values and mission statement.

5. It provides the framework for an organization to expand rapidly. By having a strategic plan, and all processes documented. If you open another branch or hire a lot of new employees, you have everything documented for them to follow. Allowing you to focus more on growth and less concern for compliance.

6. Reduced legal liability, by knowing what your greatest risks are and managing them.

7. Enhanced reputation in the business community, this is an advantage to getting customers, employees and financing.

 

I hate to use the old cliché, “they didn’t plan to fail they just failed to plan.” But when it comes to managing your small business or start-up effectively, growing sales and making a profit, you need to have a plan. Especially now with Covid 19 changing the way we work and do business.

 

While getting started may seem a little overwhelming, it’s not. Start with little steps, make a list of people you would like to have on your Board of Directors, review other companies Codes of Conduct, and think about what challenges and opportunities are ahead for your organization. The great thing with all of this is it doesn’t costs any money, unless you contract some of the work out. It just takes time, that will be well spent.

 

NOT HAVING A WHISTLE BLOWER HOTLINE IS LIKE GOING HOME AND LEAVING THE DOORS UNLOCKED AT NIGHT

Posted on 5 March, 2021 at 9:45 Comments comments (0)

NOT HAVING A WHISTLE BLOWER HOTLINE IS LIKE GOING HOME AND LEAVING THE DOORS UNLOCKED AT NIGHT.

Darrell Smith CFE, ARM, CIM, FCSI

You wouldn’t finish your work day and then go home and leave the doors unlocked to your business. Of course you wouldn’t. Not only would the unlocked door create an enormous security risk, you probably wouldn’t sleep that well. So not having an employee reporting hotline is like leaving the doors unlocked and hoping that you’re lucky enough that no one comes by and finds it open. Because if they get inside your business it could be very costly.

Even with modern security technologies, your first and most important line of defense is your locked doors. Alarm systems, and Closed Circuit Television Systems are just part of your overall security program.

My point is that even with modern security technology there are shortcomings that do not identify what I will refer to as the “intangible” occurrences of a criminal, regulatory, and human resources nature. What I mean by intangible occurrences are activities that are not apparent in the day to day operations of the organization. Such as an employee claiming expenses that they are not entitled to, an employee being discriminated against, an employee dumping toxic waste into the sewer system or a buyer taking kickbacks from the supplier. These events would probably not show up on a security camera, however your employees and even sometimes your customers may have evidence of these violations.

Employees who work in the specific area may have knowledge of such incidents, either through direct or circumstantial evidence. Yet they may hesitate to report the incident because of fear of reprisal or not knowing how or to who to report it too.

 

Organizations that do not have a reporting mechanism, have higher dollar losses because it takes longer for the event to be discovered, run the risk of legal, regulatory and criminal actions, have lower employee morale and risk damaging their reputation.

 

So What Is A Whistle Blower Hotline?

 

A Whistle Blower Hotline is an anonymous means for employees to report wrongdoing, knowing the report will be taken seriously and investigated. It is not for employees to report disagreements between themselves and their bosses or fellow employees.

Some hotlines are to just report fraud or environmental issues, while others allow any kind of violation to be reported, such as Fraud, Theft, Discrimination, Harassment, Bullying, Corruption, Sexual Harassment and any other violation.

Reports can be made by telephone 24/7 or online.

 

Why Is a Hotline So Important?

 

Studies have shown that if employees do not have an anonymous means of reporting workplace violations, they will either not report the violation, quit, go to the media or go to the police. By not reporting it, this causes additional financial losses to the company, can result in legal or criminal charges, and can cause unrepairable harm to the reputation of the business.

According to the Association of Certified Fraud Examiners 2020 Report to the Nations; The Duration of a Fraud Scheme, has a direct bearing on the median loss an organization incurs. The median loss is $50,000 for a fraud that lasts for 6 months and $740,000 for a fraud that lasts 60 months. It’s clear that the longer a fraud goes undetected the higher the losses. While this is just for fraud, I’m certain that this would be the same for any other kind of a violation. Whether it’s a criminal, regulatory or human resources in nature.

 

What is the Value of the Information Received from a Hotline?

 

Considering that all of your employees have knowledge of your operations and can see, hear or have physical evidence of potential violations. Why wouldn’t you want to make every employee an intelligence operative for your company? If you have 100 employees, that’s one hundred sets of eyes and ears gathering information, looking out for the companies best interests.

In the intelligence community, when evaluating intelligence information. You look at the source of the information and the quality of the information. So it makes sense that an employee would be in a position to have knowledge of violations. Even your customers and subcontractors would be in a position to have important information.

 

So Why Do So Many Businesses Not Have A Hotline?

 

In my experience with our in house hotline, I have heard many reasons for not having one. We are too small, the unions don’t want us to have one, the bosses don’t want any more headaches or we have a reporting mechanism already. This is my favorite because, they think that having a policy where information is to be reported to their immediate supervisor will work. The problem with this is that the employee cannot remain anonymous, they fear repercussions from the individual they are reporting or their employer. The one thing that all organizations can rule out for not having a whistleblower hotline is cost. The cost can be as little as a dollar per employee per year, with usually a minimum subscription. So a small business with 100 employees would pay $1000 per year, for a hotline service. I have just quoted a price for our Workplace Violations Hotline, other hotline prices may vary.

 

As Part of a Compliance Program.

 

A whistleblower hotline forms the basis of a compliance program, along with a Code of Conduct and Ethics and the ability to investigate all complaints in a timely manner, the tracking of all complaints to determine trends and for additional follow up. So every business regardless of size or financial condition can have the three cornerstones of a Compliance Program. By having a Hotline it tells all your employees that you take all violations seriously, and by creating a culture of “it’s the right thing to do” by reporting wrongdoing in your organization.

 

So in this post Covid 19 environment, where revenues and profits are down and many employees are working from home. Implementing a hotline is not only a prudent move, but will provide an excellent Return on Investment and peace of mind.

 

WHY EMPLOYEES STEAL

Posted on 24 October, 2016 at 10:20 Comments comments (5)

Darrell Smith CFE, ARM, CIM, FCSI

Whether you are in manufacturing, retail or a service industry. Your employees steal from you for all the same reasons. Criminologists state that three elements must be present in order for employee theft to occur,

1. Motive: Employees may have financial, gambling, substance abuse problems, or may just feel they are unappreciated or under paid at work.

2. Opportunity: The lack of security control systems and clear cut policies and procedures. Make it easier to steal from you.

3. Justification: Is simply the employee justifying his actions by saying I will put it back, it's not really stealing or they want me to take it.

Once all three elements are in place you have employee theft. The 10-10-80 rule states that;
- 10% of your employees will steal from you at each and every opportunity.
- 10% of your employees will never steal from you at any opportunity.
- 80% of your employees may or may not steal from you based on motive, opportunity, and justification.

As employers we have no control of an employee's motive or justification, but we can do something about opportunity. Being pro-active to prevent employee theft is more effective, and costs a lot less than being reactive. An effective employee theft prevention program should include the following preventative measures.

  • Conduct pre-employment screening checks to eliminate potential employees with motive and justification.
  • Have a clear and concise corporate code of conduct outlining what behaviour is expected of your employees, and what course of action will be taken in the event of a violation.
  • Have a Whistle blower Hotline to allow employees to report wrong doing anonymously. Studies have shown that  having a whistle blower hotline, will reduce the severity of losses by catching the theft sooner. Many whisltleblower hotlines; such as our own Workplaceviolationshotline.ca allow all types of workplace violations to be reported.
  • Communicate this code of conduct to all new and existing employees, suppliers and contractors. Have them sign off on it every year.
  • Be consistent with enforcing policies. Treat every violator the same.
  • For younger workers with less time on the job, have employee appreciation and recognition programs. Such as a $10.00 gift certificate to a coffee shop or movie theatre.

In conclusion a proactive approach to employee theft will be more cost effective, providing a greater Return on Investment.

Managing Business Reputation Risk

Posted on 9 May, 2014 at 21:45 Comments comments (11)


MANAGING BUSINESS REPUTATION RISK
Darrell Smith CFE, ARM, CIM, FCSI

East Coast Fraud & Risk Management Group - www.eastcoastfraud.ca  

Most organizations don’t give much thought to their business reputation until something goes wrong. One of the reasons is that a business’s reputation is difficult to identify, analyze and put a value on. It is an intangible asset that does not show up on the balance sheet, except perhaps as Goodwill when one company buys another company. Your reputation is what brings customers to you, keeps your customers coming back, and why existing customers will refer friends and family to your business. Your business reputation is one of your greatest assets and if not managed it could be a liability or it could also mean missed opportunities.

According to the Insurance Institute of America, the definition of Reputation Risk is;

 “An intangible Asset that relates to an organization’s goals and values, results from behaviors and opinions of its stakeholders and grows over time. It is the comparison between stakeholder’s experiences and their expectations and is the pillar of the organization’s legitimacy or social license to operate. An organization maintains a good reputation when it meets or exceeds stakeholder expectations.

 PUTTING A VALUE ON REPUTATION

The first thing you must do is recognize the value of your reputation. Intangible assets in some organizations can represent 50% or more of a company’s total value. While there are several ways of valuing reputation risk, such as the Fair Market Value approach, which would assign a value if put on the market and the Cost Approach which is the amount the organization invested to acquire their reputation. Risk Managers prefer the Income Approach which puts a current value based on discounted cash flows, the reputation would earn in a given period of time. By recognizing the value of your reputation, it allows you to think of it as an asset. If damaged it can cause a loss of key stakeholders, but there is also an upside that you can take advantage of opportunities to add value to your reputation. As an example the tainted Tylenol crisis in 1982, had Johnson & Johnson develop tamper proof pill bottles that are now used globally.

IDENTIFY KEY STAKEHOLDERS

You should identify your key stakeholders and rate them based on importance, because each stakeholder’s expectations may be different. I use a rating system with a base of 100 and assign each stakeholder points based on their importance. Stakeholders can be classified as external and internal. Internal could be management, employees, and Board Members, while external could be customers, suppliers, shareholders, and government regulators.      

SOURCES OF RISK TO REPUTATION

Sources of risk to reputation can include the following;

1.      Deliver on Customer Promises: Is the company (non-profit or government entity) delivering high-quality, competitively priced goods and services?
2.      Regulatory and Legal Compliance: Is the company seen by its stakeholders and the public as law abiding and comply with all laws and regulations?
3.      Communication and Crisis Management: Does the company have an effective communications plan to manage stakeholder expectations? Are they transparent in their business dealings?
4.      Financial Performance and Long-Term Investment Value: Does the company have a steady record of financial performance and are they a good long-term investment?
5.       Corporate Governance and Leadership: Does senior management and the Board of Directors lead by example and set an appropriate tone at the top.
6.      Corporate Social Responsibility: Is the company considered by its stakeholders a good corporate citizen and does the company minimize the negative impact and maximize the positive impact of its activities on the environment and society as a whole?
7.      Workplace Talent and Culture: Does the company recruit high quality employees and treat them well? Does the corporate culture motivate employees to take pride in their work?

IMPLEMENTING A RISK MANAGEMENT PLAN FOR REPUTATION RISK 

Identify, Analyze and Prioritize Reputation Risks: Identify the key drivers of risk by reviewing past incidents and future risks. Analyze those risks based on tangible losses or gains to reputation and put a priority on each one. As an example an investment firm that has numerous compliance issues with advisors recommending high risk investments, could result in loss of clients and assets, regulatory fines, a criminal investigation or class action lawsuit.

Develop and Implement a Risk Response: To implement a risk response to a specific reputation risk, it depends on the source of the risk, whether the risk is a threat or an opportunity, the risk appetite of the organization and whether the risk can be mitigated and the total cost of mitigating the risk (ROI).

Monitor the Results: After the risks have been identified, analyzed and prioritized and risk responses have been developed and implemented. The risks should be monitored by management for any changes in the risk frequency or severity and take appropriate action. The objective is early detection and immediate treatment.

To effectively manage your reputation, recognize reputation as an asset, that like any other asset there are risks that may affect it and there are also opportunities that allow you to improve your reputation. Many companies actually seek out risk to maximize profits and gain a competitive advantage over their competitors.

How to Use Corporate Culture to Prevent Fraud

Posted on 14 April, 2014 at 20:00 Comments comments (3)


How to Use Corporate Culture to Prevent Fraud   
Darrell Smith CFE, ARM, CIM, FCSI

Corporate Culture can be described as “The beliefs and values which are understood by employees.” Culture is like an invisible energy field that surrounds your organization and determines how people think, act and see the world around them.
Some facts about corporate culture include;
1. Culture determines the “way of life” for employees who often take its influence for granted.
2. Over time culture is fairly stable and resistant to quick changes. Once a culture is ingrained into the organization, it can resist change even with high employee turnover. 3. Culture involves both internal and external characteristics.
4. Employee’s know what the culture is and can describe its characteristics. You can measure, evaluate and perfect it.
5. Culture will develop in a random fashion, or you can manage it if a firm has incorporated it into their strategic plan that identifies specific properties and goals. 

So how can a company reduce fraud in their organization by managing corporate culture? By aligning the organizations goals with the socialization process. The socialization process is what passes an organization’s culture from one generation of employees to next.  

According to Dictionary.com the definition of the socialization process is; the continuing process whereby an individual acquires a personal identity and learns the norms, values behaviors  and social skills appropriate to his or her social position.
 
The three stages of the socialization process are;  

1. Anticipatory Socialization and the Hiring Process: Begins when the employee simply considers working for a company and continues through the hiring process, where the interviewer will communicate the norms and values of the company and determine if the candidate is a good fit.  

2. Formal Socialization: Can be in the form of orientation and training programs for new employees and also through a mentoring process where values, skills and habits are communicated to the new hire.  

3.  Informal Socialization: Occur through many informal channels, through interaction with fellow employees and informal interactions with management. This is where the most effective and lasting socialization takes place. 

At the anticipatory and hiring stage, the first step is to communicate the company’s norms and values through the web site to potential and current employees, that your organization puts a high value on honesty and integrity. Then during the interview process, the interviewer will reinforce the values by making it part of the interview process by asking open ended questions and reinforcing the company values.  

The formal socialization stage is an excellent opportunity to begin the education process by making it part of the training program, through codes of conduct statements, and company policies and procedures. It is also very important to match the new hire with a mentor who will reinforce the company values in a positive reinforcing way. Use real examples of how real employees made contributions to preventing fraud.  I am a big believer in positive reinforcement and not using negative reinforcement, such as discussing how this employee was caught committing fraud. This sets a negative tone for the new hire.

  Finally the informal socialization process is where the employee will develop their values and ethics system by interacting with other employees and various levels of management. It is essential that management lead by example and follow the same rules as expected from the employees. Employees that are role models and set a good example should be given more exposure to the new employees.

  I have worked with clients who accepted that employee fraud and theft was part of their culture, and spent large amounts of money on security, CCTV, and audit programs, focused on catching and prosecuting the dishonest employee. This is really just dealing with the effect and not the cause. I have also worked with companies who tried to change the culture of fraud and theft, by managing the corporate culture. The return on investment is much higher.  

While every organization is unique, here are some helpful hints to get started;  

-  Survey your employees to understand their thoughts on fraud and theft in the           workplace.  

-  Develop a vision statement that reflects the vision of the company on fraud and  employee dishonesty. I had the privilege of doing some work for a contact center and the VP came into the class of new trainees and said I only ask two things of you; 1. Don’t use violence against each other 2. Don’t steal from the company or commit illegal acts against us. They have never had a workplace violence incident or fraud committed against them. Don’t underestimate the power of vision.  

-  Ensure senior management is on board and make sure they give a reason why the change is occurring.   

-  Establish a team to guide the change process. 

-  Set short-term wins, rather than one or two big goals. This will keep employees engaged and focused. Failing to meet a big goal or milestone will discourage employees and may mean the end of the program.  

We have discussed corporate culture and the role it plays in shaping employees thoughts and behaviors. We also discussed how the culture can be managed with the socialization process. To change your culture takes time and a lot of energy, however the end result is worth it.
At East Coast Fraud & Risk Management Group we have worked with many organizations and developed several employee surveys, you can use to survey your employees on corporate culture as it relates to fraud and employee dishonesty. Drop us a line if you would like a copy of one at www.eastcoastfraud.ca


REDUCING THE RISK OF BUSINESS IDENTITY THEFT

Posted on 5 March, 2014 at 10:35 Comments comments (5)


REDUCING THE RISK OF BUSINESS IDENTITY THEFT 
Darrell Smith CFE, ARM, CIM, FCSI

Most of us are familiar with personal identity theft, where an individual has their identity stolen, but business owners may not be as familiar with Business Identity Theft. Business Identity Theft is not the theft of customer’s personal information, but is someone assuming the identity of the business, that has no right to, for illegal purposes. The purpose is to gather information on the company and then submit fraudulent business records and tax filings, causing significant financial losses to the company and defrauding their creditors, suppliers and financial institutions.
Corporate Identity Theft is not just about corporations, but include non-profits, government, small & medium enterprises, partnerships and sole proprietorships.    

Businesses are targeted for many reasons, including;  

- More complex financial affairs than an individual, numerous people involved and less chance of being discovered.
- Businesses have large cash balances in the bank, making it more profitable for the fraudster.
- Easier to open up a business bank account and get credit, than opening an individual account.
- Higher credit limits and less collateral required.
- A lot of business information is public such as HST tax numbers on invoices, licensing,    permits, and loans secured by assets through Personal Property Security Searches. Also anyone can request a credit report from the credit agencies on a company.                                       

In a 2012 survey by Javelin Strategy Research Report, 75% of data breach reports took place in businesses with fewer than 100 employees…           

While there are numerous scams involving Business Identity Theft, the following are some of the most common; 

1.         Fraudulently Change Your Business Registration Information: All business registrations in Nova Scotia are filed with the Registry Of Joint Stocks and when a company wants to submit a change to their registration, they fill out a form with the changes, sign it and send it either by mail or electronically. The Registry updates the information without verifying the changes, and most Provinces and States do the same. This allows a fraudster to change your corporate information, such as adding a new director, changing the corporate mail address or designating another name as the corporate secretary/treasurer. Then all they have to do is print off a copy and take it to the bank and open an account with the information or have mail delivered to the changed address.
Changing the business registration information could allow them to purchase assets in the company name, sell company assets, get access to bank accounts and credit lines, and get credit cards issued.  

  2.         Cyber Crime: The main technique here is Phishing, which is when the cyber criminals send out thousands of emails that look like they are from a legitimate financial institution. It is usually an urgent message saying something like “we have detected unauthorized use of your account,” “detected a security breach,” or “too many log in attempts,” or some other reason. The web site looks legitimate and the email address is usually very close to the actual financial institutions address. The email instructs you to click on the link which will take you to the site and get you to reset your password and or enter your account number. No financial institution will ever send you an email saying there is a problem with your account. 

3.         Obtain Loans and Credit using the business owner’s personal information.  Just like personal identity theft, the purpose here is to obtain the owners personal information and then either conduct business in the business name or to obtain credit and other assets or open bank accounts by using the owner’s information. Think about how easy it would be for someone to walk into a bank, with your full name, address, date of birth, Social Insurance Number, employer and open up an account or to apply for a credit card on line. 

  Here are some TIPS to help you prevent Business Identity Theft; 

Ø      Review you banking agreement. Before you are a victim of Business Identity Theft, know your banks policies on liability for fraud on your bank accounts. Ø      Reconcile your bank account daily. By using online banking you can log onto your account and review balances and transactions. Report any discrepancies to your bank immediately.
Ø      Use a secure computer, that only you have access to, for your business banking. The computer must have anti virus and anti spy ware software protection. Use passwords that are at least eight characters long and change them monthly. Do not access your bank accounts through public internet or Wi-Fi spots and don’t use your smart phones to log onto your business bank accounts.
Ø      Educate all your staff on Phishing scams on line, and by telephone calls requesting information over the phone. I know of a situation where the administrative assistant gave out information over the phone, to what they thought was a legitimate call, by a vendor wanting to deposit the funds electronically. Resulting in losses to the company.
Ø      Protect all your business documents and information. Keep all financial and confidential information locked up and in a secure location. I worked on an investigation where the cleaners would come in at night and one of them would go to the receptionist computer, log on and down load confidential information and sell it to their competitor.
Ø      Shred all unneeded documents that have confidential or financial information on them. I prefer a shred company that supplies the onsite shred boxes and empties them on a regular basis.
Ø    Check your business registration information regularly. This can easily be done by going to Registry of Joint Stocks website www.rjsc.gov.ns.ca and entering your business name. 
Ø    Check your business credit reports at least once a year and more frequently if you suspect something. Reports can be obtained from Trans Union and Equifax and Dunn & Bradstreet.
Ø    Have high quality computer virus and spy ware software.
Ø    Train all your employees on Business Identity Theft prevention. This should be part of new employee training and orientation and make it a topic at staff meetings. Ø    Be aware of large orders from new customers or a new company. Do your due diligence by asking. Does the order make sense? Does the order information raise a red flag? Such as overseas address or a PO Box. If you are not sure call the customer or email for additional information.
If in doubt, hold the order back. It is better to delay an order from a new customer than to ship goods and not get paid for them. One results in a potential loss of a customer the other is a loss of inventory or cash.  

In closing keep in mind that cyber crime operates anonymously, the fraudsters don’t wear masks and rob banks. They conduct their crimes from the comfort of their own homes, they are very good with computers and many are well educated, they know the chances of getting caught are slim. All organizations should make Business Identity Theft part of their risk management program. Talk to your insurance broker to see if you have coverage for Business Identity Theft.

Visit our site for additional blogs at: www.eastcoastfraud.ca

The High Risk of Fraud in the Accounting Department

Posted on 5 January, 2014 at 13:40 Comments comments (11)

Darrell Smith CFE, ARM, CIM, FCSI
 

No where in an organization is the opportunity for fraud the greatest and the catastrophic losses the highest than in the Accounting/Bookkeeping department.   The accounting department handles large inflows and outflows of cash and cheques, that a dishonest employee can find numerous ways to commit fraudulent acts. Not only can they commit the fraud, but they also have the means to conceal it, because they have too much control over the accounting function and the secrecy that surrounds the financial information.

As a Certified Fraud Examiner, I am seeing a huge increase in accounting fraud, with devastating consequences to the owners and shareholders of the business. If you read the papers, there is something every week about another organization finding themselves a victim of employee fraud. Many of these businesses actually close or go bankrupt because of the losses.  

In many small and medium firms, it is usually just one or two individuals who process accounts receivable and payables, receive cheques and make deposits at the bank.
As stated above there are many opportunities for bookkeepers to commit fraud, but most employees would never consider such a thing. The Association of Certified Fraud Examiners states that in order for fraud to occur, three things must be present. They call it the fraud triangle, which consists of Motive, Opportunity and the Rationalization by the employee, to commit the fraud. Employers cannot control the Motive and Rationalization, but they can do something about Opportunity.
Implementing internal controls and monitoring them is essential. 

In many of the cases I have worked on in the past 20 years, I have seen a number of red flags that are common. While every case is unique there are a number of warning signs that owners and managers should be aware of.   

1. Lack of Delegation of Duties: As stated previously, many small firms have only one or two people in the accounting department. They essentially control every aspect of the accounting function, from invoicing clients, to Accounts Receivable, Bank Deposits, Bank Reconciliations, Cheque signing authority, and post all entries into the accounting system. 

2.  Gambling or Addiction Problems: Employees that have such problems have a greater need for additional funds, giving them a motive and the rationalization to commit fraud.
 
3. The employee who seems to live beyond their means: Employees, who spend a lot of money on clothes, travel, cars, and any other consumer item, may have a greater need and resort to fraud. These employees are concerned about keeping up the image of being successful and well off.
 
4. The employee who always complains about money: Employees who regularly complain about not being able to pay their bills, who borrow money from other employees and consistently require cash advances. This could be a red flag for fraud.

 5.   I don’t know why we are not doing better financially: As an owner/manager you have a pretty good handle on your revenues and expenses. If you think you should be doing better financially then you are, investigate it. Don’t take the bookkeepers reasons for such shortages, get evidence not explanations. At the very least it will give you a better understanding of the cause and the ability to correct it. 

Here are 4 risk mitigation strategies to help prevent accounting fraud in small and medium enterprises;  

1.   Segregation of accounting duties: By far this is the most important control, yet in almost every case I have seen. There is either, a lack of segregation of duties or a break down in the accounting controls, because of staff shortages in the accounting department or an employee off sick. Segregation means that different employees handle the various stages of the receiving of and disbursements of cash and cheques. As an example; let’s assume that we are a service industry that invoices clients weekly and receives payments in the form of cheques in the mail In many enterprises the bookkeeper would open the mail and post the cheques to the various client accounts. They would then do up the deposit, take it to the bank and then do the monthly bank reconciliation. They would also prepare all invoices, have cheque signing authority, add new clients and suppliers to the accounting system and be able to make changes to or override accounting entries. Essentially, they have control over every aspect of the accounting function and when senior management or the external auditors require an explanation of a transaction, they also have control over what explanation is given. A simple system of segregation of duties is to not allow an employee to control the whole process. Here are some easy controls to put in place:

a. The mail is opened by two employees and all cheques received for that day are then recorded into a cheque registry, which records the company, cheque number, amount and date of cheque. The cheques should also be stamped “FOR DEPOSIT ONLY” at this stage.  The cheque registry can then be compared with the actual deposits. If cheques in the amount of $15,000.00 were received on July 1, then the deposit book and the bank statement should show a deposit of $15,000.00 on July 1. Timing differences can occur but all deposits should be matched. Once the cheques are received and recorded, they are then forwarded to the Account Receivable department, where they are posted, by another employee, the bank deposit is then done up and another employee takes the deposit to the bank.  

b. The bookkeeper prepares outgoing cheques, and then gives the cheques plus all supporting documentation including purchase order, invoice, expense forms and any other supporting documentation to a senior employee for review. After examining each cheque and supporting documentation for legitimacy and accuracy, they will then sign the cheque. Ideally all cheques should have two required signatures. Then the cheques are put in envelopes and another employee mails them. The key here is once the bookkeeper prepares the cheques, they no longer have anything else to do with them. 

c.   Ideally the owner/manager should control the cash. This means that all bank deposits should be made by the owner. If this is not possible, then trusted employees from other areas or departments can make the deposits. Different employees can do different days and be sure to let your bank know who is eligible to make deposits. A bank card can be obtained that only allows deposits to the bank account, withdrawals or other transactions cannot be made on this card. The key is that there is complete segregation of duties. From the receipt of cheques, to preparation of invoices and bank deposits, no one person has control over more than one function of this process. 

2.   Screen accounting employees properly by conducting Criminal Records Checks and verifying references. Criminal records checks are important for obvious reasons. You can request an employee obtain one from the local police agency or you can use a firm that provides criminal records checks. My experience shows that most accounting employees, who commit fraud, did not have a previous criminal record, but they may have left previous employers under suspicious circumstances. It is also essential that reference checks from past employers, be completed on employees. I recommend the last two questions be asked 1. Do you have any reason to doubt the honesty of the candidate? 2. If the opportunity presented itself would you rehire the candidate?  

3.    Know your business: As the owner you have a pretty good idea of what your sales and expenses are and what your profit margins should be. If you have cash flow problems and don’t know why, look into it. In many cases I have worked on, this was a red flag that owners told me they thought there was something wrong but did not look into it, until it was too late. I recommend, to have a good working knowledge of your revenues and expenses and to know your gross margins. When I ran my business I knew my margins were approximately 18%, so $100,000.00 of sales a month should have given me $18,000.00 cash flow. If you have offices or branches in other regions, make sure you monitor them individually. If you think something is wrong, discuss it with your managers and accountant. A vertical and horizontal analysis of the Income Statement and Balance Sheet may give you a place to start. 

4.    Listen to employees and customer complaints: Frequently when a fraud is being committed it may affect suppliers, employees or customers. If suppliers are not being paid, then employees, who purchase supplies, will be told the account is not up to date. If customers complain about their accounts not up to date, when they make payments, this could also be a red flag.        

In conclusion, organizations of all sizes and types are victims of accounting fraud. Even large accounting departments with CFO’s, accounting managers and internal and external auditors, fraud still goes undetected. Only through sound internal controls, and astute managers will fraud be prevented and detected. The purpose of this article is a starting point, to get owners and managers to think about their own vulnerabilities in the accounting department and the impact to the organization if fraud occurred. Every organization is different so get help in conducting a fraud risk assessment and to set up sound internal controls and monitor them.

Visit our site for additional blogs at: www.eastcoastfraud.ca

How Not To Lose Your Life Savings to Fraudulent Investments and Advisors

Posted on 7 November, 2013 at 9:54 Comments comments (5)
How Not to Lose Your Life Savings to Fraudulent Investments.
 
As a former stockbroker turned fraud examiner, I am always dismayed when I hear about another investor getting swindled out of their life savings. It hurts the reputation of not only the firm involved but the industry as a whole. The securities industry is one of the most highly regulated industries in Canada with Investment Advisers being carefully screened, regulated and monitored. The firms are also highly regulated, by Provincial Securities Regulators, National Securities Regulators and their in house Compliance Departments. So with all this regulation, how can investors lose their life savings to bad investments and dishonest advisers?
 
I just read an online comment about a well publicized case in Halifax, where the blogger asked “What do we pay the Securities Regulators for, when investors continue to lose their savings” by bad advisers and investment scams. In my opinion that is like blaming your local Police Department when your house gets broken into or your car gets stolen. By saying they should have been there to prevent it.  The Securities Regulators are in a similar position; they do not have the resources to monitor each and every investor account.
 
While this may seem to be a long-winded explanation, I use it to drive home the point that investors must take at least some responsibility for their investments. No one will look after your money better than you will.
 
Here are some suggestions to follow to help you sleep a little better at night, at least when it comes to your investments.
 
1. Determine your investment objectives: By identifying your short and long-term goals. Determine how much risk you want to take and what kind of return would you like. Keep in mind the higher the return the higher the risk.
Once you have developed your investment objectives, stick to your plan. Don’t allow your advisor or relatives to talk you in to taking more risk than what you set out to take. Stick with investments you know and understand, if it is too complicated then pass on it. Make sure your advisor knows your objectives and it is reflected in the New Account Application Form. Advisers have to follow the Know Your Client rule (KYC). Review your investment objectives annually and update the KYC form. As an example; if your investment objective is 60% Income and 40% long-term growth, do not be forced into short-term trading or borrowing to invest.
 
2. Do your Due Diligence: Your Due Diligence should be done when selecting a new adviser, when choosing a firm and when selecting appropriate investments.
 
Selecting an Adviser – Most investors choose an adviser by either someone referring that person to them, by calling a firm and getting transferred to an adviser or by receiving a cold call from an adviser. It doesn’t matter how you got the name, your job is to ensure that you trust the adviser and you feel comfortable working with them.
You are hiring someone for one of the most important jobs, managing your money. So instead of being interviewed by the adviser you should interview them for the position. Just like if you were hiring someone for a job placement. Tell the adviser you are looking to hire someone to manage your money and have some questions you would like to ask, to ensure a good fit.
Here are some due diligence questions to ask; remember to take notes of your interview.
 
1. How long have you been in the business and what is your educational background and credentials.
2. What is the value of the assets you manage for all of your clients? This can be important because advisers with big books of business are more established and probably have a more stable income. Some advisers will have a minimum account size, so if you do not meet that minimum size, find someone else to deal with.
3.  What is your investment philosophy? Are they traders, speculators, or asset gathers?
4.  What percentage of your clients assets are in stocks, bonds, mutual funds.
5.  What is the annual turnover of your client’s assets? The turnover determines how frequently the adviser trades stocks or mutual funds.
5.  Have you ever been subject to an investigation by the securities regulators? Do you have any pending complaints or investigations open now?
This information can be verified by going to Investment Industry Regulatory Organization of Canada (IIROC) and the Mutual Fund Dealers Association (MFDA). For IIROC enter www.iiroc.ca  then click on IROC Advisers Report and enter Advisers name. For MFDA enter www.mfda.ca click on For Investors, and then Check an Adviser.
For investors in the United States enter www.sec.gov then go to Education, Check Out Broker or Adviser, Then Central Registration Depository and Broker Check. Then add broker name.
 
Do not be intimidated and ask any questions you feel are relevant. If you don’t get the right answer, go somewhere else.
 
3.  Check Your Account Statement Every Month: This is extremely important for two reasons;
1. Early detection of errors and unauthorized trades or account withdrawals.
2. As a possible deterrent. Advisers may be more hesitant to tamper with an investor’s account that checks the statement every month and calls and asks questions.
 
Your monthly account statement is a summary of your investment holdings, their value, any buy and sell transactions, any dividends or interest paid and any account withdrawals or deposits.
When your monthly statement arrives, review the asset summary section to verify the securities in your account are correct, including cash held. Then check the total value for this month compared to the previous month. Review the account activity section. This will show any purchases or sales of securities and dividends or interest received and any other fees charged to your account.
For each transaction, you should compare the statement with the buy and sell transaction slips you receive for each purchase or sale. Save all your confirmations and statements.
 
 
 
Some other Do’s and Don’ts:
 
-                     Do not make any check payable to the financial adviser.
-                     If an adviser pitches an investment and says you have to act right now, pass on it. Any good investment will be available later. This tactics is to instill a sense of urgency in the investor.
-                     Be aware of pitches from individuals who are selling to a specific group that you belong to, such as religious, nationality or hobbies. While this is a legitimate prospecting tool for many advisers, the unscrupulous adviser will prey on a specific group. This is called infinity fraud, and the investor’s justification is that so many other people you know have invested into it. It must be alright.
-                     Be aware of unrealistic returns, either for one year or over a period of years. 
-                     Be aware of guaranteed returns, especially higher than market rates of similar investments.
-                     Check to see if the firm is registered with the regulatory agency and if the specific investment is registered.
 
Many of us spend more time looking after our cars than we do our investments. Do your home work; ask questions and most of all trust your instincts.
Visit our site for other blogs at: www.eastcoastfraud.ca
 
Happy Investing

Fraud & Risk Management for S&M Enterprises

Posted on 31 August, 2013 at 10:45 Comments comments (5)
We are pleased to have added a Blog to our site. We will be covering topics that affect Small & Medium Enterprises such as Investment Fraud, Corporate Culture and Fraud, Corporate Identity Theft and Enterprise Risk Management. We encourage our many clients and friends to offer suggestions and comments. More to come shortly.