We can learn a lot from reading about control breakdowns in the news. As risk managers, whenever we look at the headlines, we put our risk hats on and wonder, "where was the control breakdown, and how would we mitigate that risk?" It is a strange thing that our career is so ingrained that it affects the way we view the world!
https://www.ajc.com/news/teen-accused-of-stealing-nearly-1-million-from-gwinnett-kroger/
The article linked above describes a particularly interesting and egregious case. A teen, an unsophisticated fraudster who was clearly aware of the internal controls, found a mind-numbingly simple way to circumvent them and fraudulently obtained nearly $1m from a retail store over the course of two weeks by processing bogus "returns". Root cause? The employee tasked with flagging fraudulent transactions was on vacation for those two weeks.
There are so many layers to unpack here. First, the only near-real-time control over internal fraud at the store level, the check that flags fraudulent transactions, was a single employee (i.e. a single pair of eyes, not a four-eyes check). Second, there was no backup for this employee during vacation or other unavailability. Third, the fraudster was able to create fraudulent returns for two weeks, which means there was no other control, such as a daily reconciliation of returns against sales, that would have caught the pattern independently of that one reviewer.
As a member of a risk management advisory board, I am passionate about sharing best practices across industries, and one such practice is core leave. I recall that in my early days in the banking industry we implemented handover/takeover controls in concert with core leave policies. Core leave is a minimum contiguous two-week vacation that key employees are required to take with no access to bank systems (including email). Another staff member takes over their daily responsibilities for that period, with a formal handover document signed as evidence.
This process ensured there would be a period during which a staff member could not continue a potential fraud, and that another pair of eyes would be on key processes within the bank. As someone covered by the core leave policy, I can also add that it was helpful for work-life balance. We often returned from core leave rested and re-energized. Without core leave, we often ended up working through our "vacation".
Coming back to the control element, core leave also ensured cross-training, so that at least one other employee had a basic working knowledge of each critical bank process (addressing business continuity risk). Ask any old trade services staff and they will wax lyrical about the old control methodologies. Core leave is something the industry has largely left behind because of the complexity of identifying key processes and employees (institutional laziness, in my opinion). However, given the variety of risks it addresses (people risk, fraud risk, business continuity risk, etc.), more industries ought to consider core leave/handover controls.
Additionally, it is worrying that in this era fraud controls in some industries still rely on a manual employee "review". Automation of fraud controls is critical in any retail or commercial enterprise. Old-fashioned rules-based fraud detection engines are hard to tune for complex workflows; machine learning now allows models to be trained to detect unusual activity even there. Frankly, though, even a rudimentary rules-based engine, a simple threshold on return value, would have flagged an $87k return at a grocery store! Fraud detection is complex, but it cannot rest on a single employee, a single point of failure. There are now numerous providers of fraud detection technology to suit any budget.
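To make the point about a "rudimentary rules-based engine" concrete, and to show what the daily reconciliation of returns mentioned earlier would look like, here is an added example in Python. It is not code from the original post or from any retailer's system. The transaction records, the receipt ledger, the operator IDs and the thresholds are all constructed for illustration (the $87k return is modelled on the figure quoted in the post, but the record itself is invented); a real deployment would set thresholds from the store's own return history. The screen runs the same four rules every day regardless of who is in the office, which is the property the single-reviewer control lacked.

```python
"""Rules-based return-fraud screen over a day's return transactions.

Added example, not code from the original post or from any retailer.
Thresholds and the sample transactions below are constructed for
illustration; a real deployment would tune them from historical data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class ReturnTxn:
    txn_id: str
    store: str
    employee: str           # operator ID that keyed the return
    ts: datetime
    amount: float
    receipt: Optional[str]  # original sale receipt, None for a no-receipt return


# Assumed thresholds (illustrative, not from the article).
SINGLE_RETURN_LIMIT = 500.00      # one grocery return above this is unusual
EMPLOYEE_DAILY_LIMIT = 2_000.00   # cumulative returns keyed by one operator per day
NO_RECEIPT_DAILY_MAX = 2          # more than this many no-receipt returns per operator-day


def screen_returns(txns, known_receipts):
    """Return a list of (rule, txn_id) alerts; aggregate rules fire once per operator-day."""
    alerts = []
    daily_total = defaultdict(float)
    no_receipt_count = defaultdict(int)
    fired = set()  # (rule, operator-day) pairs already raised

    for t in sorted(txns, key=lambda x: x.ts):
        key = (t.store, t.employee, t.ts.date())

        # Rule 1: a single large return
        if t.amount > SINGLE_RETURN_LIMIT:
            alerts.append(("SINGLE_RETURN_OVER_LIMIT", t.txn_id))

        # Rule 2: the return references a sale the store never recorded
        if t.receipt is not None and t.receipt not in known_receipts:
            alerts.append(("RETURN_WITHOUT_MATCHING_SALE", t.txn_id))

        # Rule 3: cumulative returns keyed by one operator in one day
        daily_total[key] += t.amount
        if daily_total[key] > EMPLOYEE_DAILY_LIMIT and ("DAILY_TOTAL", key) not in fired:
            fired.add(("DAILY_TOTAL", key))
            alerts.append(("EMPLOYEE_DAILY_TOTAL_OVER_LIMIT", t.txn_id))

        # Rule 4: too many no-receipt returns by one operator in one day
        if t.receipt is None:
            no_receipt_count[key] += 1
            if no_receipt_count[key] > NO_RECEIPT_DAILY_MAX and ("NO_RECEIPT", key) not in fired:
                fired.add(("NO_RECEIPT", key))
                alerts.append(("NO_RECEIPT_VELOCITY", t.txn_id))
    return alerts


def daily_reconciliation(txns, day):
    """Per-operator return totals for one day: the report a second pair of eyes would sign off."""
    totals = defaultdict(float)
    for t in txns:
        if t.ts.date() == day:
            totals[t.employee] += t.amount
    return dict(totals)


# Constructed sample: a normal operator plus an abusive one, same store, same day.
KNOWN_RECEIPTS = {"R-1001", "R-1002", "R-1003"}
SAMPLE_RETURNS = [
    ReturnTxn("T1", "store-42", "op-17", datetime(2024, 3, 4, 9, 5), 23.50, "R-1001"),
    ReturnTxn("T2", "store-42", "op-17", datetime(2024, 3, 4, 11, 40), 68.00, "R-1002"),
    ReturnTxn("T3", "store-42", "op-88", datetime(2024, 3, 4, 10, 12), 87_000.00, None),
    ReturnTxn("T4", "store-42", "op-88", datetime(2024, 3, 4, 14, 3), 410.00, None),
    ReturnTxn("T5", "store-42", "op-88", datetime(2024, 3, 4, 16, 20), 395.00, None),
    ReturnTxn("T6", "store-42", "op-88", datetime(2024, 3, 4, 17, 2), 120.00, "R-9999"),
]

if __name__ == "__main__":
    for rule, txn in screen_returns(SAMPLE_RETURNS, KNOWN_RECEIPTS):
        print(f"ALERT {rule}: {txn}")
    print(daily_reconciliation(SAMPLE_RETURNS, date(2024, 3, 4)))
```

On the constructed data the $87k return trips both the single-transaction rule and the operator-day total on its own; the no-receipt velocity and the unmatched-receipt rules then catch the smaller follow-on returns that a value threshold alone would miss. The reconciliation report is deliberately separate from the alerting: it is the artefact a takeover colleague reviews when the usual reviewer is on leave.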
Final thought: as I've highlighted previously, risk managers often hear "it could never happen here". In addition to horizon scanning to identify possible risks and incidents in the marketplace (through industry-specific loss databases), it is incumbent on us to ensure the business can articulate why it could not happen here, i.e. what mitigants are in place. We must ensure that the business formally accepts any risk that falls outside the defined risk tolerance, assuming of course that the business has defined its risk appetite (if not, that is task #1). I've often found that when I commit the risk profile to print and ask the governance committee to accept or mitigate the risk, nine times out of ten the committee chooses to mitigate. And frankly, when the committee accepts the risk, I fully support it: our calling as risk managers is not to prevent the business from taking appropriate risks, it is to ensure they understand the risk they are taking on. This is why independence is critical for risk management functions.
So many layers, so little time to pick this apart. Risk Management is my area of passion, so if anyone wants to engage on this topic (I suspect some of my financial service colleagues have strong feelings on core leave!), or if you need any pointers on tech providers in this space, please connect with me.