Fighting insider threats: One size fits all doesn’t work

in Advisory, 15.06.2017

Stop insider threat before it walks through the door. Robust screening and vetting processes alongside traditional recruitment strategies can help spot red flags. And the periodic review of existing employees is also an essential countermeasure. Above all, when in doubt, seek outside help.

This year’s edition of the KPMG’s Forensic Fraud Barometer found that just under half of the cases of white-collar crime tried by Swiss courts in 2016 were committed by employees. Senior management posed the greatest threat, acting as the perpetrator in 79 percent of these cases; solely on their own in 58 percent and in collusion with employees in 21 percent. Reported losses climbed to a record high of CHF 1.4 million despite a slight drop in the number of incidents compared to past years. One case involving a loss of CHF 800 million contributed to the high.

How can you protect your organization from such fraud? How do you know whether you are at risk and whether your employees are who they pretend to be?

Stop risk at the door

Clearly, depending on an employee’s position and the nature of each business, companies face a range of potential risks including financial loss, operational risks and reputational damage. As these risks aren’t always adequately addressed, you might consider adding more robust screening and vetting measures to your existing recruitment processes. A vigorous pre-employment screening and vetting process will mitigate risks and any negative impact on your business. Moreover, establishing such a screening and vetting process could play a prophylactic role – you may prevent candidates with questionable backgrounds from even applying.

Review existing employees periodically

Boosting the rigor of your recruitment process isn’t enough. You’ve got to think in terms of life cycles. To be most effective, undertake employee screening and vetting at regular intervals during the period of employment. To be reliable, checks must have a finite time validity, as is the case with federal employees at the highest security level. As the personal situation of your workforce – and thus the potential risk for your organization – evolves constantly, it’s essential to integrate a periodic re-evaluation of existing employees and their granted accesses into every insider-threat management strategy.

Determining the adequate interval for reassessment depends on the respective function, its corresponding entitlements and other factors such as country and industry, which all impact the actual risk-level. Due to the high involvement of senior management in fraud cases, the validity of their assessment should generally be shorter than for other employees. The same holds true for functions in high-risk countries and high-risk industries, which require special attention.

Don’t miss out on good candidates – reassess red flags

You can detect potential read flags with targeted background checks, such as the review of relevant diplomas, work certificates, criminal records or the candidate’s CV. Such checks are integral to any screening and vetting process either as a part of the recruitment process or reassessment of your existing workforce.

Still, it’s paramount to acknowledge that identifying a red flag does not necessarily constitute an actual risk. By conducting a personal interview with the candidate, you can deepen your analysis to determine and quantify potential risks, expected damages as well as the likelihood of occurrence in a particular role, the issue’s seriousness and the time lapse since occurrence. Red flags, if verified, should bar someone from employment only if:

  • the conviction is closely related to the job considering the nature of the position
  • the nature and seriousness of the offence
  • the length of time since its occurrence.

Otherwise, you may miss out on a suitable, qualified candidate.

The candidate’s cooperation is necessary to obtain significant results. You must strike a balance between achieving the desired scope and depth in your screening and vetting process with creating a pleasant, informative interaction with the candidate. Candidates who are informed about the process are more willing to cooperate so the likelihood of gaining meaningful insights rises. If the candidate feels treated unfairly, cooperation can deteriorate. This will hinder the process, leading to poorer insights and possibly the wrong decisions – such as missing out on a qualified, suitable candidate.

An example of using context to quantify underlying risk

Keeping in mind that a red flag doesn’t always constitute an actual risk and needs additional attention, one example of such an instance is the following: You’re considering a candidate with a single criminal record for driving under the influence of alcohol that dates back 5 years. You must put the information into context to identify and quantify the underlying risk. If this is a candidate is applying for the position of the CEO’s personal driver, the record should certainly be considered as a risk. However, if the candidate applied for the position of compliance officer at a bank, it might still be an indicator, but is by no means a proof of an actual risk.

Let’s assume the offence occurred the morning after a wedding and that the candidate took too little time to process the alcohol. As a result, the candidate got caught with a blood alcohol level just above the limit. To deal with this situation, you should perform a risk assessment considering the gravity of the offence, its circumstances and the relevance to the function in consideration. Moreover, an in-depth interview to discuss and clarify the issue would help determine whether the findings are relevant from a security perspective and to compile a more comprehensive basis for decision-making.

Allocate your resources wisely

Companies can perform the measures mentioned above internally, but often the available resources aren’t sufficiently trained, the dedicated workforce doesn’t have access to the right tools or the capacity when needed. In those cases, but not exclusively, such services can be successfully outsourced to independent specialists who offer vast expertise in the field to avoid potential conflicts of interest. Nevertheless, it’s crucial to select providers who can exploit their experience to impartially review and optimize internal processes. Managing insider-threats is not a “ticking-the-box exercise”. Poor selection can evoke a false sense of security leaving risks undervalued and the company exposed.

Experienced providers bring a thorough understanding of potential issues and access to additional, more sophisticated resources that can consequently boost an organization’s knowledge and security. They also offer relief for the workforce during periods of great strain. Furthermore, including impartial experts will signal integrity and a commitment to ethical behavior – a message that’s well-received by stakeholders, and especially regulators.

Build a corporate culture of ethics

A well-defined, robust screening and vetting process helps enforce your ethics and integrity policies. And enhances your company’s ethical climate from within increasing trust across the board – amongst employees, shareholders, regulatory bodies and other stakeholders. Moreover, any documented preventive measures and use of external, impartial expertise may be considered – when a company is faced with an investigation – in the court’s decision on sanctions.

The protection these measures afford can more than offset the expense of investing resources in compliance to integrate countermeasures. As a balance must be struck between investment and the level of security the company wants to achieve, it’s a question of applying a risk-based approach that prioritizes the focus of resources on highest risk carriers. The sheer range and volume of employees and functions a business may deal with can make it inefficient or even unfeasible to thoroughly screen everyone.

One way to get around this issue is to categorize functions into specific risk categories. These categories might be determined by industry, country of operation and the relevant function. Once the functions are categorized, you can take steps to apply appropriate controls. For low risk positions, candidates may be subject to desktop due diligence only. For high risk or where there is a lack of publicly accessible information, a full in-country due diligence may be required. This helps to allocate the resources efficiently as the highest risks are assigned the necessary resources.

Summary

Don’t forget to consider insider threats when developing processes to protect your firm. Develop robust hiring processes to spot red flags early on as well as regular risk reviews of existing employees. Outside specialists can bring added credibility and demonstrate your commitment to ethics and compliance – to employees, shareholders, regulators and other stakeholders. Paying attention to the various levels of risk each function and individual carries can save money and time.

 

 

Further information:

 


Leave a Reply

Your email address will not be published.