Monthly Archives: February 2011

Investigation – A sign of strength!

Leave a reply

When fraud or other malpractice is discovered, we tend to interpret it as evidence of management weakness. Whether or not that is the case, the first instinctive reaction of managers is often “Cover it up! They will do their own shotgun investigation, and move on with as little publicity as possible. It happens at every level; even at the top level many companies have preferred to reward malpractice with early retirement rather than face the publicity that an investigation might generate. This is unfortunate, as it sends the wrong signal to the organization, and erodes the internal culture. And, the organization loses the opportunity to learn from mistakes, raise internal awareness of risks and identify root causes that need fixing.

Fraud will happen

In practice, good management and strong internal control cannot guarantee the absence of fraud and malpractice. Every organization, to varying degrees, decentralizes authority and responsibility to its members. Management cannot maintain absolute control over the actions of employees, suppliers and business partners. The owners cannot fully control management. We simply cannot manage without trust. As a result, there will always be opportunities for fraud to occur. When it does, if the incident is detected, competently investigated and appropriately resolved, that is a sign of management strength, not weakness!

Be Prepared

We need to change our attitude towards the risk of fraud and malpractice. Typically, managers see these as an unlikely events, exceptions. We know they are possible, but we don’t expect it will happen in our organization. As a result, when a serious incident occurs we are caught off guard, embarrassed, and anxious to cover-up. We need to change our mindset and recognize that some amount of fraud and malpractice is highly probable. We can and should take reasonable preventive actions, but we should also be prepared to handle the incidents that will occur. By preparing a response plan, we can in a calm and organized manner set priorities, identify resources, and assign responsibilities. Then when the time inevitably comes, we can manage the investigation not as a crisis but as a normal business process.

Silo Mentality and Investigations

Various functions in the organization might have some capacity or mandate to investigate. There is internal audit, security, legal, HR, certainly line management, and others. If incident response plans are not formalized, the function that owns a particular investigation is often the one who first learns about it. There have been cases where two parallel internal investigations were started by different functions, each ignorant of the other! A formal incident response plan ensures that information is shared by a small, central group and that each investigation is managed by the persons most qualified to do so. More on this subject later!

Working with Rationalizations

Leave a reply

The concept of “Rationalisation” is familiar to students of fraud. According to Donald Cressey’s famous “Fraud Triangle”, people are able to commit fraud when three factors are present; a perceived need for money or personal advantage, a perceived fraudulent opportunity to obtain it, and an ability to rationalize the fraudulent actions. Traditionally we spend most effort designing controls that reduce fraud opportunities. We also pay some attention to the need factor, by designing incentive systems that align employees interests with those of the organization, and by screening employees before hiring. But what about the third side? Perhaps we do not do enough to counter the human tendency to rationalize inappropriate or unethical behavior.

A question of perception

Our decision to commit fraud, or to refrain, is determined by our perceptions. The opportunity we see may be real or illusory, and the probability of detection and punishment may be higher or lower than we imagine. The need we feel may stem from a real crisis, financial or otherwise, or from an unsatisfactory comparison of our situation relative to those around us. And finally rationalizations are pure perception. We create a convenient perception, even distort reality, in order to fit our requirements!

The concept of “Rationalisation” is familiar to students of fraud. According to Donald Cressey’s famous “Fraud Triangle”, people are able to commit fraud when three factors are present; a perceived need for money or personal advantage, a perceived fraudulent opportunity to obtain it, and an ability to rationalize the fraudulent actions. Traditionally we spend most effort designing controls that reduce fraud opportunities. We also pay some attention to the need factor, by designing incentive systems that align employees interests with those of the organization, and by screening employees before hiring. But what about the third side? Perhaps we do not do enough to counter the human tendency to rationalize inappropriate or unethical behavior.

Analyzing Rationalizations

The third side of the triangle has received the least amount of attention. Can an organization take proactive measures that reduce employees’ tendency to rationalize inappropriate behavior? To answer the question, we attempted to categorize common rationalizations used by fraudsters. In the figure below, the vertical line represents the individual dimension. To what extent is the individual consciously breaking the rules? The horizontal line represents the perpetrator’s perception of his social environment. Is the organization lenient towards rule-breakers, or are the rules strictly enforced?

Rationalizations

Four Categories of Rationalization – Taken from the book “The Anatomy of Fraud and Corruption” (Brytting, Minogue, Morino). Reprinted with the permission of Gower Publishing.

Detatched

In the first quadrant, ‘Detached‘, the subject deliberately violates the rules in an environment where rule breaking is not tolerated. The rule-breaker perceives the situation as so exceptional either due to force majeure, or implying a right of self-defence, or saving oneself or one’s employer from a financial crisis, that they can ‘detach’ themselves from the norm altogether. A person with insurmountable debts to pay, for example, might find fraud justifiable. Similar is the situation in which an individual regards himself as so important, or so special that he is above the moral standards that apply to others. They are detached from the official norms by virtue of their own perceived superiority. We also find it in the career criminal who has no intention of following the rules.

Decadent

The second quadrant, ‘Decadent’, describes a situation in which the fraudster see rules being broken all around them, and are able to use that as an excuse for doing the same. They know what the rules are, and realize that they are about to do something in violation but doubt whether anyone will care, or stop them; they perceive the environment as corrupt.

Devoid

In the third quadrant the perpetrator of a fraudulent or corrupt act does not perceive that their act is a violation of valid rules. Similar to the second quadrant, the fraudster sees rules being broken by others, but they also perceive that these others seem to be devoid of any guilt or shame at all, and the rule book devoid of relevance. The fraudster in this category is just going along with the crowd; it seems to be the normal thing to do. “I just do what they tell me to do”.

Denial

Finally, the fourth quadrant describes a situation in which the perpetrators are in a state of ‘Denial’: they conceal their actions and know that others will not approve of their actions if they are detected, but they have created rationalizations that trivialize their fraud. The employee borrows from the cash box, telling himself he will make good later. He is not fully aware that the rationalization is a lie, that he will not return the money for instance.

Changing Names

This suggests an approach to fraud prevention. Rationalization is about changing names. As long as the tempting opportunity comes with a label attached calling it ‘fraud’ or ‘corruption’, it will be condemned. Fraudsters change the label to something more acceptable or trivial. If we can raise employee awareness about what constitutes fraud, we can reduce the availability of the unconscious or subconscious rationalizations in the “Devoid” and “Denial” quadrants. And, if we can eliminate the misperception that the organization tolerates misbehaviour, we can reduce the availability of “Decadent” and again the “Devoid” rationalizations. Through employee training and other forms of internal communication we can expose rationalizations for what they are and render them ineffective. And most people, no longer able to rationalize fraudulent actions, will instead refrain.

The remaining hard cases

Of course we are left with the quadrant where fraudsters have detached themselves from the need to follow the rules. The narcissists, career criminals and desperate cases are perhaps beyond the reach of awareness training. But if we raise awareness throughout the organization, these few individuals may be easier to isolate and address through other means.

Conclusion

The persistence of fraud as a significant cost for organizations of every kind and around the world suggests both that fraud is a common occurrence and that prevention efforts are inadequate. While it may be impossible to prevent fraud completely, we believe that organizations could greatly improve their success by concentrating on all three sides of the fraud triangle. The importance of effective controls to reduce fraud opportunities is already well understood. Management and incentive systems should be designed with care, to avoid creating unreasonable pressure. And fraud awareness programs are required to deflate rationalizations by increasing employees’ understanding of appropriate behaviour and ensuring that they maintain an accurate perception of the organization’s lack of tolerance for fraud.

A longer version of this article features in the Feb/Mar 2011 issue of Fraud Intelligence (www.informaprofessional.com/fi).

Our corrupt biology

Leave a reply

There is something about fraud we find repulsive, worse than simple larceny or burglary. The latter are more physical, perhaps even violent crimes, and we fear them. But the deception of fraud seems somehow worse. Why?

The law of the jungle

Deception comes naturally. We find plenty of examples in the animal kingdom, with animals who camouflage themselves to surprise their prey, or prey who make themselves appear frightening or less edible. While this is perhaps adapted behavior rather than true deception, it illustrates the value of deception as an acceptable tactic according to the law of the jungle. Human beings did not get to the top of the food chain through virtuous means, or through physical prowess; we are expert deceivers. So if we can use these natural skills to get what we want, why not?

Survival of the Group

Mankind evolved as a social animal, since the group is far more effective at hunting and defending than a lone individual would be. The group can only function through cooperative trust, so we have developed the psychological ability and the cultural tools that allow us to work together. We carry within us not only the egotistical fraudster but the reciprocal team player.

Fraud is a strategic option

There is a risk that fraudulent individuals might exploit the fruits of cooperation. This is not in the interest of the larger group! But because it happens all the time, we have also developed the ability to suspect and detect fraud, and a tendency punish fraudsters. The point is that fraudulent behavior is nothing abnormal. It is simply one of the strategic options that we carry with us as part of our behavioral repertoire. In our daily lives, our fraudulent abilities are countered by social cooperative strategies designed for the common good, and if we are guilty of fraud against the group, a betrayal of trust, we keep it well hidden.