We humans open to manipulation. The higher the pressure – internal or external, the greater the diversity and the bigger the impact of the various biases. It would be naïve to believe that the current COVID-19 pandemic will not cause any damage in this respect.
Crisis shifts priorities
A shift in priorities during times of crisis is necessary. Reassessments must be made, and the focus is on the ability to act. While those responsible are organising themselves, others are doing the same. Especially in the area of fraud and cyber risks, adaptation to new circumstances rarely takes long. On the contrary. The machinations of the malicious social engineers do not stop at global crises but discover them as an entry point to prey that was often not on the agenda before.
Either there were already preventional measurements in place or nothing will happen during the ongoing crisis. Which is not foreseen to be ended within a short time period. No matter whether the lockdown will be ended or not. The companies will face challenges far longer than the lockdown exists. The resources will be allocated to Business Continuity Management which means, managing the incident as such.
While the responsible – Board of Directors included – focus on the above-mentioned duties, the vulnerability of non-compliance, economic- and cybercrime increases.
The different stages organisations are in are summarized in three different categories – related to a fraud risk assessment:
- Not effective
None of the three categories will succeed against fraudulent behaviours but due to different reasons. The follow short overview explains what the challenges are.
Three Categories of Fraud Risk Assessment Status
Category 1: A Fraud Risk Assessment is missing
Without having a Fraud Risk Assessment in place, the potential risk might be quite aware. As the responsible know about the circumstance and to not trust on an existing assessment. The vulnerability is very high. Impact and Likelihood not assessed nor under control.
Category 2: The existing Fraud Risk assessment was made more than 5 years ago
With having a Fraud Risk Assessment done – even a long time ago – responsible feel safe. Unfortunately, what I see in discussion with my client – too safe. Wrongfully. There is no safety in an old risk landscape nor in in an old Fraud Risk Assessment. Understanding how technology and business models changed over the last years and months, it is obvious that also the risks changed dramatically.
Category 3: The Fraud Risk Assessment is less than 24 months old
Talking to the last category of organisations might be the hardest because they have a brand new – in their mind – Fraud Risk Assessment. But having read what was mentioned for category 2, most of it also works for category three. With additional challenge that having had the assessment within such a short time frame will mislead the awareness of security.
In short, all three categories face the challenge of either having loose ends related to the fraud risk assessment or nothing in place. In addition to that, what most of the companies do not yet have in place is the crisis scenarios. The preparation for such incidents is not done. Specific controls designed for the incident handling processes are often be dropped, and hence, the opportunity to defraud the organization increases significantly during the current pandemic crisis we all face.
And we all do not expect to have the fraud readiness preparation and crisis scenarios for incidents now done during or post COVID-19 crisis. It will take much longer as the emotional charge regarding non-compliance and fraud – no matter whether in the territory of cyber or not – is huge.
How you strengthen non-compliance and fraud resilience to a competitive advantage
Even now during the crisis – which is not related to non-compliance, economic or cybercrime think a few minutes about
- your actual status of the above-mentioned categories? It is not about blaming yourself or the team. It is just a fact.
- What would immediately reduce your vulnerability? Think creatively, please!
- Where are the resources who could have the first impact on this reduction?
As you might have read in my other articles about “thinking like a fraudster”. Why not having an internal virtual challenge identifying the weak spots? Of course, please make sure that you communicate in a setup which is safe for the organization too.
We have seen tremendous input from all different hierarchy level on the questions raised during the last challenge and I am convinced, your team – from Board Member to the apprentice – will highly appreciate your effort of thinking beyond the COVID-19 crisis.
The first step towards resilience is understanding and re-activating the precious skill of creativity – especially as a leader.