Raising awareness – also when it comes to topics like biases – is where everything starts. Without being aware of xyz no transformation can happen.  

Therefore, I am convinced that with your personal awareness of being biased the protection already starts. 

And if you extend it to your team, your organisation, you have a powerful tool at hand which is understood and supported. That is what you need to secure your most precious assets.  

When it comes to social engineering, there is a common myth: assign the term to the tech side and forget about it.

But it is anything but tech. It is just us. Our human being!

Crisis shifts priorities 

A shift in priorities during times of crisis is necessary. We all agree on that! 

Reassessments must be made, and the focus is on the ability to act. While those responsible are organising themselves, others are doing the same at the organizational level.

Especially in the area of fraud and cyber risks, adaptation to new circumstances rarely takes long. Often too long in my opinion and the reasons are manifold.  

On the contrary. And that is the most important part of us to protect our most precious assets. 

The scheming of malicious social engineers does not stop at global crises but discovers them as an entry point to prey that was often not on the agenda before.

I mentioned at the very beginning: Social Engineers love crises! Especially the malicious ones, of course.

The fact is, when a crisis hits: either prevention measures were already in place, or nothing will happen during the ongoing crisis.

During the crisis, the resources will be allocated to Business Continuity Management, which means managing the impact of the crisis as such.

While those responsible – Board of Directors included – focus on the above-mentioned duties, the vulnerability to non-compliance, economic crime and cybercrime increases. Silently.

When it comes to the fraud risk assessment, we have to keep in mind, and refresh, that organisations are at different stages with regard to a fraud risk assessment:

Either it is  

You will now mention that there is a fourth category missing, the one which has a perfectly implemented fraud risk assessment in place. Yes, you are right.

Experience has taught me that in a crisis these “well matured” fraud risk assessments immediately shift to No. 3, and I will tell you more about it in a few minutes.

None of the three categories will succeed against fraudulent behaviours, but for different reasons.

Let me give you an overview and especially more beef on what these three categories mean:

Three Categories of Fraud Risk Assessment Status when we hit a crisis  

The first one is obvious: 

Category 1: A Fraud Risk Assessment is missing 

Without a Fraud Risk Assessment in place, the potential risk is not identified at all. Those responsible know about the circumstance and do not rely on an existing assessment.

The vulnerability is very high or low – we just do not know about it. Impact and likelihood of fraud are neither assessed nor under control. Not managed at all.

Category 2: The existing Fraud Risk assessment was made more than 5 years ago 

Having a Fraud Risk Assessment done – even a long time ago – makes those responsible feel safe.

Unfortunately, what I see in discussion with my clients – too safe. Wrongfully. There is hardly any safety in an old risk landscape nor in an old Fraud Risk Assessment.

Understanding how technology and business models changed over the last years and months, it is obvious that the risks also changed dramatically.

A Fraud Risk Assessment that has not been updated provides a false sense of security.

Category 3: The Fraud Risk Assessment is less than 12 months old 

Talking to the last category of organisations might be the hardest because they have a brand new – in their mind – Fraud Risk Assessment.  

But having heard what was mentioned for category 2, most of it also applies to category 3.

With the additional challenge that having had the assessment within such a short time frame creates a misleading sense of security.

The crisis which hit the organisation needs to be understood to ensure that potential new risks can be taken up. A Fraud Risk Assessment being still new does not mean that the new risks are already included. Taking the COVID-19 pandemic as an example, I assume that hardly any organization expected – before the crisis hit – to have the “work from home” percentages increased to the max.

In short, all three categories face the challenge of either having loose ends related to the fraud risk assessment or nothing in place.  

In addition to that, what a lot of companies still do not have in place is crisis scenarios. The preparation for such incidents is not done. Specific controls designed for the incident handling processes are often dropped, and hence, the opportunity to defraud the organization increases significantly during crises.

KEY MESSAGES

Fraud vulnerability can significantly be decreased by raising the awareness of biases, social engineering, and risk-intelligence. 

No matter at what stage we are with our organisation, crises are happening and when we wait until the next one hits us, we are not prepared. 

When we use the time before and after, the vulnerability receives the necessary attention. 

EPISODES’ REFLECTION

How you strengthen non-compliance and fraud resilience to a competitive advantage

Even during crises I would like to invite you to reflect on the following three questions, which can be taken as your “take to the office assignment” and also used within your team – which is not only related to non-compliance, economic or cybercrime

Why not have an internal virtual challenge to identify the weak spots? Of course, please make sure that you communicate in a setup which is safe for the organization too.


THANK YOU FOR SHARING, SUBSCRIBING AND REVIEWING

Thank you for joining me on this episode of THE HUMAN FACTOR – Corporate Integrity Matters.

If you enjoyed this episode, please share, subscribe and review on Apple Podcasts or Google Play Music so more people can enjoy the upcoming episodes.

Don’t forget to follow and connect with me on LinkedIn, Twitter and Instagram. I am looking forward to meeting you there.

YOU ARE IMPORTANT

Let me know what topic you would like to have on spot – via contact@structuul.ch

Further information about Corporate Integrity can be found on www.coporateintegrityconcepts.com

And if you are interested in becoming part of the amazing movement, join us on www.corporateintegrityacademy.com
