Keys to Fraud Prevention
In the wake of the financial crisis, organizations must prepare to deal with an increase in fraudulent activities. Security can address such threats by establishing an operational fraud-prevention program. Such a program, which works by bringing in stakeholders from throughout the organization, can thwart loss by leveraging talents across the global enterprise.
Fraud, corporate security, forensic investigation, and information security professionals should all be a part of the program, and they should share information with the law enforcement community and industry colleagues to further reduce risk. The head of security can play the lead role in spearheading the program, which should have three components: governance, implementation, and compliance.
An effective operational fraud-prevention program starts at the top with corporate support. The fraud-prevention program’s objectives must be incorporated into the company’s comprehensive policy and code of conduct to provide the program with the appropriate authority and visibility.
The CSO or security director can be instrumental in defining the elements of the fraud-prevention program and promoting its importance to management and employees. This policy should not set out specifics but should establish the overall intent of the program. Once governance is established, the specifics of the program should be addressed in the next phase.
This phase includes establishing the fraud-assessment team, developing a risk-assessment methodology, reviewing current procedures, identifying gaps, and establishing information-sharing procedures.
Team. In my experience with fraud-assessment teams, it is critical to bring in people with diverse skill sets and backgrounds. In the financial services industry, for example, a fraud-assessment team would include representatives from investigations, corporate security, forensic investigation, account takeover, account setup, account maintenance, customer service, information technology, and information security.
Methodology. The first step in this process is to establish what regulatory and industry mandates must be satisfied. Next, the team must ascertain the company’s risk-tolerance level with regard to fraud. It must then determine which assets are critical and the types of fraud to which those critical assets might be exposed. The team is now ready to consider what that exposure is per risk and per asset and how to mitigate it.
The team must decide which methodology best suits the organization. Among the options are methodologies issued by the Department of Defense, Sandia Labs, the Department of Homeland Security, and ASIS International. Risk-assessment methodologies are based on similar concepts, but they vary in their quantitative approaches. Each organization will have different needs and must choose the methodology that best addresses the risks at hand.
Review. While the company presumably did not already have a fraud-prevention program, it likely had bits and pieces of fraud-prevention procedures and policies that had grown up over time throughout the organization. The assessment team should review and evaluate those preexisting fraud and security policies, which might include, in the case of identity theft, for example, how customer accounts are set up and maintained, how customers’ personal data is protected, and what is done if a data breach or theft is discovered. This comprehensive review should produce an accurate picture of the current safeguards and controls for reducing and managing fraud.
After completing the review of existing safeguards and controls, the team must also review any prior risk assessments that the company conducted so that it will be aware of what the organization has already assessed, deployed, and countered in the past. This review will ensure that the team’s effort takes into account everything that preceded it so that it can change or incorporate those policies as appropriate.
For example, one security director with whom my company consulted found that he was getting repeated requests for security awareness training from various departments throughout the company. The ad hoc nature of the training was expensive, and the security director feared that the requests were in response to security lapses—in other words, the training was reactionary rather than proactive.
When we came in to help with the review of fraud policies, my company found that awareness training was not included as a basic training component like the privacy and safety training that was mandated by federal regulation. As a result, the awareness training was requested on a random basis whenever a company director felt it was warranted.
In light of this finding, the security director began conducting awareness training as a basic component on an annual basis and removed it from the purview of company directors. The security director then conducted refresher training based on reported incidents rather than by request. The change reduced costs and increased the effectiveness of the training.
Another vital element of the review process is to compare industry best practices to an organization’s security posture or framework. For example, there are customer-identification-program guidelines, Bank Secrecy Act guidelines, incident-response guidelines, and a host of information-security guidelines that set out generally accepted antifraud or security measures.
For a CSO or security director, an added value might be illustrating how the organization’s security framework compares to these industry guidelines. A security manager can illustrate a fraud-prevention program’s worth by pointing out that the company’s policies meet standards that have been both adopted by other companies and found to be effective. Similarly, security can justify enhancements to the program by showing that the existing plan is substandard for the industry.
Gaps. The result of the above review and analysis will be to reveal the existing gaps in the company’s fraud-prevention framework. The team’s next task is to develop a remediation strategy to address these gaps.
Cost, of course, is always an issue when it comes to deciding what solutions to implement. It may be possible to work security objectives into other objectives, thereby reducing the direct security cost of the project. For example, if the engineering department is updating fiber-optic systems, the security director can leverage the opportunity to share in the cost of the project to meet security needs. Similarly, if an access control system can be used for time and attendance, HR may be willing to share some of the system’s cost.
Information sharing. In the implementation phase, information sharing is a significant hurdle for organizations and law enforcement agencies to overcome. In some cases, information sharing is a sizeable internal challenge. Business units may be responsible for individual issues relating to fraud (credit card fraud, identity theft, or deposit fraud), but the company may have no centralized depository for collecting, storing, analyzing, and sharing fraud data or information with all business units, let alone government or law enforcement agencies.
Adding to the silo effect, business units will likely each have their own specific missions and mandates. Additionally, internal organizational structures or policies can place limitations on information sharing. The risk assessment must set out how the team will facilitate information sharing.
The compliance phase is the final and crucial pillar. It should include testing and auditing of the program, and the program should be adjusted in response to changes in the organization, such as those that would result from a merger.
By establishing an operational fraud program, security managers can help to minimize fraudulent activity within the organization and ensure that any attempts at fraud are detected before they can hurt the bottom line or the company’s reputation.
William Anderson recently joined a financial institution as vice president of corporate security and protective services. He has 25 years of experience in providing or conducting investigations and consulting on operational fraud programs. Anderson is a member of ASIS International.