Friday, August 22, 2014

Managing Insider Risk

"Outsiders damage the brand; insiders bring down the business."

"We use automated controls over insiders only to the extent that they are more efficient than management supervision; under no circumstances are they a substitute for supervision."

Management of insider risk is not for the indolent, ignorant, or incompetent.  It requires diligence, special knowledge, and skill.  Here are some ideas that you may find useful.

Focus controls on the early detection and correction of errors.  Not only will such controls also resist malice but they reduce the temptation that results when employees make errors and recognize that they are not detected.

Focus controls on executives, officers and managers rather than clerks and tellers.  History suggests that we often focus on those likely to steal little and be caught early rather than those able to destroy the business but be caught late.

Ensure that supervisors have the necessary knowledge, skills, and abilities to perform and assess the duties of subordinates.  Historic losses from insider errors or malice have involved employees whose superiors did not understand what they did.

Structure duties and roles such that one person, simply performing his assigned duties, without doing anything heroic or exercising extraordinary judgement, acts as a control over others.  This arrangement detects errors and omissions, and discourages and detects malicious acts.

Separate origination from approval, record creation from maintenance, and custody of assets from the records about those assets.  These rules are as old as double-entry bookkeeping and originate with the same little monks.

Require the cooperation of two or more people to exercise extraordinary privileges or capabilities.  No one should have been able to do what Edward Snowden appears to have done.

Consider the rule of "least possible privilege" when granting access and authorizing capabilities.  Said another way, employees should have only those privileges and capabilities necessary to carry out their assignments. Guard against the accretion of privileges as employees move from role to role through their careers.

Use automatic alerts and alarms. Distribute them to those best able to recognize the need for and the authority to take the necessary corrective action. Distribute them such that one person has to deal with only a few a day. Require that individuals make a record of the disposition of all alerts and alarms

Instruct all employees to report all anomalies and variances from expectation to the attention of at least two people, including one manager and a member of the audit or security staff.  Be sure to treat all such reports and reporters with respect; dismissing them will discourage future reporting.

Measure and report on performance; changes in performance are suspicious.  However, "If the numbers are too good to be true, they are not true."   Massive frauds, including Bearings Bank, Enron, and Equity Funding, all began with glowing revenue numbers.  Management fraud has resulted from attempts to keep beating earlier numbers.

Rotate employees in assignments and enforce mandatory vacations; continuity is often necessary to mask malicious activity.  Officers who come into the office when they are supposed to be on vacation should be viewed as suspicious rather than diligent.

Compensate employees in a manner that is consistent with the amount of economic discretion that they exercise.  Under paying is corrupting.

Use invoices, statements, confirmations and other communications to and from customers, suppliers, investors, and taxing authorities to control insider risk.  While these controls operate late, and may be seen by the media as relying upon chance, they are legitimate, effective, and efficient; management is entitled to rely upon them.  Automatic, i.e., not under the control of the originator, transaction confirmations sent by e-mail or SMS are both timely and cheap.

Say "please" and "thank you." With few exceptions, unhappy insiders believe that their contribution is not recognized or appreciated by management.

Revoke all access, privileges, and capabilities immediately upon termination or separation.  Of course, this requires that one keep track of what they are.


No comments:

Post a Comment