Friday, May 16, 2025

Insider Risk (not Threat)

Over the last decade the media has been full of "threat," almost to the exclusion of "risk."  It should not surprise anyone that insider risk has been written of as "insider threat."  It is true there is a small threat from insiders but it has a very low rate of occurrence.  The real concern for insiders arises from consequences, not threat.  The high rate threat comes from outside, not inside.  Outsiders damage the brand: insiders bring down the business.  The threat is from the outside, risk from the inside.

Most of our employees really do want to do their jobs.  In the rare cases where they fail it is more likely to be accidental rather than malicious.  "The dummies have it, hands down, now and forever."  No matter how damaging, mistakes tend to be overlooked, accepted as normal and unavoidable, and forgiven.  Even malice is more likely because of a management failure to train, supervise, and reward, rather than a failure of motive on the part of the employees.  

Conrad Hilton, the founder of Hilton Hotels, used to display in his guest rooms what he called the Eleventh Commandment, "Thou shalt not tempt."  My favorite ethical test is, "Nice people do not do that."  I learned my second favorite ethical test at Nortel in Canada.  When I asked my client to describe Nortel's ethical culture he said, "Behave as though your mother were watching."  Good managers watch like "Mother."  

Malicious insiders may be needy, greedy, or disgruntled.  The needy or greedy resort to fraud and embezzlement, while the disgruntled lean toward destruction.  Even the fraud may be rooted in part in a failure of management to properly address error.  The employee makes a mistake; no one notices.  He repeats it and again no one notices.  He begins to think that a deliberate act, one in the direction of his benefit, may similarly go unnoticed.  

Watch for good numbers.  If the numbers are too good to be true, they are not true.  

The disgruntled employee is most likely upset because he believes that his worth and his contribution to the enterprise have not been properly recognized and rewarded.  However, that feeling did not occur suddenly.  He did not go home happy on Tuesday night and come in and take the place apart on Wednesday morning.  The disaffection grew slowly over time.  It likely did not go unnoticed.  His managers likely knew that he was not happy but had delayed taking action until it was too late.  Perhaps please, thank you, and attaboys are the most efficient controls.  While not a substitute for proper compensation, they do not cost much.  

Speaking of proper compensation, the higher up the management chain, the more important it becomes.  It must take into account the economic contribution of the scope managed.  It must also take into account the economic discretion that the officer exercises.  One of the reasons that we see corruption in government is that officials are not compensated in proportion to the power and influence that they exercise.  While such compensation may be hard to justify politically, it does work to limit corruption.

While management tends to worry about IT, and IT failures get the media attention, most fraud takes place in business applications.  Workers steal where they work, e.g., accounts payable and receivable, payroll, goods, inventory, credit.  IT people are more likely to convert capacity than to manipulate business applications.  

While management tends to focus on those engaged in low level routine, think clerks and tellers, the real damage comes from officers and professionals.  Tellers steal small and are caught early.  Officers steal big and may not be caught for years.  However, one must take into account the power and fragility of IT, when managing employee satisfaction and morale.  

Few embezzlers started out to steal big.  They started small but it was not detected: temptation. It became habitual and grew in magnitude over time.  Early detection and correction is essential.  

One last thought before we go.  The most effective control over insider risk is management supervision.  Everyone deserves to be supervised by someone who knows enough to understand and appreciate what they do.  On the other hand, automated controls and procedures are often more efficient than expensive supervision.  While we use them because they are efficient, they are effective only in the presence of good management.  They are hardly ever effective in controlling managers and executives.  

In summary, think risk not threat, error before malice, business before IT, managers and executives before tellers and clerks, supervision before automation.  
