This is the final part of the Fraud, Directors and the Board, published in the same section of India CSR Network.
Cost – effectiveness Considerations
Insurance to cover certain forms of fraud may be difficult to obtain at an affordable price. The cost of preventative measures can be compared with those of incidents of fraud and the likelihood of their occurrence. More sophisticated criminals also monitor the cost-effectiveness of their operations. Like entrepreneurs, they think in terms of probabilities, risks and returns.
Measures and responses that increase the risks facted by criminals, lower their returns, reduce the probability of a successful strike and raise the prospects of being tracked, caught and/or closed down may cause them to pause. They might give up, if continuing does not seem worthwhile. Effective Individual and collective action by companies, regulators and other agencies can deter attacks and cause criminals to switch their attention to softer targets.
Counter-fraud activities and agencies may also have to cover costs and show value for money. In judging performance, should one add the cost of preventative and counter measures, and disruption caused, to any financial losses suffered? Awareness of incidents of fraud can lead to a loss of trust. Opportunities that are missed as a results can be difficult to assess. Many companies do not report fraud, fearing this might reduce prospects, customer and investor confidence.
Sharing information about attacks and how best to address them can be very beneficial for tackling certain forms of fraud, especially cyber crimes. Directors may be concerned to protect intellectual property and commercially sensitive information during the process. However, these may be more at risk if reluctance to cooperate results in insufficient information to assess what is happening across a market or sector. This can complicate prioritisation and the planning of responses.
Companies are often less worried about small financial losses than they would be about a major leak of personal or corporate data. However, the lack of vigilance on the part of some people that causes them could reveal a systemic weakness. This might be exploited by other criminals intent upon making a smaller number of much larger gains. The possible consequences of all breaches and deficiencies should be carefully considered. Small tremors can be harbingers of major quakes.
Assessing Corporate Exposure
Directors should be alert to where a company and its people are vulnerable. Often the easiest way into an organisation’s systems and data is via a naïve or slack employee, or a connected party who leaves a door open or inadvertently admits a criminal to a corporate network. After entering by a back door the criminal can move to where “valuables are stored”. The full range of communications are at risk. Large numbers of people become victims of email, text, postal and telephone scams.
A scams occurs when a victim authorises payment, which may not be the case with fraud. Like fraud, a scam is criminals behavior. Persistents scam callers set out to build trust. A proportion of those targeted reveals their passwords. Anti-fraud newsletters and other communications can alert people to the consequences of becoming a victim and the risks of compromising the security of corporate systems. Basic guidance should not be overlooked. Many people put image and details of their activities, movements, homes and offices on social media. Such disclosure gives criminals a mass of information, including notice of when they are away.
People should be vigilant in relation to their own actions what is going on around them. They should look out for signs of concealment, defensive behavior and liying, and where such behavior might succeed. When in doubt or concerned, they should alert a corporate and network security team. Confidential reporting links and help lines may be welcomed and used by those with concerns. Whistleblowing policies can enable more cases of fraud to be identified, but people may require reassurance that they will not suffer adverse consequences if they speak up.
Many Manufacturers could do more to prevent the misuse of products that are connected to the internet. Developers of corporate software need to be aware of security issues. In many countries, there are various sources of information and intelligence that companies can turn to, and public and other services they can access, to better protect themselves. Care should be taken to ensure that corporate policies to reduce fraud and abuse do not inhibit innovation and responsible risk taking.
Anti –fraud Strategies and policies
Cyber security and anti-fraud strategies and policies should be higher on some boardroom agendas. Many directors need to step up to their responsibilities in relation to fraud and other criminals activity which can have immediate and lasting consequences. They are also a threat to market systems and societies within which companies operate. Directors have a duty to act in the long-term interests of those to whom they are accountable and for whom they are responsible.
Boards should balance costs and benefits and take stakeholder interests into account when taking decisions. Expensive arrangements based upon previous experience may fail to provide protection against new forms of attack. Affordable ways of adapting defences in the light of a changing risk and threat environment, flexibility, 24/7 monitoring, and responding decisively and rapidly when frauds and hacks occur are all desirable.
Checks, alerts, help and monitoring and reporting arrangement can be built into processes and support tools. It is good business sense and a moral and social responsibility to collaborate to protect a company – and its supply chain and stakeholders – and confront significant threats to future operations and sustainable development. Customers, suppliers, staff, associates, investors, business partners, public bodies and others can all become victims of fraud and other criminal activities that are increasingly undertaken across national borders and on an international basis.
Given the nature of threats, should boards leave it to law enforcement agencies with their budget and manpower constraints to act alone to stem the criminal tide? If boards do not take steps to protect companies and their stakeholders, report and share information, and collaborate with regulators, law enforcement and other agencies, Government may become more involved. They have a duty to protect citizens. Like companies they face difficult choices. Some measures might involve extra bureaucracy, further costs and additional taxation. Action such as greater powers to snoop or intervene when vital services are interrupted may prove unpopular with many directors.
While people are wedded to greater connectivity, internet transactions and other activities, remote access, portable technology, e-government and other on line services, and flexible working and learning practices, our vulnerability as individuals, communities and societies may continue to increase. If our way of life, markets and the capitalist system are to survive, directors and boards must play their part in corporate and collective efforts to protect them.
(*Prof Colin Coulson-Thomas is IOD India’s Director General, for UK and Europe Operations, also holds a portfolio of board academic and international roles, and has advised directors and boards in over 40 countries.)
(Article first published in Director Today, May 2017)
Copy Right: Director Today.