Canada's Condominium Magazine
Can you trust your employees? Apparently not, especially the males aged 31–40 years who have worked for you for three to five years and are now in middle/senior management positions. According to a new PwC survey of cyber crime in Canada, those smart young men with the great credentials and the promising futures are the most likely to rob you blind.
How serious is the problem? More than one-third of Canadian organizations (37 per cent) reported economic crime in the last two years. Almost half of those (48 per cent) lost up to $100,000 to fraudsters and internal theft, and nearly as many (41 per cent) lost much more, up to $5 million. Oddly, more than a quarter of companies had not done any fraud risk assessment in the same period.
Crime is up, detection is down, according to PwC, which says that all organizations should have “defensive measures” in place to protect themselvcs. Economic crime is “pervasive” and shows up in all types of businesses. Even companies that do implement policies, procedures and controls are having problems as the “threat landscape” becomes increasingly complicated.
The most common economic crimes are asset misappropriation, or theft, euphemistically known as “shrinkage,” cybercrime, procurement fraud, human resources fraud, mortgage fraud, and bribery and corruption. Financial services is the most susceptible industry, but energy, utilities and mining are also named as being at high risk.
Economic crime is still pervasive in Canada as it continues to find new ways to infiltrate all types of businesses. Defensive measures should be part of any organization’s strategy and culture, not just the responsibility of one person or team. Despite many organizations implementing policies, procedures and controls, the increasingly complicated threat landscape challenges how businesses are balancing growth, risk management and resources.
The difficult thing is that half of all “serious” economic crimes are perpetrated by employees of the companies affected. How, then, can companies do more to protect themselves? As the PwC report indicates, economic crime is essentially “a poor decision driven by human behaviour.” Companies should, therefore, instill clear processes and controls for employees and create a culture where compliance is “hard wired” to values. It says that a values-based compliance program can attract the “best and the brightest” by demonstrating corporate responsibility, because “responsible people want to work for responsible companies.”
In other words, hire good people and they will not do bad things. And good luck with that. If 62 per cent of respondent organizations report experiencing asset misappropriation, there must be a lot of “bad” people slipping through the screening procedures and at best paying lip service to the companies’ values-based compliance programs.
What do companies do when they catch an internal perpetrator? They fire them, mostly. Some also inform law enforcement, some take civil action, some issue a warning, and a very few (3 per cent) do nothing at all.
Complicating the problem is a fairly widespread perception (43 per cent of respondents) that the authorities don’t have the means or the skills to solve these problems. If government agencies can’t investigate cybercrime and other forms of electronic fraud, companies will have to look after themselves, putting in place fraud risk assessment procedures, incident reporting mechanisms and so forth.
PwC offers the following as an example of an effective compliance program for organizations.
- Governance: oversight by the audit committee and board of directors
- Fraud risk assessment
- Code of business conduct and ethics
- Incident reporting mechanisms
- Investigation protocol (including suspicious transaction reporting)
- Remediation protocol
- Hiring and promotion policies and procedures
- Management evaluation and testing