Slide 1: REDUCING FRAUD LOSSES THROUGH RISK MITIGATION
CNI’s Journey, Mistakes, and Lessons Learned
Kenny Ong CNI Holdings Berhad
Slide 2: Contents:
A. Defining Risk Mitigation
B. Reducing Fraud risk Probabilities
C. Decreasing the Impact
D. Tracking and Reporting
Slide 3: Intro and Background
Different Business, Different Frauds
Slide 4: Intro: CNI
1. 18 years old
2. Core Business: MLM
3. Others: Contract Manufacturing, Export/Trading, eCommerce
4. Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan
5. Staff force: ± 500
6. Distributors: 250,000
7. Products: Consumer Goods and Services
Slide 5: Intro: CNI
CNI’s Business Model background
Factory
CNIE DC
Customers Leaders SP
Slide 6: A. Risk Mitigation in CNI
No Business, No Risks.
Slide 7: No Business, No Risks.
• Ironically, our success is the cause of risk
• More success, more money, more fraud
• Easiest way to reduce fraud is to reduce business
• Don’t laugh. This is what most FAC and HR people do, unintentionally
Slide 8: Fraud Risk Mitigation? (1/2)
We follow standard Fraud definitions:
What is Fraud?
1. Someone is Lying
2. Someone is Benefiting
Both conditions must be met in order to be considered Fraud.
Slide 9: Fraud Risk Mitigation? (2/2)
We follow standard Fraud definitions:
Risk = Likelihood x Impact
Risk Mitigation = ↓ Likelihood, or ↓ Impact
Slide 10: Where are the Risks?
Industry Suppliers/Vendors Management Retail Front Staff Frontline
Slide 11: Industry Risks
• Get-Rich-Quick Schemes (Skim Cepat Kaya)
• Direct Selling myths
• Bad Hats
• Imposters
• Products on Shelves
These Fraud risks affect all Direct Selling organizations but cannot be controlled by us alone, only through joint efforts in drafting & pushing new regulations.
Slide 12: Real Fraud, Real Risks
1. DC Fraud
2. Staff Fraud
3. Management Fraud
4. Distributor
5. DC Assistant
6. SP
7. Payroll
8. Undercutting
9. Purchasing

1. Credit Card
2. Ghost Staff
3. Ghost Distributor
4. Financial Reporting
5. Theft
6. F/L
7. eCommerce
8. Tickets
9. Share manipulation
Slide 13: B. Reducing Fraud risk Probabilities
Prevent. Deter. Kill.
Slide 14: Fraud Root Causes
• Policy problem
• People problem
• Unavoidable problem
Slide 15: Risk Mitigation Strategies
Mitigation Structure Resources Identified Fraud Risks
Culture Leadership Person
Slide 16: Alignment: Framework
Structure
• • • • • • • •
Org Structure Job Design – C.Fraud.O. Policies & procedures Governance, Internal Controls Management Systems, SOPs Central Special Task Force Internal Audit, Surprise Audit, Regular Audit (Surveillance) • Levels of Authority, Power Balancing*
Slide 17: *Power Balancing
1. 1. 1. 1. Propose Approve Execute Monitor
BOD Set 1
BOD Set 2
Approval/Verification
Slide 18: Alignment: Framework
Resources
• Tools
• ICT Systems
• Rules detection
• Whistle Blower
• PED
• Profiling/Assessment Tools
• Budget for Investigation, Litigation
Slide 19: Strategy: Framework
Leadership
• PED
• Involuntary Role Modeling
• Personal accountability and Commitment
• 10 Ants Values
• Watch out: Current people promoted to Key Positions
• Promotional criteria
Slide 20: Alignment: Framework
Person
• New Employee Background checks
• Willingness to Punish
• Root Cause Analysis (Mager & Pipe)
• Rotation
• PED
• Fraud Detection & Analysis Competency
• High Risk Jobs
• IT breaches through Frontline
Slide 21: The Four Desperates
1. Desperate Competition
2. Desperate Consumer
3. Desperate Achievers
4. Desperate Changes
Slide 22: • PED
Slide 23: Possible General Root Causes for Fraud
1. "Everyone does it."
2. "It was small potatoes."
3. "They had it coming." – the revenge syndrome
4. "I had it coming." – the equity syndrome
Slide 24: GENERAL STRATEGIES AND POLICIES
• B1. Classification of Behaviors
– B1.1 Disrespectful Workplace Behavior
– B1.2 Progressive Discipline
– B1.3 Zero Tolerance
Slide 25: GENERAL STRATEGIES AND POLICIES
• B2. Recruitment and Selection
• B3. Exit
• B4. Employee Assistance Program
• B5. Anonymous Hotline
• B6. Communication and Feedback
• B7. Training and Education
• B8. Formal Complaint and Grievance
Slide 26: GENERAL STRATEGIES AND POLICIES
• B9 Leadership
– 1. Leaders act as role models whether consciously or unconsciously
– 2. Leaders determine the working environment
Slide 27: GENERAL STRATEGIES AND POLICIES
• B9 Leadership
– 1. Educate
– 2. Involve
– 3. Teach
– 4. Eliminate
Slide 28: SPECIFIC STRATEGIES AND POLICIES
• C1. Theft and Fraud – Root Causes
– 68.6% - no prior criminal record.
– Struggling financially or large purchases
• difficult time in their lives
• gets out of hand
– Merger and acquisition or reorganization activity.
• ‘I don’t have a career here’ attitude.
Slide 29: SPECIFIC STRATEGIES AND POLICIES
• C1. Theft and Fraud - Prevention
– Background checks
– Duties segregated
– Anonymous hotline
– Share the wealth
– Communicate successes
– Make a big noise when discovered
– Video surveillance equipment
Slide 30: SPECIFIC STRATEGIES AND POLICIES
• C2. Violation of confidentiality or security of company information - Prevention
– a. ICT Security Policies*
– b. Ownership of Intellectual Property
– c. Inside Information and Trading of CNI shares
Slide 31: *ICT Security and Fraud (1/3)
Biggest ICT risks to CNI
1. Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information
2. Backup – including Storage of critical and noncritical information and Disaster Recovery
3. Continuity – Availability of systems and information at a 24x7x365 standard
Slide 32: *ICT Security and Fraud (2/3)
The following are threats faced by CNI from ‘inside’ the company:
• Current Employees,
• On-site Contractors,
• Former Employees,
• Vendors/Suppliers,
• Strategic Partners, and
• OEMs
Slide 33: *ICT Security and Fraud (3/3)
ICT Security, Backup, and Continuity Strategies 2005-2008:
• Physical
• PCs and laptops
• Remote access
• Servers, routers, and switches
• Internet / external network
• Wireless
• PDA and cell phone
• Documentation and change management
• Web browsing and Internet Access
• Username and passwords
• Instant Messaging
• E-Mail
• File access permissions
• Backups
• Crisis management, Disaster recovery and Business Continuity
Slide 34: C. Decreasing the Impact
We failed. Now what?
Slide 35: Why Impact?
1. Escaped prevention
• Policy or Procedure
• Performance
2. Cannot reduce likelihood - unavoidable
Slide 36: Levels of Impact (Fraud)
• small impact • BIG impact Tangible
Monetary Loss (>1,000,000) inc. capital, share price Locality
Intangible
Reputation, Image Competitiveness Consumer confidence
Slide 37: small Impact
1. Escaped prevention
– Policy or Procedure
– Performance
• CAR/PAR
• Mager & Pipe
2. Cannot reduce likelihood - unavoidable
• Study Trends
• PAR
Slide 38: Real Fraud, Real Risks
1. DC Fraud
2. Staff Fraud
3. Management Fraud
4. Distributor
5. DC Assistant
6. SP
7. Payroll
8. Undercutting
9. Purchasing

1. Credit Card
2. Ghost Staff
3. Ghost Distributor
4. Financial Reporting
5. Theft
6. F/L
7. eCommerce
8. Tickets
9. Share manipulation
Slide 39: Real Fraud, Real Risks
1. DC Fraud
2. Staff Fraud
1. Management Fraud
1. Distributor
2. DC Assistant
3. SP
4. Payroll
1. Undercutting
1. Purchasing

1. Credit Card
2. Ghost Staff
3. Ghost Distributor
1. Financial Reporting
1. Theft
1. F/L
1. eCommerce
2. Tickets
1. Share manipulation
Slide 40: BIG Impact
• Crisis Management Plan
• Crisis Communications Plan
Slide 41: Crisis Management Plan
Business Function | Crisis: Before (readiness for crisis) | During (sound crisis management) | After (profiting and learning)
Rows: Policy and Planning; Process Owner: [dept. accountable]; Communications; Logistics & Info Systems
Slide 42: Crisis Communication Plan
• Crisis Communication Team (to determine small or BIG for communications purposes)
• Crisis Media Plan
– Media Management
– Media Centre
– Crisis Spokesperson & Interview
– Press Release
Slide 43:
• No case study from CNI on Crisis Communications arising from Fraud
• Not yet happened (fingers crossed)
Slide 44: D. Tracking and Reporting
Slide 45: “Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit”
Norman Augustine CEO & Chairman, Lockheed Martin
Slide 46: Tracking: Who? How?
1. Centralized monitoring: trends, patterns, flag unusual, symptoms
2. Regular reporting
3. BSC, KPI and PMS embedded
4. RWC – RMC
5. Industry comparison
6. IAD, MSD, RD, SDD
Slide 47: E. New Fraud Risks
We need help.
Slide 48: New Fraud Opportunities Change in Business Model: Inexperienced eCommerce Partner Merchants Franchise Conventional retail M&A Targets
Slide 49: eCommerce Frauds
Lost/Stolen Credit Cards Account Takeover eCom Frauds? Application
Pharming
Phishing
Counterfeit Advances
Slide 50: Mistakes and Lessons Learned
1. Price to Pay for Fraud/Risk Mitigation => Business Flexibility
2. Control vs. Growth
3. Rules vs. Humanity/Motivation
4. Not tackling the root cause i.e. Motive + Opportunity i.e. Humans
5. Focus on FAC vs. Sales/Marketing => who has control?
6. Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD
Slide 51: In the end…
• Great Wall of China
– humans are the weakest link
– bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc.
– bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication
Slide 52: Thank You.
soft copy of slides: www.totallyunrelatedrandomanddebatable.blogspot.com