Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan
Staff force: ± 500
Distributors: 250,000
Products: Consumer Goods and Services
Intro: CNI
CNI’s Business Model background
Factory CNIE DC SP Leaders Customers
A. Risk Mitigation in CNI
No Business, No Risks.
Ironically, our success is the cause of risk
More success, more money, more fraud
Easiest way to reduce fraud is to reduce business
Don’t laugh. This is what most FAC and HR people do, unintentionally
Fraud Risk Mitigation? (1/2)
We follow standard Fraud definitions:
What is Fraud?
Someone is Lying
Someone is Benefiting
Both Conditions must be met in order to be considered Fraud.
Fraud Risk Mitigation? (2/2)
We follow standard Fraud definitions:
Risk = Likelihood x Impact
Risk Mitigation =
↓ Likelihood, or
↓ Impact
Def: “Likelihood”
Likelihood | Definition
1. Very Low | 5% likely to happen, hasn’t occurred within last 5 years
2. Low | 20% likely to happen, has occurred within last 5 years
3. Medium | 50% likely to happen, has occurred within last 24 months
4. High | 75% likely to happen, has occurred within last 12 months
5. Very high | 99% likely to happen, has occurred within last 12 months
Def: “Impact”
Impact | Sub A | Sub B | Sub C | Sub C
1. Insignificant | 0-10K | 0-5K | 0-2K | 0-4K
2. Minor | 11K-100K | 6K-25K | 3K-10K | 5K-20K
3. Moderate | 101K-500K | 26K-50K | 11K-20K | 21K-40K
4. Serious | 501K-1M | 51K-100K | 21K-30K | 41K-60K
5. Very Serious | >1.0M | >100K | >30K | >60K
CNI Risk Categories
Four Categories of Risk in CNI:
Operational Risk
Compliance Risk
Financial Risk
Strategic Risk
How CNI Implemented Risk Management
Concept for BOD Approval (please refer to slides Risk and Crisis Management - CNI BOD presentation v3.ppt)
Implementation Plan (please refer to slides FRAMEWORK PRESENTATION.ppt)
Examples of CNI Risks and Calculations
Please refer to Handouts
Examples of Fraud Mitigation Actions: Fraud Risks
Where are the Fraud Risks?
Industry
Management
Staff
Frontline
Suppliers/Vendors
Retail Front
Industry Risks
Get-Rich-Quick Schemes (Skim Cepat Kaya)
Direct Selling myths
Bad Hats
Imposters
Products on Shelves
These Fraud risks affect all Direct Selling organizations but cannot be controlled by us. They can only be addressed through joint efforts, by drafting & pushing new regulations.
Real Fraud, Real Risks
DC Fraud
Staff Fraud
Management Fraud
Distributor
DC Assistant
SP
Payroll
Undercutting
Purchasing
Credit Card
Ghost Staff
Ghost Distributor
Financial Reporting
Theft
F/L
eCommerce
Tickets
Share manipulation
B. Reducing Fraud Risk Probabilities
Prevent. Deter. Kill.
Watch out: Current people promoted to Key Positions
Promotional criteria
Leadership
Alignment: Framework
New Employee Background checks
Willingness to Punish
Root Cause Analysis (Mager & Pipe)
Rotation
PED
Fraud Detection & Analysis Competency
High Risk Jobs
IT breaches through Frontline
Person
The Four Desperates
1. Desperate Competition
2. Desperate Consumer
3. Desperate Achievers
4. Desperate Changes
PED
Possible General Root Causes for Fraud
"Everyone does it."
"It was small potatoes."
"They had it coming." – the revenge syndrome
"I had it coming." – the equity syndrome
GENERAL STRATEGIES AND POLICIES
B1. Classification of Behaviors
B1.1 Disrespectful Workplace Behavior
B1.2 Progressive Discipline
B1.3 Zero Tolerance
GENERAL STRATEGIES AND POLICIES
B2. Recruitment and Selection
B3. Exit
B4. Employee Assistance Program
B5. Anonymous Hotline
B6. Communication and Feedback
B7. Training and Education
B8. Formal Complaint and Grievance
GENERAL STRATEGIES AND POLICIES
B9 Leadership
1. Leaders act as role models whether consciously or unconsciously
2. Leaders determine the working environment
GENERAL STRATEGIES AND POLICIES
B9 Leadership
1. Educate
2. Involve
3. Teach
4. Eliminate
SPECIFIC STRATEGIES AND POLICIES
C1. Theft and Fraud – Root Causes
Profile: 68.6% - no prior criminal record, Aged 26-40 years old, Annual income between RM15k-RM30k, 2-5 yrs of service
Struggling financially or large purchases
difficult time in their lives
gets out of hand
Merger and acquisition or reorganization activity.
‘I don’t have a career here’ attitude.
SPECIFIC STRATEGIES AND POLICIES
C1. Theft and Fraud - Prevention
Background checks
Duties segregated
Anonymous hotline
Share the wealth
Communicate successes
Make a big noise when discovered
Video surveillance equipment
SPECIFIC STRATEGIES AND POLICIES
C2. Violation of confidentiality or security of company information - Prevention
a. ICT Security Policies*
b. Ownership of Intellectual Property
c. Inside Information and Trading of CNI shares
*ICT Security and Fraud (1/3)
Biggest ICT risks to CNI
Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information
Backup - including Storage of critical and non-critical information and Disaster Recovery
Continuity – Availability of systems and information at a 24x7x365 standard
*ICT Security and Fraud (2/3)
The following are threats faced by CNI from ‘inside’ the company:
Current Employees,
On-site Contractors,
Former Employees,
Vendors/Suppliers,
Strategic Partners, and
OEMs
*ICT Security and Fraud (3/3)
Web browsing and Internet Access
Username and passwords
Instant Messaging
E-Mail
File access permissions
Backups
Crisis management, Disaster recovery and Business Continuity
Physical
PCs and laptops
Remote access
Servers, routers, and switches
Internet / external network
Wireless
PDA and cell phone
Documentation and change management
ICT Security, Backup, and Continuity Strategies 2005-2008:
C. Decreasing the Impact
We failed. Now what?
Why Impact?
Escaped prevention
Policy or Procedure
Performance
Cannot reduce likelihood - unavoidable
Levels of Impact (Fraud)
small impact
BIG impact
Tangible
Monetary Loss (>1,000,000) inc. capital, share price
Locality
Intangible
Reputation, Image
Competitiveness
Consumer confidence
small Impact
Escaped prevention
Policy or Procedure
Performance
Cannot reduce likelihood - unavoidable
CAR/PAR
Mager & Pipe
Study Trends
PAR
Investigation: Principles
Preserve Evidence = documents, computers, laptops, voicemails, emails, phone logs, security camera tapes etc.
Focused on Facts
Avoid (or try to avoid) legal exposure e.g. defamation, unlawful dismissal etc.
Verdict/Punishment only after investigation is complete and results obtained
Precedence
Limit number of people
Involve Professionals/Third Party whenever possible
Investigation: Process
1. Case Tip Off
2. Investigating Office (I/O)
3. Internal Inquiry
4. Management Decision
5. Public Disclosure
6. CAR/PAR
Parties shown alongside the process: External P.I., Independent Panel, External Legal
BIG Impact
Crisis Management Plan
Crisis Communications Plan
Crisis Management Plan
Crisis: Business Function
Phases: Before (readiness for crisis), During (sound crisis management), After (profiting and learning)
Policy and Planning
Process Owner: [dept. accountable]
Communications
Logistics & Info Systems
Crisis Communication Plan
Crisis Communication Team (to determine small or BIG for communications purposes)
Crisis Media Plan
Media Management
Media Centre
Crisis Spokesperson & Interview
Press Release
No case study from CNI on Crisis Communications arising from Fraud
Not yet happened (fingers crossed)
D. Tracking and Reporting
“Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit”
Norman Augustine
CEO & Chairman, Lockheed Martin
Tracking: Who? How?
Centralized monitoring: trends, patterns, flag unusual, symptoms