
Reducing Fraud Losses through Risk Mitigation - ABF Conference on Managing Risks in Corporate Fraud

From kennyong, 5 months ago


Slideshow transcript

Slide 1: REDUCING FRAUD LOSSES THROUGH RISK MITIGATION CNI’s Journey, Mistakes, and Lessons Learned Kenny Ong CNI Holdings Berhad

Slide 2: Contents: A. Defining Risk Mitigation B. Reducing Fraud risk Probabilities C. Decreasing the Impact D. Tracking and Reporting

Slide 3: Intro and Background Different Business, Different Frauds

Slide 4: Intro: CNI 1. 18 years old 2. Core Business: MLM 3. Others: Contract Manufacturing, Export/Trading, eCommerce 4. Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan 5. Staff force: ± 500 6. Distributors: 250,000 7. Products: Consumer Goods and Services

Slide 5: Intro: CNI CNI’s Business Model background Factory CNIE DC Customers Leaders SP

Slide 6: A. Risk Mitigation in CNI No Business, No Risks.

Slide 7: No Business, No Risks. • Ironically, our success is the cause of risk • More success, more money, more fraud • Easiest way to reduce fraud is to reduce business • Don’t laugh. This is what most FAC and HR people do, unintentionally

Slide 8: Fraud Risk Mitigation? (1/2) We follow standard Fraud definitions: What is Fraud? 4. Someone is Lying 5. Someone is Benefiting Both Conditions must be met in order to be considered Fraud.

Slide 9: Fraud Risk Mitigation? (2/2) We follow standard Fraud definitions: Risk = Likelihood x Impact Risk Mitigation = ↓ Likelihood, or ↓ Impact

Slide 10: Where are the Risks? Industry Suppliers/Vendors Management Retail Front Staff Frontline

Slide 11: Industry Risks • Get-Rich-Quick Schemes (Skim Cepat Kaya) • Direct Selling myths • Bad Hats • Imposters • Products on Shelves These Fraud risks affect all Direct Selling organizations but cannot be controlled by us. Only in joint efforts by drafting & pushing new regulations

Slide 12: Real Fraud, Real Risks 1. DC Fraud 2. Staff Fraud 3. Management Fraud 4. Distributor 5. DC Assistant 6. SP 7. Payroll 8. Undercutting 9. Purchasing | 1. Credit Card 2. Ghost Staff 3. Ghost Distributor 4. Financial Reporting 5. Theft 6. F/L 7. eCommerce 8. Tickets 9. Share manipulation

Slide 13: B. Reducing Fraud risk Probabilities Prevent. Deter. Kill.

Slide 14: Fraud Root Causes • Policy problem • People problem • Unavoidable problem

Slide 15: Risk Mitigation Strategies Mitigation Resources Structure Identified Fraud Risks Culture Leadership Person

Slide 16: Alignment: Framework Structure • Org Structure • Job Design – C.Fraud.O. • Policies & procedures • Governance, Internal Controls • Management Systems, SOPs • Central • Special Task Force • Internal Audit, Surprise Audit, Regular Audit (Surveillance) • Levels of Authority, Power Balancing*

Slide 17: *Power Balancing 1. Propose 2. Approve 3. Execute 4. Monitor BOD Set 1 BOD Set 2 Approval/Verification

Slide 18: Alignment: Framework Resources • Tools • ICT Systems • Rules detection • Whistle Blower • PED • Profiling/Assessment Tools • Budget for Investigation, Litigation

Slide 19: Strategy: Framework Leadership • PED • Involuntary Role Modeling • Personal accountability and Commitment • 10 Ants Values • Watch out: Current people promoted to Key Positions • Promotional criteria

Slide 20: Alignment: Framework Person • New Employee Background checks • Willingness to Punish • Root Cause Analysis (Mager & Pipe) • Rotation • PED • Fraud Detection & Analysis Competency • High Risk Jobs • IT breaches through Frontline

Slide 21: The Four Desperates 1. Desperate Competition 2. Desperate Consumer 3. Desperate Achievers 4. Desperate Changes

Slide 22: • PED

Slide 23: Possible General Root Causes for Fraud 1. "Everyone does it." 2. "It was small potatoes." 3. "They had it coming." – the revenge syndrome 4. "I had it coming." – the equity syndrome

Slide 24: GENERAL STRATEGIES AND POLICIES • B1. Classification of Behaviors – B1.1 Disrespectful Workplace Behavior – B1.2 Progressive Discipline – B1.3 Zero Tolerance

Slide 25: GENERAL STRATEGIES AND POLICIES • B2. Recruitment and Selection • B3. Exit • B4. Employee Assistance Program • B5. Anonymous Hotline • B6. Communication and Feedback • B7. Training and Education • B8. Formal Complaint and Grievance

Slide 26: GENERAL STRATEGIES AND POLICIES • B9 Leadership – 1. Leaders act as role models whether consciously or unconsciously – 2. Leaders determine the working environment

Slide 27: GENERAL STRATEGIES AND POLICIES • B9 Leadership – 1. Educate – 2. Involve – 3. Teach – 4. Eliminate

Slide 28: SPECIFIC STRATEGIES AND POLICIES • C1. Theft and Fraud – Root Causes – 68.6% - no prior criminal record. – Struggling financially or large purchases • difficult time in their lives • gets out of hand – Merger and acquisition or reorganization activity. • ‘I don’t have a career here’ attitude.

Slide 29: SPECIFIC STRATEGIES AND POLICIES • C1. Theft and Fraud - Prevention – Background checks – Duties segregated – Anonymous hotline – Share the wealth – Communicate successes – Make a big noise when discovered – Video surveillance equipment

Slide 30: SPECIFIC STRATEGIES AND POLICIES • C2. Violation of confidentiality or security of company information - Prevention – a. ICT Security Policies* – b. Ownership of Intellectual Property – c. Inside Information and Trading of CNI shares

Slide 31: *ICT Security and Fraud (1/3) Biggest ICT risks to CNI 2. Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information 3. Backup - including Storage of critical and non-critical information and Disaster Recovery 4. Continuity – Availability of systems and information at a 24x7x365 standard

Slide 32: *ICT Security and Fraud (2/3) The following are threats faced by CNI from ‘inside’ the company: • Current Employees, • On-site Contractors, • Former Employees, • Vendors/Suppliers, • Strategic Partners, and • OEMs

Slide 33: *ICT Security and Fraud (3/3) ICT Security, Backup, and Continuity Strategies 2005-2008: 1. Web browsing and Internet Access 2. Username and passwords 3. Instant Messaging 4. E-Mail 5. File access permissions 6. Backups 7. Crisis management, Disaster recovery and Business Continuity 8. Documentation and change management | 1. Physical 2. PCs and laptops 3. Remote access 4. Servers, routers, and switches 5. Internet / external network 6. Wireless 7. PDA and cell phone

Slide 34: C. Decreasing the Impact We failed. Now what?

Slide 35: Why Impact? 1. Escaped prevention • Policy or Procedure • Performance 2. Cannot reduce likelihood - unavoidable

Slide 36: Levels of Impact (Fraud) • small impact • BIG impact – Tangible – Monetary Loss (>1,000,000) inc. capital, share price – Locality – Intangible – Reputation, Image – Competitiveness – Consumer confidence

Slide 37: small Impact 1. Escaped prevention – Policy or Procedure • CAR/PAR – Performance • Mager & Pipe 3. Cannot reduce likelihood - unavoidable • Study Trends • PAR

Slide 38: Real Fraud, Real Risks 1. DC Fraud 2. Staff Fraud 3. Management Fraud 4. Distributor 5. DC Assistant 6. SP 7. Payroll 8. Undercutting 9. Purchasing | 1. Credit Card 2. Ghost Staff 3. Ghost Distributor 4. Financial Reporting 5. Theft 6. F/L 7. eCommerce 8. Tickets 9. Share manipulation

Slide 39: Real Fraud, Real Risks 1. DC Fraud 2. Staff Fraud 3. Management Fraud 4. Distributor 5. DC Assistant 6. SP 7. Payroll 8. Undercutting 9. Purchasing | 1. Credit Card 2. Ghost Staff 3. Ghost Distributor 4. Financial Reporting 5. Theft 6. F/L 7. eCommerce 8. Tickets 9. Share manipulation

Slide 40: BIG Impact • Crisis Management Plan • Crisis Communications Plan

Slide 41: Crisis Management Plan Business Function Crisis: Before (readiness for crisis) | During (sound crisis management) | After (profiting and learning) • Policy and Planning • Process Owner: [dept. accountable] • Communications • Logistics & Info Systems

Slide 42: Crisis Communication Plan • Crisis Communication Team (to determine small or BIG for communications purposes) • Crisis Media Plan – Media Management – Media Centre – Crisis Spokesperson & Interview – Press Release

Slide 43: • No case study from CNI on Crisis Communications arising from Fraud • Not yet happened (fingers crossed)

Slide 44: D. Tracking and Reporting

Slide 45: “Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit” Norman Augustine CEO & Chairman, Lockheed Martin

Slide 46: Tracking: Who? How? 1. Centralized monitoring: trends, patterns, flag unusual, symptoms 2. Regular reporting 3. BSC, KPI and PMS embedded 4. RWC – RMC 5. Industry comparison 6. IAD, MSD, RD, SDD

Slide 47: E. New Fraud Risks We need help.

Slide 48: New Fraud Opportunities Change in Business Model: Inexperienced eCommerce Partner Merchants Franchise Conventional retail M&A Targets

Slide 49: eCommerce Frauds Lost/Stolen Credit Cards Account Application Takeover eCom Frauds? Pharming Phishing Counterfeit Advances

Slide 50: Mistakes and Lessons Learned 1. Price to Pay for Fraud/Risk Mitigation => Business Flexibility 2. Control vs. Growth 3. Rules vs. Humanity/Motivation 4. Not tackling the root cause i.e. Motive + Opportunity i.e. Humans 5. Focus on FAC vs. Sales/Marketing => who has control? 6. Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD

Slide 51: In the end… • Great Wall of China – humans are the weakest link – bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc; – bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication

Slide 52: Thank You. soft copy of slides: www.totallyunrelatedrandomanddebatable.blogspot.com