REDUCING FRAUD LOSES THROUGH RISK MITIGATION CNI’s Journey, Mistakes, and Lessons Learned Kenny Ong CNI Holdings Berhad

Contents: Defining Risk Mitigation Reducing Fraud risk Probabilities Decreasing the Impact Tracking and Reporting

Defining Risk Mitigation

Reducing Fraud risk Probabilities

Decreasing the Impact

Tracking and Reporting

Intro and Background Different Business, Different Frauds

Intro: CNI 18 years old Core Business: MLM Others: Contract Manufacturing, Export/Trading, eCommerce Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan Staff force: ± 500 Distributors: 250,000 Products: Consumer Goods and Services

18 years old

Core Business: MLM

Others: Contract Manufacturing, Export/Trading, eCommerce

Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan

Staff force: ± 500

Distributors: 250,000

Products: Consumer Goods and Services

Intro: CNI CNI’s Business Model background Factory CNIE DC SP Leaders Customers

CNI’s Business Model background

A. Risk Mitigation in CNI No Business, No Risks.

No Business, No Risks. Ironically, our success is the cause of risk More success, more money, more fraud Easiest way to reduce fraud is to reduce business Don’t laugh. This is what most FAC and HR people do, unintentionally

Ironically, our success is the cause of risk

More success, more money, more fraud

Easiest way to reduce fraud is to reduce business

Don’t laugh. This is what most FAC and HR people do, unintentionally

Fraud Risk Mitigation? (1/2) We follow standard Fraud definitions: What is Fraud? Someone is Lying Someone is Benefiting Both Conditions must be met in order to be considered Fraud.

We follow standard Fraud definitions:

What is Fraud?

Someone is Lying

Someone is Benefiting

Both Conditions must be met in order to be considered Fraud.

Fraud Risk Mitigation? (2/2) We follow standard Fraud definitions: Risk = Likelihood x Impact Risk Mitigation = ↓ Likelihood, or ↓ Impact

We follow standard Fraud definitions:

Risk = Likelihood x Impact

Risk Mitigation =

↓ Likelihood, or

↓ Impact

Where are the Risks? Industry Management Staff Frontline Suppliers/Vendors Retail Front

Industry

Industry Risks Get-Rich-Quick Schemes (Skim Cepat Kaya) Direct Selling myths Bad Hats Imposters Products on Shelves These Fraud risks affect all Direct Selling organizations but cannot be controlled by us. Only in joint efforts by drafting & pushing new regulations

Get-Rich-Quick Schemes (Skim Cepat Kaya)

Direct Selling myths

Bad Hats

Imposters

Products on Shelves

Real Fraud, Real Risks DC Fraud Staff Fraud Management Fraud Distributor DC Assistant SP Payroll Undercutting Purchasing Credit Card Ghost Staff Ghost Distributor Financial Reporting Theft F/L eCommerce Tickets Share manipulation

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

B. Reducing Fraud risk Probabilities Prevent. Deter. Kill.

Fraud Root Causes Policy problem People problem Unavoidable problem

Policy problem

People problem

Unavoidable problem

Risk Mitigation Strategies Culture Mitigation Identified Fraud Risks Structure Resources Leadership Person

Alignment: Framework Org Structure Job Design – C.Fraud.O. Policies & procedures Governance, Internal Controls Management Systems, SOPs Central Special Task Force Internal Audit, Surprise Audit, Regular Audit (Surveillance) Levels of Authority, Power Balancing* Structure

Org Structure

Job Design – C.Fraud.O.

Policies & procedures

Governance, Internal Controls

Management Systems, SOPs

Central

Special Task Force

Internal Audit, Surprise Audit, Regular Audit (Surveillance)

Levels of Authority, Power Balancing*

*Power Balancing Propose Approve Execute Monitor BOD Set 1 BOD Set 2 Approval/Verification

Propose

Approve

Execute

Monitor

Alignment: Framework Tools ICT Systems Rules detection Whistle Blower PED Profiling/Assessment Tools Budget for Investigation, Litigation Resources

Tools

ICT Systems

Rules detection

Whistle Blower

PED

Profiling/Assessment Tools

Budget for Investigation, Litigation

Strategy: Framework PED Involuntary Role Modeling Personal accountability and Commitment 10 Ants Values Watch out: Current people promoted to Key Positions Promotional criteria Leadership

PED

Involuntary Role Modeling

Personal accountability and Commitment

10 Ants Values

Watch out: Current people promoted to Key Positions

Promotional criteria

Alignment: Framework New Employee Background checks Willingness to Punish Root Cause Analysis (Mager & Pipe) Rotation PED Fraud Detection & Analysis Competency High Risk Jobs IT breaches through Frontline Person

New Employee Background checks

Willingness to Punish

Root Cause Analysis (Mager & Pipe)

Rotation

PED

Fraud Detection & Analysis Competency

High Risk Jobs

IT breaches through Frontline

The Four Desperates 1. Desperate Competition 2. Desperate Consumer 3. Desperate Achievers 4. Desperate Changes

PED

PED

Possible General Root Causes for Fraud "Everyone does it." "It was small potatoes." "They had it coming." – the revenge syndrome "I had it coming." – the equity syndrome

"Everyone does it."

"It was small potatoes."

"They had it coming." – the revenge syndrome

"I had it coming." – the equity syndrome

GENERAL STRATEGIES AND POLICIES B1. Classification of Behaviors B1.1 Disrespectful Workplace Behavior B1.2 Progressive Discipline B1.3 Zero Tolerance

B1. Classification of Behaviors

B1.1 Disrespectful Workplace Behavior

B1.2 Progressive Discipline

B1.3 Zero Tolerance

GENERAL STRATEGIES AND POLICIES B2. Recruitment and Selection B3. Exit B4. Employee Assistance Program B5. Anonymous Hotline B6. Communication and Feedback B7. Training and Education B8. Formal Complaint and Grievance

B2. Recruitment and Selection

B3. Exit

B4. Employee Assistance Program

B5. Anonymous Hotline

B6. Communication and Feedback

B7. Training and Education

B8. Formal Complaint and Grievance

GENERAL STRATEGIES AND POLICIES B9 Leadership 1. Leaders act as role models whether consciously or unconsciously 2. Leaders determine the working environment

B9 Leadership

1. Leaders act as role models whether consciously or unconsciously

2. Leaders determine the working environment

GENERAL STRATEGIES AND POLICIES B9 Leadership 1. Educate 2. Involve 3. Teach 4. Eliminate

B9 Leadership

1. Educate

2. Involve

3. Teach

4. Eliminate

SPECIFIC STRATEGIES AND POLICIES C1. Theft and Fraud – Root Causes 68.6% - no prior criminal record. Struggling financially or large purchases difficult time in their lives gets out of hand Merger and acquisition or reorganization activity. ‘ I don’t have a career here’ attitude.

C1. Theft and Fraud – Root Causes

68.6% - no prior criminal record.

Struggling financially or large purchases

difficult time in their lives

gets out of hand

Merger and acquisition or reorganization activity.

‘ I don’t have a career here’ attitude.

SPECIFIC STRATEGIES AND POLICIES C1. Theft and Fraud - Prevention Background checks Duties segregated Anonymous hotline Share the wealth Communicate successes Make a big noise when discovered Video surveillance equipment

C1. Theft and Fraud - Prevention

Background checks

Duties segregated

Anonymous hotline

Share the wealth

Communicate successes

Make a big noise when discovered

Video surveillance equipment

SPECIFIC STRATEGIES AND POLICIES C2. Violation of confidentiality or security of company information - Prevention a. ICT Security Policies* b. Ownership of Intellectual Property c. Inside Information and Trading of CNI shares

C2. Violation of confidentiality or security of company information - Prevention

a. ICT Security Policies*

b. Ownership of Intellectual Property

c. Inside Information and Trading of CNI shares

*ICT Security and Fraud (1/3) Biggest ICT risks to CNI Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information Backup - including Storage of critical and non-critical information and Disaster Recovery Continuity – Availability of systems and information at a 24x7x365 standard

Biggest ICT risks to CNI

Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information

Backup - including Storage of critical and non-critical information and Disaster Recovery

Continuity – Availability of systems and information at a 24x7x365 standard

*ICT Security and Fraud (2/3) The following are threats faced by CNI from ‘inside’ the company: Current Employees, On-site Contractors, Former Employees, Vendors/Suppliers, Strategic Partners, and OEMs

The following are threats faced by CNI from ‘inside’ the company:

Current Employees,

On-site Contractors,

Former Employees,

Vendors/Suppliers,

Strategic Partners, and

OEMs

*ICT Security and Fraud (3/3) Web browsing and Internet Access Username and passwords Instant Messaging E-Mail File access permissions Backups Crisis management, Disaster recovery and Business Continuity Physical PCs and laptops Remote access Servers, routers, and switches Internet / external network Wireless PDA and cell phone Documentation and change management ICT Security, Backup, and Continuity Strategies 2005-2008:

Web browsing and Internet Access

Username and passwords

Instant Messaging

E-Mail

File access permissions

Backups

Crisis management, Disaster recovery and Business Continuity

Physical

PCs and laptops

Remote access

Servers, routers, and switches

Internet / external network

Wireless

PDA and cell phone

Documentation and change management

C. Decreasing the Impact We failed. Now what?

Why Impact? Escaped prevention Policy or Procedure Performance Cannot reduce likelihood - unavoidable

Escaped prevention

Policy or Procedure

Performance

Cannot reduce likelihood - unavoidable

Levels of Impact (Fraud) small impact BIG impact Tangible Monetary Loss (>1,000,000) inc. capital, share price Locality Intangible Reputation, Image Competitiveness Consumer confidence

small impact

BIG impact

Tangible

Monetary Loss (>1,000,000) inc. capital, share price

Locality

Intangible

Reputation, Image

Competitiveness

Consumer confidence

small Impact Escaped prevention Policy or Procedure Performance Cannot reduce likelihood - unavoidable CAR/PAR Mager & Pipe Study Trends PAR

Escaped prevention

Policy or Procedure

Performance

Cannot reduce likelihood - unavoidable

CAR/PAR

Mager & Pipe

Study Trends

PAR

Real Fraud, Real Risks DC Fraud Staff Fraud Management Fraud Distributor DC Assistant SP Payroll Undercutting Purchasing Credit Card Ghost Staff Ghost Distributor Financial Reporting Theft F/L eCommerce Tickets Share manipulation

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

Real Fraud, Real Risks DC Fraud Staff Fraud Management Fraud Distributor DC Assistant SP Payroll Undercutting Purchasing Credit Card Ghost Staff Ghost Distributor Financial Reporting Theft F/L eCommerce Tickets Share manipulation

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

BIG Impact Crisis Management Plan Crisis Communications Plan

Crisis Management Plan

Crisis Communications Plan

Crisis Management Plan Logistics & Info Systems Communications Process Owner: [dept. accountable] Policy and Planning After (profiting and learning) During (sound crisis management) Before (readiness for crisis) Crisis: Business Function

Crisis Communication Plan Crisis Communication Team (to determine small or BIG for communications purposes) Crisis Media Plan Media Management Media Centre Crisis Spokesperson & Interview Press Release

Crisis Communication Team (to determine small or BIG for communications purposes)

Crisis Media Plan

Media Management

Media Centre

Crisis Spokesperson & Interview

Press Release

No case study from CNI on Crisis Communications arising from Fraud Not yet happened (fingers crossed)

No case study from CNI on Crisis Communications arising from Fraud

Not yet happened (fingers crossed)

D. Tracking and Reporting

“ Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit" Norman Augustine CEO & Chairman, Lockheed Martin

“ Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit"

Norman Augustine

CEO & Chairman, Lockheed Martin

Tracking: Who? How? Centralized monitoring: trends, patterns, flag unusual, symptoms Regular reporting BSC, KPI and PMS embedded RWC – RMC Industry comparison IAD, MSD, RD, SDD

Centralized monitoring: trends, patterns, flag unusual, symptoms

Regular reporting

BSC, KPI and PMS embedded

RWC – RMC

Industry comparison

IAD, MSD, RD, SDD

E. New Fraud Risks We need help.

New Fraud Opportunities Change in Business Model: Inexperienced eCommerce Partner Merchants Franchise Conventional retail M&A Targets

Change in Business Model: Inexperienced

eCommerce

Partner Merchants

Franchise

Conventional retail

M&A Targets

eCommerce Frauds Account Takeover Pharming Counterfeit Advances Phishing Application Lost/Stolen Credit Cards eCom Frauds?

Mistakes and Lessons Learned Price to Pay for Fraud/Risk Mitigation => Business Flexibility Control vs. Growth Rules vs. Humanity/Motivation Not tackling the root cause i.e. Motive + Opportunity i.e. Humans Focus on FAC vs. Sales/Marketing => who has control? Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD

Price to Pay for Fraud/Risk Mitigation => Business Flexibility

Control vs. Growth

Rules vs. Humanity/Motivation

Not tackling the root cause i.e. Motive + Opportunity i.e. Humans

Focus on FAC vs. Sales/Marketing => who has control?

Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD

In the end… Great Wall of China humans are the weakest link bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc; bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication

Great Wall of China

humans are the weakest link

bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc;

bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication

Thank You. soft copy of slides: www.totallyunrelatedrandomanddebatable.blogspot.com