Authored by: Emily Irving, VP Third Party Risk, BlackRock and Shared Assessments Steering Committee Vice Chair and Bob Jones, Senior Advisor, The Santa Fe Group
If you could print $200 million on your home printer each year, how would it affect the world economy? If all humans could avoid physical contact with each other for two weeks, would the common cold be eradicated? If every person on earth aimed a laser pointer at the moon, would the moon change color?
Author and former NASA roboticist Randall Munroe poses these and other peculiar questions in his best-selling book “What If?” for an extremely practical reason. By providing serious scientific answers to these hypotheticals, Munroe takes readers on a journey that inspires them to think more creatively about real-world challenges, expands their awareness of what’s possible, and sharpens their problem-solving skills.
Third party risk management (TPRM) leaders ought to embark on a similar journey. A valuable way to do so is by collaborating with an inherently skeptical group of professionals who have mastered the art of asking hypothetical questions: anti-fraud experts. Fraud examiners, fraud prevention specialists and other anti-fraud professionals routinely pose TPRM-relevant questions such as:
- Why don’t wire transfers to our vendor contain a recipient’s name?
- What if an employee’s home address appears as a vendor address in our accounts payable (A/P) database?
- Why is our Phoenix office being repainted for the fifth time this year?
- Why are vendors with high bids winning the competitive bidding processes?
- Why are we approving so many change control requests from that vendor?
- What if a third party executive has close ties with a former government official in a country known for corruption?
It turns out that fraud is a major source of third party risk; it also turns out that third parties are a major source of corporate fraud.
Since the law came into force in 1977, 90 percent of Foreign Corrupt Practices Act (FCPA) enforcement actions to date have involved third party intermediaries, according to ongoing research conducted by Stanford Law School and Sullivan and Cromwell LLP. Because fraud and third party risk are so closely interrelated, TPRM teams and corporate fraud-prevention experts need to work together and communicate continually. In many organizations, however, collaboration between TPRM and fraud prevention ranges from subpar to non-existent.
Building and improving this relationship begins with recognition of the value that anti-fraud expertise can add throughout various TPRM phases. Equipped with that understanding, TPRM leaders and professionals can consider subsequent steps to launch and advance ongoing collaborations among anti-fraud teams and TPRM groups.
The Value of Skepticism
The decades-old concept of the fraud triangle remains relevant today because it has proven so effective in preventing, deterring, detecting and investigating corporate fraud. According to this framework, fraud occurs when three conditions exist:
- A non-sharable problem;
- An opportunity for trust violation; and
- A set of rationalizations used to justify the fraud.
The criminologist credited with originating the Fraud Triangle concept indicated that all three elements must be present for a fraud to occur, according to a Fraud Magazine article titled “Iconic Fraud Triangle Endures.” The author of that piece, W. Steve Albrecht, also emphasizes that “The triangle metaphor continues to be extremely useful in helping anyone better understand fraud.” Albrecht served as the first president of the Association of Certified Fraud Examiners (ACFE), the world’s largest anti-fraud organization and premier provider of anti-fraud training and education.
Fraud awareness adds value throughout the TPRM lifecycle, including the following phases:
- Due diligence and onboarding: Spotting atypical behavior, sniffing out inconsistencies and continually asking “Does this make sense?” are primary responsibilities of anti-fraud professionals. These experts frequently access databases in a secure, compliant and discreet manner while conducting their detective work. For example, when a company is considering hiring a vendor, the anti-fraud team might ping that vendor’s various addresses against organizational databases containing employee addresses. While a match would not automatically disqualify the prospective vendor or trigger disciplinary action against the employee, it would certainly result in a rigorous examination along with some pointed questions.
- Monitoring: Anti-fraud professionals typically monitor whistleblower hotline claims and follow up on those issues. They also deploy link analysis to identify relationships among various types of fraud investigations. This link analysis can be harnessed to monitor data traffic for any related suspicious activity. Given that fraud examiners tend to be the first responders to fraud claims, the information they glean from these events can provide early or even advance warning of information security breaches.
- Incident response: Some industry regulations mandate the anti-fraud team’s participation in incident response activities. In the financial services industry, for example, companies must report suspected crimes – those that may have been committed against them or those in which they may have been used as a conduit – to the U.S. Treasury’s Financial Crimes Enforcement Network within 30 days of detection. The investigations expertise and interviewing skills that anti-fraud professionals possess not only aid the incident response effort but also can produce valuable insights that TPRM teams can use to improve their processes.
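The vendor-to-employee address screen described under due diligence and onboarding can be sketched as follows. This is an added example, not code from the authors or their organizations; the record layouts, IDs and addresses are constructed, and it matches only on exact equality after normalization (no fuzzy matching).

```python
import re

# Spelling variants folded to one token (small constructed subset, not a postal standard).
_FOLD = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
         "BOULEVARD": "BLVD", "LANE": "LN", "APARTMENT": "UNIT", "APT": "UNIT",
         "SUITE": "UNIT", "STE": "UNIT"}

def normalize(addr):
    """Reduce an address to a canonical string so formatting differences do not hide a match."""
    s = addr.upper()
    s = re.sub(r"\b(\d{5})-\d{4}\b", r"\1", s)   # ZIP+4 -> five-digit ZIP
    s = s.replace("#", " UNIT ")                 # "#4B" and "Apt. 4B" should compare equal
    s = re.sub(r"[^A-Z0-9 ]", " ", s)            # drop punctuation
    return " ".join(_FOLD.get(tok, tok) for tok in s.split())

def find_overlaps(vendors, employees):
    """Return (vendor_id, employee_id, normalized_address) for every shared address.

    A hit is a lead for review by the anti-fraud team, not a verdict.
    """
    index = {}
    for emp in employees:
        index.setdefault(normalize(emp["home_address"]), []).append(emp["employee_id"])
    hits = []
    for ven in vendors:
        for addr in ven["addresses"]:
            key = normalize(addr)
            for emp_id in index.get(key, []):
                hits.append((ven["vendor_id"], emp_id, key))
    return hits

# Constructed sample records (hypothetical IDs and addresses).
VENDORS = [
    {"vendor_id": "V-1001", "addresses": ["200 Market Avenue, Suite 300, Denver, CO 80202"]},
    {"vendor_id": "V-1002", "addresses": ["PO Box 77, Tempe, AZ 85281",
                                          "1428 elm st #4b Phoenix AZ 85004-1234"]},
]
EMPLOYEES = [
    {"employee_id": "E-204", "home_address": "1428 Elm Street, Apt. 4B, Phoenix, AZ 85004"},
    {"employee_id": "E-317", "home_address": "9 Birch Road, Mesa, AZ 85201"},
]

if __name__ == "__main__":
    for hit in find_overlaps(VENDORS, EMPLOYEES):
        print("review:", hit)
```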
Anti-fraud experts bring a heavy dose of skepticism to all of their work. They also tend to be well-versed in running what-if scenarios as well as in the psychology and motivations that contribute to fraudulent behaviors. These competencies and exercises can help TPRM managers probe their existing processes and capabilities for weak points that they might otherwise overlook.
However, finding these experts requires some detective work in many mid-sized to large organizations. In some companies, the anti-fraud team resides in a larger corporate security group; in others, it may be part of the internal audit function, the enterprise risk management function, or the general counsel’s office. Large enterprises may favor a decentralized approach where a number of anti-fraud teams operate in a matrix structure. Additionally, these teams often operate under different names in different companies. Banks may house anti-fraud professionals in financial intelligence units while retailers refer to these groups as loss prevention. Insurance companies often have special investigations units.
Once TPRM leaders uncover where anti-fraud resources are located in their organization, they can get started on establishing and nurturing these collaborations. On that count, the following steps and considerations can help:
- Recognize the unique value of the anti-fraud mindset: TPRM leaders and professionals should keep in mind that anti-fraud experts bring a unique perspective, training and set of techniques to the table. These capabilities can significantly enhance the efficacy of TPRM programs.
- Adjust if anti-fraud resources are minimal: Some companies, including many small to mid-sized organizations, do not have a dedicated anti-fraud team. In some cases, individuals who possess this expertise – former members of local, state and federal law enforcement or the military, and/or professionals who have earned the ACFE designation – may work in other areas of the business (e.g., facilities management) and can be asked to collaborate with third party risk managers. The internal audit function as well as external anti-fraud experts can also be enlisted to provide anti-fraud support.
- Look for opportunities to collaborate: Anti-fraud experts can start their partnership with TPRM colleagues simply by sharing anecdotes about fraudulent activity they’ve witnessed or learned about through professional channels. Keep in mind that this relationship can be mutually instructive. Many anti-fraud programs will benefit from learning how to adapt portions of TPRM frameworks and methodologies to their work. The due diligence and onboarding of vendors represents a good area to begin reevaluating together. As gatekeepers of these vendor relationships, TPRM managers can ask anti-fraud colleagues what types of screening approaches and questions they would put to prospective third parties.
- Include other stakeholders: As TPRM programs begin to work with anti-fraud experts it is important to expand these collaborations to include other parts of the organization that are ripe for fraud and/or third-party risk, such as procurement, A/P, human resources, and information security.
Once TPRM and anti-fraud groups establish a relationship, they should look for ways to integrate anti-fraud considerations and activities into TPRM processes and programs in a permanent way. Doing so can help prevent disturbing and costly hypotheticals – no matter how absurd they may sound – from becoming reality.
What if: https://what-if.xkcd.com/
Stanford Study: http://fcpa.stanford.edu/chart-intermediary.html
Fraud Triangle: http://www.dkcpas.com/content/client/7fa6b31cca001f1ab32e5d2a03a5b153/uploads/iconic-fraud-triangl.pdf