1. REDUCING FRAUD LOSES THROUGH RISK MITIGATION CNIs Journey, Mistakes, and Lessons Learned Kenny Ong CNI Holdings Berhad

2. Contents:

Defining Risk Mitigation

Reducing Fraud risk Probabilities

Decreasing the Impact

Tracking and Reporting

3. Intro and Background Different Business, Different Frauds 4. Intro: CNI

18 years old

Core Business: MLM

Others: Contract Manufacturing, Export/Trading, eCommerce

Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan

Staff force: 500

Distributors: 250,000

Products: Consumer Goods and Services

5. Intro: CNI

CNIs Business Model background

Factory CNIE DC SP Leaders Customers 6. A. Risk Mitigation in CNI No Business, No Risks. 7. No Business, No Risks.

Ironically, our success is the cause of risk

More success, more money, more fraud

Easiest way to reduce fraud is to reduce business

Dont laugh. This is what most FAC and HR people do, unintentionally

8. Fraud Risk Mitigation? (1/2)

We follow standard Fraud definitions:

What is Fraud?

Someone is Lying

Someone is Benefiting

BothConditions must be met in order to be considered Fraud.

9. Fraud Risk Mitigation? (2/2)

We follow standard Fraud definitions:

Risk = Likelihood x Impact

Risk Mitigation =

Likelihood, or

Impact

10. Where are the Risks?

Industry

Management Staff Frontline Suppliers/Vendors Retail Front 11. Industry Risks

Get-Rich-Quick Schemes (Skim Cepat Kaya)

Direct Selling myths

Bad Hats

Imposters

Products on Shelves

These Fraud risks affect all Direct Selling organizations but cannot be controlled by us. Only in joint efforts by drafting & pushing new regulations 12. Real Fraud, Real Risks

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

13. B. Reducing Fraud risk Probabilities Prevent. Deter. Kill. 14. Fraud Root Causes

Policy problem

People problem

Unavoidable problem

15. Risk Mitigation Strategies Culture Mitigation Identified Fraud Risks Structure Resources Leadership Person 16. Alignment: Framework

Org Structure

Job Design C.Fraud.O.

Policies & procedures

Governance, Internal Controls

Management Systems, SOPs

Central

Special Task Force

Internal Audit, Surprise Audit, Regular Audit (Surveillance)

Levels of Authority, Power Balancing*

Structure 17. *Power Balancing

Propose

Approve

Execute

Monitor

BOD Set 1 BOD Set 2 Approval/Verification 18. Alignment: Framework

Tools

ICT Systems

Rules detection

Whistle Blower

PED

Profiling/Assessment Tools

Budget for Investigation, Litigation

Resources 19. Strategy: Framework

PED

Involuntary Role Modeling

Personal accountability and Commitment

10 Ants Values

Watch out: Current people promoted to Key Positions

Promotional criteria

Leadership 20. Alignment: Framework

New Employee Background checks

Willingness to Punish

Root Cause Analysis (Mager & Pipe)

Rotation

PED

Fraud Detection & Analysis Competency

High Risk Jobs

IT breaches through Frontline

Person 21. The Four Desperates 1. Desperate Competition 2. Desperate Consumer 3. Desperate Achievers 4. Desperate Changes 22.

PED

23. Possible General Root Causes for Fraud

"Everyone does it."

"It was small potatoes."

"They had it coming." the revenge syndrome

"I had it coming." the equity syndrome

24. GENERAL STRATEGIES AND POLICIES

B1.Classification of Behaviors

• B1.1 Disrespectful Workplace Behavior

• B1.2Progressive Discipline

• B1.3 Zero Tolerance

25. GENERAL STRATEGIES AND POLICIES

B2. Recruitment and Selection

B3. Exit

B4. Employee Assistance Program

B5. Anonymous Hotline

B6. Communication and Feedback

B7. Training and Education

B8. Formal Complaint and Grievance

26. GENERAL STRATEGIES AND POLICIES

B9 Leadership

• 1. Leaders act asrole modelswhether consciously or unconsciously

• 2. Leaders determine the workingenvironment

27. GENERAL STRATEGIES AND POLICIES

B9 Leadership

• 1. Educate

• 2. Involve

• 3. Teach

• 4. Eliminate

28. SPECIFIC STRATEGIES AND POLICIES

C1. Theft and Fraud Root Causes

• 68.6%- no prior criminal record.

• Struggling financially or large purchases

• • difficult time in their lives

• • gets out of hand

• Merger and acquisition or reorganization activity.

• • I dont have a career here attitude.

29. SPECIFIC STRATEGIES AND POLICIES

C1. Theft and Fraud - Prevention

• Background checks

• Duties segregated

• Anonymous hotline

• Share the wealth

• Communicate successes

• Make a big noise when discovered

• Video surveillance equipment

30. SPECIFIC STRATEGIES AND POLICIES

C2. Violation of confidentiality or security of company information - Prevention

• a. ICT Security Policies*

• b. Ownership of Intellectual Property

• c. Inside Information and Trading of CNI shares

31. *ICT Security and Fraud (1/3)

Biggest ICT risks to CNI

Security All matters relating to the coming-in and going-out of all systems and information

Backup - including Storage of critical and non-critical information and Disaster Recovery

Continuity Availability of systems and information at a 24x7x365 standard

32. *ICT Security and Fraud (2/3)

The following are threats faced by CNI from inside the company:

Current Employees,

On-site Contractors,

Former Employees,

Vendors/Suppliers,

Strategic Partners, and

OEMs

33. *ICT Security and Fraud (3/3)

Web browsing and Internet Access

Username and passwords

Instant Messaging

E-Mail

File access permissions

Backups

Crisis management,Disaster recovery and Business Continuity

Physical

PCs and laptops

Remote access

Servers, routers, and switches

Internet / external network

Wireless

PDA and cell phone

Documentation and change management

ICT Security, Backup, and Continuity Strategies 2005-2008: 34. C. Decreasing the Impact We failed. Now what? 35. Why Impact?

Escaped prevention

• Policy or Procedure

• Performance

Cannot reduce likelihood - unavoidable

36. Levels of Impact (Fraud)

small impact

BIG impact

Tangible

• Monetary Loss (>1,000,000) inc. capital, share price

• Locality

Intangible

• Reputation, Image

• Competitiveness

• Consumer confidence

37. small Impact

Escaped prevention

• Policy or Procedure

• Performance

Cannot reduce likelihood - unavoidable

CAR/PAR

Mager & Pipe

Study Trends

PAR

38. Real Fraud, Real Risks

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

39. Real Fraud, Real Risks

DC Fraud

Staff Fraud

Management Fraud

Distributor

DC Assistant

SP

Payroll

Undercutting

Purchasing

Credit Card

Ghost Staff

Ghost Distributor

Financial Reporting

Theft

F/L

eCommerce

Tickets

Share manipulation

40. BIG Impact

Crisis Management Plan

Crisis Communications Plan

41. Crisis Management Plan Logistics & Info Systems Communications Process Owner: [dept. accountable] Policy and Planning After (profiting and learning) During (sound crisis management) Before (readiness for crisis) Crisis: Business Function 42. Crisis Communication Plan

Crisis Communication Team (to determine small or BIG for communications purposes)

Crisis Media Plan

• Media Management

• Media Centre

• Crisis Spokesperson & Interview

• Press Release

43.

No case study from CNI on Crisis Communications arising fromFraud

Not yet happened (fingers crossed)

44. D. Tracking and Reporting 45.

Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit"

Norman Augustine

CEO & Chairman, Lockheed Martin

46. Tracking: Who? How?

Centralized monitoring: trends, patterns, flag unusual, symptoms

Regular reporting

BSC, KPI and PMS embedded

RWC RMC

Industry comparison

IAD, MSD, RD, SDD

47. E. New Fraud Risks We need help. 48. New Fraud Opportunities

Change in Business Model: Inexperienced

eCommerce

Partner Merchants

Franchise

Conventional retail

M&A Targets

49. eCommerce Frauds Account Takeover Pharming Counterfeit Advances Phishing Application Lost/StolenCredit Cards eComFrauds? 50. Mistakes and Lessons Learned

Price to Pay for Fraud/Risk Mitigation => Business Flexibility

Control vs. Growth

Rules vs. Humanity/Motivation

Not tackling the root cause i.e. Motive + Opportunity i.e. Humans

Focus on FAC vs. Sales/Marketing => who has control?

Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD

51. In the end

Great Wall of China

• humans are the weakest link

• bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc;

• bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication

52. Thank You. soft copy of slides: www.totallyunrelatedrandomanddebatable.blogspot.com