Tag Archives: systems

It’s All Good

adult-american-football-athlete-209954

I have written before about the importance of whistleblowers as a prime tool for detecting and discovering fraud. The ACFE’s 2018 Report to the Nations states that 40% of frauds were discovered through a tip from a whistleblower. This is, by far, the most common way in which fraud is uncovered. At 15%, internal audit came in a distant second. That’s huge. It is important to note that, in a business, a whistleblower can report wrongdoing in many areas – dangerous weaknesses in the design of a product, dishonest marketing and anything else going awry in an organization.

The history of the whistleblower in America dates back to the late 1700s when ten members of his crew and 2 citizens reported Esek Hopkins, the nation’s first commodore, for torturing British prisoners of war among several allegations. Hopkins was suspended and, in turn, retaliated by having the whistleblowers arrested. These whistleblowers appealed to the congress claiming that they were “arrested for doing what they believed and still believe was nothing but their duty”.  Congress responded by creating the country’s first whistleblower protection law. I love this story because it covers the entire whistleblower cycle. First, we have people seeing behavior that they believe is wrong and then taking steps to report this. We then have authorities taking action on the reported wrongdoing. We see the ugly side of things when Hopkins retaliates, something that, unfortunately, happens too often when whistleblower complaints are filed. Finally, we have whistleblower protections, as lawmakers recognize that it is important to have a system in place that protects those who call out what is wrong.

Sadly, this was not the moment when the world realized the importance of the whistleblower, holding the role in an esteemed position, where whistleblowers would be lauded and admired for all time. Instead, over time, in all spaces, including the movies, whistleblowers were given a bad rep and uncomplimentary labels like “snitch”, “informer” or “rat”. Instead of being admired for uncovering wrongdoing, whistleblowing was viewed as violating a sacred code of silence. We were being told that it was better to be a criminal, stealing money, jeopardizing people’s livelihoods and sometimes even their lives, than to be the person shining the light on all of this. We found ourselves in a space where, yes it’s terrible if someone runs off with your money or turns a blind eye to safety in a product, in pursuit of profits, but it is so much worse if someone tells us about it.

In 1971, Ralph Nader, the famous consumer activist, made it his mission to remove the tarnish from whistleblowing. He described whistleblowing as “An act of a man or woman who, believing that the public interest overrides the interest of the organization he serves, blows the whistle that the organization is involved in corrupt, illegal, fraudulent, or harmful activity.” He worked tirelessly to put a positive spin on the word whistleblower and as people view the role more favorably, whistleblowers can be better protected from retaliation.

We should recognize that it is not easy to be a whistleblower. Most people have a level of loyalty, if not to their job, then definitely to their colleagues. When they see fraud or other wrongdoing happening, they are torn and conflicted and often hope that they are wrong. Most of us like the people we work with and may know about their families and may even socialize with them. The second last thing we want is to find out that a coworker is perpetrating a fraud, only because the last thing we want is to be the person reporting this. At times, people will leave a job before they report a fraud. Other times, a person will keep quiet, hoping that someone else takes on the burden of reporting the fraud. It is a heavy emotional burden.

This is all before a whistleblower has to consider possible retaliation for reporting that wrongdoing. Many people fear losing their job or being ostracized after blowing the whistle on fraud. Unfortunately, sometimes these people are correct. At times the retaliation will not be overt but can happen in insidious ways where those retaliating try to find loopholes and legal ways in which to push a whistleblower out. When this happens, any other potential whistleblowers can be scared into silence. We tend to find out about this retaliation when a fraud is uncovered and we discover that, perhaps for years, others had tried to report the fraud but were fired, ostracized as people who were not team players, or treated as though they were insane for suggesting such a thing.

With these things in mind, it is paramount to business leaders and all others to act to hold whistleblowing as a positive action and to encourage and protect whistleblowers. Unless you are a leader perpetrating a fraud at your organization, why wouldn’t you want a whistleblower in your midst? Here are a few steps you can take to make this happen:

  • Your onboarding process should include information to employees encouraging whistleblowing and giving them clear and easy ways in which they can make reports.
  • Provide employees with an anonymous way in which they can share a tip. Also provide various places or a third party, in case the whistleblower does not feel that the option provided is one that is safe and one that will act on the tip.
  • Have zero tolerance for retaliation. This should not only be communicated to employees but be an active part of your company’s culture.
  • Show clearly that you have acted on a tip and that such actions are encouraged and appreciated in your organization.
  • Keep information on reporting whistleblowing prominent in your firm and remind employees regularly.

We are in the midst of football season and many fans are very upset with referees right now because it seems they are not making calls that they should, and they are letting players get away with things that lead to what fans view as unjust outcomes. If we feel this strongly about referees blowing the whistle on bad plays, shouldn’t we be bringing at least the same level of passion to blowing the whistle on wrongdoing in businesses and other organizations?

 

Tagged , , , , , , , , ,

Nobody’s Perfect

stockvault-fortune116480

Barings Bank was the United Kingdom’s oldest merchant bank and the second oldest merchant bank in the world. In 1992, the bank sent 25-year-old Nick Leeson to be the general manager at its new office in Singapore. During that first year there, Leeson made unauthorized trades that earned Barings £10 million in profits. The bank should have had a system where one person was a trader, and another was double-checking and then authorizing these trades. Instead, Leeson did everything with no checks and balances. Yes, these trades were unauthorized, but they made the bank a lot of money and so, instead of nipping the unauthorized trades in the bud, Barings paid Leeson a massive bonus and labeled him a rising star. Things changed very quickly, and Leeson started losing money on his trades. Instead of reporting his losses, Leeson hid them in a suspense account, that he created and tried, unsuccessfully, to recoup his losses. He would then hide those losses in this suspense account as well. By the end of 1994, the losses stood at £208 million. In February of 1994, Leeson left a note stating, “I’m sorry”, and fled Singapore, leaving Barings Bank with £897 million in losses (equivalent to $1.4 billion). Barings Bank could not recover from those losses and, after being in business since 1762, collapsed and was bought by ING for £1.

The story of Barings Bank and Nick Leeson is like one of those puzzles where you circle the ten things wrong in a picture – there are that many problem areas and weaknesses that led to the downfall that we could revisit this story many times for lessons. Today we shall focus on Nick Leeson hiding his bad bets. Initially, Leeson made errors and miscalculations on some trades that he made and lost money from those errors. From some of the accounts from Leeson, it is implied that mistakes were not looked upon kindly. Leeson claimed that he first opened the suspense account in which he hid losses after a colleague lost £20,000 after making an error herself. Instead of either one of them reporting the error, they decided to hide this error from leadership. Nick Leeson then went on to hide more of his trading errors here, thinking, in the manner of a gambler, that he could gain the money he had lost back, and his bosses would never find out what he was doing.

I thought about Nick Leeson this week because I am reading Principles by Ray Dalio. In it, he tells the story of how his employee Ross, who was in charge of trading at the time, forgot to make a trade and that cost the business “several hundred thousand dollars”. Dalio tells us that, with such a costly error, he could have dramatically fired Ross and “set the tone that mistakes would not be tolerated. Instead, Dalio recognized that mistakes happen to us all the time, he himself had made mistakes so large that he had essentially lost his business at some point. Dalio’s approach, which is an approach that I am a huge fan of and have tried to follow for a long time, is to think about what to learn from mistakes and how to improve things to minimize the chances of those mistakes happening again, or at least how to minimize their impact should they occur. As I have written before, Dalio recognized that punishing Ross for his mistake would likely result in other people working hard to hide any errors. Dalio saw that would cost his business a lot more in the long run. At his firm, Bridgewater, Dalio and Ross created an error log where errors were tracked and addressed. Instead of people getting into trouble for making mistakes, they would get into trouble when they didn’t report mistakes.

With Leeson (and Barings Bank) and Dalio in mind and the different outcomes that have resulted from their approaches to dealing with mistakes is very telling. One person brought down the second oldest merchant bank and the other has what is considered to be the fifth most important private company in the United States. Some things to keep in mind when considering how to manage responses to errors in your business:

  • Create an environment where everyone is comfortable reporting errors that they have made. Be explicit with this, both in what you say and how you respond.
  • When you discover a mistake, take the time to look, with your team, into how this mistake might have been avoided or recognized and resolved earlier. An example is, with a missed trade, it is likely that Dalio and his team looked at the process and sought to put in checks to make sure that there were others aware of the trade, checking to make sure the trade was made and having a way to check in with Ross to make sure he had not forgotten.
  • Review your systems to see where there are checks and balances and if especially important areas are not put on one person. Make sure that someone else is checking – we all make mistakes and that is why there is a checking system. Not to make us feel bad about ourselves but in recognition of our humanness.
  • Have open discussions about errors and get input from all levels on how to avoid or detect errors. At the leadership level, you may come up with a system, but you may find that staff find that process cumbersome, don’t stick with it and errors can go undetected for a while. And if an error has not even been detected, it can’t be reported.

These are just a few things to think about but the most important part is creating an environment that is open to communication, not just about success, but about the things that have gone wrong. You should think about making the environment open for the hard conversations the priority because it is simple to report and celebrate success but failure and error are what kill our business. With that in mind, are there situations that you have found yourself in where either you or someone on your team made a mistake? How did you respond, how did others respond, and how did things turn out?

Tagged , , , , , , , , , ,

Just In Case

stockvault-journey190946

 

I’m that person. Next to you on the plane. Pulling out that safety booklet and reading it, from beginning to end. I’m that person. Listening attentively while the flight attendants go through their entire routine, from how to buckle and unbuckle your seatbelt, to the reminder to not inflate your lifejacket until you are outside the plane. Every time, I’m that person. I look around for the nearest exit and sometimes do a mental calculation of my best route there. I check in the booklet to see where my lifejacket is supposed to be and I sometimes feel about to make sure that the booklet is correct. As often as I have flown, I take the time to go through the process and remind myself of what I know and to see if there is something I have missed in the past or a new instruction that may have been added.

Sometimes I wonder if it’s a bit much. However, recently when a plane in New York City made an emergency landing, video taken by a passenger showed that many people on that plan had no idea how to operate the lifejackets and way too many of them had inflated their lifejackets while still inside the plane. This may have been related to panic during a stressful situation but, from looking around me during the pre-flight safety instruction session, it seems the bigger issue is that most passengers just don’t pay attention. There are more interesting or pressing matters that command our attention and, specifically for those who fly often, we are likely lulled into an arrogance of the familiar. We have done this many times before, we must know exactly what’s up at this point. It may be only on that rare occasion of an emergency that we realize that it is ha been so long since we paid attention to the instructions that we now have a very vague idea of what to do.

Many businesses will have a company policy, code of conduct and operations manual and include training. When a new employee starts with a company there is often some kind of onboarding process that includes either training sessions or handing over a policies and procedures manual or a combination of the two. In addition to sharing with the employee how the employee should go about doing their job, the training and manuals should also include what should be done when things go awry. These instructions should be clear, and employees must know not only what to do but also who to go to for guidance when things are not right. Employees must also know who to inform and the various levels of leadership that this information should go through. If there is no protocol, an employee will not know who to take a problem to and those who are told may not know what to do with the information. You don’t want to be that company in the news admitting that people noticed an issue early on but that the information did not make its way to the right people to manage it.

In addition to the initial training, companies should remind employees often. This can be performed in-person, in an online session or through other messaging, like posters around the company. It is dangerous and foolish to believe that employees will remember their week of training or the contents of a manual years into employment, especially during the first week at a company an employee is not yet familiar with the day to day workings of that company. When a crisis hits, you don’t want to be the person being told, “You should have known what to do. We told you during your initial training, ten years ago.” You especially don’t want to be the person asking a coworker why they can’t remember that old training – honestly, what do you remember from ten years ago?

Thinking about your business, take steps to:

  • Include in your training, what a person should do when something is wrong, who they should report to and options for anonymous reporting, in case the matter is sensitive, and an employee might fear retaliation for reporting.
  • Make sure that your training is clear and easy to understand and follow up with employees to make sure that they have understood and retained the training.
  • Have a non-retaliation policy at your company, for people who report wrongdoing and errors. This policy must be something your business takes seriously.
  • Have a disaster recovery policy that you revisit and update regularly. Make sure your employees are familiar with the policy so they know what they are responsible for doing.
  • Have important policy information displayed around the office, to remind employees what is expected of them.
  • Perform regular training updates of your employees so that you are not relying on ten-year-old memories.

It takes me only a couple of minutes to get through the safety brochure and some airlines put time and energy into creating engaging and fun pre-flight safety videos that are actually fun to watch. I hope I am never in a flight emergency situation, but I go forward knowing that if that should happen, I shall at least remember to not inflate my lifejacket while still on the plane.

Tagged , , , , ,

Keep Rolling

gratisography-433H

When I first started running, I was out training, and my knee suddenly buckled in pain. I thought I had broken something, but it turned out that I had IT band syndrome. I tried several approaches to get better. Among these, I would change up my routes so that I was balancing out which leg was favored, I worked to improve my gait and I started foam rolling. No one warned me about that rolling. I think tears sprung to my eyes that first day I foam rolled. I know for sure that I yelped in pain, several times (thankfully I was alone). I couldn’t believe that I was supposed to do this every day, but I had to roll through the pain because I had a race on my schedule and I needed my knee to start working again.

After rolling consistently, I was amazed by how much better everything worked. I was also incredibly relieved that the rolling didn’t hurt so much anymore. I was a foam rolling disciple and whenever anyone told me they were contemplating taking up running, I urged them to also contemplate taking up foam rolling. At a point, I actually found joy in foam rolling. I could get through a rolling session with nary a yelp. It was glorious.

Recently, foam rolling slipped out of my life. After a fall apparently chipped a piece of my knee into non-existence, I could not run at all and I was, instead, focused on weight training to strengthen my knees. At the end of a week of working out, the trainer advised a foam rolling session. I didn’t even think twice; I hadn’t been running, how bad could things be? Painfully terrible, it turns out.

Managing controls in a business works in a similar manner. Sometimes, when a company sets up or has an auditor highlight weaknesses in its control systems, the company will go about creating policies and procedures that address risks and institute controls. At times, with that company, new hires will be given these manuals to read and, if they are lucky, these new employees will receive training. This training will teach the employees about the culture of the company and how to follow policies and procedures, in order to minimize risk within that company. However, how often will that company review its policies and procedures to see if they are relevant to technological advances and new risks that have arisen?

  • How often will the company’s leadership review policies and procedures with existing staff, to ensure that people have not slacked off and are still, for instance, getting the approvals that they are supposed to obtain for transactions?
  • Is anyone checking that reconciliations are occurring monthly (or at whatever frequency has been established) and, once performed, that those reconciliations are being reviewed by the relevant staff?
  • If there is a policy for checks over a certain amount to be signed by two signatories, is anyone reviewing to make sure this is the case?
  • When employees have left the company, have their access to the company’s system been suspended? Once suspended, have their accounts been deleted so that no one else in the company can use them? If they were signatories for bank accounts, has the bank been informed and has the bank removed them from the signatory list?
  • Have the company’s staff received training in how to reduce the risk of phishing?
  • Has the company’s leadership received any training themselves to update them on current risks and to remind them what the policies and procedures of the company are?

These are just a few examples of the many ways in which a company should be regularly checking in and exercising its control muscles. If all you are doing is handing over a manual on day one and assuming that your staff knows what and how they need to do things, you are only setting yourself up for possible pain in the future.

  • Can you be surprised if one of your staff members gets phished and hackers gain access to your company? Think about the pain of finding out that someone pretending to be the CEO sent an email that instructed accounts payable to wire a sizeable amount of money to an offshore account and that accounts payable fell for the scam?
  • If no one is regularly reconciling accounts, can you really be shocked when you discover that an employee has taken advantage of this lack of oversight and embezzled money?
  • If accounts of former employees are not properly suspended and deleted, how will you figure out who has been using them since the former employee left? How will you be able to trace unauthorized transactions?
  • If your company’s leadership is not up to date on policies and procedures, how can they enforce them? At that point, everyone will be just guessing and hoping for the best. Being unprepared and hoping for the best tends to only work out well in the movies.

Maintaining and updating policies and procedures should be a proactive and continuous activity. Speak with a forensic CPA about how to create, institute and regularly review your control systems to reduce risk in your company. It may seem like schlep in the beginning, but having the systems serves a deterrent to those contemplating wrongdoing, it also keeps your staff more educated about how, for instance, they can recognize errors or attempts to suck them into a scam. This can also mean that when something is going awry, it is spotted earlier, minimizing possible losses.

You should be doing this to avoid or, at the very least, minimize any future pain. You don’t want to be like me where incredible pain leads to you even more pain, on the eventual path to healing. Take it from my IT band, proactive is so much better than reactive.

 

Tagged , , , , , , , , ,

If Lost… Then What?

img_1715.jpg

At the end of May, I was on my way to an event, when a flash of pink on the sidewalk caught my attention. I stopped and realized that I was looking at a small square of leather. I bent down, picked it up and turned it over in my hands. It was a wallet with a MetroCard, some credit and debit cards and a driver’s license in it. I pulled out the license, looked it over, and walked over to the restaurant that was a few feet away from where I had just found the wallet. I must have made a few people nervous, staring at them and then down at the license, to see if anyone there resembled the photo. No luck. I then pulled out my phone and tried a few quick searches, online, to see if I could figure out how to contact this woman. Her name was more common than I imagined; several options came up and none appeared to be her. Yes, her license had an address on it but, the license had been issued several years earlier and people in New York City can move around quite a bit, in search of amenities such as a view, an elevator or affordable rent. As I was running late, I decided to go to my event and put my search off until later. On my way, I spotted a parked police car. I got excited, thinking that I may be able to hand over the wallet, but the excitement faded when I got close to the car and found that there was no one sitting in it.

When I got home and had more time to do so, I hunted down the woman whose wallet I had found and delivered it to her. Even if she had cancelled her cards, I am sure she was happy to get her stuff back – who knows maybe her MetroCard still had 29 days of use left on it. That experience reminded me of a time, years ago, when someone stole my handbag at the airport. I was livid that someone had invaded my space and even stood yelling, in the terminal, for the thief to just take my cash and give me back my stuff. Suffice to say, that did not happen. I did, fortunately, have a kind gentleman give me money to get the train back home. However, a few weeks later, my phone rang and it was the airport, calling to tell me that my bag had been found. They had been able to contact me because I happened to have a dry-cleaning slip in my wallet, and my phone number was on it. I was lucky that I had that slip in my bag but these two events really got me thinking about recovery plans, not just in business, in other aspects of our lives.

With a wallet, for instance, you can keep a business card in the wallet, or put a small card in your wallet with an email address and/or phone number so that, should you be unlucky enough to lose the wallet and a kind stranger picks it up, they can contact you and figure out how to get it back to you. It is an easy thing to do and could be hugely useful. It doesn’t even have to be your usual email address, if you have fears about your inbox being inundated by unwanted email, you can create an email address that you keep for moments such as this.

We never think that we will either lose our stuff or have it stolen from us but it can happen to any of us. It can be personal or it can be a business loss, such as a system crash, or theft and, in all cases, having a recovery plan will go a long way to make recovery less stressful and less expensive. If, at this very moment, you lost everything on your computer, what would you do? Does the thought give you heart palpitations because you would lose very important data, with no way of getting it back? Would you have to shell out a lot of money and spend valuable time working to try to recover everything? Would you wonder whether or not your business could survive such a loss? If this thought is a scary one to you, you should be thinking about sitting down with trusted professionals, to create and put a comprehensive protection and recovery plan in place. You should review various scenarios, even if you think it wouldn’t happen to you. Things to consider when doing this:

  • Are you backing up your data on a regular basis? Automating this process is a great way to make sure that it happens – you don’t want it to all depend on your remembering to do it.
  • Where are you keeping your backups? Do you keep a backup offsite and unconnected to your current system? You don’t want your backup corrupted, should your system go down.
  • Are you checking the integrity of your backups? It isn’t helpful to think you have been creating backups and find out, when you need the backup, that the process was not occurring.
  • Now that you have backups, do you have a recovery plan? Do you know what you are going to do should things go awry? Does your staff know? Do you have the plan in writing and in a space where it can be easily accessed? Have you trained your staff in this recovery process?

There are people who are well-trained in helping you create a backup and recovery plan and that can start with your CPA. You want someone who has experience and knowledge regarding best practices that are practical, useful and effective.

We are humans who work with technology that we have built and we must, therefore acknowledge that we are not infallible and we must therefore create, review and update our contingency plans. And that plan can never just be relying on the kindness of strangers.

Tagged , , , , , ,

I Trust You, But…

Image

Last Saturday, my husband showed off some of his work in an open studios event at Industry City. He did the lion’s share of the work but, on Friday evening, he asked me to come over and help him a little. He assigned me the job of placing 5×7 prints of some of his work in 5×7 frames. It sounds straightforward enough and I am sure that my husband trusts me and has great confidence in my abilities. Nevertheless, after I had framed a few photos, he came over and checked my work. It turned out that some of the photos were not quite centered in their frames. He handed them to me, offered me some tips on how best to center photos in frames, and asked me to redo them.

This reminded me of when I was a kid and my parents would check my homework. I know that they felt that I could do it. I know this because they would say things like, “You can do better than this; try again.”Most of the time the issue was that my handwriting was barely legible on a good day. Knowing that my work would be reviewed, on days when I was tempted to rush through my homework, maybe because I wanted to play or watch TV, I willed myself to slow down and get it done correctly the first time around. I did not want to get into trouble and I definitely did not want to have to do my homework over again.

Recently, I have been reading stories about people in charge of a business’s finances perpetuating fraud. These people carried on their shenanigans and were not caught until the businesses they were employees of were practically going under. You know why? Because no one ever checked their work. Ever. In the cases that I read, the business owners were all charmed by the charismatic and capable people that they hired to manage their finance departments. The business owners gave these managers unfettered access to the companies’ bank and credit accounts and, boy, did those managers take full advantage of this access. They opened new credit accounts, they maxed out existing accounts and they went shopping! These business owners only found out what was going on when purchases they were trying to make were declined because their accounts were wiped out. In every case, the owners had left the finances up to the managers that they had hired so that they could focus on operations. They seemed to forget that an essential part of a business is the money needed to run it. They did not keep tabs on where the money went after it came in.

Because none of us is infallible and because too many among us are not always honest, it is vital that work is checked by someone else. Depending on the size and complexity of an entity, there are various ways in which to incorporate checks into a system to prevent and detect error and fraud.

  • There must always be a review of another party’s work. In a very small business, this may mean that the business owner is periodically reviewing bank and credit card statements. It may mean that the business owner will check incoming mail on a random basis, to make sure that unauthorized statements have not been opened in the name of the business. In larger businesses, there should be processes where the work done by one employee is reviewed by another employee for error and misstatement.
  • Someone other than the person booking cash entries in the ledger should perform reconciliations of the bank and credit accounts. Reviews and reconciliations of payable and receivable accounts should also be performed.
  • Make sure that staff take vacations and that, while they are on vacation, someone else does their work. In this way if anything is amiss, a new pair of eyes may catch mistakes or other missteps that are being made. In addition to this, having someone else do the work also means that one person does not have exclusive knowledge of a process in a business. In this way, no employee is indispensable. Also, when more people understand a process, and employee is less likely to try hide fraud in the process.
  • If possible, move work around among employees, again, so that more people in a department have a greater understanding of what is going on. The saying is familiarity breeds contempt; it can also breed careless errors. People operating in autopilot can become too comfortable with the work that they are doing and make careless mistakes because they are not paying close enough attention to the work.

Check, check and check again. If people know that there are effective checks in a system, they are likely to be discouraged from trying to steal from an entity. If people know that their work will be checked, they are more likely to pay attention to details so that they don’t have to do the work over again. Even when I was frustrated because the photographs seemed to shift all by themselves when I tried to secure them in the frames, I growled, I complained, and I started over and over again until I got it right. You know why? Well, because I like to do a job well AND I didn’t want my husband handing the work back to me and calling me out on getting it wrong.

Tagged , , , , , , , , ,