Accelerating anti-fraud innovation
The changing fraud risk landscape at XYZ Inc. was challenging Linda, the global head of investigations, to adapt. New fraud risks had emerged because of recent acquisitions into new markets and technology updates in the organization. Linda believed XYZ wasn’t prepared for the fraud risks. She wanted to gain more business transparency into specific payments to third parties and sales activities of her company’s employees. Her goal was to innovate, but where should she start? As William Gibson, a well-known science fiction writer said, “The future is already here — it’s just not evenly distributed.”
Merriam-Webster defines innovation as “the introduction of something new” and “a new idea, method, or device.” However, Merriam-Webster misses the boat because not just anything “new” will add value or help solve business problems. Jay Sonbolian, an EY principal who leads its Forensic & Integrity Services innovation committee, thinks of innovation as, “The art of making hard things easy, and creating value and risk insights where they didn’t previously exist.”
Spiffy technology alone doesn’t innovate
Anti-fraud innovation can differ significantly among organizations. Given organizations’ varying sizes, locations, industries and cultures, an anti-fraud solution at one entity might lead to a disaster at another. No one-size-fits-all approach exists. And no single technology solves all fraud risk problems.
“Organizations can sometimes fail at compliance and anti-fraud innovation initiatives simply because they believe they can just throw technical resources at it and be successful,” says Matt Galvin, vice president of ethics and compliance at Anheuser-Busch InBev (ABI). “The reality is that a whole host of people and business dependencies — relationships between conditions, events and tasks — need to exist for innovation to take hold, well before any kind of technical approach can even be defined.
“Technical approaches will always fail without defined goals and strategies, ownership and commitment,” Galvin says. “People, when excited about the latest technologies, can oftentimes ignore the simplest compound question, ‘What are we really trying to accomplish and why?’
“ABI’s compliance initiative and compliance monitoring platform, code-named ‘BrewRIGHT,’ formalizes and prioritizes innovation around a global team known as the ABI Fraud Squad. Using their BrewRIGHT analytics platform, the Fraud Squad team continuously monitors business transactions and investigative activity across the organization while the BrewRIGHT platform performs machine learning and continuous improvement techniques to constantly refine their models,” Galvin says.
“In the BrewRIGHT data analytics platform, for example, the Fraud Squad team evaluates the relative risk scores of high-risk entities based on due diligence, transaction activities and other factors, then puts them through a triage process where the Fraud Squad team can quickly address and remediate risk issues.
“For example, when a high-risk payment hits on certain risk triggers — such as an urgent payment, sensitive keyword description or an anomalous amount — Fraud Squad team members then link the risk-scoring model to that particular vendor or those employees,” Galvin says.
“Further, when team members determine the high-risk payment is improper, they update the model to continuously improve the reporting output to find similar high-risk transactions,” he says. (See the “Innovation Update” column, You can’t monitor what you can’t measure, Fraud Magazine, March/April 2018.)
Let’s now talk about some of the generally consistent innovation frameworks across organizations. Let’s also explore the process that many companies are taking to operationalize innovation and place it into an anti-fraud context.
Organizations, when they develop new products, commonly use the “innovation funnel” to evaluate ideas. An internet search of innovation funnel will give you many examples and variations. See one example below.
The first step is to ingest numerous ideas from disparate corners throughout the organization at the broadest opening — often called the ideate or ideation phase.
A cross-functional committee of stakeholders evaluates and refines an idea as it goes through the narrowing passage of the funnel — the evaluation phase.
As the passage narrows further, the organization develops product plans and all stakeholders commit to them and sign off — the acceleration phase. Prior to release is the incubation phase of product development through “sprints” and quality control.
Finally, the newly created innovation is released to the teams with accompanying training — the iterationphase.
Linda uses a compliance monitoring solution to innovate
Using our introductory case example, how did Linda — the global head of investigations — implement a new, innovative anti-fraud monitoring solution and adapt it to a changing fraud risk landscape at XYZ Inc.?
Ideation. Linda met with her leadership to discuss the strategy of re-evaluating the end-to-end process from fraud detection to mitigation. This included articulating business needs, risk landscape and potential benefits to the business for proactive compliance monitoring.
Linda stressed the need for improvement based on the fraud risk assessment her organization had recently completed and that demonstrated that the systems in place couldn’t meet most of the challenges and risks imposed by the volume, velocity and variety of transactional data flowing through the company.
Linda based her business case for selecting anti-fraud initiatives on five main drivers: 1) increased efficiencies that would help streamline interconnectivity between her compliance department and other co-dependent units (such as information technology, operations, internal audit, human resources and legal), which management believed to be silos that didn’t regularly communicate about fraud risks, 2) increased efficiencies that reduced manual or repetitive tasks in her team’s fraud prevention and detection activities, 3) a measurable improvement in the integrity culture within the organization, such as improved employee communications and anti-fraud awareness, 4) decreased overall IT dependencies such as manual requests to access relevant data sources from IT, manual data entry to run the analysis or expensive and/or overly complex software and hardware requirements, 5) demonstrated fraud recoveries, such as stolen assets (e.g., in the form of travel and expense fraud, detection of improper payments, theft of data or other physical assets, etc.).
Linda also referenced a finding in the ACFE’s 2018 Report to the Nations that shows how the presence of anti-fraud controls relates to the median fraud loss (Fig. 18 in the report). The report shows that when “proactive data monitoring and analysis” were present, the median fraud loss was $80,000 as compared to $165,000 when the controls weren’t in place.
XYZ Inc. experienced more than 25 substantiated occupational fraud investigations the previous year. The median loss of $165,000 per incident equates to $4.125 million ($165,000 x 25) in financial losses as compared to $2 million ($80,000 x 25) if proactive data monitoring and analysis controls were in place — a savings of $2.125 million.
Consultation, RFPs, obtaining support
After upper management’s initial approval, Linda consulted with a broader group of potential future internal cross-functional stakeholders — including legal, IT, operations, HR and others — to gather information about their needs and dependencies and begin engaging them in the process.
She also sent requests for proposals (RFPs) to several outside service providers — mostly consultants with deep experience in fraud examinations, forensic data analytics and data science.
Linda understood that innovation fails when it’s only based on technology rather than driven by business principles. So, she was successful in obtaining support from key business stakeholders and process leaders, such as the heads of procurement, internal audit and information technology. With their support, she also obtained commitment from her boss — the general counsel — to proceed to the evaluation phase for three anti-fraud innovation scenarios in which XYZ:
Uploads transactional data to a secure third-party, web-based platform for analysis.
Licenses third-party software in-house and engages an outside consultant with relevant IT and anti-fraud expertise to manage the process.
Purchases an external third-party software license — or a combination of multiple licenses — and related IT hardware and deploys the monitoring solution itself.
Evaluation. As Linda and her team consolidated information from the RFPs and her internal stakeholders, she scheduled quick “scrum meetings” (frequent but short gatherings to discuss key tasks and progress) with her cross-functional team — comprised of employees from various departments — to discuss potential anti-fraud scenarios and test designs to refine strategies and goals.
Linda, her leadership and cross-functional stakeholders decided on a short list of ideas based on the above three scenarios. They then documented the next steps, assigned roles and responsibilities, and discussed how they could formulate a pilot project for each scenario, which would include both internal and external resources.
Acceleration. Linda considered the five key performance indicators in the ideation phase to build her business case. Based on that case and return-on-investment considerations management granted initial approvals, and the development plans commenced.
The project design occurred in the acceleration phase. As we’ve said, development isn’t limited to technical elements but begins by asking business-risk and fraud-risk questions and then expands into such areas as change management, process improvement, training and documentation. The work products include back-end database systems’ flowcharts, design of anti-fraud testing procedures and mockups of reporting dashboards.
Incubation. This is where the rubber meets the road for the team in a sequence of “drag race” development initiatives called “sprints.” Linda took the lead in managing the process complemented by a strong project manager who directed the daily tasks and scrum meetings.
After two months of two-week development sprints, which included quality analysis, the team created a working prototype of a procure-to-pay (how vendors are paid through accounts payable), travel and entertainment, and a sales monitoring analytics platform that addressed various anti-corruption, asset misappropriation and financial misstatement fraud schemes.
Iteration. Finally, the organization implemented the plans. The cross-functional team rolled out the new system in three months with the assistance of its IT resources to ensure proper testing and functionality. During that time, stakeholders explained the solutions to their teams via hands-on training and related how-to written documentation.
Over the next six months, Linda’s efforts began to pay off in the form of increased business transparency into high-risk payments, vendors and employees — particularly in the newly acquired markets.
In one case, her team identified a business-unit manager in an emerging market country that was bypassing significant controls including third-party due diligence efforts. In another case, her team saved tens of thousands by not having to travel to distant locations for investigations because they gathered all the evidence they needed from the analytics platform system so they could conduct phone interviews and form an actionable conclusion. Finally, Linda’s anti-fraud innovation efforts allowed her to be more proactive in her fraud risk program rather than always reactive to negative events or allegations of misconduct.
No cookie-cutter methods
There’s no one-size-fits-all approach in anti-fraud innovation particularly when it comes to data analytics and compliance monitoring. But this five-phased, innovation-funnel approach used in traditional product development might help your legal, compliance and anti-fraud compliance teams in operationalizing the process of innovation so that you, too, can be more proactive in your fraud prevention and detection efforts.