Too bad the ‘fraud triangle’ endures…
Despite having been torn down or to pieces, or whatev’… and some handy pages helping you out. To see that when you use those words often, they may not mean what you think they mean … [anyone see the pleonasm in this page’s title ..?]
The classical fraud triangle is presented as if all three factors may have to be present at any one (sic) time, to ‘have’ fraud committed. However, on even the slightest closer inspection, one sees that this wasn’t in the original ideas. If you read the above first link, it will show that a. it was about social psychology; b. “for embezzlement to occur, there must be: 1) a non-sharable problem, 2) an opportunity for trust violation and 3) a set of rationalizations that define the behaviour as appropriate in a given situation. He [Sutherland, stealing (sic, ominously) from the inventor Donald Cressey … What 1. did he have to use his position (2.) and what 3. …? Oh of course, the 1. was pressure to publish and/or make a name; ed.] wrote that none of these elements alone would be sufficient to result in embezzlement; instead, all three elements must be present.”; c. it wasn’t about a triangle.
The fraud triangle is near-always brought to bear when ‘fraud’ is in play, which invariably makes the case be stolen (sic) by legalistically inclined pundits that know of no ‘intent’ or such vaguenesses but want to deal with Actions only as the thing to sue against since the law knows (forbids) no psychology, only the results in action(s).
To focus only on the legal, only-actions-count kind of factors is somewhere on the bandwidth of naive-to-guilty-by-omission. Both ex ante, in the preventative work, and in the ex post, detective, corrective and (actor and victim) improvement work. But the legal angle does bring an interesting thing, being the demonstration in law that total security is a pipe dream and welcome to reality. Some countries have acts of law that make committing a crime a crime itself. Seems like in breaking such a law, either one goes down an Alice’ian rabbit hole of infinite recursion or Russell’s paradox is in play. Only demonstrating the sheer incompetence of some (the involved) lawmakers, that they fell for such a practical joke by their colleagues. We may hope. Turning the culprits [hey there they go ..!] into http errors 418 (Russell’s ones of that, too). If you now lost me in the subcultural references, join the club that will have, nay already includes, me…
End of intermission
This is not totally wrong but leaves the vast majority of anti-fraud work on the table. Since so much about what one can ‘do’ against fraud and its opportunities lies within the realms of both (sic) the psychological side of things, and the operational side. As will be depicted below: Those are the two sides. There aren’t three.
Practically, most current approaches use an ORM lens to focus on Opportunity — with a handful of side initiatives (one per global organisation …!) also taking ‘awareness’ or ‘motivation’ into some consideration.
As far as staff (bound to obey through livelihood dependence (however loosely or choke-tightly…) on continued employment – bondage isn’t just some people’s preference but mostly throughout humanity, what the masses revolt against) are sent to ‘training’ which psychologically is group punishment for individuals’ perceived faults and hence will backfire, or are ‘nudged’ i.e., brainwashed with surreptitious poster campaigns et al, which will backfire once people see that their minds are attempted to be corrupted (sic), such campaigns are at best window dressing which seems to be called ‘greenwashing’ nowadays for all forms of this. At worst, they backfire spectacularly into widespread counteractions. If you don’t trust me, a. I have zero reason to trust you, b. I will show you how I will out-master you in the take-what-you-can game ..! Yes when you go around basically suspecting all employees as a fraud risk, you’ll get the results you were nervous about much beyond your wildest dreams.
End of intermission
And this ORM side is oh so often badly, very badly executed. Remember the atrocities of “3 Lines of Defence” of yesteryears …? Your children will not believe you ever believed in that sh.t. Yes it’s bad; the closer one gets to those that pipe dream of their authority received through pursuing the kindergarten ‘logic’ (not) of 3LoD crossed [wanted to say: ‘squared’, but proper application of that would be beyond comprehension to the followers, fellow travellers] with lack of clue about how meshes of control objectives and controls, are not effective at all. Improvements have been proposed, but are hardly even noticed.
A lot of time, a lot of insightful stuff regarding employees is apparently missed. Even when from a Master, who finds his masterpiece (among a number…) apparently ignored by the vast majority of the ones that should par excellence have memorised the messages from it. Which can most partially be summed up by the following:
and would include reference to:
plus, one could throw in a picture on Knowledge–Attitude–Behaviour–et al:
From which one can deduce [c’mon, it’s hardly hard ..!] that there’s much more to life than just rote work, robot-style “compliance” (quod non), and that you’d better know and use that others do care about more than your petty little behavioural expectations. They bring in the money, not you… (?)
By the way; the actors are ‘always’ present — at least their internals (as above) are, 24/7 so you better deal with that also on a somewhat more continuous basis than the annual let-the-secretary-click-the-right-answers-for-you online “training” thingy.
As if the stuff you have in place, would or even could work. Dependent as you are on heat map reports … I need not say more on the subject than before, over and over again (apart from this link-summary) or dwell on the Controls issue that would take libraries to get out of your cargo cult systems [yes you are this primitive…!!]…, or it would be that there’s news in this town; a sort of Christmas gift move to the blindsided.
In short [not]: What you have today, in terms of risk management (or even only ~analysis) or ‘(sets of) controls’, is a shambles to put it as mildly as one can. Being ignored by the ‘1st line’ for the actual RM1 and RM2 in particular, shows they see the folly of the whole 3LoD thinking with the fooly (sic yes I made that an expression by using it) of the 2nd line above all. Just be happy you’re ignored, can continue to reap the budgets that you do [hint: any budget not well spent is a direct write-off loss so maybe not complain for not getting enough as you might poke up a sleeping bear…] and are tolerated for stupid-compliance reasons only.
And note that in the overall fraud threesome [the originals never made it a triangle, that was for those who didn’t quite ‘get it’ in order to impostorsyndrome themselves out of it with a Powerpoint pic avant la lettre], Opportunity seems to be something that normally isn’t there but suddenly presents itself. [Motivation and Rationalisation are apparently considered to be present for much longer, as they need ‘preparation time’ to mature to a usable (sic) level when called upon by the sudden appearance of the O.] Which is contrary to everyday business operations of course. Which is also where one would start to fix things but see that countering the psycho half (sic) is as much a part of daily ops [so, not ever project-based – though 15, 29 and 32 of this] as daily ‘controls’-compliance ops / ORM is.
What to do, then …?
- Do some serious (O)RM [almost all RM is O-RM ..!!], that on the Threat side deals, aside from Acts of Nature and Acts of Man – Unconscious/accidental-style, also with Acts of Man – opportunistic-threat stuff. Plus, includes the ‘risk management’ done at the Actor side (like here). And, works through a portfolio management framework like here. Even including this, preferably, to bring down resistance which so far is far from futile [or it wouldn’t have existed anymore; see how total-society-uprooting-threatening your current approaches by the responses seem to have been]. Realise, too, that each and every ‘control’ introduced, brings new vulnerabilities and maybe you’ve gone beyond the optimal already and create more vulns than you ‘solve’.
- Do all the things against the Actors, permanently. ‘Against’ as in: Not distrust everyone as Guilty until (like, never) proven innocent, but the other way around — facilitate freedom until your pension [a number of latter-day links to papers in/of e.g., HBR, McK (if one can still trust them now they’re so exposed as required-results-report-for-sale cheapos), Quartz, Longreads, Medium, Tilda et al bring a bit of news to this scene; study the definitive materials as they can help from Old School / 2nd-Wave and counterculture-anarchy [not quite so much, if you study that link ..!!] organisational frameworks clashes to synthesis into the 3rd Wave ideal form of the future mixing needs and freedom in suitable mixes].
See, this should have been in place all along. Conclude that you brought about fraud by your own ‘leadership’ [don’t get me started on that oh now you did! See: I meant lack of…] of micromanagement which is your only resort when all else, like any true understanding of ‘management‘, wasn’t present. Also, take note of this, and realise that diversity in your organisation doesn’t (only) increase diversity in threats but much more increases chances that deviations get noticed; if all eyes look at/for the same things they’ll miss most of the important (sic) deviations but when the focuses and angles differ, full coverage comes much closer much easier, automaticallier ;-/ just like two antimalware scanners cover more than one.
- Use all the new info you can get your hands on [for a start: the above links and where they lead you; should I add: in particular when off this blog…], and throw in some elaborate program on the quantitative side (Nassim Taleb, Vose, to name two ends to a scale) but also on the cultural side (these here couple of pundits (huh) provide a nice introduction and some links-from) — and continue to use the stuff you’ve interpreted from the above pics on how people work, internally. Let’s also include phrases like ‘Monte Carlo simulations, tornado charts et al.’; ‘AI/ML for modelling, visual-, text- and speech- semantical processing, prediction, and outlier detection’ in the mix. Any suggestions of what may be added here?
Anyway. Let’s just not talk of ‘fraud’ triangles ever again, ‘kay ..?
Now, finally, for your viewing pleasure:
[Strategy (which is execution, as in this) and detail a beautiful picture makes; Hilversum]