Fraud intel gathering: Prevent, Detect, Respond
Some of you may remember former US Secretary of Defense Donald Rumsfeld’s speech about “known unknowns and unknown unknowns.” It was widely parodied but stuck with me. Managing integrity risks often falls into this gap.
During a project earlier this year, someone said (paraphrasing), “We get reports on emerging money laundering and consumer fraud scams, even cyber. Why don’t we get the same for corruption and other fraud areas?” That’s a gap we may look at plugging. But first, let’s take a step back and look at where the intelligence for those reports comes from:
Prevention:
🚦 Lateral thought (e.g. ‘red teaming’ and penetration testing)
🚦 Threat models and predictions
🚦 External collabs (the collective intelligence in fraud is high)
🚦 Multi-disciplinary risk assessments (easy, but rare)
🚦 AI and machine learning predictive analysis
Detection:
🚦 Automated monitoring systems (e.g., analytics)
🚦 Testing (audits, transaction tests, etc.)
🚦 Speak-up channels and attentive staff
🚦 Culture & behavioural analytics (much overlooked)
🚦 Good old ‘four eyes’ and management review
Response:
🚦 Lessons from others (see re: Macy’s below)
🚦 Near misses root cause analysis
🚦 Alerts from external parties (customers, cops, etc.)
🚦 Crisis management simulations and training
🚦 Continuous improvement
These lists are not exhaustive, and not every source is accessible to every in-house risk, compliance, or legal team. However, some will be. By drawing on them, we move away from the depressing picture in our Fraud Prevention Scorecard data, where no respondent rated their “organisation’s ability to adapt fraud prevention measures to new threats” as adaptable or highly adaptable.
As we start to move unknown unknowns to known unknowns, they can more quickly become known (and then managed, transferred, mitigated, or avoided). The crucial bit is what I discussed last week: we need to communicate about fraud threats and risks. We must move fraud from “unknown, don’t care” to “known and care” with our colleagues and broader stakeholders.
Which prevent, detect, and respond methods work for you? Which ones do you not understand (yet)? If you want to discuss them, you know where to find me…