Fraud Symptom 10 – Lapses in Information Assurance

The 2011 Panda Security report titled “The Cyber Crime Black Market: Uncovered” discusses the way crime organizations work to steal data and conduct frauds. The report mentions the going rates for bank customer data: credit card information is sold for between US$ 2 and US$ 90, depending on the nature of the card and the information. European card details attract a higher price than those from the US and Asia. The report describes the roles of programmers, distributors, tech experts, hackers, fraudsters, cashiers, mules, tellers, and social engineering experts. They all have a role to play in the crime scene and collaborate to conduct high-level frauds.

In light of the increasing threat of cyber crime, information assurance plays a critical role in organizations, especially financial institutions. The media regularly reports cases of cyber attacks, which provide an external perspective. However, the foundation for sound information security is laid within the organization. Any lapse in this area signifies a high risk of fraud. Here I give some examples of how to identify such issues, excluding the regular network breaches.

1.  Commitment to Information Assurance Policies and Procedures

The first indicator of lapses in information assurance appears on evaluating the information assurance policies and procedures. The questions to ask are: do they cover all sources of data leakage, do they monitor exceptions, how well are they implemented, and are regular audits conducted to ensure adherence?

To illustrate, I had once prepared an information assurance policies document for an organization. According to my estimate, on approval of the document, the implementation time was three months. However, to my surprise, management did not approve the document for over a year, despite repeated reminders on the high exposure to information risks. I subsequently discovered that some senior executives were conducting frauds and laying the blame on the juniors. Their problem was that if the policies were implemented, they would not have easy scapegoats.

2.    Level of Application Controls

Most organizations still lack focus on application controls – the basic input, processing and output controls, and access controls. Access to critical information is too easily available, and hence the information can be stolen.

For example, in one case I had found that a VISA card application could be accessed by the employees working on the process from their homes or any internet café. Interestingly enough, all the customer information on the cards was visible outside the office premises and machines.

In another case, a MasterCard processing application of a bank had no input controls and no verification controls on the amount. The employee could pass a transaction for US$ 5 million when the real amount might be just US$ 5. The whole transaction was processed without verification checks, and the only control available was at the MasterCard office.

3.    Back-end Logs

From a fraud detection perspective, back-end logs are crucial. They record which employees accessed which accounts, the transactions conducted, and the whole trail of activities. Analyzing the logs helps in identifying suspects.

However, some companies offer the odd logic that maintaining back-end logs is expensive; hence, they do not keep them. With cheap data storage facilities available, such organizations are losing the best tool available to them for fraud detection.

The second risk with back-end logs is that the information security personnel can play havoc with them. For example, if they have participated in a fraud, they can remain undetected. The simple process employed by deviant information security personnel is to download the back-end log, tamper with it to remove their own access trail, and in its place put some other employee’s information. This way, when the fraud is investigated, the other employee becomes the suspect.
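The control that defeats this kind of tampering is a tamper-evident log: each entry carries a keyed hash (HMAC) over its own fields and the previous entry’s tag, and the key is held by someone other than the people who administer the log. The example below is added here to illustrate that control and is not code from the original post or from any product; the log format, field names, employee IDs and the key are constructed for the demonstration.

```python
"""Tamper-evident back-end log: an HMAC chain over access records.

Rewriting one entry (e.g. swapping the insider's ID for another employee's)
or deleting an entry breaks the chain, and verification points at the first
entry that no longer matches. Constructed example; not a real bank's format.
"""
import hmac
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In practice the verification key is held by a separate
# custodian (audit committee / fraud team), NOT by the log administrators, so
# that a tamperer cannot simply recompute the chain after editing entries.
VERIFY_KEY = b"constructed-demo-key-held-outside-it-security"
GENESIS = "0" * 64  # tag that precedes the first entry


def _entry_tag(key: bytes, prev_tag: str, entry: Dict[str, str]) -> str:
    """HMAC-SHA256 over the previous tag and a canonical encoding of the entry."""
    # sort_keys + fixed separators: field order cannot be used to hide a change
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + "|" + payload).encode(), hashlib.sha256).hexdigest()


def append_entry(log: List[Dict[str, str]], key: bytes, **fields: str) -> Dict[str, str]:
    """Append one access/transaction record, chained to the previous record."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = dict(fields)
    record = {**entry, "tag": _entry_tag(key, prev_tag, entry)}
    log.append(record)
    return record


def verify_log(log: List[Dict[str, str]], key: bytes) -> Tuple[bool, Optional[int]]:
    """Recompute the whole chain. Returns (ok, index of first bad entry or None)."""
    prev_tag = GENESIS
    for i, record in enumerate(log):
        entry = {k: v for k, v in record.items() if k != "tag"}
        expected = _entry_tag(key, prev_tag, entry)
        if not hmac.compare_digest(expected, record["tag"]):
            return False, i
        prev_tag = record["tag"]
    return True, None


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed back-end log: who accessed which account, and when."""
    log: List[Dict[str, str]] = []
    append_entry(log, VERIFY_KEY, ts="2011-03-01T09:02:11", user="emp0412",
                 action="VIEW_ACCOUNT", account="ACC-1001")
    append_entry(log, VERIFY_KEY, ts="2011-03-01T09:05:40", user="secadmin07",
                 action="EXPORT_CUSTOMER_DATA", account="ACC-1001")
    append_entry(log, VERIFY_KEY, ts="2011-03-01T09:07:03", user="emp0412",
                 action="VIEW_ACCOUNT", account="ACC-1002")
    return log


def reattribute_entry(log: List[Dict[str, str]], index: int, new_user: str) -> List[Dict[str, str]]:
    """Simulate the tampering described in the post: the insider's access trail
    is rewritten to name another employee. The tag is left untouched because
    the tamperer does not hold VERIFY_KEY."""
    tampered = [dict(r) for r in log]
    tampered[index]["user"] = new_user
    return tampered


def delete_entry(log: List[Dict[str, str]], index: int) -> List[Dict[str, str]]:
    """Simulate removing the insider's entry outright; the next entry's tag
    was computed over the deleted tag, so the chain breaks there."""
    return [dict(r) for i, r in enumerate(log) if i != index]


if __name__ == "__main__":
    original = build_sample_log()
    print("original:", verify_log(original, VERIFY_KEY))
    print("reattributed:", verify_log(reattribute_entry(original, 1, "emp0412"), VERIFY_KEY))
    print("deleted:", verify_log(delete_entry(original, 1), VERIFY_KEY))
```

Verification should be run by the key custodian over a copy of the log forwarded to write-once storage outside the control of the IT and information security teams; that is the segregation of duties the recommendations below call for.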

These are just a few examples on how lapses in information assurance increase the risk of frauds.


To ensure that the organization is adequately covering information assurance risks, do the following:

a)  Implement information assurance policies and procedures.

b)  Put a system in place to regularly monitor adherence and address exceptions.

c)  Conduct ethical network hacking to assess security vulnerabilities.

d)  Review all critical applications for controls and mitigate the major weaknesses.

e)  Segregate the duties of information technology and information security personnel to ensure that they do not tamper with the applications. Build in checks to monitor their activities.

f)  Investigate all breaches and incidents to determine the root cause and make the environment more secure.


The Cyber-Crime Black Market: Uncovered by Panda Security


Fraud Symptom 9 – Ineffective Internal Audit Function

The 2010 Report to the Nations on Occupational Fraud and Abuse issued by the ACFE mentions that 40% of frauds are detected by anonymous tips from hotlines, 15% by management review and 14% by the internal audit function. Secondly, the report categorizes fraud into three types. It states, “21% were caused by asset misappropriation schemes, 11% by corruption and 68% by fraudulent financial statements.” This clearly highlights the importance of the internal audit function in preventing and detecting frauds, especially financial statement frauds.

Additionally, the report states: “The median duration — the time period from when the fraud first occurred to when it was discovered — for all cases in our study was 18 months. Not surprisingly, cases involving financial statement fraud — the most costly form of fraud — lasted the longest, with a median duration of 27 months.” That is a long time, and during this period an internal audit function would ideally have done at least a dozen audits on various aspects of the financial statements. So the question arises: why does the internal audit function fail to detect frauds?

1.    Organization Reporting Structure

The internal audit head reports to the Chief Financial Officer (CFO). Now, in the majority of financial statement frauds the CFO is involved. Hence, in all probability, even when internal auditors are aware of the wrongdoings they will not report them to the CEO.

The second situation is that the internal audit head reports to another business head and not to the CEO. In this case a similar situation arises, as the internal audit head is under the control of a business head. If the business head is perpetrating frauds, nothing will be reported. The ACFE report states: “High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.”

Hence, in such scenarios the CEO, Board and Audit Committee are unlikely to have fraud cases reported to them.

2.    Collusion with Business Teams

Auditing is a thankless job and auditors rarely win a popularity contest. The audit report is a proverbial hot potato – too blistering to handle. On the flip side, if auditors are winning popularity contests, they do so by issuing nice and sweet reports with no serious observations.

In such situations, the audit teams compromise their ethics and independence to cater to business teams and their own personal agendas. Though the role of the internal audit function is to inform senior management and the audit committee about serious breaches and wrongdoings, the auditors do not report such instances. The internal auditors’ job is to identify discrepancies and challenge business teams to provide appropriate explanations and evidence. Instead, they collude with the business teams to hide the serious discrepancies and observations, and report only low-category/low-impact findings to senior management.

3.    Lack of Technical Skills

Auditing is a specialized skill and not everyone’s cup of tea. The learning curve to reach a reasonable level of proficiency is steep. In India, experienced chartered accountants generally lead the internal audit function in organizations. However, the catch is that either the team or its head may not have sufficient experience in conducting highly technical audits or detecting frauds.

The issue is so critical that the US PCAOB “requires independent auditors to evaluate the fraud-related activities of an internal audit function on an annual basis. If this evaluation finds an internal audit function to be deficient, the independent auditor must, at a minimum, issue a finding of a significant deficiency to the audit committee. The auditors must issue an adverse opinion if they conclude that the deficiencies rise to a material weakness.”

However, it is extremely rare for an external auditor to report the deficiency and/or for management to conduct an independent review of the function.


a)    Management must evaluate their commitment to internal audit and overall risk management functions. To do so, they can do a quick run through the 15 points mentioned in the post “Senior management commitment to risk management functions.”

b)    Big 4 and other audit firms conduct reviews of internal audit functions to determine their competency and effectiveness. If management wishes to improve the function, it is advisable to benchmark it against the best practices followed in the industry.

c)    The quality of the reports submitted by the internal audit function needs to be evaluated. Normally, no news is good news. However, the same cannot be assumed for internal audit reports. Depending on the industry, each organization faces certain inherent risks. If these are not being reported to senior management, then the likelihood of the internal audit function collaborating with business teams to hide facts is high.


2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE


Fraud Symptom 8 – Breaches of Internal Controls

The Enron case highlighted that inadequate internal controls cause huge damage to an organization. Subsequently, Section 404 of the Sarbanes-Oxley Act made it mandatory for organizations to implement good internal controls. However, don’t view internal controls in isolation from the organization culture. As I have mentioned before, the internal controls of an organization are only as good as its culture. The probability of a breach of internal controls is higher in negative cultures. (Read Impact of Organization Culture on Internal Controls.) In this post, though, I am focusing entirely on internal controls without linking them to the organization culture.

As the organizations expanded and grew, their focus on internal controls diminished. When we consider the bigger fraud cases (Enron, WorldCom, Barings, etc.), the organizations’ management committed one or a combination of the following mistakes.

a) Management stopped old control systems without introducing new control systems.

b) In some cases, management continued to use old systems without conducting a review to assess their reliability and usability.

c) On the other hand, in some companies management relied on new systems without assessing their accuracy and timeliness.

d) Lastly, management assigned roles and responsibilities without segregating duties and defining clear reporting lines.

In a nutshell, one can say that management lacked focus on implementing internal controls. Due to these weaknesses in the internal control systems, management and auditors failed to detect frauds committed by employees. The KPMG India Fraud Survey 2010 stated that 75% of Indian organizations had experienced fraud. It further mentioned:

“Supply chain fraud (procurement, distribution and revenue leakage) is the single most exposed area. Weak internal control systems, eroding ethical values and a reluctance on the part of the line managers to take decisive action against the perpetrators are cited as the most vital underlying reasons for frauds being on the rise.”

So let me start with the ways lapses in internal controls in the purchasing process can result in huge fraud. The Commonwealth Games fraud depicts the methods that are used to tamper with the purchasing process. Here are some examples, which apply to organizations:

1.    Contracts awarded without ensuring reasonableness of requirements – The basic premise of issuing a purchase contract is that there is a business requirement for a specific good or service. Breaches of internal controls occur when employees create unnecessary requirements to favor a certain vendor. To illustrate, in India the terrorist threat is high; however, there has not been any major incident of office premises being targeted. Now let us say the physical security team plays on the nerves of senior management, since security is essential, and creates many unnecessary requests for equipment – for example, requests for automobile-blocking ramps at gates, which may not be used in any other offices. Now each installation costs lakhs, and the physical security team gets kickbacks from the vendor for the contract.

Another way of circumventing the controls is to order in excess of the requirement. For example, the organization needs 100 units of product X and the order is placed for 200 units. Since the business requirement is met, the excess stock will be ignored. The concerned employee can either get the excess stock delivered outside the office for personal use or, if it is delivered to the office, steal the stock later on.

2.    Contracts awarded without ensuring reasonableness of rates – Normally the bidder with the lowest rates and best quality gets the contract. Multiple vendors are invited to submit quotes. However, the purchasing team can easily breach the internal controls with false paperwork. Let us say that vendor X quoted the most reasonable price for a product, but the purchasing team has tied up with vendor Y. It simply discards the documents submitted by vendor X and produces two additional sets of bidding documents in which vendor Y is reflected in the best light.

3.    Payments made without receiving goods and services – The purchase contract states the payment terms. Advance payments amount to 10-20% of the total purchase price. The payments team in the finance section can contravene this control by making advance payments of 70-80% of the contract value without receiving any goods or services. This affects cash flows and the company loses interest income. The other risk is that if the vendor subsequently supplies sub-standard goods or services, the company does not have many options for negotiating fair terms with the vendor.

4.    Contracts terminated on flimsy grounds – Most organizations invest significantly in vendor relationships, since good relationships result in lower costs and better quality. However, to meet personal agendas, employees can get contracts terminated on flimsy grounds. To illustrate, let us say the physical security team evaluates the security contract for the premises, inclusive of guarding services. If the same security vendor provides services in all office locations of the organization, the cost will be lower, since the vendor has economies of scale. However, the physical security team approves contracts with different vendors for different locations and terminates the contracts on a yearly basis without renewing them. The reason behind it is that the physical security team gets a kickback for every fresh contract.

5.    Fake purchase contracts issued – In the worst-case scenario, employees can issue fake purchase contracts to vendors to meet personal expenses. For example, let us say a physical security team has a budget of XXX for securing the organization. On the face of it, the team issues a contract to a guarding agency to protect an office premises. In reality, however, the contract is given to spy on and harass other employees. In such cases the organization suffers huge costs, as it is difficult to identify the true purpose of the contracts.


There are some key lessons to learn for senior management from these corporate disasters.

a)    Firstly, review process controls on acquisition of a new company, business or process. Conduct an independent review of controls to assess the vulnerability.

b)    Secondly, create new job descriptions with clear lines of responsibility and accountability. Remember that segregation of duties is essential for effective control. If employees have been in the same positions for a long time, rotate them to ensure they don’t get too comfortable in their positions.

c)    Monitor results through key performance indicators, exception reports and budget variances.

d)    Appoint independent external auditors (big four or other reputed concern) to evaluate the controls.

e)    In the case of purchase contracts, audit the suppliers to determine the authenticity of the contracts.

f)    Conduct interviews with employees, consultants, contractors and subcontractors to assess whether kickbacks are being paid or received while entering into contracts.



KPMG India Fraud Survey Report 2010


Fraud Symptom 7 – Ineffective Human Resources Function

Every organization wishes to be a great place to work, as it can then attract and retain the best talent. Every employee wishes to work in an organization that has a good work culture, as s/he gets fair treatment, growth opportunities and remuneration. In this one aspect, management and employees are in complete agreement, as it benefits both. The key player in achieving this goal is the human resource function. However, an ineffective human resource function can cause the most damage, not only to the achievement of business targets but also by increasing fraud risks.

As I mentioned in the earlier post “Employee Disengagement Risks”, as per the Blessing White Employee Engagement Report Survey 2011, in India 37% of employees are engaged and 12% are disengaged. According to surveys conducted by LSA Global Learning Solutions, “lower employee engagement scores result in: 12% lower profits, 19% lower operating income and 28% lower earnings per share.” The Kroll Global Fraud Report 2010 states that in India, in 48% of the cases, the key perpetrators were employees. Hence, the question that needs an answer is: how does this increase fraud risks?

1.   Recruitment & Selection Process

The human resource department (HRD), along with the business teams, is responsible for the recruitment and selection of resources. In India this becomes especially critical, as human resource survey reports indicate that 25%-30% of candidates submit fake or inaccurate resumes. The second aspect is that with the increase in financial crime and terrorist threats, the organization becomes more vulnerable. Organized crime groups infiltrate companies to give cover to their sleeper agents. Financial institutions are the most vulnerable, as understanding the systems also helps the crime groups in money laundering and organizing funds for their activities.

Under such circumstances, the HRD role is critical. HRD is responsible for background checks of the candidates. Any lapses in the process can cause high risk to the organization. Here are some examples of what can go wrong:

a)   Hire people for critical positions without verification – For example, risk management functional heads and second-in-command positions are critical. They are subject to stringent checks. Without background verification, they shouldn’t be hired. In one organization, my superior was hired without any verification whatsoever. When his name was announced, being a nosey parker, I did an independent personal verification and was quite amazed that he was hired, since his professional background didn’t fit. I decided to give him the benefit of the doubt and see for myself. Within a week of his joining, I knew that he didn’t even have the fundamentals of the areas I was managing. I thought he knew about the other areas of the department. My colleagues in that area informed me that he was clueless about their area too. There was absolute chaos in the function, because he refused to take responsibility for any work whatsoever.

b)  Hire people for critical positions with insufficient verification – For example, an executive assistant was hired for a senior manager without checking criminal records. She had previously been involved in a high-profile data theft case. On investigation, it was found that the vendor conducting background verification for the organization didn’t even have an office in the city. The vendor was just generating verification reports with superficial checks.

c) Hire people knowing they have submitted false information – For example, in one case I found out that the new candidate was a plant by someone, most probably with the knowledge of the local HRD team. The employee was subsequently found to be involved in a huge fraud.

Hence, if the HRD team looks the other way or doesn’t put effective measures in place for background verification, things can really go wrong for the organization. The fraud risks increase quite significantly.

2.   Working Environment

As I repeatedly say, organization culture makes or breaks the organization. Employees work best in an environment that is free and fair. Even perceived unfairness by senior managers can cause the work culture to deteriorate. UK and US studies show that nearly 50% of employees report having been bullied. In Asia, where the focus on organization culture is still at a nascent stage, the percentages are higher. HRD has the role of providing a safe working environment. Any lapse on its part can cause a chain reaction in the organization and encourage others to show deviant behavior. Here are some examples.

A senior manager has better relationships with the HR team than the juniors do. I would say that in some contexts the HR team is there to protect the senior managers. However, when it is apparent that a senior manager is unethical and a junior is ethical, HR should ideally arbitrate the disagreement fairly. If it instead knowingly supports the senior manager in forcing the employee to leave his/her job, then the wrong messages are sent across the organization.

The second problem arises when HRD initiates, participates in or encourages top-end mobbing. The report “Women and Workplace Mobbing” by Dr Jocelynne Scutt states:

“The politics of ‘high end’ mobbing are important to fathom, because this type of bullying is generally directed at change makers or change agents. If change agents are halted in their tracks, change will be stultified and the hopes we have for a different world, where bullying, abuse, discrimination, prejudice and bias become of historical interest only will be stymied. The hopes we have for construction of a world where disadvantaged and dispossessed groups are elevated to equality, and the misuse and abuse of power is ended, will not be fulfilled”.

In such a case, the target is an effective change agent, and certain senior managers do not wish the change to occur, since it is against their personal or political agendas. The message sent across is that the target may be attacked, and that the abusers will not be prevented or stopped but will be given protection. In such situations the victim has no recourse to the HRD department, as it is itself supporting the mobbing.

In such situations, the organization culture becomes deviant and aggressive. Employees are concerned about their safety. They face a psychological battle over whether or not to report to others. Read the article “Whistleblowing – The Psychological Paradox” to understand more.

The target employee may leave the organization or may be forced to leave. The situation worsens when the mobbing continues after the employee has left the organization. The employee can be stalked, his/her reputation ruined, and/or negative references given for prospective jobs. If other employees know of such instances (sometimes there is more than one), they are terrified of facing the same situation. Hence, the senior managers responsible for initiating the mobbing prevent the others from reporting to other seniors by way of threats and punishment. The target employee is basically the sacrificial goat that ensures the silence of the others.

This is the worst-case scenario, and the organization faces extremely high fraud, legal and reputation risks.


a)    Organizations must implement policies, procedures and systems for proper background verification of employees.

b)    The HRD function must build a healthy work culture within the organization and maintain impartiality.

c)    If the HRD team is participating in damaging the work culture, in mobbing, etc., the individuals concerned must be terminated.

d)   Organizations must implement an internal whistle-blowing system that is not directly handled by the HRD team.

e)    Senior management must review the whistle-blowing information on a monthly basis and ask the audit committee to independently investigate the reported cases. Investigation reports must be reviewed by senior management.


Identity Theft at Banks

For the last few weeks the news has been that the top banks are making massive job cuts to reduce operating costs. In my view, cutting jobs is a desperate move and not the best way to reduce costs. As a tactic to cut costs, it should be used last because of the long-term repercussions on employee morale, organization culture and performance. Other aspects and line items should be thoroughly explored to determine whether costs can be reduced elsewhere. One of the areas where banks are facing a problem is the increasing amount of fraud, especially identity theft.

I am using the report “Measuring Identity Theft at Top Banks (Version 1.5)” prepared by Chris Jay Hoofnagle to support my argument. Secondly, the Fraud Survey 2010 conducted by SMG Group is relevant. Although the data in the reports is a little old, I recommend both of them as reading for banking industry professionals. Below are some of my points.

To give a backdrop, according to the survey findings 76% of frauds at banks are detected when the customer notifies the bank. This doesn’t reflect very positively on the fraud prevention measures put in place by the banks. An organization has high fraud risks for three reasons:

1)    Senior management is not committed to preventing frauds.

2)    There is insufficient investment in technology and systems to detect and prevent frauds.

3)    The fraud investigation teams are either incompetent and/or deviant.

Chris Hoofnagle’s study states that the biggest banks have the largest problems (page 16). Now this is interesting, because large banks would have the money to invest in technology and systems to prevent fraud. So why are they failing?

On page 20, the graph titled “Top Credit Card Issuers by Volume, 2006” depicts an interesting picture. To quote from the report:

“When the estimated annual events are applied to the top ten credit card issuers according to the Nilson Report, by volume of cash advances and purchases made in 2006, American Express emerges as the least likely to suffer an identity theft event, followed by USAA. While Bank of America ranked highly in overall events, adjusting for credit card volume, Wells Fargo, HSBC, and Capital One emerge at the top.”

See the graph below, which gives the number of fraud events per billion dollars in annual volume. The top 25 banks in the US accounted for 49.9% of identity theft complaints.

A second graph on page 22 compares identity thefts per 1,000 customers across the top 25 banks, including the difference for retail depositors. Again, the top banks are doing badly. See the graph below:

Now, in my view, as most of these are credit/debit card frauds, controls need to be put in place here. Among credit/debit card frauds, the most frequent is “Card Not Present” fraud. This can be through either internet or telephone banking. To actually verify the authenticity of the customer, banks must ask the customer a series of questions – name, date of birth, place of birth, address, etc. Secondly, for cards the additional information needed is the credit card number, credit card holder name, expiry date and CVV number. Now how difficult is that to check and control? Why are fraudsters able to use BIN card-generating software and get away with millions in fraud?

In my view, something is not right. Banks should focus on reducing fraud costs to improve operating profits. What do you say?


Measuring Identity Theft at Top Banks (Version 1.5) by Chris Jay Hoofnagle – University of California, Berkeley – School of Law, Berkeley Center for Law & Technology

2010 Survey Results – The Faces of Fraud – Fighting Back by SMG Information Security

Lessons in Crisis Management from Anna Hazare’s Protest

If you break your neck, if you have nothing to eat, if your house is on fire, then you got a problem. Everything else is inconvenience. ~Robert Fulghum

Last month, Anna Hazare’s fasting protest for the Lokpal Bill showed one thing: the government had no idea how to manage a critical situation. In Baba Ramdev’s protest they got away with a surprise midnight police action and thought that the same approach would work again. It backfired and people were on the streets. The government flip-flopped, screwed up and was red-faced. Their antics not only gave Anna Hazare’s civil society group the upper hand, they also showed that they had no idea what they were doing.


I watched the incident closely and was vastly amused. A small group took on the largest democracy’s government, and the government was on the back foot.

I have managed a number of crises. I am not sure why my bosses selected me – either because in the biggest of crises I never lost sleep, appetite or my sense of humor, and/or because I am single without any liabilities and hence can move anywhere in the world within a short time span, so I could easily be deputed to the crisis location.

Therefore, here are some lessons from the episode which are applicable to any organizational crisis. I have used these on many occasions and vouch that they work.

1.    Don’t press panic buttons

Managing most crisis situations is a psychological battle. The moment the key players on either side panic, that team loses the game. So be chilled out and have fun. This might sound inane, but trust me, it has always worked for me. Even in Hazare’s case, the government team panicked when they prosecuted him. That resulted in their downfall. Hence, stay calm and collected.

2.    Don’t play the opponent’s game

Never ever play the cards dealt out by an opponent. Develop your own strategy and force the opponent to react to it. The moment the opponent is forced to play your game, you have the upper hand. The Civil Society called the shots in the protest; they had the strategy outlined. The government team spent all its energies reacting to it.

3.    Don’t compromise

The moment you show willingness to compromise, you have lost the battle. Stick to your stance and keep the devil-may-care attitude intact. I recall an incident where a bunch of people wished to blackmail my father, since he was in a senior-level position and working in heavily dacoit-infested areas. My father told them to go to hell; he was not paying even five bucks. The blackmailers did not know what to do next.

For this, calculate the worst-case scenario for each consequence of the opponent’s move. In Hazare’s case, the worst-case scenario for the government was that Anna Hazare died fasting. That would have brought on riots and civil unrest. Hazare’s team knew that, and they played the government on it.

4.    Don’t enter the opponent’s territory unprepared

Never ever enter a situation without having all the available information and holding a few aces in your hand. Don’t throw your cards away; hold them as long as possible. In Hazare’s case, the team had worked out the location, logistics, funding etc. The Civil Society ensured that even though the government had a stronghold in Delhi, they got the location for the time period they wanted.

5.    Identify the game changer

Determine which person or situation can make you win or lose the game. If a person is critical for your success, get them on your side. For example, if two sides are battling it out, find out who has all the information and on whom their success depends. Will removing that person from the location make their strategy fall flat? If the opponent doesn’t have the key person or situation to exploit, assess what other alternatives they have. If they don’t have any, you have won the first round. In Hazare’s case, Ex-CM Deshmukh turned out to be the game changer.

6.    Maintain Confidentiality

In crisis situations, don’t use open forums and social networks for discussions. Find a way to communicate confidentially with your few key team members. Give them unidentifiable cell numbers, secure laptops and other communication devices. Ensure that none of the cell phones, laptops, office rooms, etc. are bugged or have spy cameras. In Hazare’s protest, Swami Agnivesh turned out to be a mole. Use only people whom you trust completely from office or personal relationships.

7.    Prepare a crisis management plan

Even for the remotest of risks, identify people who can manage them, either internally within the organization or by hiring external resources. Develop detailed plans for all eventualities. Examples are hiring an attorney for legal risks, a brand manager for reputation risks, fraud investigators for fraud risks etc. In Hazare’s case, the government failed because they didn’t have a crisis management plan.

Closing thoughts

In crisis situations, the leaders and crisis managers need to be emotionally strong to lead the organization through it. In some cases, a small fix can control the external problems; however, a lot of effort is required to control the internal damage to the organization. That sometimes takes six months to a year to resolve issues, make the culture strong, fix the systems, build teams etc. The best way to climb Mount Everest is to start at the bottom and take one step at a time. It is a test of endurance, persistence and stamina to reach the top. In adversity, the tough battle it out.

CAG Audit Report on Air India and Indian Airlines

“Man must rise above the Earth — to the top of the atmosphere and beyond — for only thus will he fully understand the world in which he lives.” — Socrates

I was waiting for the Comptroller and Auditor General (CAG) performance audit report on the Civil Aviation Ministry, which includes the operations of Air India Limited (AIL) and Indian Airlines Limited (IAL). Both airlines, AIL on international routes and IAL on domestic routes, have lost market share in the last few years. The liberalization of the civil aviation sector by allowing private airlines to operate ended the monopoly of the government airlines. The market perception was that this resulted in huge operating losses. However, there is much more dirt. Given below are some of the highlights of the report.

1.    Purchase of Aircraft

The report questions the Boeing aircraft purchasing decisions made in 2004-2005 by the Civil Aviation Ministry. In December 2005, a decision was made to purchase 50 aircraft at a price of Rs.33,197 crore (USD 6871 million). The initial plan in 2004 was to purchase a smaller number of aircraft, and over the period the order increased. CAG has questioned the decision, stating that market demand was not sufficient to justify such a large order. As per the report –

“The increase in numbers does not withstand audit scrutiny, considering the market requirements obtaining then or forecast for the future as also the commercial viability projected to justify the acquisition. The acquisition appears to be supply-driven.”

It further questions the sudden speed shown by the ministry in purchase decisions. It also categorically refutes the assumptions made for the project and states that the costing analysis was improperly conducted. Most of the purchase money was to be funded from debt. The report states:

“This was a recipe for disaster ab initio and should have raised alarm signals in MoCA, PIB and the Planning Commission.”

It has concluded that Ministry of Corporate Affairs (MoCA) influenced this decision.

Lessons for private sector

From a private sector perspective, the observations apply to the purchase department. Purchase decisions made without considering organizational requirements, as a favor to the supplier, imply that the purchase department is receiving kickbacks. Overlooking so many aspects of internal controls means collusion between employees and departments (buyer, purchase and finance departments). Employees may process fake purchase orders for personal expenses. Periodic supply chain audits, covering the purchase function and inventory management, reduce the probability of purchasing frauds.

2.   Merger of AIL and IAL into NACIL

The second mind-blowing statement made is about the merger of the airlines. Here is an extract:

“Based on the records, we are unable to ascertain the detailed justification for, or the background to the “in principle” approval of GOI for working towards the merger of AIL and IAL.”

The report further states that the merger made little sense after such massive aircraft acquisition plans. Besides the timing of the merger, the report mentions that the financial analysis of the proposed merger was insufficient and did not consider ground-level realities. Human resources, maintenance of aircraft, operations, system integration etc. were not delved into deeply for decision-making. The auditors are of the opinion that the decision was made at the top without due consideration.

Lessons for private sector

Experience has shown that in India most mergers and expansion plans are ill thought out. For example, some senior managers propose a location for an office, and the decision is made. A detailed analysis at the operational, financial and market levels is not available. I had mentioned in the fraud symptoms series that mergers without organizational integration and extensive geographical distribution increase fraud risks. Hence, organizations must conduct detailed reviews of business strategies while making decisions that have a long-term impact.

3.   Role of Ministry of Corporate Affairs

The report hasn’t spared the MoCA at all. The ministry will have some answering to do. Here is a line about the Memoranda of Understanding (MOUs) signed by the airlines.

“This skewed the MOU ratings of IAL and AIL to unduly represent a rosy picture of performance. The overall combination of financial and non-financial parameters devised for the MOUs were such as to ensure that the MOUs become a meaningless exercise, rarely (if ever) reflecting poor performance, and ensuring lack of accountability for all parties concerned.”

These are strong statements questioning the validity of key performance indicators, measurement criteria and performance reporting.

Lessons for private sector

The phrase “what cannot be counted, cannot be measured” holds well in respect of performance management. The private sector suffers from the same malaise. Instead of a select few performance indicators, management is bombarded with a trivial many. With the information overload, massaging of data occurs simultaneously. Hence, timely and accurate information about company performance is not available. Management decisions are flawed and reactive in nature. Investing in good business intelligence systems helps to surmount this problem.

Closing thoughts

The report is excellent and, as usual, I am impressed with the independence of CAG reports. The one shortcoming is that the losses were not quantified, as they were in the previous 2G Telecom and Commonwealth Games reports. CAG’s viewpoint is that it was outside the scope of the current audit. I disagree with the statement. If an observation is part of the report, the impact of the loss belongs in it too. Nonetheless, I recommend that fellow risk managers read the report. They can learn a few good lessons.

Corporate Governance in Private Limited Companies

Transparency is often just as effective as a rigidly applied rule book and is usually more flexible and less expensive to administer. – By Gary Hamel

Corporate governance in private limited companies is an often-ignored topic, as it is not mandatory by law. The Companies Act and SEBI Listing Agreement focus on corporate governance aspects of public listed companies. The reason for excluding private limited companies is that they do not have numerous shareholders, hence the risk is considered minimal. I beg to differ. Corporate governance encompasses much more than shareholder rights. It includes the rights of investors, financial institutions, customers, suppliers, employees and society.

Let us first cover the backdrop of the problem briefly. In India, 90% of the companies are either unlisted public companies or private limited companies. Private limited companies fall under three groups – 1) private companies belonging to business families; 2) private companies as subsidiaries of listed Indian public companies; and 3) private companies as subsidiaries of foreign companies.

Corporate governance is limited in the 1st and 3rd categories, as in the 2nd category the provisions applicable to listed companies apply to quite an extent. In the first category, it depends on the owners to take the initiative. The biggest challenge is for the 3rd category, as the holding company’s provisions may not be applicable in India. However, they are applicable in the country of the holding company. If the holding company is listed, then the corporate governance requirements of the relevant country apply. However, quite frequently the focus in the subsidiary company is not the same as in the holding company. These companies sometimes have more turnover and employees than listed organizations. Still, they are not covered in the regulatory ambit.

The Institute of Company Secretaries of India has issued recommendatory guidelines for it. The Companies Bill, presently awaiting parliamentary approval, does cover this. This definitely is a step in the right direction. Organizations must take first-mover advantage to incorporate the provisions in their governance, risk management and compliance programs. I am giving below five areas that they can focus on:

1.     Corporate Social Responsibility

In 2009, the Ministry of Corporate Affairs (MCA) issued voluntary guidelines for Corporate Social Responsibility (CSR). The guidelines discuss key aspects of governance practices that business organizations need to focus on. The policy covers six aspects: 1) Care of all stakeholders; 2) Ethical functioning; 3) Respect for workers’ rights and welfare; 4) Respect for human rights; 5) Respect for the environment; and 6) Activities of social and inclusive development. The policy requires that business entities provide an implementation strategy covering projects, timelines, resource allocation etc.

To communicate their commitment to CSR, organizations can put the policy on their website along with each location’s implementation strategy. This will help communicate the organization’s ethical stance to all third parties wishing to do business with it.

2.    Appointment of Board of Directors

In public listed companies, independent directors are appointed to the board to ensure better governance. Family-owned listed companies and private limited companies are remarkably cagey about the appointment of external independent directors, as they consider it interference and a sharing of power.

Private companies owned by foreign companies generally appoint directors from within the subsidiary organization. Friends and colleagues are appointed, and they form a coterie. Although this is legal, it does influence governance, as the Chairman/CEO loses the benefit of independent viewpoints and unbiased opinions. Boards have two purposes – 1) Act as trustees for the organization; 2) Provide strategic insight to the CEO. Hence, CEOs of private limited companies are in a disadvantageous position in comparison to CEOs of listed companies.

In such cases, it is a good practice to appoint directors from other group organizations. Secondly, if the holding company’s management permits, appoint exceptionally qualified independent directors. Here, management gurus, ethics leaders, financial experts and other professionals can be appointed. The right balance must be maintained to have an effective board.

3.    Rules and Performance of Board of Directors

Unfortunately, board meetings in private limited companies are sometimes held for name’s sake. They are held more to complete the paperwork that meets the regulatory requirements than to have an engaged discussion and chart out business strategies.

To ensure the board members are engaged, the first step is to formulate and implement rules for the directors and define their areas of responsibility. Roles and responsibilities should be assigned according to the qualifications and skill sets of the member. If the board’s skills are not sufficiently diversified, additional members must be appointed. Board members should commit sufficient time to the company. On a periodic basis, their performance against targets should be evaluated by the other board members. The mandate must be to add business value to the organization. It is a good practice to audit yearly the participation of board members in meetings and their respective performance.

4.    Risk Management & Internal Controls

Indian Company Law mandates that all companies, private and public limited, above specified turnover and capital thresholds have proper internal control systems. The external auditors are required to report on the status of internal controls.

However, it does not mandate audit committees or risk committees at board level for private limited companies. It is a good practice to form one and ensure it receives relevant information from the audit. Financial and risk management experts can be appointed from within the organization or from outside to give an independent view.

5.    Appointment of Auditors

Auditors in family-owned companies are sometimes appointed based on old business relationships. This practice, in India, significantly affects the independence of the auditors.

In the case of subsidiaries of Indian and foreign companies, auditors are chosen by the holding company’s management. In most cases, the holding company’s auditors are appointed for confidence in the consolidation of financial statements. Although this is a good practice, in the Indian context there is a small snag. Local relationships with the auditors might compromise their independence. Hence, if local management is involved in frauds, the auditors may compromise on ethical reporting. It is a good practice to frequently call on the holding company’s audit partner and advise him/her of the issues. Direct relationships with international partners put a check on local auditors.

Closing thoughts

In India, corporate governance practices are just a little over a decade old and mostly focused on listed public companies. In private limited companies, it is still at a nascent stage. Organizations, however, can voluntarily take the initiative to adopt best practices. This improves the confidence of third parties and brand reputation. It also helps if the organization plans to become a public limited company or to sell the company in a few years.

Ministry of Corporate Affairs (MCA) – Corporate Social Responsibility (CSR) Voluntary Guidelines.


10 Steps for Restructuring Risk Management Function

“Don’t judge each day by the harvest you reap but by the seeds that you plant.” – By Robert Louis Stevenson

The last decade altered the risk profile of the world. Look at it through any lens – financial, technological, political, legal, reputational or physical – and risks have increased for all organizations. The business rewards are higher for organizations that effectively manage risks.

The previous year’s Deloitte study on governance, risk and compliance showed that financial institutions with highly developed risk management functions showed 23% better financial performance than their peers with skin-deep risk management functions. A strong risk and ethics culture facilitates more reliable reporting of financial and non-financial performance indicators, thereby improving management functioning and strategic risk management. It improves staff engagement levels and enhances relationships with investors, regulators, customers, and other external parties.

These results indicate that the effort spent on developing risk management functions is worthwhile. Hence, to leverage the benefits, companies need to restructure the risk management function. I am sharing some ideas on the steps needed to restructure risk management functions.

1.    Get the right team on board

Selecting key risk management personnel is the single most important factor for an organization to form an effective risk management function. Risk managers must have technical expertise, business knowledge, soft skills, emotional intelligence, psychological strength and strong personal values. The reason is that risk managers are the charioteers of the organization. The CEO and management lead the organization into uncharted territories to win the battles in the markets. The risk managers ensure the safety of the senior management and organization. Their role requires them to constantly face adversity and to be change agents, knowledge managers and principled role models. Hence, getting the right risk managers is crucial for the success of the organization.

Neglecting this aspect can cause heavy damage to the organization. Risk managers have access to sensitive information. Hence, without emotional intelligence and personal values, they can easily become deviant. Without the psychological strength to face adversity and a strong conscience, they may not inform senior management of various risks, in order to save their own skin. Lastly, as risks are dramatically changing, without technical expertise and knowledge they may lead the management astray.

2.    Modify organization structure

At the global level, there is an ongoing debate on the organization structure of risk management functions. Companies are focusing on integrating governance, risk management and compliance (GRC) functions. As per the KPMG Convergence report, 50% of the respondent organizations were spending 5% of annual revenue on GRC. However, interestingly, cost is not the driver for integration. As per the report – “44 percent cite overall business complexity, followed by a desire to reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent).” This indicates that the risk management organization structure has an impact on the financial performance of the organization.

The first step, as I have mentioned before, is to appoint a Chief Risk Officer (CRO) reporting to the CEO. However, this single step by itself will not give substantial benefits. The function needs to cover strategic, tactical, operational, financial, reputational, political, legal and other risks. It should have a specialized team of business ethics managers, fraud investigators, internal auditors, compliance officers, information security personnel, physical security managers etc. The reporting lines need to be clear, and control must not rest with business heads. In the case of global organizations, there should be matrix reporting to integrate with global initiatives.

3.    Clean up the mess

Charles Darwin had said – “It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change”. Since we base our identity on what we have done in the past, it is difficult to let go. Yet it is difficult to run fast with old baggage. Elephants don’t dance; hence, we need to bring flexibility into the risk management organization. The first thing to do after getting the team and structure in place is to get rid of the redundant people, processes and technology.

This might sound harsh and ruthless; however, it is a necessity for making an agile organization. We need to stop spending organizational resources trying to inspire employees who avoid and inhibit change, or on processes and technology that are not giving adequate returns. Simply put, clean up the previous mess, otherwise it will keep resurfacing and the new team will continuously spend time fire-fighting old issues. Do this by identifying all the facts, halting ongoing violations and preventing their recurrence in the future.

4.    Evaluate risk exposures

The dynamically changing internal and external risk landscape of organizations increases their risk exposures. Frequently, companies fail to identify emerging risks, as they have no previous exposure to them. For example, few companies still have a social media risk management plan or policy within the organization. Senior management dabbles in social media, and without guidelines, significant reputation risks exist.

Recent events have shown that black swan incidents can trigger major disasters. However, organizations frequently calculate each risk exposure separately, rather than seeing the correlation between risks and assessing their collective impact.

Additionally, regulatory risks change due to a multitude of new reforms, policies, and acts issued across countries. For example, the recently released UK Foreign Corrupt Practices Act affects all the subsidiary companies working in other geographies. Hence, compliance and legal functions need to evaluate risk exposures on an ongoing basis.

Similarly, with new business strategies, strategic and operational risks change. Hence, before formulating a risk management strategy, it is important to identify the various risk exposures.

5.    Assess various frameworks

While frameworks are not an end in themselves, they do provide the means to achieve a desired state of risk management. Various enterprise risk management frameworks (COSO:2004, ISO 31000, AN 4360:1999, OCEG Redbook 2.0 etc.) provide a good starting point towards rebuilding the function. Depending on the industry, an organization can choose from a variety of frameworks (information security, data protection, and banking) to model the risk management function.

Take care to customize the framework guidelines according to the organization’s requirements. Choose the best fit, or combine a couple of them to form one. Sometimes the mindset is that implementing a framework is only useful when certification is required to enhance business. However, this approach is incorrect.

Risk managers can also use frameworks to benchmark the maturity level of the risk management function. Frameworks generally depict best practices, hence they provide a good roadmap for improving the function.

6.    Hire external consultants

Sometimes it is a good idea to hire external consultants, especially when revamping the function. The challenge of restructuring the risk management function is that there is a high level of wariness amongst stakeholders if things have gone wrong before. The old risk management team may be viewed skeptically, and the new risk managers don’t have the political and operational knowledge to be effective. They are also scared of giving the not-so-rosy picture to senior management, as they haven’t had the time to develop strong relationships with them. This leaves all parties concerned attempting to wade through muddy waters.

External consultants, besides having excellent technical knowledge, are less involved in the politics of the organization. Hence, they are more independent and confident in presenting the bare facts. They are unlikely to face retaliation from business teams, as they are not part of the organization. Secondly, since they look at the scenario with fresh eyes, they see the bigger picture better. Hence, it benefits the organization to smooth the path of restructuring by seeking additional help and advice.


7.    Develop risk management strategy

I have written previously on the criticality of forming a risk management strategy, and I reiterate its importance here. Risk management functions take a bottom-up approach when presenting annual plans to senior management. For example, if the organization has a balanced scorecard performance appraisal system, the annual plan may be nothing more than a consolidation of the balanced scorecards.

This approach doesn’t give a strategic advantage to the organization. The business strategy and risk strategy run in parallel with a major disconnect.

Risk managers need to prepare an annual strategy along with a long-term strategy for 3-5 years. The risk strategy has to be aligned with and derived from the business strategy. Use strategy maps to monitor the performance of the strategy and revise it accordingly.


8.    Leverage technology

Putting experienced boots on the ground without relevant technology doesn’t give incremental returns on investment. Investing in GRC software adds value to the function and the business. The Economist Intelligence Unit report “Too Big to Fail” states that 51% of the financial institutions participating in the survey increased investment in technology.

Secondly, it says – “Just 40% of respondents say that their firm is effective at collecting, standardizing and storing data. Insufficient data is also seen as one of the key barriers to effective risk management after regulatory uncertainty and poor communication between departments.” Hence, efficient and effective risk management requires timely and relevant information and analysis for effective decision-making. Without technology, risk managers provide outdated qualitative information to management. This results in reactive rather than proactive risk management. Business intelligence tools – SAP Business Objects, IBM Cognos, etc. – give risk dashboards to business executive users. As data is apolitical, the dashboards help in accurate decision-making.

Moreover, the focus now is on building a risk and ethics culture within the organization. Traditionally, formal classroom training programs were used. However, these have proved to be largely ineffective, as users fail to apply the concepts after leaving the classroom and revert to old habits within a few weeks. Studies have shown that employees are more easily influenced when they participate in the process and have a continuous stream of information. Therefore, applying concepts of collective intelligence is beneficial. Organizations can have internal social networking sites, blogs and knowledge management systems. These allow employees to share knowledge and concerns and to take ownership of managing their own department’s risks.

9.    Get business teams commitment

Sell, sell, and sell. Do as much internal selling as possible to get buy-in from the business teams. Get business executives talking about risk management through social networking sites, blogs, senior management messages, group discussions, step one meetings etc. Create a common language across the organization.

Studies have shown that “people respond more strongly to risks when the consequences of those risks are available to them, such as from memory, from imagination, and from mass media. For example, if they witness a news item about a house fire, they are more likely to avoid the kind of behavior that they believe started the fire.” Hence, the more information business executives have regarding various risks, the less prone they will be to taking unnecessary risks. Let them be the owners of transforming the risk culture within the organization. Risk managers just need to provide the guiding light.


10. Formulate audit committee/ risk committee

In India, 90% of the companies are unlisted or privately held companies. The corporate governance norms of listed public companies do not apply to them. Hence, quite a few do not focus on risk committees or form an audit committee. This becomes a tricky situation, as sometimes the CEOs of private companies are managing bigger turnovers than listed companies are. If they have a team of technocrats running the business, the focus on risk management is limited. The problem becomes bigger in the case of global organizations with subsidiaries in various geographies.

In such a scenario, it is a good idea to form risk and audit committees. The members may be board members and senior risk managers from other locations, if the organization is unwilling to have external members. The idea is that senior managers from other locations will look at the information independently and share best practices at the global level.

Though the board of directors and senior management cannot delegate their risk oversight role completely, they do get better sources of information. This also keeps the internal teams on their toes, as they know that other risk experts are looking at their work.

Closing thoughts

To progress, one has to change. Risk managers need to tackle the challenge of evolving risks, hence they need to transform rapidly. Their ability to adapt and transform themselves directly correlates to the organization’s ability to manage risks. During change, a team is fragile and needs constant nourishment. Hence, senior management support is needed for the change, not only by providing the budgets but also by protecting the team’s nascent growth. A good GRC function gives competitive advantage to the organization, hence it is worth the effort.

The Business Enterprise magazine published this article in its December 2011 issue.


Women Risk Managers and Power Games

“Be it known that we, the greatest, are misthought.” – By Cleopatra

A recent issue of Business Today magazine named the women power in corporate India. My favorite corporate queens were, as usual, amongst the top – ICICI Bank CEO Chanda Kochhar, Axis Bank CEO Shikha Sharma and HDFC Executive Director Renu Sud Karnad. Their success in the financial field is inspiring, and one has to meet them to understand their acumen. However, the magazine article – “The Most Powerful Women in Indian Business” – started with the following line:

“For generations, the choice between domestic idyll and a career has been the unique dilemma of women”

Yawn! Uncreative journalists typecast even the most successful women.

Men don’t suffer the same fate. During my teens, my father was a single dad and a Chief Engineer. Dad would have beaten the life out of any person who dared to suggest that he couldn’t do both efficiently. (Psst, I did sometimes overhear dad exasperatedly say to his friends – “Looking after one rebellious teenage daughter is more difficult than managing ten dam sites”. But let us ignore this; I always did.) Alas, if women took such a stance they would supposedly become unfeminine.

My perspective is that women entering the finance line after doing a chartered accountancy or MBA (Finance) course are already mentally prepared for the roller coaster ride. So, I thought of the real career-related challenges female risk managers face in their path to growth. Here are three situations at different stages of a career. While I can’t say this is gender specific, as men can face similar situations too, the possibility of women facing it is higher.

1.    The Young Professional

At the start of my career, a batchmate of mine, an exceptionally beautiful woman with a razor-sharp mind, excitedly called me at the office. Here is the edited conversation:

She: Sonia, at this audit client site I have met X guy. Very intelligent and suave. He came to the auditor’s room and chatted with me for an hour.

Me: Wow, I am happy for you. What next?

She: He invited me for a date.

Me: So are you going?

She: I have started investigating his department.

Me: Shit! Does he know?

She: No. Whenever I see him, I give a big smile and bat my eyelids.

She was right on track. Investigations revealed that he was conducting a big fraud. This social trick has been used on nearly every young female auditor and investigator. Men think they can charm the wits out of women and hide their criminal activities; a woman, they assume, will be too distracted to pursue her assignment properly. The distraught admirers go incommunicado once the report is issued.

2.    The Mid-Senior Level Professional

Consulting companies hire the best of the experienced female risk managers. A consultant has to deliver high quality consistently or lose the client, so meritocracy prevails in selection and recruitment.

However, the mindset is significantly different in the Indian industry sector. Some companies deliberately hire not-so-bright women (or men) as risk managers. The male managers think that women are more compliant, less assertive and more controllable, and hence that a female risk manager will be more agreeable to their demands when they wish to pressure her.

Quite frequently, business executives want portions of risk reports deleted or altered. They want to hide inaccuracies, wrongdoing and frauds from the CEO and the Board. They assume that a female risk manager can be bullied into a compromise more easily, as she is far more vulnerable than her male colleagues.

Depending on the organization’s culture and the situation, things can get nasty for women. In the Indian environment, unscrupulous business executives can easily destroy a woman’s personal and professional credibility by spreading rumors about her love life.

As India is a conservative, male-dominated society, the mindset is that if a woman has two lovers she is a whore, while a man with a hundred lovers is great in bed. (Psst, who are the men having affairs with?) Hence, if a married woman is rumored to be having an office affair and her husband hears of it, she sometimes pays a heavy price. A single woman’s reputation for independent reporting can be destroyed just as easily if it is rumored that she is having an affair with an office colleague. Most women risk managers leave their jobs, and their careers, at this point. Only a few sophisticates nonchalantly brazen out these situations.

3.    The Senior Level Professional

Breaking the glass ceiling in three-inch heels is tough for Indian women on the whole, and especially for risk managers. The top order is still a male bastion. Though a couple of times I have caused cracks in the ceiling, the top job remains elusive. The best thing about failures is that they give insight into the reasons for failure. I learnt a couple of lessons from them.

The men’s club at the top has the most political influence. Unfortunately, even senior female risk managers are not part of that group, so they get only second-hand information on the political games being played. This puts them at a disadvantage against a male competitor: as he is part of the group, he can make the right political maneuvers. A female risk manager, on the other hand, needs a mentor who fights her case with the group.

The second aspect is that if a woman is not part of the group, they do not trust her. In most organizations, a CEO’s direct reports hold the most power, and they share it only with people they trust. They are wary of risk managers, who have access to sensitive information from every department and can break a few high-profile careers. Hence, the CEO’s direct reports generally do not approve the appointment of a risk manager who is loyal to the CEO or does not belong to their group; such an appointment makes them vulnerable, especially if they are involved in unsavory activities.

Therefore, a female risk manager takes the top slot only when a whole set of circumstances line up in her favor. Her soft and technical skills are just one of the things that help her climb the ladder.

Closing Thoughts

In India, female risk managers occupy less than 5% of senior risk management positions in industry and consultancy. While the usual gender diversity concerns remain, female risk managers face a few additional challenges due to the nature of their job. The dedicated ones persevere and keep fighting the battle. Their passion ensures success.

Again, in Cleopatra’s words:

“All strange and terrible events are welcome, but comforts we despise.”