Know What You Don't Know
3 comment(s)
"There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know."
Donald Rumsfeld
No one would ever confuse Donald Rumsfeld with Shakespeare but I think he's onto something here. In fact, I think most fraud managers are very familiar with both types of unknowns and the dangers that both present. Fraud is a complex subject. No one can truly be an expert in all areas, but in my opinion some fraud managers don't take the necessary steps to know as much as they could.
The worst is the case of "known unknowns". Here, fraud managers are aware they have a prevention gap but have not yet moved to fill the void. Financial institutions and companies will tolerate this once or twice but any manager that fails beyond that is living on borrowed time.
The harder case is the "unknown unknownâ€. This is the seemingly extraordinary event that comes out of nowhere as a complete surprise.
In either case, managers are stuck being completely reactive, not proactive. They think that nothing can be done to mitigate these unknowns and adopt a "wait and see" attitude to fraud. Rest assured fraud will happen, and certainly not on a timeline of their choosing. Reacting to fraud is much more difficult than being proactive (trust me, I speak from experience).
A proactive stance can take many forms, but it often begins with a fraud risk assessment. For those of you that are unfamiliar with the term, a fraud risk assessment (sometimes incorrectly referred to as a fraud audit) is focused on determining how well a company is positioned to detect and prevent both internal and external fraud within its operations. Using Donald Rumsfeld's lexicon, it is designed to uncover the "known unknowns", as well as the "unknown unknowns".
In simple English – a fraud risk assessment will provide you with much more information about the fraud risks facing your bank.
Surely, that is good thing! Actionable information in fraud detection and prevention truly is power. With better information, you can develop robust internal controls, detect fraud quicker, implement better technology solutions and ultimately save your bank money. You also don't have to say "I don't know" as much.
There are a number of great resources available online that outline the step by step process for conducting a fraud risk assessment, so I won't detail the process here. (Let me know if you'd like me to point you toward some of them.) However, please note that it is extremely important that there is "buy-in†at the executive level before you begin the assessment process. Fraud risk assessments, often uncover wrongdoing, therefore, it is best to secure the backing of senior management from the very beginning.
Share your stories around fraud risk assessments. What did you find out? Do you now have fewer unknowns? Did it help you reduce fraud losses?