Among definitions of a crisis, I prefer the one given by the Publicly Available Specification for Crisis Management (PAS 200:2011) issued by the Cabinet Office and the British Standards Institution: a crisis is an “inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization.”
“Abnormal,” “unstable” and “complex” are the keywords.
While dealing with a crisis, like the current coronavirus pandemic, organizations may deploy an unusually large part of their resources and time for managing the incident and its impact. By doing so, organizations may suspend or limit some controls over critical processes. For example, they may speed up the procurement process and eliminate some controls, especially the most time-consuming ones. This can increase the organization’s vulnerability to fraud.
Fraudsters, whether internal or external, are waiting for this opportunity. Here are three major factors that make an organization vulnerable to fraud during a crisis.
ABSENCE OF FRAUD RISK ASSESSMENTS
I have almost never seen organizations assessing fraud risks while preparing their crisis management plans (CMPs) and business continuity plans (BCPs). Indeed, very few organizations consider including a fraud risk assessment in their business continuity risk assessment (BCRA) and business continuity risk mitigations (BCRM) strategies, which is a critical piece of establishing a CMP or a BCP. Understandably, organizations are more concerned with business impacts of disruptive events on their core processes while conducting BCRAs and BCRMs. Shifting focus to core processes sounds obvious and logical. However, the way processes are functioning during and after the crisis event increases the organization’s vulnerability to fraud. Hence, if fraud risk assessments are not part of your organization’s BCRA and BCRM strategies, you will leave yourself vulnerable to fraud, and things may go from bad to worse.
LACK OF CONSISTENT CRISIS PREPAREDNESS
Let’s say your organization has included fraud risk assessment in BCRAs and BCRMs. What if its emergency, response and business continuity plans are not effective when the crisis occurs? Under stressful conditions, organizations may waive the existing crisis management plan and adopt hastily conceived measures. Specific controls designed for the disaster handling processes may be dropped, and hence, the opportunity to defraud the organization increases.
EMOTIONAL CHARGE AND POST-CRISIS PSYCHOLOGICAL DAMAGES
The French Resource Center for Information on Economic and Strategic Intelligence emphasizes the fact that a crisis is most likely accompanied by a strong emotional charge, causing the affected organization to lose its bearings. I think we can all agree that the current crisis fits this description. One of the most challenging parts of crisis management is to handle the emotional charge instead of only focusing on assets and processes recovery.
Employees or stakeholders are seldom viewed as important assets to “recover” after crises. But think about it. As we’ve already seen, people lose their jobs. Self-confidence can take a hit after a crisis. Some people are losing their health. Loved ones are affected. Many employees may suffer from trauma now and even for a long period after the crisis ends. Failing to reassure them and take measures to alleviate their physical and psychological suffering can raise the pressure and the rationalization factors of defrauding the organization in the future.
WHAT YOU SHOULD DO TO STRENGTHEN FRAUD RESILIENCE DURING A CRISIS
First, be aware that crisis events may raise your organization’s vulnerability to fraud. Accept this reality. Then take a set of appropriate countermeasures, including but not limited to:
Identify and assess likely fraud risks that can emerge due to exceptional management measures. If, for example, some controls are attenuated or suspended, the associated consequences should be carefully assessed. To counteract this effect, brainstorm specific fraud schemes that may occur during the ongoing crisis management process.
Design cost-effective controls to compensate for any controls that are attenuated or suspended. The new controls should be easy to apply and not slow down the emergency management processes.
Closely observe how employees and major stakeholders react and behave after the incident. Due care should be taken to ensure that employees and stakeholders recover quickly from the potential crisis effects. To increase your organization’s chance of success, conduct an emotional impact analysis the same way you would conduct the business impact analysis. A crisis may more seriously affect people who are the most vulnerable.
During the current coronavirus pandemic, which is a major worldwide health crisis, consumers and organizations are facing emerging fraud risks. Make sure your organization is doing everything it can to mitigate the corresponding fraud risks.