- Fragmentation. Financial service organizations often lack a common platform for managing enterprise-wide investigations, fraud, incidents, issues, events, complaints and/or loss. Instead, different business groups within the organization manage corporate investigations in their own silos.
- Inconsistency. These fragmented investigation processes are poorly defined and do not provide enterprise visibility into incidents and loss. As a result, the organization has a variety of methodologies ranging from the ad hoc to the mature.
- Misuse of technology. Financial service organizations tend to have an abundance of homegrown spreadsheets, custom-built databases, and perhaps an occasional commercial product thrown into the mix. There is limited adoption of enterprise technology to manage fraud investigations processes.
This is cause for concern. In today's complex and distributed financial services environment, an organization, from both a compliance and operational risk perspective, needs a 360-degree view of enterprise fraud investigations and loss. Corporate governance, strategic decision-making and protecting stakeholder value require understanding where the greatest incidents and losses have been.
Further, the overreliance on spreadsheets and homegrown databases to manage investigations should raise issues with legal and corporate compliance departments. These systems lack the robust audit trail found in commercial applications. Spreadsheets in particular should be avoided for managing investigations, as they fail to demonstrate the integrity of the information and who entered it (what is referred to as non-repudiation).
Consistency is key
The first step in overhauling a financial organization's fraud investigation management approach is to think 'enterprise.' A common process for managing enterprise investigations provides for collaboration, consistency, efficiency, accountability, and transparency.
An enterprise approach provides incident data across business units, processes, and relationships. It allows the organization to maintain detailed investigation history and audit trails, manage the lifecycle of investigations, link incidents to remediation procedures, and identify trends to monitor similarities and relationships in investigations. This in turn allows the organization to understand all of its mitigation and prevention requirements.
Financial organizations considering an enterprise fraud investigation platform should consider the following in their selection process:
- Investigations process management. The platform should have a lifecycle approach with robust process management capabilities. Process management capabilities provide the ability to prioritize, assign, and track incidents from identification to resolution. Within each incident, the organization should have the ability to assign a lead investigator and support staff as well as the capability to notify personnel when incidents enter their case management queues. Look for visual workflow modeling, process flowcharts, and task management features. This includes project management capabilities to assign and manage the calendars and resources assigned to investigations.
- Investigations content management. A strong investigations management tool also provides a breadth of content management functionality, including content repository, version control, access management, and records and retention management for investigations.
- Enterprise loss analysis. The platform should have robust capabilities to categorize, measure, allocate, record, import (external loss data) and report on fraud and losses across the organization. This includes analytic capabilities to model and report on loss trends, such as root cause and trend analysis, the ability to report on loss/event data to the control environment, and functionality to provide for loss distributions and calculations.
- Remediation management. Related to the process and project features, a platform should have the ability to track and manage the remediation process. Specifically, organizations should look for the ability to track and monitor the status of remediation, such as recognized control gaps, audit findings, and regulatory interactions/reporting.
- Hotline. Another important feature to look for is the ability to integrate with the organization's anonymous hotline/whistleblower system for reporting incidents and events.
- Security architecture. Investigations management platforms are effective only if the financial organization can tightly control access to sensitive information. Data security is a critical element to consider in an investigations platform -- and an inherent weakness in spreadsheets and personal databases. Features should include elements such as: role-based administration of privileges, integration with directory services, secure access to incident data down to the individual field level, protection of the identity of the individuals involved, and ensuring the integrity of your organization's confidential information.
- Reporting and dashboarding. A full-bodied investigations management platform provides an easy-to-use interface for reporting and managing investigations. Specific features to consider include the ability to monitor investigation status, produce reports that measure and report on impact, and other reports to track incidents by type, date, person, location, financial impact, and other attributes. Dashboards are also essential and should provide management with real-time access to current incidents, their resolution status, key metrics, and the relationship of incidents/events. That will enable the organization to identify trends and relationships.
- Configuration flexibility & usability. The strongest tools support flexible configuration without customization of code. The entity can manage structures, rules, workflow, and user-interface characteristics without customization. Investigation personnel should be able to use the system without being technically savvy. Select a platform that has an intuitive look and feel with navigation and an information presentation that minimizes the need for user training.
About the author:
Michael Rasmussen (email@example.com) is with Corporate Integrity, LLC. Michael is the authority in understanding governance, risk and compliance (GRC). He is a sought-after keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.
This was first published in October 2008