By Derek Smith Jr
Risk management has long been a crucial and complex undertaking for businesses globally. How efficiently and effectively those risks are managed reflects the quality of corporate governance, irrespective of the framework a business deploys. Every business must protect itself against potential business interruptions by fully assessing its inherent risks, deploying mitigating controls and understanding the residual risk that remains. One such risk is fraud.
The Report to the Nations 2020, published by the Association of Certified Fraud Examiners (ACFE), drew on data from more than 120 countries and 23 major industry categories, covering more than 2,500 real cases of occupational fraud.
An organization’s approach to adverse events, such as fraud, is called contingency planning (CP). During this process, the interests of the information technology (IT) and information security (InfoSec) communities are aligned to prepare for, detect, react to and recover from events that threaten the security of information resources and assets. An incident is an adverse event that could result in the loss of information assets but does not threaten the viability of the entire organization. The process a business uses to plan for, detect, react to, contain, eradicate and recover from such events is therefore, in effect, incident response management (IRM). For the avoidance of doubt, although IRM, disaster response management (DRM) and business continuity management (BCM) overlap in places and are all major components of a business’s contingency planning, they are fundamentally different disciplines.
Building an enterprise-wide resilient business requires risk identification and assessment, risk controls and risk responses. I will address incident response management while underscoring its importance to business continuity and organizational resilience, then focus on the core steps of IRM and their direct bearing on building a resilient security culture within a business.
IRM and its importance
Historically, a control-centered approach to incident management was considered the standard. More recently, as threats have grown in complexity and frequency, the focus has shifted from prevention toward recovery. By centering information security management on the moment at which a fundamental security event occurs, rather than solely on preventative controls, management strategies can better balance the two paradigms.
A robust incident response plan positions an organization to respond efficiently and effectively to threats. Without one, incidents can quickly escalate into disasters. Weaknesses in these plans, if exploited, increase reputational risk: the direct or indirect negative effect on a business’s goodwill and/or reputation.
Core steps of IRM
Investment in an incident response plan can yield tangible returns in the likely event of fraudulent attacks, cyber-attacks or a combination of both. Because such attacks can trigger substantial financial and reputational losses, it is incumbent on an organization to implement an IRM plan thoroughly.
A basic fraud incident response plan should consist of the following:
• Fraud incident response team. Depending on the organization’s size, this team should include a legal resource (internal or external), human resources, an investigator and an audit committee representative.
• Incident response methodology.
• Pre-incident plan. This step covers the creation of teams and their roles, training of staff on plan details and responsibilities, fraud risk assessments, and documenting policies and procedures while ensuring their alignment with the regulatory environment.
• Post-incident plan. The key focus of this phase is to properly identify the scope of the suspected fraud in order to define the investigation and interviews, seek expert advice if needed, secure and preserve financial and non-financial information, and determine next steps.
• Post-incident remediation. The organization must complete a gap analysis of the plan’s effectiveness, procedures and training, with a view to closing gaps, improving the incident response plan and maintaining fraud-incident reporting that is aligned with internal policies and procedures and the external regulatory environment.
Information security guru Bruce Schneier wrote, “Security is a combination of protection, detection and response.” Incidents of fraud cannot be eliminated entirely; however, a business’s preparation and response can be managed effectively through a robust risk response and a fraud incident response plan.
Derek Smith Jr is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.