OpRisk & Compliance: How common are rogue trading incidents at financial services firms? What is the average loss profile of one of these events?

Ed Doyle, Norkom: Rogue trading is a poorly defined term that covers a wide spectrum of trading activity, from acceptable risk to outright recklessness. In its simplest terms, rogue trading is any trading that oversteps the reasonable guidelines or rules laid down by the institution. It is up to the institution to define what is acceptable, based on its own assessment of risk. Of course, all trading incurs some risk; the key consideration lies in the distinction between known and quantifiable risk, and unknown and unquantifiable risk.

There is evidence to suggest that 90% of 'unsanctioned' loss incidents never make it into the public domain. Most are 'managed out', with positions being absorbed or hedged. Others may never be detected. The typical loss profile of such incidents is highly dependent on the instrument and the organisation, but the majority are far smaller than media headlines would suggest. Only a small minority, where the losses are inescapably huge, emerge to become public knowledge.

Rogue traders can make temporary profits too. Jérôme Kerviel has alleged, for example, that others were aware of his dealings but, while they were in the black, oversight was benign. Clearly, unmanaged risk is always bad. It is up to the institutions to prevent rogue trading before losses occur.

Cory Gunderson, Protiviti: There have been 11 (publicised) trading losses of over $1 billion, including Société Générale (SG). Of those 11 incidents, six - or a little over half - have been attributed to a rogue trader. It is difficult to say how often rogue trading events occur because institutions are typically not open to airing their 'dirty laundry'. Regardless, the publicised incidents over the past 15 years indicate that the size of loss is generally increasing.

S. Ramakrishnan, Mantas: Over the past several years, there have been three incidents of the magnitude of the SG incident: Nick Leeson (£850 million), which brought about the collapse of Barings Bank in 1995; Yasuo Hamanaka (£1.3 billion), who tried to corner the copper market at the Japanese conglomerate Sumitomo in 1996; and Peter Young (£220 million), whose speculative trades at Morgan Grenfell broke regulations in 1996. There have been many other rogue trading incidents over the past 20 years, so it is not uncommon, but they don't usually reach the amounts of these three incidents. Rogue trading has always been part of the financial industry, given access to substantial money combined with loose controls and procedures and, of course, temptation. Additional incidents include: NatWest had losses of £90.5 million from two traders' activities in 2000; Muirpace Group lost £32 million in trading losses in 1997; and, in 1995, Daiwa Bank's loss of $1.1 billion in unauthorised trades over 11 years. Times of financial unease and crisis often cause more incidents - in such nervous times, traders can often make mistakes and become fraudulent to cover the trading errors. It is likely we will see more such incidents while the economy is in disarray.

Bruno Piers de Ravenschoot, Actimize Europe: An independent survey company conducted an employee fraud survey on behalf of Actimize in December 2007. Eighty-five percent of respondents had been impacted by employee fraud in the past three years and at a level ranging from 'somewhat' to 'extremely' and, of those that knew, 50% said they had experienced a case of data theft in the last 12 months. Twenty per cent of respondents didn't know if their organisation had experienced data theft in that period.

To answer your second point, what happened at SG is extraordinary in size but not extraordinary in nature as the survey we undertook proved. We also found that about half of the banks use a technology to check when traders overstep trading parameters but less than 8% use analytical profiling tools.

I feel it is worth pointing out that Actimize is the only vendor with convergence solutions in fraud detection and market abuse that can detect this kind of fraud. Aside from this, you must have seen recently in the press articles about financial institutions being fined by the regulator for failing to exercise proper control over traders who inflated loss to their banks, so this activity is not at all uncommon.

Iain McLeod, SAI Global: Fraud remains a major business risk for organisations. A combination of rapidly changing working practices and advances in technology is allowing rogue traders unprecedented access to online data on a global scale. Experts predict cybercrime will soon be on a par with illicit drug dealing and incurring losses of hundreds of billions of dollars.

Recent high-profile cases of fraud have received much media attention, perhaps due to the fact that organisations are under increasing scrutiny regarding fraudulent activity. However, publicising these incidents is no bad thing as it raises awareness of the fact that the risk of rogue trading is real and, more importantly, is a reminder that internal processes can and do fail.

The direct financial costs resulting from fines, penalties, lawsuits and credit ratings can cost firms millions. However, qualitative measures of loss such as damaged reputation, credibility within the industry and employee morale should not be underestimated. It can take years to build a credible reputation and just one rogue trader incident to destroy it. In recent years, SG senior management built an unrivalled reputation and professional respect within the French banking industry as it successfully fought off hostile takeover bids. Now the same management is tarnished by lack of governance, supervision and control in a key part of the business.

OpRisk & Compliance: What kind of regulatory reaction do you foresee the international supervisory community having to the recent events at SG?

Piers de Ravenschoot, Actimize Europe: Usually regulators are slow to react but I wouldn't be surprised to see more efficient control of traders' positions. Perhaps an obligation to report traders' positions to exchanges and regulators will come.

Gunderson, Protiviti: Interest has understandably increased in how trading rooms are controlled. Already there are calls by some for increases in required minimum capital levels. There is discussion and higher risk now of additional controls being demanded by regulators or other stakeholders. Boards and senior management are asking: "How do we know this can't happen to us?"

Paul Curby, Insight Risk Group: The circumvention of controls at SG is another reminder of how vulnerable a bank can be. Particularly when someone takes the effort to deceive those tasked with the checks and balances.

Instant messaging communication may come under some sort of restriction. Policing is difficult: how can instant messages be reviewed in the context of legitimate trades, particularly when slang is used (which constantly evolves) and can hide real intention? This makes oversight very difficult.

Regulators may look to banks to rethink how they go about devising and testing their controls for fraud. With Sarbanes-Oxley (Sox) there is a shift away from process-mapping controls to scenario-building.

Recent large-scale frauds have shown that specialist expertise (beyond auditors and operational risk) is needed to stress-test the control environment and identify schemes that circumvent the controls. Audit committees will have more confidence in the results of audit reports if the control environment has been stress-tested, improvements recommended and adopted.

Ramakrishnan, Mantas: The most common regulatory reaction has usually comprised imposing monetary sanctions and establishing new procedures for reporting to the regulatory body. Usually the monetary sanctions are large enough to cause serious pain to the financial institution, but more importantly are designed primarily to highlight the power of the regulatory agency. The sanctions and new reporting/disclosure procedures are designed primarily to help the firm control future incidents and prevent similar rogue losses. They will often direct the sanctions and controls at the areas determined to be weakest within the organisation. In some cases, the regulatory agency has pursued the supervisor with the most responsibility for the oversight of the rogue trader, which might be difficult to determine in the SG case since different processes were involved.

McLeod, SAI Global: We can expect to see tougher penalties and higher fines for those breaking state banking commission regulations. We may also see a call for heavier regulation. Given the complexity and sophistication of existing regulations such as Sox and Basel II, one could well ask if such a backlash is really necessary? Indications are that, in addition to encouraging banks to tighten their internal risk controls, the Financial Services Authority and other regulators are already advocating more stringent controls and guidelines to help prevent such events in the future, particularly regarding derivatives trading. The SG incident will also push the authorities to mandate more rigid vetting processes for any internal departmental moves among employees within investment banks, particularly from back-office to front-office trading.

Doyle, Norkom: Some commentators have observed that the fact that SG was inspected at least 17 times during Kerviel's trading tenure raises questions about the efficacy of regulatory reviews. We expect to see further development in 'thematic reviews' aimed at a much deeper assessment of specific functions within an institution.

Trade monitoring has evolved enormously since the Barings case. Recognising that operational risks generally arise from a confluence of factors across the enterprise, regulators are encouraging institutions to replace the isolated monitoring of trading activity with an enterprise-wide risk management approach. This is an applaudable recognition of a fact amply demonstrated by the Kerviel case; that factors such as information and corporate security - which have typically lain outside the jurisdiction of traditional trade monitoring processes - can be contributory factors in trading activity abuses.

We expect the SG case will speed up this shift. In future, regulators will require proof of an organisation's ability to identify and connect 'early warning signs' arising across their business that, though insignificant in isolation, collectively, pose a significant enterprise risk. Such early warning signs were clearly missed at SG and, as a result, its reputation, credibility and ability to do business has taken a serious blow.

Paul Bach, Compassoft: For several years now, I've been seeing auditors, both internal and external, expanding their view of risk beyond companies' central systems to the less visible information distributed on individuals' machines. This information is far more difficult to track and control, and it may represent as much as 40% of a company's data, according to some Big Four firms. Auditors are focusing more and more on desktop applications, especially spreadsheets, as a critical source of risk. And it's not just financial spreadsheets they're worried about. They're taking a long, hard look at analytical and operational spreadsheets, too, and seeing them as completely unacceptable sources of business-critical risk and financial impact. Auditors increasingly understand that the highly distributed data held in these end-user applications requires its own controls. The international supervisory community should follow the auditors' lead, by directly and explicitly recognising the risks that this uncontrolled, everywhere-and-nowhere data presents and expanding control requirements to include the documentation and control of this data. I believe that is coming, and soon.

OpRisk & Compliance: What tools, procedures or methodologies could be used by firms to prevent similar rogue trader losses going forward?

These are technology problems and they require technology solutions. Software that can automate risk management for spreadsheets and other desktop-based information is available and in use today. These offerings can provide comprehensive, policy-based controls automation with functionality including the ability to discover new or changed spreadsheets, create detailed audit logs of changes to spreadsheets over time and perform automated risk assessment. They can detect control violations and notify the appropriate authorities, as well as conduct forensic analysis. And, crucially, they offer extensive reporting capabilities and management visibility, with dashboards that work with the risk management platforms that financial institutions already have in place.

When these technologies are widely adopted across the financial industry, a very dangerous fraud-control blind spot will be eliminated. Suspicious activity - for example, a junior trader with an unaudited spreadsheet that contains exceptionally large sums, unusually complex formulas or unexplained external data feeds - can be 'red-flagged' by these systems, simply, quickly and on a company-wide scale. The audit group can be notified of high-risk activity that violates the institution's established control policies and a secure copy of the spreadsheet can be created automatically for analysis. If the spreadsheet turns out to have a legitimate purpose, it can be placed under more direct control, with appropriate access security and version management. And throughout the process, documentation and a 'chain of accountability' can be maintained to ensure adequate record-keeping and satisfy the requirements of auditors and regulators.

Ramakrishnan, Mantas: In a volatile, global environment there can be a thin line between smart trades and illegal ones. Based on a library of trader behaviours, behaviour-detection engines can monitor trading and market-making activities with respect to regulatory compliance and best execution, and can provide alerts to the organisation when suspicious behaviour is identified, such as when behaviour outside of the norm for a position/specific employee/trader is identified. Monitoring and control over password generation would have prevented unauthorised access, but so would behaviour-detection engines by identifying behaviour outside the norm for a specific role. A system that identifies trader positions would have uncovered the fact that this particular rogue trader was amassing very large positions and transacting more numerous trades than normal.

Doyle, Norkom: The move towards centralised management of enterprise-wide risk will inevitably require IT investment. Organisations' ability to take an enterprise-wide approach has been hampered by the presence of disparate and incompatible detection and monitoring systems. It is fortunate that consolidating technologies are now available that are able to collect data from multiple detection systems deployed across the business, which means organisations will be able to avoid an expensive 'rip and replace' approach. Instead, such systems will use new levels of analytics to identify and connect warning signs such as information and corporate security threats, so that they can be addressed early.

Internal processes will come under increased scrutiny, particularly where back- or middle-office staff interact with the front office. Two-factor authentication will become a minimum standard for access to trade monitoring and other compliance systems, and we expect the use of biometric authentication to increase.

In addition, we expect institutions to review how they treat product risks. For example, Kerviel's work area was classed as dealing in 'low' or 'standard risk' products. However, the IT system that assessed the risk of trades in these products accepted manually entered bogus trades (from Kerviel himself), increasing the severity of the underlying operational risk.

Curby, Insight Risk Group: Stress-test the controls. If derivatives transactions and control environments are complex, people are more so. It is people who drive your business forward and drive profit. They form internal and external relationships, market, sell, trade, review transactions and verify controls.

Opportunity for fraud prevention is lost when businesses focus too much on the control process, and thereby fail to tap into their most valuable asset in a meaningful way: their people.

To understand how to bypass any control, speak to employees who use your systems and processes every day. They are guaranteed to know the loopholes. We help uncover the loopholes with experienced fraud risk professionals. Knowing how to ask the right questions, in a non-confrontational environment, will uncover the loopholes that will allow fraud to succeed in your business, both internal and external.

We have reviewed business units, including derivatives, securities, treasury, trade finance, equities, consumer banking and financial shared services centres. In every assignment we have uncovered large exposures. The largest is £1 billion.

We use a combination of direct interviews with staff and workshops to uncover how fraud could be committed against the business. The bank, in return, obtains a 'how to defraud' report along with immediate and strategic solutions to reduce the risks.

Implementation of recommendations will assist your operational risk staff to perform their jobs. It will also allow for your internal auditors to conduct audits and ensure compliance based on improved controls.

McLeod, SAI Global: Firms should advocate an enterprise-wide risk-based management approach to all areas of regulatory compliance and financial crime, not just for anti-money laundering (AML) as required by the regulator. Working in silos will increase the chances of inconsistent practices and will result in wasted resources being allocated to low-risk areas.

There are technology solutions (such as transaction monitoring and identity verification software) available to help prevent these kinds of incidents. Nonetheless, no single system will provide the solution. Having fraud prevention systems, policies and procedures in place can only truly be effective if they are properly supervised and audited and if managers and employees are trained to be aware of key controls and to understand how their behaviour can impact on them.

Training employees on your policies and procedures is an element of risk and compliance management that is often overlooked but one that can make all the difference in mitigating the risk of critical events. Fraud of any type is notoriously difficult to detect because it often involves concealment through falsification of documents or collusion among managers, employees or third parties. However, by making your employees aware of potential 'red flags' through effective training methods, you create a vigilant workforce capable of taking responsibility for minimising your organisation's fraud risks.

Piers de Ravenschoot, Actimize: "Internal controls at SG did not work as they should have," Christian Noyer, Central Bank Governor, told the French parliament. Before talking about procedures and methodologies, let's see what happened. Some elements are:

Starting in 2005, Kerviel began placing bets only in one direction, potentially to make far bigger gains while bets are supposed to mostly offset each other in what is typically a low-risk way of making a small profit.

Kerviel created a set of parallel fake bets in the opposite direction to give his supervisor the illusion his books were correctly balanced. He was using several fraudulent methods, among others, the misuse of the passwords of other employees (mainly for cancellation).

Kerviel inserted fictitious operations into portfolio B in order to give the impression that this portfolio offset portfolio A, which he had purchased. The main challenge of a case like this one is that the employee was using many techniques, such as circumventing controls, thereby limiting the effectiveness of other controls such as no cash movements or margin call, identification shielding, common use of another employee's credentials to avoid detection, utilising internal/dormant or hidden accounts (account 88888), fake new counterparty accounts, cancellation of fictitious operations, utilising correspondent/omnibus accounts and so on.

In the SG case, we know that some systems and procedures actually detect suspicious activities, but the main problems were that some of these systems are not efficient and also that they are not communicating with each other.

Considered individually, some alerts or reports are not serious enough to generate an investigation but, if a central risk system had aggregated the signals into one case, the problem would have been avoided in the very early stages. So, to come back to the questions: the bank must have more efficient systems and have the ability to aggregate the problems and their warning signs into a single risk environment.

It is also crucial to have a system in place that can profile the traders against their past behaviour and against their peer groups. These are the various controls that Actimize so effectively applies.

Gunderson, Protiviti: It is important to note that controls operate in concert with one another - some are preventive in nature, others are detective. Certain controls are manual versus automated. Incentives also play an important part of the equation. Often the trader is trying to make more money for the firm (which may or may not directly impact the trader's bonus) and places progressively larger bets - it's not always a fraud situation designed to only benefit the individual.

Controls and key questions to be considered include:

Information technology:

• Establishing and enforcing 'user profiles' for trading area personnel

• Promptly deactivating access for employees who depart the firm

• Monitoring user access to detect unusual activity for a particular user profile

Tools for execution:

• Tool limitations for executing or processing trades, especially in highly manual environments or areas that lack preventive controls

• Opens up issues regarding manual errors and general spreadsheet controls

• When was the last time that spreadsheet controls were tested with similar rigor as the testing for a new trading system?

Limit setting, monitoring and management:

• Limit setting, monitoring and change processes

• Are limits periodically reviewed for appropriateness?

• Who is authorised to change limits and under what circumstances can changes be made? Who actually processes these changes and who is aware of these procedures?

• Daily and intraday position monitoring

• Volume limits

• Existence of rapid response systems (for example, mechanisms that provide immediate notification of limit breaches via email or other means)

Operational controls:

• Efficacy of the control functions (for example, internal audit)

• Influence/authority of traders over control functions (for example, does this hinder control function independence?)

• Segregation of duties

Reporting:

• Reliability/effectiveness of book management (for example, are there dormant books that are not reconciled and could therefore be used for unauthorised activity?)

• Profit and loss or other financial analysis

• How is actual working capital projected and tracked?

• How are possible variations in future working capital needs estimated?

• Are trends in mark-to-market tracked and analysed?

Risk culture and governance:

• Are the risk policies clear, understandable and consistent with the activities and risk profile actually being transacted?

• Are the transactions being executed and the level of activity consistent with the business profile publicly discussed at conferences and/or reported within financial statements/regulatory reports?

• Can more than a handful of employees understand the nature and risks of the transactions being executed?

• Do personnel in both management and the trading organisation have an appropriate perspective on the control environment and where risks are managed?

• Does management have a respectful, consistent and supportive attitude towards the control environment?

• Does the company view unexpected profits and unexpected losses with the same level of concern?

One key point to keep in mind is that often there are policies in place that govern desired behaviour. Too often, management relies on these policies as though they reflect actual behaviour. Aspirations and reality are often not the same, so having a sound policy can only provide a level of comfort that behaviour expectations have been articulated. It is not enough to prevent unfortunate incidents similar to what occurred at SG.

Similarly, management may rely on attestations to the existence of controls. Frequently, failures occur due to controls being ineffective in operation, despite being properly designed. Control effectiveness often depends on the people who execute those controls, and people are often the source of the most significant control weaknesses.
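The limit-setting and reporting questions in the list above (who may change a limit, intraday position and volume monitoring, immediate breach notification, and treating unexpected profits with the same concern as losses) can be made concrete in code. The following is an added illustration written for this page, not Protiviti's or any vendor's software; the book name, limit values, user ids and trades are constructed assumptions.

```python
"""Position and volume limit monitoring with an authorised-change log.
Added example: not Protiviti's or any vendor's code. Book names, limits,
user ids and trades are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class LimitMonitor:
    limits: dict                      # book -> {"position": max |net|, "daily_volume": max gross}
    approvers: frozenset              # user ids authorised to approve limit changes
    change_log: list = field(default_factory=list)
    positions: dict = field(default_factory=dict)
    volumes: dict = field(default_factory=dict)
    breaches: list = field(default_factory=list)

    def change_limit(self, book, kind, new_value, requested_by, approved_by):
        """Four-eyes rule: the approver must be authorised and must not be the
        requester. Every attempt is logged, refused ones included, so the
        question 'who changed this limit and when' always has an answer."""
        accepted = approved_by in self.approvers and approved_by != requested_by
        self.change_log.append({
            "book": book, "kind": kind, "old": self.limits[book][kind],
            "new": new_value, "requested_by": requested_by,
            "approved_by": approved_by, "accepted": accepted,
        })
        if accepted:
            self.limits[book][kind] = new_value
        return accepted

    def record_trade(self, book, trader, qty):
        """Apply a signed quantity intraday, then test net position and gross
        daily volume against the book's limits. Returns the new breaches so the
        caller can notify immediately rather than at end of day."""
        self.positions[book] = self.positions.get(book, 0) + qty
        self.volumes[book] = self.volumes.get(book, 0) + abs(qty)
        found = []
        if abs(self.positions[book]) > self.limits[book]["position"]:
            found.append(("position", book, trader, self.positions[book]))
        if self.volumes[book] > self.limits[book]["daily_volume"]:
            found.append(("daily_volume", book, trader, self.volumes[book]))
        self.breaches.extend(found)
        return found


def classify_pnl(pnl, expected_band):
    """Treat a result outside the expected band as an exception in either
    direction: an unexplained gain gets the same follow-up as a loss."""
    low, high = expected_band
    if pnl > high:
        return "unexpected_profit"
    if pnl < low:
        return "unexpected_loss"
    return "within_band"


def run_demo():
    """Constructed scenario: a trader tries to self-approve a limit rise, then a
    modest rise is properly approved, then one-directional trades breach it."""
    m = LimitMonitor(limits={"BOOK_A": {"position": 1000, "daily_volume": 5000}},
                     approvers=frozenset({"risk_head"}))
    self_approved = m.change_limit("BOOK_A", "position", 50000, "trader_x", "trader_x")
    approved = m.change_limit("BOOK_A", "position", 1500, "trader_x", "risk_head")
    for qty in (600, 600, 600):        # net position climbs 600 -> 1200 -> 1800
        m.record_trade("BOOK_A", "trader_x", qty)
    return {"monitor": m, "self_approved": self_approved, "approved": approved,
            "pnl_flag": classify_pnl(250, (-100, 100))}


if __name__ == "__main__":
    out = run_demo()
    for b in out["monitor"].breaches:
        print("BREACH", b)
    for entry in out["monitor"].change_log:
        print("LIMIT CHANGE", entry)
```

The refused self-approval stays in the change log alongside the accepted one; a reviewer reading only the current limit value would never see the attempt, which is why the log records every request rather than every success.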

OpRisk & Compliance: What advice would you give to operational risk and compliance executives who are now suddenly being charged with "preventing any SG-type rogue trading event happening at our firm?"

Gunderson, Protiviti: Unfortunately, SG does not stand alone as a reminder that it is critical to understand and monitor the control environment surrounding trading activities. It is important to make sure that senior management and the board of directors understands the breadth of the trading activities and is supportive of the risk profile and the types of transactions executed on behalf of the organisation. We'd also recommend a holistic review of key risks and controls be conducted across the trading area. Such a review should recognise how controls work in concert, and cover everything from understanding trading strategies and policies through the trading process itself, models used, technology employed (and the controls in use over the technology) and the frequency/integrity of periodic reporting. No control system is perfect, as there are cost-benefit tradeoffs, but such a holistic review should serve to patch any obvious cracks and make it more difficult for the rogue trader to execute unabated in the future.

Doyle, Norkom: We advocate seven steps:

• Move towards enterprise-wide risk management to monitor the organisational weaknesses that allow rogue trading to occur. That includes monitoring information and corporate security systems and others, such as human resources, where, for example, unusual holiday patterns can be a leading indicator of illicit behaviour.

• Monitor the monitoring systems themselves, too, to identify the inappropriate use we have noted in the Kerviel case.

• Aggressively maintain clear division between front-, middle- and back-office operations and monitor the points at which they connect diligently.

• Review classification of product risk. In the Rusnak and Kerviel cases, the fraud occurred in areas judged to be standard risk, either because of the low-risk product (Kerviel) or the perceived small scale of the operation (Rusnak).

• Introduce multi-factor authentication to protect information assets and prevent even well-intentioned information compromises.

• Test operational risk, information and corporate security functions vigorously. In AML we are seeing good progress, where external teams are used to challenge and attempt to overcome their AML protection. This approach could wisely be adopted more broadly.

• Tighten internal audits to guarantee the vigour of case reviews and to ensure that sample documentation is checked with counterparties to expose fictitious trades.

Bach, Compassoft: The best place to start is to recognise that unaudited information isolated on employees' desktops, particularly in spreadsheets, presents an entirely unacceptable risk, and that mitigating this risk must be an ongoing process, not a one-time project. The next step is to use a policy-based approach to prioritise spreadsheets based on identified risk factors, including the type of content in the spreadsheet: who's using it, the frequency of use, the presence of external data links, hidden data, macros, errors or long formulas and, of course, the specific business function of the spreadsheet. Banks and other companies should be able to identify and remediate the most risk-intensive spreadsheets before moving on to those that present less urgent problems. The standards will, of course, vary from company to company. Specific guidelines for spreadsheet risk evaluation are available from auditing firms such as PricewaterhouseCoopers, and can be adapted to create criteria and controls that address a company's specific needs.

Something else that is extremely important is remembering that the data on employees' desktops is constantly changing, which means that new risks can emerge rapidly. It's essential to maintain a continuously updated central inventory of all the spreadsheets in use. Identifying new and changed spreadsheets, as the changes take place, provides a basis for understanding them and the information they contain, and the types of controls that are needed for the risks they present.

And, of course, it is critical to use technology linked with sound policy to address this technology-based problem.
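The procedure described in the two Compassoft answers above (keep a continuously updated inventory of spreadsheets, detect new and changed ones as they appear, then prioritise them against a policy of risk factors such as external links, macros, hidden data, long formulas, large sums and business function) is shown end to end below. This is an added example written for this page, not Compassoft's product or anything from the roundtable; the file names, workbook contents, metadata and policy weights are all constructed assumptions, and the metadata is taken as already extracted rather than parsed from real workbook files.

```python
"""Desktop spreadsheet inventory with change detection and policy-based risk
prioritisation. Added example: not Compassoft's product or the roundtable's
code. File names, contents, risk factors and weights are constructed assumptions."""
import hashlib

# Policy weights per risk factor (assumed values for illustration).
RISK_WEIGHTS = {
    "external_links": 30,   # pulls data from outside the controlled estate
    "macros": 25,           # executable logic inside the workbook
    "hidden_sheets": 15,
    "long_formula": 10,
    "large_sum": 20,
    "feeds_reporting": 30,  # output goes into financial or regulatory reports
}
LARGE_SUM = 10_000_000
LONG_FORMULA_CHARS = 120


def fingerprint(content: bytes) -> str:
    """Content hash used to detect changed workbooks between scans."""
    return hashlib.sha256(content).hexdigest()


def diff_inventory(previous, current):
    """previous/current map path -> fingerprint. Returns what is new, changed or gone."""
    return {
        "new": sorted(p for p in current if p not in previous),
        "changed": sorted(p for p in current if p in previous and current[p] != previous[p]),
        "removed": sorted(p for p in previous if p not in current),
    }


def score_spreadsheet(meta):
    """Apply the policy to one workbook's extracted metadata; returns (score, reasons)."""
    checks = {
        "external_links": meta["external_links"] > 0,
        "macros": meta["has_macros"],
        "hidden_sheets": meta["hidden_sheets"] > 0,
        "long_formula": meta["max_formula_len"] > LONG_FORMULA_CHARS,
        "large_sum": abs(meta["max_abs_value"]) >= LARGE_SUM,
        "feeds_reporting": meta["used_for"] == "reporting",
    }
    reasons = [k for k, hit in checks.items() if hit]
    return sum(RISK_WEIGHTS[k] for k in reasons), reasons


def tier(score):
    """Assumed tiering: remediate 'high' first, then 'medium'."""
    return "high" if score >= 60 else "medium" if score >= 30 else "low"


def scan(previous_fps, workbooks):
    """workbooks: path -> (content_bytes, metadata). Diffs against the last
    snapshot and queues new or changed workbooks, highest risk first."""
    current_fps = {p: fingerprint(c) for p, (c, _) in workbooks.items()}
    delta = diff_inventory(previous_fps, current_fps)
    queue = []
    for path in delta["new"] + delta["changed"]:
        score, reasons = score_spreadsheet(workbooks[path][1])
        queue.append({"path": path, "score": score, "tier": tier(score), "reasons": reasons})
    queue.sort(key=lambda q: q["score"], reverse=True)
    return {"fingerprints": current_fps, "delta": delta, "queue": queue}


# Constructed sample: the previous snapshot and the workbooks found on this scan.
PREVIOUS = {
    "desk/pnl_adjust.xlsx": fingerprint(b"pnl_adjust v1"),
    "desk/holiday_rota.xlsx": fingerprint(b"rota"),
    "desk/old_model.xlsx": fingerprint(b"retired"),
}
WORKBOOKS = {
    "desk/pnl_adjust.xlsx": (b"pnl_adjust v2", {  # edited since last scan
        "external_links": 2, "has_macros": True, "hidden_sheets": 1,
        "max_formula_len": 210, "max_abs_value": 48_000_000, "used_for": "reporting"}),
    "desk/holiday_rota.xlsx": (b"rota", {         # unchanged, stays out of the queue
        "external_links": 0, "has_macros": False, "hidden_sheets": 0,
        "max_formula_len": 20, "max_abs_value": 31, "used_for": "analysis"}),
    "desk/hedge_calc.xlsx": (b"hedge", {          # newly discovered
        "external_links": 1, "has_macros": False, "hidden_sheets": 0,
        "max_formula_len": 40, "max_abs_value": 2_000_000, "used_for": "analysis"}),
}

if __name__ == "__main__":
    result = scan(PREVIOUS, WORKBOOKS)
    print(result["delta"])
    for item in result["queue"]:
        print(item["tier"].upper(), item["score"], item["path"], item["reasons"])
```

Only workbooks that are new or whose content hash moved enter the review queue, which keeps the ongoing process proportionate; the stored fingerprints from each scan become the baseline for the next one.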

Ramakrishnan, Mantas: Operational risk and compliance executives need to review their internal procedures and systems to determine whether they could identify, in advance, suspicious patterns of behaviour in these areas of concern: behaviour occurring outside the normal profile for a position in the firm, behaviour indicating more numerous trades than expected or amassing of larger than normal positions, and generation of passwords or lack of generating passwords with enough frequency to avoid misuse of passwords and access to data/records, and so on. Once such a review is done - and hiring an outside firm to do this review is much more likely to identify areas of concern due to their independence from the firm - the operational risk and compliance executives need to obtain systems that will fill the gaps. These systems should provide all of the behaviour pattern detection required to identify suspicious behaviour outside the norm for the roles involved. The firm needs to be conscious of the need for independent compliance systems in preventing further rogue trading events. It is the lack of such independent compliance systems that present the employees/rogue traders with opportunity for abuse.

Curby, Insight Risk Group: You must hope for the best but plan for the worst. Don't rely on existing controls and Sox process maps of the control environment. You must stress-test the controls to identify weaknesses within your own specific environment.

Employees are far more complex than the set of rules and controls that are written to guide them. Inherently there is a need for professional and personal recognition by the employees' family, peers, colleagues and industry. Traders especially are risk takers by nature. They research and exploit opportunities in the market to make profit for their banks. Under the right conditions, opportunity can push anyone over the edge to do something they wouldn't ordinarily do.

Banks must look inward when considering whether their controls stack up. If they don't, external crime groups will. Even worse, it could happen from within.

Staff turnover and internal staff movement causes increased risk to the control environment. This can often make for unclear responsibilities or matrix reporting lines and lead to confusion around controls.

Many banks use various satellite systems either purchased or developed in-house that feed into a core trading system. Security is only as good as its weakest link. While new software is implemented to improve service delivery, and financial instruments and products are constantly evolving, controls in these areas also need to evolve to keep pace. However, it is employees who input trades, build relationships with clients, check net positions, do the reconciliations and interpret the data, so employees are the key.

Middle- and back-office failures to identify deception (such as the one at SG) are directly attributable to system loopholes that had existed for a long time and were already known to employees.

Middle- and back-office, audit, compliance and other oversight-type functions check according to the existing control environment. They often fail to recognise the various loopholes for fraud. Unless you understand how to manipulate the system, you will not be able to properly check the various trades purportedly done.

Any experienced trader will know the controls used by middle- and back-office employees. They will know this from sheer experience.

Having policies and controls without stress-testing them in the actual operating environment is like driving at high speed on a motorway shrouded in fog. Eventually you will crash.

Piers de Ravenschoot, Actimize: As explained earlier, all banks have systems in place and early signs are often detected in disparate systems such as risk management, trading irregularities, compliance system, corporate security, audit and control, etc.

But some of these systems are not efficient, so how does the bank connect the dots? I think that the most efficient way to reduce the risk exposure of the bank is to have a three-pronged approach:

• A multi-dimensional analysis - for example, operational, compliance and security with an efficient electronic control system.

• Profiling of trader activity - whatever the creativity of the rogue trader, at some point he will always behave differently from his own profile or the behaviour of the group he belongs to. In the case of SG, we would have detected very early on activities such as abusive cancellation, concentration into low margin call instruments, and so on.

• Score aggregation of alerts and reports coming from various control systems - this would have caught the various signals coming from systems and, by consolidating them, the fraud would have been avoided.
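The profiling and score-aggregation steps described by Ramakrishnan and Piers de Ravenschoot above, as an added Python example that is not part of the original article or of any vendor's product: a trader's daily activity is compared against his own history and against the peer group, and the resulting alerts are consolidated with alerts from other control systems into one score per trader. The trader data, the two metrics (trades booked and trades cancelled per day), the thresholds and the other systems' alert scores are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data (hypothetical, not from any firm): per trader, nine days of
# (trades booked, trades cancelled) history, then the day under review.
HISTORY = {
    "T1": [(38, 1), (40, 2), (42, 1), (39, 2), (41, 1), (40, 2), (43, 1), (37, 2), (40, 1)],
    "T2": [(45, 2), (47, 1), (44, 2), (46, 1), (45, 2), (48, 1), (44, 2), (46, 1), (45, 2)],
}
TODAY = {"T1": (120, 35), "T2": (44, 2)}  # T1: triple volume, most of it cancelled

def zscore(value, baseline):
    """Standard deviations by which `value` exceeds the baseline series."""
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (value - mean(baseline)) / sd

def profile_alerts(trader, threshold=3.0):
    """Flag each metric where today's activity departs from the trader's own
    history or from the peer group (the other traders' history)."""
    alerts = []
    for i, metric in enumerate(("trades", "cancels")):
        own = zscore(TODAY[trader][i], [d[i] for d in HISTORY[trader]])
        peers = [d[i] for t, days in HISTORY.items() if t != trader for d in days]
        peer = zscore(TODAY[trader][i], peers)
        if own > threshold:
            alerts.append((f"profile/self/{metric}", round(own, 1)))
        if peer > threshold:
            alerts.append((f"profile/peer/{metric}", round(peer, 1)))
    return alerts

# Constructed alerts from other control systems as (trader, score) pairs; they
# feed the same consolidated score as the profile alerts above.
OTHER_SYSTEMS = {
    "risk": [("T1", 2.0), ("T2", 1.5)],
    "compliance": [("T1", 2.5)],
    "security": [("T2", 1.0)],
}

def aggregate_scores(streams, case_threshold=8.0):
    """One score per trader: capped profile alerts plus every other system's alerts."""
    totals = defaultdict(float)
    for trader in TODAY:
        for _, score in profile_alerts(trader):
            totals[trader] += min(score, 10.0)  # cap so one metric cannot dominate
    for alerts in streams.values():
        for trader, score in alerts:
            totals[trader] += score
    return {t: round(s, 1) for t, s in totals.items() if s >= case_threshold}

if __name__ == "__main__":
    print(aggregate_scores(OTHER_SYSTEMS))  # {'T1': 44.5}
```

Only T1 crosses the case threshold: both of his metrics depart from his own history and from the peer group, and the risk and compliance alerts add to the same score, while T2's scattered low-scoring alerts stay below it.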

McLeod, SAI Global: Managing the risk of fraud is always going to be a major challenge for senior risk executives. Its detection is increasingly difficult as rogue traders become more sophisticated in their methods of deception. However, having clear and visible leadership from the top, based on stated ethical values - supported by policy, training and awareness and ongoing monitoring, evaluation and investigation - will aid the prevention of such incidents occurring.

Having sound compliance risk policies, systems and internal controls in place to help minimise the risks of fraud is essential, however, having a knowledgeable and vigilant workforce is of equal importance. Many organisations have introduced whistle-blowing hotlines to encourage employees to report suspicious activities. Policies and procedures are only truly effective if you communicate these to your employees. After all, your employees can be your best line of defence against internal fraud but, left uneducated, they could be your worst downfall.

To educate your employees it is important to keep the training engaging, relevant and context-driven rather than theory-led to bridge the gap between policy and practice. This way your employees will better understand the application of your fraud prevention requirements to their day-to-day work. Your training should aim to give your employees the confidence and knowledge to 'do the right thing'. Senior executives should be leading by example by helping to promote an enterprise-wide risk management culture for the organisation rather than a tick-box compliance culture.

Paul Bach, Compassoft

Software industry veteran and pioneer in the spreadsheet governance, risk management, and control space. As CEO of Compassoft, Paul has built the company to a leadership position in the market-place and established strong ties with Big Four accounting firms.

Paul Curby, Insight Risk Group

Founder and managing director of the Insight Risk Group, Paul has over 25 years of experience in the area of fraud risk and specialises in banking. Before Insight Risk Group, he held director positions with a boutique and Big Four accounting firm specialising in fraud and forensics.

Edward Doyle, Norkom

Senior compliance product manager responsible for developing and enhancing Norkom's product management strategy with over 15 years' experience in financial services, working in the areas of compliance and operational risk. Edward holds a masters' degree in technology and innovation management from the Smurfit Business School, University College Dublin. Global head of operational risk management, with responsibility for business continuity management, information security and risk support for operations.

Cory Gunderson, Protiviti

Global leader of Protiviti's financial risk strategy and management practice. He oversees a team of risk professionals focused on improving clients' ability to manage credit, market and commodity and operational risks, as well as performing model validations.

Iain McLeod, SAI Global

Managing director of SAI Global's compliance division for Europe, Middle East and Asia. Over the course of his career, Iain has had significant experience of working with multinationals to deliver effective compliance, risk and ethics programs, a number of which have been recognised with industry awards.

Bruno Piers de Ravenschoot, Actimize

Prior to Actimize, Piers was vice president European sales for Poet, a German software provider, where he successfully participated in the launch of Poet in the Neue Market in Frankfurt. Prior to this, he worked for Credit Suisse First Boston (project Mynewdeal.com) as head of business development.

S. Ramakrishnan, Mantas

A 23-year finance and technology veteran. Prior to joining Reveleus in September 2001, Ramakrishnan held leadership positions at Citibank, including chief information officer for the Citibank global consumer bank where he laid the foundation for global information standards, strategic analytics and database marketing.
