Where are your organisation’s vulnerabilities?

“There was always something fishy about him.” “We all knew that, but...” “I would never have thought that...” These are typical sentences heard from colleagues during coffee breaks right after misconduct comes to attention.  Management is usually held responsible for dealing with an organisation’s vulnerabilities. However, you also have a duty of loyalty, just like any other employee in your organisation. Whether you are in a managerial position or not, you have a responsibility to report irregularities to those who are responsible.

An organisation can only succeed when people pull together. In extreme cases, issues that have not been reported to board or management may have crippled or even brought down the entire organisation. There are several examples of this in recent history.

Raising an issue is particularly important when it involves information security or misconduct, as these reach every corner of an organisation. In addition, legislators have tightened penalties for acts of negligence over the past few years.

How, then, can vulnerability control be implemented across the organisation? Based on our experience, we have listed five items representing typical vulnerabilities in organisations. There are also more comprehensive pieces of literature and frameworks, such as the new Fraud risk management guide. We recommend paying special attention to, at least, the following issues:

1. Middle management bears central responsibility for control
   It is typical that middle management is responsible for controlling organisational vulnerabilities, but according to research they are actually one of the biggest groups of perpetrators. This is why it is important to give employees the opportunity to report suspicious activities to someone above their own line manager or other executive (“skip level reporting”).
    
2. People rely on common sense
   Every organisation should have comprehensive guidelines and practices in place. Approved and written operating methods help ensure that activities are based on common practices instead of everyone acting solo. In simple terms, guidelines should be short, unambiguous and practicable.
    
3. Too much is dependent on one individual
   Sometimes an employee acts very independently in the same position for a long time, gradually acquiring more and more rights and entitlements. In such a case, misconduct might not be detected until this person leaves the organisation. This can be mitigated through, for example, job rotation, a formal risk detection practice and a regular inspection of access governance practices.
    
4. Potential cases of misconduct have not been identified
   It is useful to regularly deliberate on the cases of misconduct that are most likely to occur in the organisation. Where is the organisation vulnerable? How should the organisation act with customers and suppliers? What is the worst thing that can happen?
    
5. Misconduct brings the organisation to its knees
   If misconduct or unethical behaviour comes as a complete surprise to the organisation, it might have a profound impact on the organisation or even its continued operation. To overcome the situation, the organisation should have a defined and agreed set of operating methods, roles and responsibilities.

Trust, but verify

Even though every employee of an organisation has a duty of loyalty when it comes to vulnerabilities, possible liabilities for misconduct are aimed at those who are responsible for the matter at hand, and therefore organisation and allocation of responsibilities must be carried out unambiguously, in writing.

The organisation has to go through a complex, multi-phase process to get the controls running in a way that supports business operations. They may not be perfect at the first attempt – or ever, which is more likely. They need to adapt to changes in operational requirements. Plans made several years ago might no longer be suitable to meet current or future needs.

Internal resources are not enough in all situations, so it is a good idea to map potential partners in advance. With the help of a professional partner, the organisation can look into preventing misconduct and identifying problems - or start to investigate an actual or suspected case of misconduct quickly.

During the Cold War, U.S. President Ronald Reagan quoted a Russian proverb that is just as true today in preventing organisational vulnerabilities: “Trust, but verify”.