On Internal Fraud and the Destruction of Stars

Like many other kids growing up in the eighties, I too fell in love with the original Star Wars trilogy. A masterpiece, so revolutionary for its time, that it managed to grab hold of entire generations and, today, continues to do so with every new one.

Back then, unlike today, it was normal to watch movies over and over again, and I must have watched these three movies hundreds of times. Despite the passionate scrutiny, there was one thing that I was never able to understand: how was it possible that the Death Star could be destroyed by a single shot? It made no sense to me…

Over the decades new movies were released, but I only ever watched “Star Wars: Episode I – The Phantom Menace”, the very first episode of the prequel trilogy, back in 1999. Maybe not too shocking to some hard-core fans, I found the new movie far less fascinating than the original three and consequently stopped at that one.

Later in life, I built a career in risk management, and so the question I had as a kid became even more baffling. Was the Imperial Risk Management team sleeping while the Death Star was being planned, designed, built and tested? Were they out enjoying a drink with Darth Vader? Impossible! Risk managers hardly get to mingle with top management.

The more I learned about risk management, the more inexplicable this turned out to be. Certainly, they must have had “Death Star Destruction” listed in their risk register; most probably the risk was plotted in the top left corner of their heatmaps: very high impact, very low likelihood. I bet the quarterly risk assessments always ended up classifying the event as highly improbable, if not impossible.

Furthermore, although their computer graphics resembled an arcade videogame from the late seventies, the AI/ML technology they must have had would have identified the weakness already at the drawing table. The Empire had the drawings in its hands all along and failed to recognise the vulnerability, while the rebels discovered it less than a week after obtaining a copy of the structural plans. I guess it must have been a matter of genuine start-up ambition versus complacent corporate overconfidence.

It has been estimated that it would cost $850 quadrillion to build a Death Star. Taking into account inventory, property, intangibles and investments, the Empire’s balance sheet must have been sizeable enough to justify investing a few trillion into IT Security and Risk Management. If they did, they really picked the wrong people for the job. Perhaps they hired a flashy consultancy firm that delivered what the Empire’s top management wanted, rather than what they needed.

Then, in 2017, on a boring nine-hour business flight to who-remembers-where, by pure chance, I watched “Rogue One: A Star Wars Story”. To my immense surprise, the movie unveiled (spoiler alert!) that Galen Erso, a renowned polymath expert in crystallography who despised the Empire, had been tasked with redesigning the power source of the superlaser used by the Death Star to destroy planets and, while doing so, was able to build in a fatal flaw in the form of a ventilation shaft directly connected to the reactor core. I know… this is a bit too geeky…

At last the answer was revealed: it was Internal Fraud!

It was so simple. Yet, despite my regular dealings with this devious subject, I had never really considered an inside job a credible possibility, because creating a weakness that could potentially destroy the Death Star would have required, in my opinion, an exceptionally high level of access and unsupervised labour. Still, there it was. And perfectly justified too.

On a personal level, I have a very broad definition of Internal Fraud: any breach of trust, in any mutually agreed relationship, aimed at taking advantage of a given situation at the expense of most of the parties involved. Hence, it spans from a corrupt cop to a bribed politician, from a cheating partner to a deceitful team, from an employee who steals company property to a manager who hires a relative; to me, anyone acting against the agreed rules and policies within their own faction is committing Internal Fraud.

More commonly, in a business environment, Internal Fraud is identified as an act committed by an employee, or group of employees, with the intention of taking advantage of the organisation they are part of. In terms of frequency, it mostly occurs at the lowest levels, where there is less control because the activities performed are usually low-risk. On the other hand, it is less common, albeit far more treacherous, higher up in the hierarchy, because more and more scrutiny is applied to all the players involved, who, in addition, generally have more to lose.

When well organised, despite being vaguely sensed through the atmosphere it creates, it is usually difficult to detect, as it operates within the open gaps embedded in our processes without triggering any alarm. However, once discovered, as we pierce through the layers of deceit, it falls to the ground like a house of cards, often leaving behind sufficient evidence to identify all the players involved.

Frequently, the cost of Internal Fraud is grossly underestimated. Most companies stop at the mere financial impact, while the biggest impact is actually on the morale of staff. As I mentioned, Internal Fraud can be sensed, even when there is no hard evidence to prove it. Most employees simply end up trying to ignore that sensation, being mildly affected on a subconscious level; the foulest ones might actually seek to join the deceit or even try to outperform it; while our stars will be the ones most severely disturbed by it.

Inaction on our side will lead to the destruction of our stars. Good employees will not tolerate an environment where misconduct is inadequately addressed or, even worse, completely overlooked. This is truly the biggest cost deriving from Internal Fraud. Difficult to measure and assess, but still addressable with the right risk strategy.

A common approach to successfully managing Internal Fraud is the implementation of control measures on any activity that is prone to exploitation; checks and balances can be created purposely with the intention of preventing people from taking advantage of their roles, positions and ensuing access, making it harder for anyone to abuse the system. But what are the consequences of implementing such an elementary approach?

Focusing on control and treatment is effective, but it comes at a cost: it breeds a culture of mistrust. We are effectively saying “we trust you, but we just don’t trust you enough”. To steer clear of any negative vibe generated by the control measures being implemented, we conjure up every kind of excuse, from the simple “it is just to prevent you from making an unintentional mistake” to the mind-blowing “we need to protect the accounts via a dual approval, in case you are kidnapped”.

Don’t get me wrong, I am the first one to say this is required. We still need to protect our organisations from any possible external intruder, today more than ever before. So, controls and checks are essential. They are just not the most efficient way to go about it when it comes to internal threats. What I am suggesting is that more attention should be placed elsewhere, in order to drive a safer internal environment. My money is on culture.

If there is one thing we learned from the Empire, it is that ruling through fear and coercion leads to conflict. Similarly, in a business environment, an iron-fist approach where no one is trusted typically backfires. It is also true that this approach lingers on from the past millennium and stems from a typically military-like methodology. Despite several recent efforts to change this outdated approach, many people still resort to it when unable to drive a more mature tactic.

As risk managers, even if at times we consider ourselves Jedi, we cannot quite force-choke people into submission, regardless of their actions and wrongdoings. We need to lead by example, using our force to show our organisations the path to the light side. Therefore, we need to rise above the expectations we impose on others, ensuring that a fair amount of trust can always be placed in us.

Furthermore, it is our duty to apply a consistent standard: we have to expect the same from anyone at any level within the organisation. Allowing for disparities in how we hold people accountable is in itself a form of Internal Fraud. We are letting down a part of the workforce in favour of another one, creating an unequal ecosystem.

My recommendation is therefore to foster a culture of openness and integrity, where all employees can feel safe to speak up and report any unusual behaviour they might witness or even merely sense. We need to reward anyone who calls out unwanted conduct, and we need to be ready to be the first ones judged through our own system. A double standard cannot exist in such a strategy, and everyone has to fall under its umbrella on equal terms.

Not even the Death Star could have destroyed a star, but Internal Fraud can for sure destroy the best stars in our organisations. It is our obligation, as risk managers, to protect them at all costs, also through the creation of a trustworthy culture where they can securely perform and thrive.

May the best culture be with you.