Night Watch vs. Mona Lisa
The Night Watch by Rembrandt van Rijn is one of the most valuable paintings. These days it is on display in the Rijksmuseum, it has always been owned by the city of Amsterdam and it is not insured. Therefore it is impossible to value the painting, making it priceless. Attempts to estimate the painting’s value amounted to around 600 million euro.
How do you safeguard a painting that is worth so much? The Louvre has a similar painting: the Mona Lisa. They have chosen for bullet-proof glass, a barrier and keeping the public at a distance. This is not an option for the Rijksmuseum, because they believe that such an approach does not do justice to the painting. They chose to let go of control. No glass, no barrier, instead opting for security guards that are trained in signaling unusual behavior and that can directly and adequately intervene when necessary. Control has been replaced by vigilance and assertiveness.
I see a significant parallel with the way organizations protect themselves against fraud. In my opinion too many organizations opt for the Louvre method and too few for the approach of the Rijksmuseum.
Why? Fraudsters love rules, processes and new technologies, because these offer new opportunities. They focus entirely on bypassing security based on static procedures.
On the other hand, I miss this same eagerness in organizations to employ the new technologies to combat fraud and undesired behavior. And there is so much technology that is perfectly suitable for detection. Take for example machine learning, predictive coding and sentiment analysis in audio files.
We also see an abundance of new rules and legislation, or a stricter enforcement of existing rules and legislation. After each incident, after each scandal the call for stricter regulation becomes stronger, because we can’t allow it to happen again.
Does it help? I don’t think so, as scandals, incidents and fraudulent behavior still occur.
Everyone has their price
For me the above was the reason to investigate whether protection against fraud and fraudulent behavior could be done in a different and better way.
In the fraud investigations that I do, my research takes place over a period of several years. Organizations I work for regularly ask how it is possible that the fraud has remained undetected for all those years. Why has the whole range of preventive measures not helped to stop the fraud or undesired behavior?
The answer is simple: people will always be creative and you can never make something 100% watertight. There are always people who have a reason or feel the need to commit fraud. Where there’s a will there’s a way. There is an anecdote about Abraham Lincoln from the time before he was president of the United States and he still worked as a lawyer. A man went to Lincoln and enquired if he would be willing to defend him. Lincoln asked if the man was guilty. The man said he was and Lincoln refused the job. Even when he was offered 1,000 US dollar he continued to refuse, and he also turned down the offer of 2,000 US dollar. At the offer of 3,000 US dollar he became angry and threw the man out of the office. Surprised, the man asked why he had not got angry before, not with an earlier offer or when the man admitted to be guilty. “You came too close to my price,” Lincoln replied.
Because everyone has their price. There are always circumstances that will make people adjust their norms and values and turn to fraud.
The control paradox
But what do you have to do then to combat fraud?
I am convinced that, like the Rijksmuseum, we should let go of control. Complete control is impossible, you can’t prevent everything and you can’t prepare yourself for every eventuality. Trying this will only lead to a rigid organization, based on false security and a culture of checklists.
This will only have the opposite effect: an increase in rules and measures against fraud and undesired behavior does not lead to a corresponding decrease in fraud and undesired behavior. The more rigidly you try to prevent something, the greater the inclination, also internally, to bypass the measures. The world is simply too complex and uncertain to be prepared for everything and to mitigate all risk. Who could have predicted the Volkswagen scandal in which defeat devices were used to meet the emissions standard? Who knows what the next scandal will be?
Therefore we need to focus on vigilance, to signal fraud and undesired behavior when it actually takes place and not afterwards. The technology already exists, take for example machine learning and other data analysis techniques. We also need to train employees and make sure fraud and undesired behavior are openly discussed.
The second pillar is assertiveness. Just signaling is not enough. When we see unusual behavior, we immediately need to be able to, want to and dare to intervene. This can be achieved by training employees and by realizing a transparent culture. For example, interesting techniques can be learnt from crisis management in the armed forces.
In the end these changes need to result in a less rigid organization where everyone is vigilant, involved and assertive.
Let go in order to conquer
My call to let go of control is often put down as naivety. I see that differently, because at Deloitte the approach is already proving successful on a small scale. Therefore I challenge you to reflect on and develop the vigilance and assertiveness of organizations. Are you ready to let go of control and conquer fraud?