top of page
  • Lia Tsur

The Desire to Trust

"What's the highest risk in your division?"

While I was the risk manager of the financial division at one of the biggest Israeli banks, I would often get asked: "What is the highest risk in your division?" later on, with the accumulated experience, facing various types of risks, dealing with the first defense line aka the business / operational managers, I realized what the answer was...

It is an unknown risk.

We have all recently heard of the German company WIRECARD case of fraud, under which 2 billion Euros have disappeared... this caught everyone by surprise, nobody understands how such a huge financial company, has lost 2 billion euros and no one has caught on to that... (seriously? do you believe nobody knew about it? Well... I don't). My job, for the last 17 years, has been to read and analyze incidents of embezzlement and fraud. So what have I learned over the years from reading and analyzing the cases? That the story repeats itself again and again (and again) and the only changes are the dates, amounts, and the people involved. surprised? If you're not engaged in the profession, I can understand why, but if you are in the profession, then you shouldn't be surprised.

The desire to trust.

I can totally see why human's nature is to trust and believe in others (who am I to argue with the one who created us ?) and thank God statistically most people are trustworthy, but (!) the nature of the risk and control managers should be the exact opposite of the automate human nature: they need to be suspicious and they need to communicate to the decision-makers what the risks are, the probabilities and what should be done. In addition, the business needs to make as much money as possible (economics 101...). Therefore, in many cases, controls and investing resources for mitigating the risks is seen as "less sexy", unnecessary, a waste of time, and also disrupting business to make more money... So what did we get? Great conditions and opportunities for crooks and criminals to do as they please...

Reality is somewhere in the middle, there are organizations (such as banks) that have a tough regulator forcing them to manage risks in general and embezzlement and fraud risks in particular (Disclosure: I managed such a unit in one of the biggest Israeli banks for 5 years). In spite of the fact that banks are investing a lot of resources and money to minimize the risk, naturally, there is never a 100% guarantee. In organizations that are not subject to the Bank of Israel, the "appetite for risk" is determined by the "spirit" at the top, how well it understands the risks and whether or not it is willing to accept them.

As for the above case, I was asked "Where is EY's responsibility"? So I will briefly summarize my opinion on the case (based on media publications only) Tone at the top! A financial company that rolls such large amounts, can not employ external control entities! It's wrong and unprofessional. You can not take outsourcing for internal controls. Things you see from the inside cannot be seen from the outside! And this is why there is a professional gap between consultants who have been consultants throughout their lives and between hands-on control and risk managers that work within organizations. As flashy and impressive as it may seem, outside parties cannot be exclusively relied on So, what should be done?

1. Finding the most vulnerable places in the organization, as to what will hurt the most and may bring down the organization.

2. Do a deep dive analysis and actually break down the work process and examine whether or not there are any gaps, exposures, etc.

3. Define compensatory risk mitigation controls. This is an entire professional world of its own. The reduction can be "simple" to move a control unit to another organizational subordinate with 0 costs, exceptional report characterization, change of work process (again 0 costs), division of 2 units (operation and control), and sometimes the recommendations streamline the work process and even save money! Not all recommendations are necessary for a new costly system. Although, sometimes in order to make a leap, implementing a dedicated system, is necessary, depending on the context, organization, and potential damage.


bottom of page