Risk Insider: Greg Bangs

When Do-Gooders Do Wrong: Fraud at Nonprofits

May 21, 2015 • 2 min read
Gregory W. Bangs is chief underwriting officer of global crime at XL Catlin. Over the last 30 years, he’s been underwriting insurance and developing new products in the U.S., U.K., Hong Kong and France. He can be reached at Gregory.Bangs@xlcatlin.com.

Recently, a former Emory University employee pleaded guilty to wire fraud after embezzling more than $300,000 in tuition and fees paid by students. She instructed students to wire their tuition into her own PayPal account.

According to her attorney, “Based on the circumstances at her life at the time, she made some poor choices.”

From universities to religious groups to a host of local, national and global charities, nonprofit organizations are full of honest, hard-working people dedicated to improving society in some way. Unfortunately, even the most well-meaning individuals can find themselves in situations — faced with financial troubles or other personal circumstances — that tempt them to act inappropriately. Before they know it, they find themselves in financial hot water and, in turn, their nonprofit employer is in it as well.

According to the latest “Report to the Nations on Occupational Fraud and Abuse, 2014 Global Fraud Study,” by the Association of Certified Fraud Examiners, not-for-profit organizations continue to make up more than 10 percent of frauds committed.

While a for-profit organization may see stolen money take a bite out of its profits, a charitable organization may see even greater financial and reputational damage when money intended for doing good goes elsewhere.

That’s why the temptation to cover up financial problems can be particularly attractive for nonprofits. For organizations that rely on charitable giving, the notion that they are not safeguarding donations more carefully can put a dent in the future donation stream.

It’s also a bit of a double-edged sword for nonprofits. Putting fraud controls in place may entail some administrative costs, and many donors evaluate their giving decisions based on nonprofits’ cost allocations, leaning towards organizations that show more of a donor’s dollar goes directly to their cause, not administrative costs.

In the long run, however, internal processes and protocols can prove to be a wise investment that will assure that money given to a cause is allocated to do the good it is intended to do, not swiped by employees.

Like any for-profit organization, not-for-profits need to maintain a strong system of internal controls, among them:

  • Segregate duties. This assures that one employee cannot perform a complete financial transaction from end to end without involving someone else along the way.
  • Background checks. For a nominal cost, nonprofits can make sure that employees have not already had some past issues that would affect their judgment with the organization’s money.
  • Invest in technology. Today, accounting software packages can raise a variety of red flags, such as repetitive withdrawals or employee expense reimbursements.
  • Identify the role of board members for responding to or investigating allegations of fraud. Many seasoned financial and business professionals serve on charitable organizations’ boards of directors and can be valuable sources for setting up fraud control procedures.
  • Commit to an independent audit every 4-5 years. Larger charitable organizations may commit to independent audits more regularly as they are often required in order to receive federal funding. Smaller organizations can seek more affordable methods of evaluating the nonprofit’s financial positions, such as a review of certified financial statements.
  • Prosecute offenders. Again, many nonprofits can be reluctant to go public with fraud cases because of the potential effect on donors. Not acting, however, can be equally detrimental, sending a signal that employees who dip into an organization’s bank account may just walk away with a slap on the wrist.

Cyber Security

Cyber Vulnerabilities ‘Easy to Find’

Old ploys and process deficiencies impact 2014 data breach attack numbers.
May 13, 2015 • 4 min read

Verizon’s “2015 Data Breach Investigations Report” (DBIR), published earlier this month, paints a disturbing picture for organizations and their customers.

The 2015 report analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents in 2014. The previous year’s report, which covered 2013, looked at 1,367 data breaches and analyzed more than 63,000 security incidents.


In about 70 percent of the new cases, decades-old ploys such as phishing and hacking are still successful because companies haven’t kept up with patching.

The question is, why are so many companies still not ahead of the curve when these cyber attacks can have such a devastating impact? The reasons boil down to priorities, process, and people.

“The bad guys don’t really have to work too hard to do this,” said Mark Weatherford, principal at The Chertoff Group and former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security.

“They are looking for vulnerable people all the time, and unfortunately it’s far too easy to find them.”

To help organizations assess these threats more effectively, Verizon Managing Principal and report author Bob Rudis said the report — for the first time — includes an impact section that ties dollars and cents to each data record compromised.

“We now have impact information that folks can use for risk management purposes, including enterprise risk management and financial risk management,” said Rudis.

“It’s a model for looking at breaches in a whole new way that we couldn’t talk about before.”

The model shows different loss forecasts for different volumes: the average loss for a breach of 1,000 records is between $52,000 and $87,000; for 10 million record losses, it’s $2.1 million to $5.2 million.

As for the types of cyber attacks plaguing organizations, about 83 percent of security incidents involve compromising websites and servers to go after a secondary victim through denial-of-service attacks, to host malware, or to repurpose the site for phishing. This is up from 76 percent in the 2014 report.

Additional top threat patterns include: miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; cyber espionage; point-of-sale intrusions, and payment card skimmers.

The industries most affected by cyber attacks are the same as in recent years: public, information, and financial services.

How to respond? First, look at different industries that are experiencing the same kind of attacks as you are — no matter how different they seem, advised Verizon Senior Analyst Suzanne Widup: “See if you can make contact with them and not stay within your same silo.”

To start closing the high volume of vulnerabilities organizations often have, Weatherford advised developing better patch management programs that include testing and a timeframe for implementation.

“I hate to sound that simplistic but really that’s why [threats from] 2007 pop up in companies – because companies haven’t done their due diligence to do the [security] hygiene that they need to do,” he said.

Marc Spitler, Verizon senior analyst, puts it more colorfully: “Instead of just playing Whack-A-Mole with the particular vulnerabilities, [companies] need to understand why they were actually visible to begin with.”

Finding qualified IT people to tackle the security problems is another reason companies aren’t keeping up with patches and other protections, said Mike VanDenBerg, a managing director in KPMG’s cyber services and information protection practice based in Dallas.

“There’s an undercurrent not mentioned in the report: that the supply and demand of labor in this industry is very unbalanced,” he said.

“Every single client that I have in the Fortune 50 cannot find enough qualified people to do what needs to be done in this space. If I were to invest the next million dollars in my security problem … it would be [in] trying to solve the problem that I’ve had for several years, which is people. It’s just a matter of priorities.”


For VanDenBerg, consistently covering the entire data environment will make the biggest difference to companies.

“Some of the constraints are: legacy systems that can’t be patched, are out of support, [or] are off the books from an accounting perspective but are still functional from a technology and business perspective. [These are] great from a financial standpoint but it’s bad from a security standpoint,” he said.

“Shutting down those assets and moving to new and different technology ultimately will increase your security. Yes, it will open up to holes in the future but I’d rather have something that I can do something about than have old technology that I can’t.”

Looking to trends in 2015, Verizon’s Rudis had this to say: “My prediction is a non-prediction; if the status quo [within organizations] stays, we are pretty much going to see almost a mirror image of the report next year.”

Maura Ciccarelli is a long-time freelance writer. She can be reached at riskletters@lrp.com.

Sponsored Content by CorVel

RIMS Recap: Tech Trends that Could Change Everything

The future is here, and emerging technology is transforming the landscape of workers' compensation.
May 8, 2015 • 5 min read

Last month, Gordon Clemons, CEO and Chairman of CorVel Corporation, presented at the RIMS Conference in New Orleans, La. about emerging technology and how it is impacting risk management and workers’ compensation. The discussion served as a springboard for new insights on how technology will change the industry, and reaffirmed the need for integrated systems and human interaction for the best results.

The presentation noted the future is here – and technology is constantly evolving in hopes of outpacing tomorrow’s needs. As these technology platforms become more inherent in daily life, the gap in translating their utilization to workers’ compensation will begin to close.

Technology in Healthcare

While many consumer-based technology advancements exist in other industries, perhaps most notably in the retail space helping vendors to reduce various delays in the sales experience, people may forget that healthcare, too, is a consumer industry. And as such, healthcare also experiences workflow lags, which can be collapsed.

While patients and claims may not lend themselves as freely to mobile applications and technology that subscribes to the “Internet of Things” philosophy, the rapid rate of development foretells the not-too-far-off arrival of the “a-ha,” “wow factor”-type application that consumers are seeking in the healthcare industry.

Once we get there, we can only expect that the Pangea of resources will yield better outcomes. The potential impact to medical management includes more affordable/accessible healthcare, patient convenience, personal assistance, automatic inputs to claims systems and less administration from both patients and injured workers.

“Healthcare is stubborn about change. There are more data points in healthcare and there is a greater need for high quality and accuracy,” Clemons said.


Tech Trends for the Next Digital Decade

As an industry advocate in all things innovation, CorVel has been keeping tabs on emerging tech trends. As they begin to influence other industries, it sparks the question – will they eventually change workers’ compensation?

Here are some of the trends on CorVel’s radar:


Smart phones and tablets were the first mobile devices to really start to gain traction across people’s personal lives. Since then, wearables (like Fitbits and smart watches) have been part of the next digital generation to be taken up by consumers.

As these personal devices quickly advance, wearables could offer payors and employers added insight into the wellness of claimants through the extent of their retrievable data.


Beacons are devices that use low-energy Bluetooth connections to communicate messages or triggers directly to a smart device (such as a phone or tablet). Retailers have started using this technology, sending offers to near-by consumers’ phones. Now the concepts of smart mirrors and smart walls offer a one-stop-shop with recommendations related to the preferences of the shopper – making a hyper-efficient business model. It is possible that we could see these devices adapted to being a catalyst for healthcare’s business model by reducing the delays of administrative work.


Formally known as unmanned aerial vehicles (UAV), drones can be remote-controlled or flown autonomously through pre-defined flight plans within their internal systems. Some carriers are testing the use of drones to evaluate property damage and respond to natural disasters.


As most injuries reported in workers’ compensation are musculoskeletal injuries, the industry lends itself well to the benefits of telecommunications and telemedicine. With the rise of electronic capabilities, telemedicine becomes another option to help guide an injured worker through their entire episode of care, reducing time delays.

In order to get to that point in time, implementing these trends (and those that are yet to be launched) will only be as successful as the population willing to accept them. Buy-in will require a commitment to the long-standing pillars of the industry. According to Clemons, “While technology can truly move the needle in workers’ compensation, it will take more than bells and whistles to maximize its impact.”

“People’s feelings are valid. The skepticism surrounding new technology is not misplaced, but neither is the enthusiasm,” Clemons said.

New Trends, Same Priorities

Beyond the buzzwords and hype surrounding the latest apps and devices, for new technology to succeed within the workers’ compensation realm, it boils down to the two primary concepts that drive the industry to begin with – effective infrastructure and a people-first philosophy.

The power of applicable resources and the actionable data that results from them is in the foundation of the systems themselves; that primarily being through the influence of integration. It is not a new concept; however, as technology advances and the reach of analytic capabilities broadens, it is important to find a provider that can harness this data and channel it into effective workflows to increase efficiencies and promote better outcomes.

CorVel’s proprietary claims management system has been developed and supported by an in-house, full-time information systems division to be intuitive and user-friendly. Complex, proprietary algorithms link codified data across the system, facilitating collaboration between services, workflows, customers, and technology and eliminating the risk that a crucial piece of information will be missed. The result is an active “ecosystem” providing customers with actionable data to provide the most accurate, comprehensive picture at any time, while also collapsing inherent delays.

For the injured worker, the critical human touch connection in the workers’ compensation process can never be minimized. By cutting lag time throughout the various inefficiencies underlying the industry’s workflows, CorVel can connect injured workers with quality care sooner. As systems advance, claims and managed care associates do not have to spend as much time on administrative work and will instead be able to devote more time to the injured workers, reviving the human touch aspect that is just as impactful within the industry.

Regardless of the technology that lies ahead, CorVel looks to the future with investments in innovation, while not losing sight of their role and responsibility to clients and patients. Dedicated to constant improvement for the services they provide injured workers and industry payors, CorVel is committed to improving industry services one app, click, drone (or whatever is yet to come) at a time – perhaps something to discuss in San Diego at next year’s RIMS conference.

For more information, visit corvel.com.


This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with CorVel Corporation. The editorial staff of Risk & Insurance had no role in its preparation.

CorVel is a national provider of risk management solutions for employers, third party administrators, insurance companies and government agencies seeking to control costs and promote positive outcomes.