Fraud, compliance concerns and cyber attacks have become the costly norm for North American and Latin American companies. These threats are increasing in scope, number, and severity, and the COVID-19 pandemic has made things worse. But many companies do not have adequate defenses against these threats, even though the average combined loss from fraud, data breaches, and regulatory fines can be more than 1 percent of their profits.
These are some of the key findings from A triple threat across the Americas, the KPMG Fraud Outlook for 2022.
In North America —
- Two-thirds of respondents expect external fraud to increase in the next year.
- 84 percent say that cyber risk will grow.
- 73 percent expect compliance risk to rise.
In Latin America —
- Respondents’ companies are more than twice as likely to experience internal, or occupational, fraud as compared to those in North America.
- Over a quarter of respondents are unsure if their companies fully meet local rules with respect to corruption and money-laundering regulations.
We call these triple threats a ‘threat loop’ because each threat adds to the potential damage inflicted by the others. We believe that defending against this threat loop requires a collective, interconnected effort. Companies need to look at the combined impact of these threats, rather than just the risks they pose separately. This requires a comprehensive risk assessment backed by data analytics, a close study of compliance measures and fraud mitigation efforts, a review of remote and hybrid working environments, and careful monitoring of cyber threats.
A holistic risk assessment
An effective risk assessment should identify risks and support the effective distribution of resources for risk mitigation. Mitigating low-level risks should not drain valuable resources from addressing more critical risks. Companies should identify their primary risks first, pinpointing gaps in defenses and taking immediate steps to fill them. In identifying these risks, companies should also keep in mind that today’s threats are interconnected. For example, a lack of compliance in the IT department could lead to a cyber breach that, in turn, might lead to an incident involving fraud.
A rigorous risk assessment requires buy-in from the CEO, the board, and upper management. Decision makers need to clearly understand the significant costs of these interconnected threats in terms of reputational, financial, and operational damages. Backed by executive buy-in, the company’s compliance and legal departments can develop the resources they need to identify risks, mitigate potential threats, and build a culture of enforcement and accountability.