Using human centered design to prevent fraud
The fraud diamond is a common framework for understanding why fraud occurs and designing better fraud controls. David Wolfe and Dana Hermanson built upon the fraud triangle developed by Donald Cressey in 1973 and explained that for fraud to occur, four elements had to be present:
All four elements of the fraud diamond (except for maybe opportunity) are about the person that committed the fraud. What was their motivation? How did they rationalise their actions? Did they have the capability to conduct the fraud? This suggests that the solution to fraud is also a very human problem.
Wolfe and Hermanson’s fraud diamond
When we build business processes or audit them, we use segregation of duties, approvals, check sums and system controls. We create handoff points and challenges that have to be navigated before the human worker can complete their work. This creates a lot of friction within the process.
Friction is designed to slow down the process, allowing for the transactions to be checked and, hopefully, demotivating unethical behaviour on the basis you’ll get caught. Without this friction, risk of fraud increases.
While friction can be used as a design element to prevent human error, in today’s businesses, friction also causes huge amounts of stress as employees attempt to get lots of work done under pressure to make it happen quickly to keep up with the pace at which business occurs.
So is there another approach to designing for fraud prevention that doesn’t rely on friction and gets at the heart of the fraud problem: humans?
A human-centred design approach to fraud prevention
The father of design, Don Norman, summarised the four key components of human centred design in a 2019 article:
1. Understand and address the core problems
2. Be people-centred
3. Use an activity-centred systems approach
4. Use rapid iterations of prototyping and testing
The core problem
“Core issues often include the people’s lack of understanding of the complexity of the entire system, misaligned resources and reward structures, and the disruptions caused by the work environment, with frequent interruptions, conflicting requirements, overly-complex technology, and the need for multiple transitions among technologies systems, and people leading to continual interruptions as well as lack of complete communication between elements.”Don Norman
Our traditional friction-based approach to fraud control actually exacerbates some of the issues in our most problematic processes. Let me go back over a couple of Norman’s points there.
“complexity of the entire system” In many cases, the system complexity is what allows for an opportunity to manipulate a transaction. Too much complexity clouds the process owners’ ability to review what has occurred within their system. It also clouds our ability to understand the root cause when something does go wrong. It’s easier to add another layer of control without considering what may be broken elsewhere in the system to allow the breach to occur.
“misaligned resources and reward structures” This is a huge one. Businesses expend a lot of effort on creating strategy, developing goals, identifying a metric partially aligned to the goals, and then measuring that metric as a fixed KPI. Often time fraud doesn’t start out as an attempt to steal millions of dollars but begins when an employee is under the pump, attempting to meet a KPI and runs out of valid actions to meet it. In this case, rationalisation becomes easy: the unethical action appears to be the best way to achieve the goals set for them by the organisation they are harming.
“the disruptions caused by the work environment”Norman has a long list of disruptions in the quote above. When creating controls, we don’t often don’t control for the work environment that influenced the employee’s ability to make an ethical decision, at least, not beyond creating a code of conduct and running some training. Ethical behaviour is an expectation we have of our employees. However, analysing a true ethical problem often requires a share of mental resources that are rapidly being absorbed by distractions, stress and complexity in our workplaces.
How do we apply this principle to fraud prevention? We need to make sure we are examining the problem at a depth to identify the real root causes, and considering the full complexity of the system and environment where the problem arises.
“It means considering all the people who are involved, taking account of the history, culture, beliefs, and environment of the community. The best way to do this is to let those who live in the community provide the answers.”Don Norman
Motivation is placed at the apex of the fraud diamond because fraud seldom occurs by accident. When attempting to get to the root cause of unethical behaviour, the human element needs to be one of the first areas to examine.
Research has found that employees often steal from workplaces as a result of their workplace environment or dissatisfaction with their job. (Hollinger and Davis) All of the elements in the quote above are relevant here: An organisation’s history gives employees an indication of the level of ethical behaviour required and the consequences of not complying with that standard. Culture and beliefs of those in the workplace can influence how the ‘grey’ cases are handled. The workplace environment can allow for fostering negative behaviours that lead to unethical actions.
When we examine the people-element in fraud cases, we need to consider all the people that are involved. Not just the processor and approver. We also need to consider the leader that oversees (and may pressure) the operators to behave in certain ways. Even when they’re not complicit in the fraud, a leader may contribute to fraud in a number of ways:
1. Creating an environment that contributes to motivation or rationalisation
2. Preventing witnesses from raising suspicious behaviour without fear
3. Performing their existing review controls inadequately (note, it’s seldom that the system control failed to notice an invoice exceeded a purchase order, and more often that the leader failed to scrutinise their budget variances enough)
How do we apply this principle to fraud prevention? We need to design our systems and controls for people, prioritising human behaviour in our designs and addressing the human context that creates the motivation, rationale and opportunity for fraud.
“Moreover, activities do not exist in isolation: They are components of complex sociotechnical systems.”Don Norman, 2019, The Four Fundamental Principles of Human-Centered Design and Application
Many controls focus on single activities within a process: is the invoice less than the purchase order? Does the total of the expenses exceed this month’s budget? Has the timesheet been signed off by an approver? Frauds themselves are a momentary activity as well: the moment a falsified invoice is processed; the moment the bank details are changed to an employee’s account; the moment a budget figure is manipulated.
These single activities don’t exist in isolation. The moment a person becomes motivated to commit fraud usually doesn’t occur at the same time as they identify a rationalisation for their actions or notice an opportunity within their work. It’s not the same moment that a person learns their capability to commit the fraud.
Therefore when we are analysing root causes for fraud, we need to consider what happens before and after that moment in the process. We also must consider where a particular activity is dependent on another part of the process, a separate process or multiple interdependencies.
The temptation to implement a new control at the point where a fraud occurs is very high. The problems with this approach are two fold. It often fails to take into account the other steps in the process that allowed an unethical action to occur. Secondly, this approach increases the complexity which can in itself be manipulated unethically and slows down your business processes.
How do we apply this principle to fraud prevention? When analysing a fraud scheme, consider the entire lifecycle of the transaction, including the organisational context in which the employees are operating when they handle the transaction. Analyse all of these factors, not just the single moment of breakdown.
Prototype and Test
Testing fraud prevention mechanisms realistically is hard. We can’t predict when and where fraud is going to occur. By nature, if it is occuring, it’s not happening transparently where we can analyse it.
However, the effectiveness of our fraud controls can be proven through prototyping, testing and iterating the process when operating with ethical behaviour. We should run multiple ethical scenarios through the process to identify where strain is being put on the system that may allow for, or even cause, control failures.
Are we testing the review reports with our leaders to ensure that they are in a format and length that actually motivates effective review? Is a system control so restrictive that it is more likely to motivate non-compliance than prevent fraud? Have we adequately understood how our resource and reward models are being perceived by our employees? Do they motivate ethical behaviour or push employees into the ‘grey’?
To test these factors, we need to take an empathetic, non-judgemental approach to testing. Have an honest conversation with those responsible for review controls. Does this report actually tell you what you need to know to conduct the review? Is it of a length you can reasonably review alongside the rest of that person’s workload? Work with your accounts payable officers to understand what motivates non-compliant or ‘grey’ behaviour. How can we simplify controls in a way that enables employees to do their job while retaining the required oversight?
Advances in technology such as process automation, digital agents, blockchain and smart contracts all enable us to reduce risk without increasing friction the same way traditional controls have. We can use this technology to create more effective controls that interact better with the humans in our processes, removing unnecessary complexity.
How do we apply this principle to fraud prevention? Empathetic testing combined with innovative technology can help create a more transparent business process that is easier to control.
Designing controls for the human factor
In his classic The Design of Everyday Things, Don Norman gives the example of the poor control panel design that resulted in the 1979 Three Mile Island accident in Pennsylvania, United States.
Fraud may not be quite this catastrophic, but the theory is the same: sometimes it is a business process’ poor design that failed to take into account it’s human operators and enabled the unethical behaviour.
ACFE, ‘Fighting Fraud in the Government’, https://www.acfe.com/uploadedFiles/Shared_Content/Products/Self-Study_CPE/Fighting%20Fraud_Chapter.pdf
David T. Wolfe and Dana R. Hermanson, 2004, “The Fraud Diamond: Considering the Four Elements of Fraud.” CPA Journal 74.12, https://digitalcommons.kennesaw.edu/facpubs/1537/
Don Norman, 23 July 2019, ‘The Four Fundamental Principles of Human-Centered Design and Application’, https://jnd.org/the-four-fundamental-principles-ofhuman-centered-design/
Richard C. Hollinger and Jason Lee Davis, 2006, “9 Employee Theft and Staff Dishonesty.” https://www.semanticscholar.org/paper/9-Employee-Theft-and-Staff-Dishonesty-Hollinger-Davis/9cece3e4f7d52ac68cf79edf984254c807928b2b