Well it has been a weird few weeks here!
I am going to share some painful personal stories here…
Two businesses (not adbank) have both had issues with employee theft, which is a first for my business! We are not talking hundreds of dollars but over 6 figures!
I won’t get into the exact details, but one is solved and one is in the process of being solved.
The key any time we have a major f-up in our business is to dig in and understand why it was allowed to occur, and whether the risk of it occurring again is worth putting in stronger systems.
This article will cover the 2 scenarios, the systems that were in place and why they failed, plus the 5 keys everyone should follow if they have any team members with access that could hurt your business financially.
Swiss Cheese Model for Losses:
One of the ways I like to think about the risk mitigation systems inside my business is the Hazards – Losses path through multiple layers of swiss cheese. No system can be completely bulletproof, but the idea is that if all layers are in place and working, the probability of all the holes lining up is very low.
Failure 1: Speed vs Control Accepted Risk
An employee wired himself funds; oversight was not in place fast enough.
There were 3 layers of mitigation:
- Mitigation #1 – Trusted employee & controlled access
  - Never a sufficient mitigation on its own!
- Mitigation #2 – Accountant monitoring monthly numbers
  - The accountant was unfortunately months behind, so the problem was not revealed.
- Mitigation #3 – Bookkeeper/Controller onboarded
  - The controller for the business was not up to speed fast enough, leaving a window of time where things would go undetected.
In the end we were not pushing the pace fast enough on the 2 financial oversight systems, resulting in a window for theft to occur.
Although this was by far the larger of the 2 thefts, it is one where no major system upgrades are needed: there was some acceptance of risk due to prioritization, and the probability of a repeat is low now that the systems that were too slow to get in place are in place.
- Note – All funds from this theft have been recovered + consideration for time/fees.
Failure 2: Execution
Although the dollar amount is smaller than failure/theft #1, this one has me much more upset.
This was a known risk we had put many barriers against, but the systems all failed in the same way to allow this to occur.
- Mitigation #1 – Trusted long term team member & controlled access
  - Clearly this is not enough to rely on blindly! This employee has been with me for YEARS and has been involved on multiple projects.
- Mitigation #2 – Daily Revenue and Expense Monitoring – Temporarily Not Active
  - During this time we had taken a break from the daily expense tracking due to workload in other areas.
- Mitigation #3 – Weekly unit economics review – Didn’t Validate
  - This one is frustrating, as this practice was created with the intent of being able to quickly detect any issue; however, the theft was paired with forged numbers that were not validated. Human error in complying with the process for validation of the numbers was the reason this mitigation failed.
- Mitigation #4 – Monthly PnL statements and review – Not set up on new system
  - We have been in the process of upgrading our proper monthly PnL and as a result were not in a position to review them. Getting these completed slipped down the priority list and as a result allowed this issue to continue.
Note – The funds have not been recovered; the lengths we will go to will be unreasonable 🙂
5 Steps to Take:
- Financial Risk & Access Control Matrix
  - There are a lot of potential attack vectors. Having an organized control list of all the places where someone could impact you financially, and then understanding who currently has access to each, is key. There are the obvious locations like the bank account and PayPal, but then you also need to think about the revenue sources: Amazon account, AdSense account, etc. Plus, don’t forget places where funds could be improperly sent from, such as Fiverr, UpWork, etc. And don’t forget the websites that make the money: swapping out an affiliate link on a few pages can be another source of theft that is harder to detect.
- Agreements Updated
  - Ensuring compensation agreements are in writing is key, so there can be no debate about the amount of funds someone is entitled to receive.
- Have Contact Information Handy
  - For anyone with access to money you should have accurate information on them, including name, ID, phone number, address, etc.
- Proper Login & Password Management
  - Managing logins for a team is a daunting task! 1Password and LastPass are the tools we use for a couple of different projects. The key is to be able to quickly turn access on or off, while controlling how access is granted: either the person gets their own user account in the tool (with the login still recorded in the password management system) or they get shared access via the password management system. Strong, random, never-reused passwords and 2FA activated wherever possible go beyond just internal theft and are one of the most basic steps to avoiding theft by hackers.
I hope you haven’t experienced any issues like these. My hope is that sharing these unfortunate events and what I have learned will help you prevent future problems, or, if problems do occur, arm you with what you need to resolve them quickly.
Please share any other suggestions on how to help protect your business!