Tag Archives: fraud

Fraud Triangle – Cookies, Pencils, & Stealing


Fraud Triangle-Cookies, Pencils, & Stealing From Your Employer

As my students and clients and past audiences know, I think many make security and fraud out to be something complicated when it’s not, so here is another view of The Fraud Triangle. The methods of the bad actors can absolutely be complicated, which makes chasing them FUN. The principles, the root cause, the why, many times are quite simplistic.

Whether you are a parent, a Fortune 15 multinational corporation, a small “mom & pop”, a 100 person NGO, or a 35000 person megachurch, the principles of bad behavior have something in common. The principles are what is generally known as The Fraud Triangle, by the great criminologist Dr. Donald Cressey. I learned about The Fraud Triangle over the last 17 years from the amazing organization called The Association of Certified Fraud Examiners (The ACFE / @theacfe).

Intro to Fraud and The Fraud Triangle


All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated.

Source: Black’s Law Dictionary, 5th ed., by Henry Campbell Black, West Publishing Co., St. Paul, Minnesota, 1979.

The Fraud Triangle

The fraud triangle is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behavior:

1. Perceived unshareable financial need

2. Perceived opportunity

3. Rationalization

Simple to Complex

When a child is in your home and there is a cookie jar, the principle behind taking a cookie is rooted in the same principle as the biggest fraud you may hear about on a show like American Greed.

When you took that pencil or pen home from work or the hotel, the principle for why you took it is rooted in The Fraud Triangle.

No different than the typical act we consider to be fraud, like stealing a customer list or other confidential information or money from one’s employer/organization.

But Jim, really, my 5 year old is not a fraudster and how dare you call me a fraudster for this pen from the Hotel California….like you never committed fraud as you describe it.

Ah, but I didn’t. I am purely using the well-researched concept of The Fraud Triangle to focus on the concept of living with Absolute Integrity and bringing up the next generation with a healthy fear of the consequences of not striving for Absolute Integrity every day.

If Spade=Spade, then Fraud=”Fraud”

We are _________, We don’t __________, We have ________, so we don’t have fraud. Wow. I am amazed at how scared organizations are of using the word ‘Fraud’. A great fraud examiner that I had the privilege to work with for too few years recently, Cheryl Davis, always joked about “The ‘F’ Word”. I didn’t fully grasp her wisdom until recently. The word ‘fraud’ is so feared that it has become almost part of the “bad four letter word group” in many organizations. “What do you mean Fraud?”, “I don’t consider that fraud”, “That’s just a management issue”, “That’s just a petty issue”. There are no fraudsters in my house, church, organization, how dare you. Hey, if you have people that work for you as employees or suppliers/vendors, look in the mirror and say it, “I am vulnerable to the ‘F’ Word”…I mean, Fraud.

Stop being a wimp.

If your 5 year old can justify stealing the cookie, you and your fellow workers can justify many other more malicious things.

Preventing Fraud – “Fight Fire With Fire”

If a fraudster (or child) needs opportunity, rationalization, and pressure to commit fraud (or take the cookie), how hard is it to maybe prevent fraud through simple things like:

  1. OPEN OPPORTUNITIES for the fraudster or child to be rewarded for finding their passion and providing small, ongoing rewards for creating new opportunities for you, your organization and the next generation.
  2. REPLACE RATIONALIZATION with rewards that are as diverse as your organization. Not just the best pay, but the best benefits, the best culture, the best place to work, the best listening skills. The best doesn’t mean perfect, the best means don’t do it unless you can do it with excellence that involves everyone.
  3. PURSUE PEOPLE’s PRESSURE with conversations and culture and rewards for transparency. Don’t put the employee recommendations box over the top of the trash can. Post them on a wall with a big green check when you have implemented them. Develop benefits that pop the pressures of the world. Tell your story of the pressures you are under and how you handle them.

Absolute Integrity

Whether it is a note on the mirror in your bathroom or office or car or a foot mat next to your bed or a daily calendar reminder or all three, create a daily “stop” in your life that forces you to challenge yourself, “I will operate my life with absolute integrity today. I will reflect absolute integrity without using words. I will challenge my family to absolute integrity through love and example”. Okay Jim, I will “try” to no longer take the cookie…..

Start with your daily effort to live with absolute integrity and not as a fraudster and then become contagious.

A Great Read on the Topic from Joe Wells


Found a Great Church Security Assessment

Shout out to Kris @ 5544885 for this resource!

Great Church Security Assessment

Okay, I admit I am generally NOT a fan of checklist security assessments, with one exception: when an organization (yours) doesn’t have a full-time security team / professional available, has a desire to improve its posture, AND commits to engage with a trained security professional based on the results.

Kris Moloney is a great church security professional and developed this excellent Church Security Assessment. The important thing is for you and your team to complete the assessment honestly and completely. In fact, have several people complete it and compare answers. Ask yourself, are you completing it based on what is fact, what you think exists, or what someone has told you? Even if you have to physically walk around your organization / building with the assessment, do it.

SheepdogChurchSecurity.net Church Security Assessment

Please email Kris and thank him and share this post with your fellow church leaders / churches. As always, feel free to reach out to me if you have any questions.

BTW: If you are planning on being at Gateway Church’s Leadership / Pastors Conference this year, I will be there again and available for one-on-one FREE discussions on your church security questions. I will have two giveaways for 3 hours of consultation at the conference. I will be volunteering, but just email / DM me on Twitter and we can find a place to meet up.


My Church Security – Just Give Me a Church Security Manual



My Church Security – Just Give Me a Church Security Manual….and I’ll be all set.


Church Security Manual – Check – All done…….Really, I hope no one has convinced you that a church security manual is the answer or will contain the answer. I have seen some of the most immature security practices in large organizations that have a security manual that was 3 inches thick. Now I am a fan of a church security manual, but for a specific set of purposes. I am a fan of training using a church security manual. I am a fan of pocket guides that are a subset of a church security manual.

Here are a FEW of the domains/sections/documents that should exist. For a few of them I will provide you a template when you sign up for our mailing list and let us know which specific ones you are looking for.

Internal employees, internal contractors/vendors/suppliers, and volunteers are three different groups of people that you need to consider when writing your church security manual; think about the audience, the maturity of the audience, the impact on the audience, etc.

A church security manual can contain:

  • Policies
  • Guidelines
  • Standards
  • Requirements
  • Recommendations
  • Procedures


  • Missing Child, Missing Parent
  • Evacuation
  • Shelter-in-Place
  • Active Shooter
  • Incident Reporting
  • Camera Usage
  • Suspicious Persons
  • Network, Electronic Communications Usage
  • Export Control
  • Missions Trip Security and Safety
  • eDiscovery
  • Protection of sensitive information (PII, SPI, HIPAA)
  • Use of Radios
  • Alarm Response
  • Roles & Responsibilities
  • Security Camera Management
  • Security Alarm Management
  • Supplier / Vendor Security Requirements

A good church security manual AND church safety manual are critical both in day-to-day assurance and in crisis. But remember, people aren’t going to be running to find the manual when an incident occurs. Thus the critical piece is awareness / training and retraining and retraining on the CONTENT and CONTEXT of the relevant part of the manual. The #1 part of these manuals is not the STEPS, it’s the scope and the roles and responsibilities.

Sign up for our mailing list to receive our free Church Security Template and other great resources and information

My Church Security – Where do I start?

I know, never answer a question with a question, but this will be a contextual exception. Where should you start?

Start by asking yourself or your team, “Do I understand I have a security apparatus already? All I need to do is understand what I have today, what else I MIGHT need, and where I should start to move forward.” Future blog posts will focus on a FREE tool I created to help make this SIMPLE.

Another question, “does my leadership/board understand where we are and that we need to move forward?”

Last question: assuming you are the champion of this work, do you have a trusted, available individual, preferably trained, that will be your go-to person for this moving forward?

I know this is strange, but let’s hold off on the “do I have any money?” question, don’t want to spoil the fun before we start. I’m also going to hold off on the question, “do I need security”. I think my blog will end up answering this question in the end, without going crazy with a complex threat assessment.

My Church Security – Incident Management / Incident Response

Another common starting point of designing and implementing a security department or fraud department is to set up a quick and SIMPLE incident command structure. Let’s face it, there are too many stories where an incident happens the day after you read this. There is a JPEG version, Mac TouchDraw version of the file and How-To Video. As I get feedback on the template/checklist, I will be updating it. My hope is that it is SIMPLE and should take no more than an hour or 2 to customize to your organization.

The core use of the template is to help your organization/team(s) establish a usable and SIMPLE incident command structure and basic things for each role to play that can be referenced easily (laminate it). This is like an evacuation map that you hang on the wall but is needed/used by the people that would be involved in responding to an incident. This template can be used for a wide variety of incidents; some incident types may have fewer boxes than others.

The big mistake I hear about in churches/NGOs is they have “incident procedures/protocols” in a notebook in Pastor Billy Bob’s office. Problem is….at the start and during an incident, nobody can find Pastor Billy Bob and the key to his office. This template is NOT a replacement for the book procedures/protocols and training!! It is SIMPLY DESIGNED to be a fast, available reference.

The basic flow is that Authority and Command & Control moves from left-to-right, top-to-bottom (thus the arrows). The boxes at the top are a SAMPLE of people/titles/roles that would be your primary command and control people (example: operationally, media, pastorally, etc.). The three rows of boxes at the bottom are EXAMPLE groups/roles/titles of TRAINED people that would be performing a specific and/or small number of duties upon initial notification (row 1), during the incident (row 2), and after the incident (row 3). Again, you may not have as many rows or columns in your version, but start somewhere, even if you draw it on a flip chart or white board to start. The important thing is the arrows and the meaning behind the arrows.

My Church Security – Church Leaders at a Fraud Conference?

I know, not exactly in the “how to design” category but it got me thinking. I have the privilege of attending the Association of Certified Fraud Examiners 25th Annual Fraud Conference next week (2014….ok and in 2015 also) to catch up on some training, new techniques, and interact with some amazing peers. On a sad note, for the ones that are familiar with the ACFE, I understand this will be Dr. Wells’ last conference. His impact on the world and my career is immeasurable. But back to the question: yes, churches should, at a minimum, have wisdom and knowledge of fraud. Why? Because the probability, the vulnerability, of fraud being committed at your church….is greater than zero; sometimes it has already happened, is happening, or is about to. I’m not saying that the senior pastor should attend the conference, but someone in the church leadership / board / or executive pastor-type of role should consider it. If they are unable to attend, they should check out the many (free) webinars that the ACFE has on their site. I have been involved in actually responding to fraud and have identified countless fraud vulnerabilities in churches; it is an important aspect of your overall security plan. Be Blessed.

My Church Security – Why Am I Doing This?

Why Now? Why Am I Doing This Site?

All my wisdom and knowledge came by the grace of my Lord Jesus. First there is a great need to reform our industry, stop training security and fraud professionals to be unknowingly deceptive, and I think this whole security thing is easy and fun. It’s kind of like those interesting and talented magicians that “expose” how tricks are done. Over the years, I have had the honor to visit so many organizations that need SIMPLE help. Recently I have had the humble honor to get requests from a few church and para-church organizations and I thought I could provide them some ideas and tools they can use immediately without growing frustrated with lay people wanting to make major complex structures. Oh, and some of this, I just have to get off my chest, it’s so frustrating sometimes….hehe. Seriously, my summary goal is to provide simple ideas to people who are in the process of designing/implementing a church security or church safety or church fraud department or churches that have been doing it for 30 years and just need some fresh ideas. I hope you are blessed by the content.

My Church Security – Church Security vs. Church Safety



One of the most common questions / observations I get from churches just (re)starting their security activities is whether they need a SAFETY program/team/department/policy or a SECURITY program/team/department/policy.  So there are a number of factors to consider when creating BOTH, yes both.

First let’s focus on three basic definitions that I will stick to throughout my blogging, podcasting, speaking, teaching journey:

  • SECURITY – The detection of, prevention of, and response to a crime.
  • SAFETY – The detection of, prevention of, and response to an accident. I call these the “spilled milk” areas.
  • SAFE – A level of assurance that a human has related to not being a victim of crime or accident.

So an organization needs to have both a CHURCH SECURITY and CHURCH SAFETY program to increase the level of assurance called “SAFE”. I am NOT a safety expert, though I have a tendency to spot safety issues when I am doing security. I don’t have safety checklists, safety policy, safety training, like those that might come from fire departments or OSHA or safety professionals that may be part of your organization.

The main concern that I hear about consistently is that churches don’t want to use the term “security” because they are concerned that their audience, customers, clients, congregations will question the need for “security”, guns, guards, cameras, etc. When in reality security is so much more and it helps them be SAFE. Churches also don’t want their security team to think they are law enforcement with authority to do anything and thus think not calling it a security team will solve this. It won’t.

My main concerns are people getting confused about their role and legal aspects.

I was discussing this topic with a church and convinced them that the way they were communicating to the team and other parties was actually deceptive. Also legally, at least in the state of Texas, there are strict laws and regulations for people PERFORMING THE ROLE of security, REGARDLESS of what they are called or labelled.

Now I am not going to be upset if a church has a great and robust security program and labels it (document, website, badge, etc.) as “[church name] Safety Team/Program/Policy”. As long as EVERYONE knows their ROLE/PURPOSE is security per the definition above. That doesn’t mean they can’t also identify true safety issues, but those issues should be turned over to facilities or other operational teams so as to not distract the security team from their primary security role.

I’m not trying to be technical, just want you to clearly understand where I stand on this topic and how you should communicate and operate.

I will do everything I can to be consistent in these definitions and I hope you will consider these thoughts in your communications. But don’t be surprised if you comment or ask for help with your “safety program” and I ask for clarification.


Be Simply Secure, Simply Designed, Simply Fun in your church security program




My Church Security – If I Had to Start Somewhere….

The Kiddos, please, The Kiddos.

That’s right, not evacuation, not shelter in place, not active shooter, it’s about the kiddos. Everything in security at a church is important, but it is not all equally important nor can you do it all, so if you had to start from zero and you haven’t had any significant threats, I recommend you start with the kids.


High trust, high vulnerability, amazing, and many times untrained (in security response) volunteers.

A number of ideas, in no particular order:

* Background Checks for workers and volunteers

* Mandatory Awareness Training like MinistrySafe

* Mandatory Response Training (shelter, evac, medical)

* Recommended Training (CPR, AED)

* Panic buttons

* “Blue Lights”

* Computerized Check In Systems (w/photo of mom/dad and kid)

* Parental Alert “system” (pagers, text messaging, notice on overhead screens)

* Man trap or in-service door lock downs

* Mandatory drills

* Special Needs Kid awareness

Remember the children’s workers are gifted with KIDS not SECURITY, and “equipping” them doesn’t mean you try to make them security people, that’s not what God gifted, called, or sent them to be.

My Church Security – Security Team Skill Set

Now this probably is more helpful for larger organizations or even corporations vs. potentially a lot of my audience, but hopefully it gives you all something to think about. I did a little security department design daydreaming today and thought about the question, “Jim, if you had the chance to hire a new person to your security department or are starting from scratch (not talking about zero-based staffing), what skill set would you hire?”

Now the easy answer is a security person or that missing (technical) skill, but in my years of experience I have rarely had the chance to stop and think about this, and I would do it this way now.

I remember a VP of Security and I walking down downtown Tampa’s Franklin Street Mall one day when I was with a small business unit and she asked me, “Jim, what skill set is missing from my organization?”, and at the time, I quickly said “dedicated software development resources”. Now I focused not on security people that are software developers, but on actual dedicated software developers to develop tools for the security people. Big difference. Security people with software development skills are good security people, but which skill set will be utilized the most? The security side. The software development side of them is part of the wisdom / knowledge they would use in their security role. I have been coding since I started in the technology industry, from BASIC to Shell Scripting to a little C to ol’ dBase to some SQL, and have a ton of respect for developers, but I only do development when I need to fix a short term problem, far from my primary skill.

So I cleaned the slate of my imaginary security org chart and started over. So do I get 3 people or 20 people? Do I get FTEs? Only employees? Can I outsource? Or let’s assume I have all the security skills (different than capacity) I need…..

How about a Marketing / Sales person for designing those ROI Presos to the execs?

How about a data scientist / DBA for data model design work?

How about an analytics / BI person (shameless plug for Tableau) for visualization and dashboard DESIGN help?

How about a finance person for business cases?

How about a software developer for widget tool development?

How about a web / WordPress designer?

How about a project manager (PMP-like)?

How about a training developer for security awareness development and team training management?

How about a customer satisfaction survey / NPS expert?

Now remember, I am going to have to get someone else to help do the interviews outside my staff.

I could go on, but you see my point. Sometimes I think, if I had only three headcount and only hired 1 security person and 2 people with the above skillsets, I could “justify” more security people faster. The alternative is going to the people in the overall organization (e.g. marketing department) and ask/partner/beg for these skills to help you. Insource to your own organization or tack onto an existing supplier contract. You may even find there are extra resources on a supplier contract for the skills that wouldn’t cost you anything.

Something to ponder on your next headcount increase or attrition opportunity or even initial design.

For my church audience that has no security skills but want to hire that first one, I will address that in a future post, very specifically.

What skillset would you want next? Post a comment

Be blessed and remember, it’s all about Simply Secure, Simply Designed, Simply Fun