KPMG’s new director of risk consulting Paul Evans, formerly of the Serious Organised Crime Agency, talks about the risk presented by organised crime

Cyber risk

Tell us a bit about your background.

I was at the SOCA [Serious Organised Crime Agency] for the last six years and before that I spent six years as the chief of criminal investigation at HM Revenue and Customs. Before that I was in intelligence for 20 years.

I’ve had lots of experience in watching things go wrong for corporations and in watching the human behaviours that often go with it. So this isn’t traditional figures or numbers-based risk, it’s rather about behaviour and enabling people to prevent catastrophe.

Tell us about your top risk at the moment?

The first and foremost from my perspective is that there is an enormous amount of fraud around. Most of the picture that people see of fraud is about possibly three years behind because it takes three years for frauds to be detected.

The contemporary law enforcement picture is a much worse one. And it’s fraud anywhere. It’s fraud where you’re handling cash, where you’re handling value, it’s supply chain fraud, and there’s a lot of fraud that’s been driven up by the global financial crisis.

The second thing is that the landscape for corporates is just more complex than it was five years ago. Board members have an increased list of liabilities that they have to be defended against. For example, the Bribery Act, corporate manslaughter, health and safety. Ensuring that these things are managed in a certain way is part of the board’s duty.

You have worked as part of SOCA’s national cyber crime team. Is cyber risk on your top risks list?

We are seeing lots of entities now wanting to refine their cyber security, simply because of the degree of threat. Where I come from, cyber crime is a very important and a visible part of the range of organised crime techniques that face corporate entities.

I think risk managers really need to be aware of the sorts of techniques and tools that the criminals can use against the entity, particularly the threats that might come from within the company rather than just from the outside.

Can you see any improvements in the way this risk is being handled?

There are well-developed techniques and tools that can be used to encourage and help clients to better prepare themselves, but actually part of that understanding is around being able to be plugged into the contemporary picture of what cyber criminals are doing in the internet space.

The thing that struck me as a law enforcement professional is just how many cyber criminals are active in the internet space. The numbers are very, very large.

What risks does the government manage better than the private sector?

You wouldn’t know it from the media but government is particularly good at information assurance. Government is also pretty good at understanding the threat vectors and how the threat from organised crime changes and transmutes from one form to another.

There are three defining features of organised crime that government gets and corporates may not. The first is the very big numbers of people involved. The current government estimate is that 38,000 people in the UK are engaged in organised crime.

The second is the way in which organised crime diversifies. So if we see minimum control and minimum penalties, it will try to move its activity set away from high risks like drugs trafficking into things like fraud, particularly into mass market fraud.

You know those letters you get that say you won the lottery but you didn’t know you entered it? In relation to that they understand the way in which criminals identify and target very vulnerable people.

The third thing in the UK about organised crime is its resilience. Rarely does prison actually stop anyone from engaging in organised crime. At times it actually enhances their ability to engage in organised crime.

What is the motivation for this?

The criminals are astonishingly entrepreneurial. If you like the expression, they are sort of mutant capitalists. They can see weakness and weakness that can be exploited to gain.

There’s only one reason that people engage in organised crime and that is that they’re interested in personal gain. They’re not there for ideology or for reasons of politics, they’re there for one thing and one thing alone and that’s gain. Be it the gain of a corporate’s assets or of an individual’s assets.

NB: No photo of Paul Evans was available for “security reasons”.