A Lesson on Mitigating Insider Risks
By sharing his real-world experiences and practical guidance, Ashu Sharma, a group investigations manager with Anglo American, showed anti-fraud professionals how to critically assess their own organizations and take concrete steps to mitigate insider risks.
At the 2025 ACFE Fraud Conference Europe, Sharma presented a case study in his session, “Mitigating Insider Risk: Lessons from a Case Study,” that highlighted the complex and often unexpected ways in which insider threats can manifest. The session emphasized the importance of proactive risk management and provided actionable strategies and insights for organizations to implement.
Defining the Core Insider Concepts
Sharma described the importance of clearly defining the core concepts of insider risk management to ensure a common understanding and facilitate effective communication within your organization. He specifically addressed the difference between “insider,” “insider threat” and “insider event,” as follows:
Insider: Any person who has, or previously had, access to and authorized knowledge of the organization’s resources, including people, processes, information technology and facilities.
Insider Threat: An insider, or group of insiders, that either intends to or is likely to cause harm or loss to an organization.
Insider Event: The activity conducted by an insider (whether intentional or unintentional) that could result in, or has resulted in, harm or loss to the organization.
He stressed that understanding these distinctions is crucial for accurately assessing and mitigating insider risks.
Additionally, Sharma addressed the different types of insiders and the factors that contribute to insider threats, such as:
Malicious Insiders: Insiders who intentionally seek to harm an organization.
Negligent Insiders: Insiders who, through carelessness or lack of awareness, create opportunities for harm.
Compromised Insiders: Insiders whose accounts or systems have been compromised by external actors.
Case Study
The core of this session focused on a case study of how insider risks can be connected. Sharma explained how this particular case began with an employee exceeding allotted toilet breaks, which, after further investigation, revealed a gambling operation in the men’s restroom. That discovery then led to another discovery: a loan shark operation run by the employee’s manager.
A loan shark is commonly described as a person or entity that lends money at a higher-than-legal interest rate, potentially using threats of violence to collect debts. In this case, the loan shark manager handed out money, forced people to gamble and threatened staff, leading to a significant insider event.
Sharma highlighted several key learnings of the case, including:
Seemingly minor issues, such as the employee exceeding allotted toilet breaks, can be indicators of larger problems.
Insider threats can be layered and interconnected.
Weak internal controls can create opportunities for insider fraud to take place.
Mitigation Strategies
By the end of the session, Sharma provided attendees with actionable strategies for mitigating insider risk:
Code of Conduct and Company Values
Develop a comprehensive code of conduct and clear company values. These should clearly define acceptable and unacceptable behavior and be regularly reviewed and updated. The code of conduct should establish the expected behaviors of employees, while the company values should establish why and how the company operates and what it stands for.
Make Insider Risk Relevant
Conduct a thorough risk assessment of insider risk specific to your industry and business unit, ensuring that insider risk policies will incorporate compliance with relevant regulations. Additionally, implement role-based access controls to enforce policies with tailored monitoring.
Conflict of Interest
Provide clear definitions for direct and indirect conflicts, as well as defining approval processes for managing those conflicts. Organizations should be able to actively monitor for potential conflicts of interest rather than relying solely on self-disclosure.
Procurement Fraud
Robust procurement fraud controls should include due diligence procedures, separation of duties and continuous monitoring of procurement activities.
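The conflict-of-interest monitoring and procurement controls described in the two sections above can be expressed as automated checks over procurement records. The following is an added example, not code from Sharma’s session or from Anglo American: it runs a separation-of-duties check (no self-approval, no approving payments to a vendor you onboarded), a role-based approval limit, a check against declared conflicts, and a bank-account match between vendors and employee payroll, which surfaces a conflict that self-disclosure would never reveal. All employee names, roles, vendor IDs, account numbers and approval limits are constructed for the example.

```python
"""Procurement control checks over a constructed batch of purchase orders:
separation of duties, role-based approval limits and conflict-of-interest
screening. All names, vendor IDs and account numbers are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    requester: str   # employee who raised the order
    approver: str    # employee who approved it
    amount: float


# --- Constructed reference data (hypothetical; not from any real system) ---
EMPLOYEE_ROLE: Dict[str, str] = {
    "alice": "manager", "bob": "manager", "carol": "director", "dave": "analyst",
}
# Role-based approval limits: the most an approver in that role may sign off.
APPROVAL_LIMIT: Dict[str, float] = {"analyst": 0, "manager": 10_000, "director": 100_000}
# Who created each vendor master record; onboarding a vendor is itself a sensitive step.
VENDOR_CREATED_BY: Dict[str, str] = {"V-100": "dave", "V-200": "dave", "V-300": "bob"}
# Conflicts employees have declared through the approval process (employee -> vendors).
DECLARED_CONFLICTS: Dict[str, Set[str]] = {"carol": {"V-200"}}
# Bank accounts on file for vendors and for employee payroll. A vendor account that
# equals an employee's payroll account is an undeclared conflict.
VENDOR_BANK_ACCOUNT: Dict[str, str] = {"V-100": "GB11", "V-200": "GB22", "V-300": "GB33"}
EMPLOYEE_BANK_ACCOUNT: Dict[str, str] = {
    "alice": "GB01", "bob": "GB33", "carol": "GB03", "dave": "GB04",
}


def employee_with_bank_account(account: str) -> Optional[str]:
    """Return the employee whose payroll account equals `account`, if any."""
    for employee, acct in EMPLOYEE_BANK_ACCOUNT.items():
        if acct == account:
            return employee
    return None


def check_purchase_order(po: PurchaseOrder) -> List[str]:
    """Run every control against one order and return the finding codes raised."""
    findings: List[str] = []

    # Separation of duties: nobody approves their own request.
    if po.requester == po.approver:
        findings.append("SOD_SELF_APPROVAL")
    # Separation of duties: whoever onboarded the vendor must not approve payments to it.
    if VENDOR_CREATED_BY.get(po.vendor_id) == po.approver:
        findings.append("SOD_APPROVER_CREATED_VENDOR")
    # Declared conflict: the approver has registered an interest in this vendor.
    if po.vendor_id in DECLARED_CONFLICTS.get(po.approver, set()):
        findings.append("COI_DECLARED")
    # Undeclared conflict: the vendor is paid into an employee's payroll account.
    owner = employee_with_bank_account(VENDOR_BANK_ACCOUNT.get(po.vendor_id, ""))
    if owner is not None:
        findings.append(f"COI_UNDECLARED_BANK_MATCH:{owner}")
    # Role-based control: the approver's role caps what they may approve.
    limit = APPROVAL_LIMIT.get(EMPLOYEE_ROLE.get(po.approver, ""), 0)
    if po.amount > limit:
        findings.append("RBAC_LIMIT_EXCEEDED")
    return findings


def review_batch(orders: List[PurchaseOrder]) -> Dict[str, List[str]]:
    """Continuous-monitoring pass: map each order that raised findings to its codes."""
    result: Dict[str, List[str]] = {}
    for po in orders:
        findings = check_purchase_order(po)
        if findings:
            result[po.po_id] = findings
    return result


# Constructed sample batch.
SAMPLE_ORDERS: List[PurchaseOrder] = [
    PurchaseOrder("PO-1", "V-100", "alice", "carol", 5_000),   # clean
    PurchaseOrder("PO-2", "V-200", "dave", "carol", 8_000),    # declared conflict
    PurchaseOrder("PO-3", "V-300", "bob", "bob", 3_000),       # self-approval, own vendor, own account
    PurchaseOrder("PO-4", "V-100", "dave", "alice", 25_000),   # exceeds a manager's limit
]

if __name__ == "__main__":
    for po_id, codes in review_batch(SAMPLE_ORDERS).items():
        print(po_id, ", ".join(codes))
```

Each finding is a code rather than a verdict, so a fraud or compliance team can route declared conflicts (an approval-process question) separately from separation-of-duties breaches and bank-account matches, which warrant investigation. The reference tables stand in for the HR, vendor master and payroll systems a real implementation would query.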
Background Vetting
Thorough background checks should be run by a central fraud, security or compliance team, or any other team independent of HR. Not conducting proper background vetting procedures is a ground-floor risk for any organization, making regular reviews and updates necessary.
Speak-Up System
A functional “Speak-Up” system should encourage employees to report concerns without fear of retaliation and ensure that reports are investigated thoroughly. This system should have one point of entry for all escalations, one case management system and one investigation function.
Sharma emphasized the importance of a proactive approach to insider risk management, stating, “It’s amazing what you can do, the results you can get by doing these proactive exercises. And it also puts everyone else on alert.” By understanding the core concepts, learning from real-world examples and implementing mitigation strategies, organizations can strengthen their insider risk defenses against internal threats.