Academic year: 2021

Incident learning to make organizations more resilient to fraud.

A comparison between a public and a private organization regarding learning from a fraud incident to improve organizational resilience.

Leiden University – Faculty of Governance and Global Affairs, MSc Crisis and Security Management

Student: Robin Vollebregt - s1628070
Supervisor: Dr M.A.J. Ezinga


Incident learning to make organizations more resilient to fraud – R. Vollebregt Page 2 | 74

“Failure is success if we learn from it.”

Malcolm Forbes


Abstract

This research explores the aftermath of a fraud incident that affects public and private organizations from a crisis management perspective. The study shows how organizations respond to a fraud incident and how they learn from it in the post-incident phase. The aim of this research is to look at fraud incidents as an opportunity for organizations to learn from, in order to become more fraud resilient. The focus is on the organizational level in the aftermath of an internal fraud incident to assess similarities and differences between a public and a private organization and to determine whether they could learn from each other. Therefore a comparative case study is used where two similar fraud cases are analysed in a public and a private organization. The comparison is based on the answers of interviewees, who were involved during the fraud incidents, and fraud experts.

This research contributes to reducing the knowledge gap about organizational learning and organizational resilience in crisis management after a fraud incident. At this point in time most organizations can learn much more from fraud incidents, which would make them more resilient. Nowadays, there is not one fraud response model, which fits all. Hence, organizations respond ad hoc to fraud without a (proper) response plan. Their main goal is often to mitigate the damages instead of learning from the incident in order to become more resilient against fraud. When an organization really learns from an incident this occurs only in a small part of the organization. Not the entire organization is involved in the learning process in order to improve the organizational resilience regarding fraud. Although, organizations want to learn from incidents, this goal is not yet embedded in the organizations. Moreover, there is a lack of effective learning because organizations feel pressure to act to a fraud incident, and do not, or partly, evaluate the post-incident process. These findings apply to both the public and the private organization. Interestingly enough, the two organizations do not differ that much in their response to fraud. Both organizations are at the same level, and it is not possible to state that one is better than another.

Keywords: Crisis Management, Incident Response, Fraud, Incident Learning, Internal fraud, Organizational Learning, Organizational Resilience, Fraud Resilience


Acknowledgements

Some things you cannot do on your own. Without the help, positive energy, and cooperation of others it would not have been possible to finish this master thesis within this timeframe. First of all, I would like to thank my supervisor Dr Menno Ezinga for his support, and reviews.

Secondly, I am very glad the Institute For Financial Crime (IFFC) gave me the chance to write my thesis for them to share knowledge about fraud. A special thanks to Mr. A.H.M. de Groot and Mrs. A. de Groot for their commitment and reviews.

Thirdly, I would like to thank the professionals, former colleagues, and clients who helped me and provided input for my thesis. Including the respondents and experts who have shared their expertise and confidential information with me.

Besides these people, I am very grateful to have such a supportive family (my parents, and Jola in particular) and stimulating friends. A special thanks to all my loved ones; because without their help this thesis would not have been the same. Especially, without the participation, critical opinion, encouragement, and strong commitment of my boyfriend, I would not have started a study again.

Finally, I am thankful for the chance that Deloitte Risk Services has given to me to study. It gave me the opportunity to follow and finish a full time master within a year.


Content

1. Introduction ... 6

1.1. Problem ... 8

1.2. Relevance ... 9

2. Body of knowledge ... 10

2.1. Fraud ... 10

2.2. Crisis management ... 13

2.3. Incident response ... 16

2.4. Learning ... 23

2.5. Resilience ... 28

2.6. Public versus private organizations ... 30

3. Research design ... 37

3.1. Research methods ... 37

3.2. Case study design ... 38

3.3. Data collection... 39

4. Cases ... 42

4.1. Public organization ... 42

4.2. Private organization... 43

5. Analysis ... 45

5.1. A public organization in the aftermath of internal fraud ... 45

5.2. A private organization in the aftermath of internal fraud... 49

5.3. Organizational learning in the aftermath of internal fraud ... 52

6. Conclusion ... 56

7. Discussion ... 58

8. References ... 62

9. Appendices ... 70

9.1. Topic list for respondents ... 70

9.2. Topic list for experts ... 72


1. Introduction

Organizations are goal oriented and want to achieve organizational objectives. Public organizations aim to provide public services, whereas private organizations want to make a profit. In order to achieve these aims it is crucial to remain operational, and therefore resilient. According to Deloitte (2016) operational continuity is the most valuable asset for organizations. Private organizations in particular often choose to protect their operations. For public organizations, however, integrity control is a more important asset (Deloitte, 2016: p. 14).

In both sectors fraud can seriously threaten operations. It is key for organizations to prevent fraud in order to ensure public trust and market sustainability (Deloitte, 2014). However, newspapers frequently show screaming headlines on fraud incidents (including data leakage, corruption, and conflicts of interest). Some recent examples:

(1) Panama Papers: the leakage of private data that exposed, among others, misconduct of politicians and leaders (http://thehackernews.com/2016/04/panama-paper-corruption.html?m=1).

(2) Issues with mismanagement and the lack of controls at Imtech (http://www.elsevier.nl/economie/blog/2015/08/niet-fraude-maar-bestuursmodel-is-reden-van-ondergang-imtech-2669449W/).

(3) The investigations regarding corruption and bribery at FIFA (http://www.trouw.nl/tr/nl/4508/Sport/article/detail/4061288/2015/06/07/Ook-Blatter-zelf-nu-direct-gelinkt-aan-Fifa-fraude.dhtml).

This implies that organizations do not learn from each other, or from fraud incidents in general. This thesis gives insight into whether and how organizations learn from fraud, and whether they could learn from each other in order to become more resilient to fraud.

Due to fraud, organizations suffer financial and reputational damage (Deloitte, 2014). Losses due to fraud and error in any organisation should be expected to be at least 3%, probably almost 6% and possibly more than 10%, according to the report ‘The Financial Cost of Fraud’ (Gee and Button, 2015, p. 10). The Association of Certified Fraud Examiners (ACFE) notes that the worldwide damages of fraud cost trillions of dollars each year (2014a: p. 2). ACFE (2016) reports that most cases involve losses of less than $200,000, but the number of cases with losses of $1 million or more grows each year.


Organizations lose revenue as a consequence of fraud (ACFE, 2014c). The financial impact for small organizations with fewer than 100 employees is very high. Large organizations have more fraud prevention measures in place but still lose $120,000 on average to fraud each year (ACFE, 2014c). Identity theft and cybercrime are the most common fraud cases in the public and banking sectors (ACFE, 2014c; Deloitte, 2016). Larger organizations mostly have to deal with asset misappropriation and corruption (ACFE, 2014c). In general most cases are related to asset misappropriation. According to the latest research of ACFE (2016), 83.5 percent of the surveyed organizations were victims of asset misappropriation.

This thesis focuses on fraud in organizations committed by employees. This kind of fraud is also called occupational fraud or internal fraud (Peltier-Rivest, 2009). The sectors that suffer most from internal fraud are finance, banking, manufacturing, government and public administration (ACFE, 2014c). “Fraud costs trillions of dollars damages each year, and government entities are among the most common victims […] everyone pays for these frauds in direct and indirect ways” (ACFE, 2014a: p. 2). Therefore this study compares a public organization (a local government) and a private organization (a banking institution) in their response to internal fraud and their incident learning capacity.

Combatting fraud demands an ongoing and multidisciplinary approach that ensures the continuation of each organization’s core operations before, during, and after a disruptive event. “Organizations have to engage in a comprehensive and continual process of prevention, preparedness, readiness, mitigation, response, continuity, and recovery” (ASIS, 2009). It is important for organizations to learn from fraud incidents in order to improve their fraud resilience. “Prevention starts with being well informed; the more individuals know about fraud, the less likely they are to be victimized” (ACFE, 2014a: p. 2).

The study is conducted in the research area of crisis management. Crisis management is usually used to deal with disasters, catastrophes, and emergencies. Financial Economic Crime (FEC) as a subject in crisis management is a discipline still to be developed. In this thesis internal fraud is used as an incident to learn from, and the research is done from a crisis management angle. A specific theory about fraud crisis management does not exist; therefore this thesis uses the theories of crisis management, public administration, organizational learning, and organizational resilience within the context of a financial crime scenario. The role of incident learning regarding internal fraud incidents is taken into account. The thesis proposes that as soon as organizations learn in the post-incident phase, they will be able to change the current status of their fraud resilience. Learning can improve the organizational system in order to become more resilient against fraud incidents.

1.1. Problem

According to the Global Economic Crime Survey of PwC (2016), 36 percent of all organizations became victims of financial economic crime (e.g. fraud). The rise of fraud in cybercrime and ineffective fraud detection will cause more problems in the future (PwC, 2016). Hobsbawm states: “the only certain thing about the future is that it will surprise even those who have seen furthest into it” (1987, p. 340). So even when organizations have adequate measures in place, it remains quite possible to be surprised by an incident. Deloitte and Forbes (2016) argue that the question is not whether your organization will become a victim but when. And when it happens, most organizations do not have fraud response plans ready to respond adequately to crisis situations (PwC, 2016; Deloitte and Forbes, 2016). The current response in crisis management has its limitations (Boin and McConnell, 2007). Teams are insufficiently trained or response plans are unavailable (Deloitte and Forbes, 2016). Nevertheless, training and planning are not enough to avoid incidents or to bring unexpected events to a desired end. According to Kayes (2015) it is all about learning from experiences. Birkland (2009) conducted research on the learning effects of disasters and found barriers that hinder effective learning. Even if organizations learn from incidents, there is room for improvement in order to learn effectively. However, each incident has its own challenges regarding employees, response, and organizational learning (Hagen et al., 2013).

Objective

This study aims to give insight into incident learning in organizations, with the more visionary goal of helping them to enhance effective learning from internal fraud and to become more resilient to fraud. A case study is used to compare two fraud responses, one from the public and one from the private sector, to establish whether and how organizations could learn from a fraud incident and from each other in order to become more resilient.

Thesis question

“How do private and public organizations learn after an internal fraud incident and what could they learn from each other to become more resilient to fraud?”

Sub research questions

The objective of the sub questions is to support the central research question. In this study the following sub questions are used to answer the main research question:

1. (How) does a public organization learn after an internal fraud incident?

2. (How) does a private organization learn after an internal fraud incident?

3. What are the similarities and differences between public and private organizations with respect to the concept of resilience when learning from an internal fraud incident?

1.2. Relevance

Fraud seen from a crisis management perspective has not been studied yet. This study is an attempt to reduce this gap. It identifies and analyses organizational approaches to managing a potential crisis situation related to an internal fraud incident. Next to the gap in fraud crisis management, there seems to be a knowledge gap in organizational crisis management. Little is known about how organizations respond and learn in the post-incident phase, especially regarding an internal incident. The aim of this research is to contribute to the current body of knowledge about the relation between the response to an incident, learning potential, and organizational resilience after an internal fraud incident. The post-incident phase receives little attention in the current incident response literature (Shedden, Ahmad and Ruighaver, 2010). That is why this study takes a stocktaking approach by selecting several theories in order to find the best method to study this topic.

Based on the literature review (among others Birkland, 2009; Deverell, 2010; Shedden, Ahmad and Ruighaver, 2010), the aftermath of incidents is an undervalued phase in the field of crisis management. “Hence, for practice and academia alike there is a need to increase the knowledge on how to analyse organizational learning during and after crisis, and to find out more about what criteria should be part of the analysis” (Deverell, 2010, p. 124). Empirical data regarding the response to an incident and the learning process in the aftermath of this incident is lacking, particularly when it comes to fraud. This study aims to fill this gap.


2. Body of knowledge

This thesis uses a stocktaking approach to find the best combination of theories to support the research. This chapter discusses a variety of theories to provide a solid basis for this research. The study is multidisciplinary and the theories used are related to different research fields such as crisis management, organizational resilience, learning, and public administration. The relevant theories are analysed and used to explain the concepts. Paragraph 2.1. elaborates upon the concept of fraud within organizations. Paragraph 2.2. explains the concept of crisis management and incidents in organizations. Paragraph 2.3. describes incident response and the response to fraud. Paragraph 2.4. explains the term (incident) learning in relation to organizations. Paragraph 2.5. outlines the term organizational fraud resilience. Paragraph 2.6. concludes with the characteristics of public and private organizations.

2.1. Fraud

This paragraph explains the concept of fraud. The concept is important in order to understand what kind of internal threat fraud entails for organizations. The concept of internal fraud is explained and can be seen as an opportunity for learning, development and change in the organization.

Firstly, fraud in general is outlined. Secondly, the term internal fraud is explained. Thirdly fraud is described from a behavioural perspective. Finally, the résumé gives a summary of this paragraph.

The concept of fraud can be used in different ways, for example as organized crime, financial crime or white collar crime. According to Gottschalk (2010a) financial crime is “based on attempting to secure an illegal gain or advantage and for this to happen there must be a victim. There must also be a degree of loss or disadvantage” (p. 442). Sutherland (1941) defines white collar crime as “a violation of the criminal law by a person of the upper socioeconomic class in the course of his occupational activities” (p. 112). Fraud can be categorized in many ways. Within financial crime Gottschalk (2010a) positions ‘fraud’ next to the pillars ‘theft’, ‘manipulation’, and ‘corruption’ (figure 1). The circle in the figure shows the scope of this research and the pillar in which it is located.

Figure 1 Main and sub categories in financial crime (Gottschalk, 2010a, p. 443)

In order to grasp the concept of fraud, several definitions are considered. Gottschalk (2010a) defines fraud “as an intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right” (p. 442). Fraud is a phenomenon without a generally accepted definition. The literature (Gottschalk, 2010a, 2010b; Gottschalk and Solli-Soether, 2012; Peltier-Rivest, 2009; Smith et al., 2011) shows different definitions of fraud, depending on the field of study involved (e.g. sociology, criminology, and accountancy). What the definitions have in common is that deception is used in order to reach or gain something the person wants and could not obtain otherwise.

Internal fraud

Internal fraud is a specific topic within fraud. Internal fraud typically involves a victimized organization and a disrupted employer/employee relationship. There are several fraud schemes related to internal fraud, for example corruption, asset misappropriation, and financial statement fraud. Asset misappropriation is the scheme chosen for this research.

Peltier-Rivest (2009) defines occupational fraud as the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets. Any fraud committed within an organization be it by an individual or executive may be considered occupational fraud, sometimes called internal fraud (Gottschalk, 2010a, p. 443-448). The operational definition of internal fraud for this research is “the personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets” (ACFE, 2016: p. 90).

[Figure 1 labels as recovered from the page: Fraud: Occupational, Identity, Mortgage. Theft: Fraud, Cash, Intellectual. Manipulation: Cyber crime, Laundering, Insider trading, Bid rigging. Corruption: Bribery, Embezzlement, Kick backs, Extortion.]


One internal fraud scheme is asset misappropriation, defined as “a scheme in which an employee steals or misuses the employing organization’s resources” (ACFE, 2016: p. 90). This definition is applicable to the cases used in this research.

Peltier-Rivest (2009) researched Canadian organizations that were victims of occupational fraud. The three most frequent fraudulent activities were asset misappropriation (cash and non-cash), corruption, and fraudulent statements. This form of internal fraud is selected because asset misappropriation results in high costs for victims (ACFE, 2014c).

The ACFE uses an extended version (figure 2) of the categories of Gottschalk (2010a). In particular, asset misappropriation is divided into more categories, which gives a detailed overview of the existing kinds of internal fraud. The path of asset misappropriation used for this thesis is marked by the circles and ends at the misuse of non-cash assets.


Fraudulent behaviour

Fraud can be seen from an individual or an organizational perspective. Fraudulent behaviour has been studied on the individual level. The organizational perspective on fraudulent behaviour is a knowledge gap in the literature, especially with respect to internal fraud. This thesis is about the organization’s behaviour towards a fraud incident. When confronted with fraud, the organization’s behaviour should include response, adaptation, learning, and change. Cultural rationalizations within the organization could have an influence here. In particular, the organization’s culture plays an important role in the effectiveness of the crisis management team (Pauchant and Mitroff, 1992).

Résumé

A single definition for the concept of fraud does not exist. Fraud is considered an incidental threat to organizations. This thesis focuses on internal fraud involving asset misappropriation. Public and private organizations are both confronted with internal fraud. It is unclear whether and how these organizations respond to such incidents. Every fraud incident is an incident to learn from. If there is no adequate response, a fraud incident could become a potential crisis. The next paragraph explains the difference between a crisis and an incident.

2.2. Crisis management

The former paragraph outlined the concept of fraud. Depending on size and impact, fraud can be seen as a particular type of incident and a potential crisis. Fraud is acknowledged by organizations as a potential incident and an inside threat (COT, 2015; Kaspersky, 2015). The crisis management literature could provide valuable insights into how to handle a fraud (crisis) incident.

The management of a crisis is used to explain what an incident or crisis is, and how to deal with crisis incidents. The crisis aftermath is an understudied field in the crisis process (Boin, 2004). A crisis is seldom the subject of theorization, and its role in organizational theory is also often ignored (Roux-Dufort, 2007, p. 106). That is why this research focuses on the aftermath of an incident. Firstly, crisis management in general will be elaborated upon. Secondly, the concept of an incident will be explained. Thirdly, the concept of a crisis combined with crisis management will be discussed. Fourthly, the organization’s behaviour regarding a crisis or incident will be outlined. Lastly, the résumé will give a short overview of this paragraph.


Crisis management in general

Crisis management is a “systematic attempt by organizational members with external stakeholders to avert crises or to effectively manage those that do occur” (Pearson and Clair, 1998, p. 61). The concept of an incident is used in this thesis as an abrupt, probably unexpected event with a negative outcome, seen from an organizational perspective (Hagen et al., 2013). The terms crisis and disaster are social constructions, and there is no single definition that is used consistently or that is applicable to all situations. For the purpose of this thesis a crisis is: “a serious threat to the basic structures or fundamental values and norms of a social system, which, under conditions of time pressure and very uncertain circumstances, demands the bringing of critical decisions” (Rosenthal et al., 1989).

In the crisis management literature there is little theorization, and there is no agreement on the term crisis management (Roux-Dufort, 2007). The theories used regarding organizational crisis management are mostly based on emergencies with extensive media attention (Deverell, 2010, p. 88).

In this research an incident is seen from a crisis management perspective. This perspective is based on the idea of Roux-Dufort (2007) that crisis management should analyse the crisis incident as a process of organizational reaction (Roux-Dufort, 2007, p. 108). Roux-Dufort (2007) concludes that crisis management should be a process instead of a reactive approach. He states that a crisis should not only be seen as an event, but also as an opportunity to look at its causation and at post-event futures (Roux-Dufort, 2007). Today, effective crisis management is key for organizations to keep operating (King, 2002).

Crisis in general

When an incident is not managed properly, it can result in a crisis situation. According to King (2002) a crisis is “an unplanned event that has the potential of dismantling the internal and external structure of an organization” (p. 237). A crisis affects not only employees, but also the public and stakeholders. A crisis is a threat to any organization (e.g. non-profit organizations, governmental agencies, and multinational organizations), because all of them are sensitive to a crisis (King, 2002, p. 237).

A crisis incident could also be seen as an opportunity for change (e.g. improvement) (Boin, 2004). Crises occur in organizational systems when routine processes are disrupted (Boin, 2004, p. 169). A crisis could also be used by the organization as a trigger to respond and as an opportunity for organizational change and learning (Deverell, 2010). According to Boin (2004) two perspectives can be used to research a crisis incident: (1) the operational perspective, which concentrates on the management of the crisis itself, and (2) the political-symbolic perspective, which tries to map out how crisis managers and the rest of us make sense of the crisis (p. 167). For the purpose of this research only the first perspective is taken into account.

Organizational crisis

There are two views in the literature on organizations and crisis. First, organizations themselves enable crises to arise (e.g. through a lack of good governance) (Boin, 2004). On the other hand, organizations are seen as important partners in crisis prevention and crisis management (Boin, 2004). A more specific term regarding organizations and crisis is ‘organizational crisis’. Hermann (1963) divides an organizational crisis into three elements: it (1) “threatens high-priority values of the organization, (2) presents a restricted amount of time in which a response can be made, and (3) is unexpected or unanticipated by the organization” (Hermann, 1963, p. 64).

Human errors play a crucial role in organizational crises. Human errors can never be completely avoided; it is only possible to reduce their impact (Boin, 2004). In the case of fraud, however, the human action is taken on purpose: it is not an error but a man-made incident. Turner (1992) states that a rationally organized bureaucracy can trigger human errors that become crisis outcomes in a modern society; a normal crisis consists of normal human errors within normal organizational forms. In this light (internal) fraud can be seen as a man-made incident, and it meets the requirements of Hermann’s definition of an organizational crisis.

Incidents in general

The theory distinguishes several phases in crisis, incident or emergency management (Boin, 2004; Hagen et al., 2013). These phase models have one thing in common: the underlying idea that the process can be divided into a pre-incident and a post-incident phase.

In the pre-incident phase the organization takes actions to prevent an incident or has measures in place to reduce the potential damage of an event; for example risk management to prevent or mitigate certain risks or threats that could become an incident.

An undesired situation for organizations is the post-incident phase. The incident has occurred, and the organization responds to the incident and takes actions to minimize its effects (Ckonjevic, 2006). The aftermath of an incident should include an evaluation of the organization’s performance and the lessons learned (Boin, 2004; Shedden, Ahmad and Ruighaver, 2010). The following paragraphs elaborate upon incident response and incident learning.

Hagen et al. (2013) divide the levels of impact into incidents, major incidents, disasters, and catastrophes. According to these levels of impact an internal fraud case falls into the category of incidents, because of its local impact on the organization and the local response to the fraud. However, any incident could become an (organizational) crisis if it is not managed adequately.

Résumé

This paragraph shows that organizations have to deal with potential crisis incidents. Organizations see fraud as a potential (crisis) incident. Fraud as an incident in crisis management has not been researched yet. Crisis management can be used to respond adequately to incidents in order to prevent an organizational crisis. Fraud is seen as a man-made incident, and is frequently assessed as an incident with a small impact. The larger the incident, the bigger the impact and the greater the challenges. So fraud can become a crisis or worse if the organization does not have proper response plans and an adequate approach.

2.3. Incident response

Crisis management describes several phases. This paragraph focuses on the response phase, i.e. the aftermath of an incident or crisis. Incident response is seen as a part of crisis management. From this perspective ‘fraud’ is used as an incident, whereby fraud response is seen as an element of crisis management.

Incident response is normally illustrated by ICT breakdowns, disasters, and catastrophes (Deverell, 2010; Hagen et al., 2013). It is quite rare that an internal incident is used to study incident response. Small incidents happen rather often, but effort is needed to keep these incidents small (Hagen et al., 2013). The literature does not discuss an organization’s response to an internal incident. General incident response is therefore used in this thesis to compare organizations’ responses to internal fraud. The most important part is to determine whether learning is included in the incident response phase. Firstly, the general concept of incident response will be outlined. Secondly, fraud response will be elaborated upon, with several strategies that organizations could use. Lastly, the résumé will briefly summarize the paragraph.


Incident response in general

The definition that fits this research best is: “Incident response is an organized approach to addressing and managing the aftermath of an incident (e.g. security breach). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs” (Search Security, 2005). This definition of incident response can be used for an internal fraud incident. It is important for an organization to respond quickly to internal fraud: a shorter response time has a positive impact on limiting damages and costs (ACFE, 2014c).

No organization can be absolutely confident of preventing an incident. Just a few organizations have a comprehensive incident management plan ready in the prevention phase. Others focus on response and on enhancing their internal controls. However, some organizations cover all elements of prevention, detection, and response. This enables organizations to handle an incident efficiently and effectively, minimize damage, and learn lessons (Caldwell, 2012).

An organization should be able to effectively respond to a crisis because this is relevant to an organization’s survival (King, 2002). Incident response includes three levels of management in the organization: strategic, tactical and operational (Hagen, et al., 2013). Deverell (2010) notes that an organizational response to events should include strategy change and translate this change into the managerial and operational level in the organization. The role of the manager is to change the organizational strategies aimed at stakeholder relations and internal employees. Schein (1992) states that managers should adjust tactical and operational levels in the organization (p. 375).

According to Chuvakin (2005) the biggest mistake in incident response is the lack of effective learning. This conclusion has been acknowledged by several studies, where the lack of effective learning is caused by a narrow view of the organization (Shedden, Ahmad and Ruighaver, 2010). When dealing with an incident, organizations want to take immediate action and control the incident. This short-term view pays little attention to the effectiveness of policies, procedures, controls, and training to improve the organization’s incident response capabilities (Cooke, 2003; Hadgkiss, 2006). In incident response it is essential to include feedback, lessons learned and follow-up after the incident. It could be useful to have an incident database so that the information on prior incidents is not lost to the organization (Shedden, Ahmad and Ruighaver, 2010). A database with enough relevant information about incidents could be helpful to predict future incidents.


Research provides different methods for an effective approach in responding to an incident (Shedden, Ahmad and Ruighaver, 2010). An incident could be managed by the incident management capability that starts with anticipating and planning for the unexpected (Hagen et al., 2013). For this thesis the methods of the SANS Institute and of the National Institute of Standards and Technology (NIST) are used. These are well known methods in the field of incident response.

The model (figure 3) shows the relevant phases, and introduces the feedback loop that makes the organization more resilient.

Figure 3 Incident Response Management Process by NIST

The other method to analyse the post-incident phase is that of the SANS Institute (SANS). This includes six steps: preparation, identification, containment, eradication, recovery and lessons learned, also known as the ‘PICERL’ model (Northcutt, 1998; Murray, 2007). This model (figure 4) is a continual process that contains the step of ‘lessons learned’, which is similar to the feedback loop of the NIST model.

Figure 4 PICERL model based on SANS principles

The information from the lessons learned phase is relevant to assess if changes should be made to the current policies, procedures, systems, training requirements or other organizational matters.

[Figure 4 stages: Prepare, Identify, Contain, Eradicate, Recover, Lessons learned]

Pokladnik (2007) uses this method to provide a way to handle security incidents. However, this method was only used for small and medium businesses dealing with technological incidents. This model could also apply to incident response in the case of fraud, and could be useful for public organizations. The most important steps are the ‘lessons learned’ step and the ‘preparation’ step. This is the phase where the organization actually learns from the incident, and takes action to do something about the current status of the organization. The NIST model shows this step with the post-incident activity and its feedback loop. Without the feedback loop there is no learning experience, and the organization does not gain resilience after the incident.
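The feedback loop described above, and the incident database suggested earlier in this paragraph, can be made concrete in code. The following is an added example and not part of the thesis or of the SANS or NIST material: a small incident register that walks a detected incident through the PICERL steps, refuses to close it until a lesson and the control change it implies have been recorded, and pushes those changes into a preparation backlog. The register also counts recurring incident categories, which is the kind of database query the later ‘prediction’ step relies on. Incident ids, category labels, dates and lesson texts are constructed sample data; the class and method names are this example’s own design.

```python
"""Added example: a PICERL incident register with an enforced lessons-learned
feedback loop into preparation. All ids, categories and dates are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# The steps an open incident passes through after it is detected. Preparation is
# not a step of an individual incident: it is where closed incidents feed back.
PHASES = ["identification", "containment", "eradication", "recovery", "lessons_learned"]


@dataclass
class Incident:
    incident_id: str
    category: str                      # constructed label, e.g. "expense_claim_fraud"
    detected: date
    phase: str = "identification"      # a detected incident starts at identification
    lessons: List[str] = field(default_factory=list)
    control_changes: List[str] = field(default_factory=list)
    closed: bool = False


class IncidentRegister:
    """The incident database plus the loop from lessons learned back to preparation."""

    def __init__(self) -> None:
        self.incidents: Dict[str, Incident] = {}
        # Control changes waiting to be applied in the preparation step.
        self.preparation_backlog: List[Tuple[str, str]] = []

    def open(self, incident_id: str, category: str, detected: date) -> Incident:
        if incident_id in self.incidents:
            raise ValueError(f"duplicate incident id {incident_id}")
        inc = Incident(incident_id, category, detected)
        self.incidents[incident_id] = inc
        return inc

    def advance(self, incident_id: str) -> str:
        """Move an open incident to the next PICERL step and return the new step."""
        inc = self._open_incident(incident_id)
        idx = PHASES.index(inc.phase)
        if idx == len(PHASES) - 1:
            raise ValueError("already at lessons_learned; record lessons and close instead")
        inc.phase = PHASES[idx + 1]
        return inc.phase

    def record_lesson(self, incident_id: str, lesson: str, control_change: str) -> None:
        """A lesson is only accepted together with the control change it implies,
        so the evaluation does not stay on paper."""
        inc = self._open_incident(incident_id)
        if inc.phase != "lessons_learned":
            raise ValueError("lessons are recorded in the lessons_learned step")
        inc.lessons.append(lesson)
        inc.control_changes.append(control_change)

    def close(self, incident_id: str) -> List[Tuple[str, str]]:
        """Close the incident and push its control changes into preparation."""
        inc = self._open_incident(incident_id)
        if inc.phase != "lessons_learned" or not inc.control_changes:
            raise ValueError("cannot close without a lessons_learned entry and a control change")
        inc.closed = True
        items = [(incident_id, change) for change in inc.control_changes]
        self.preparation_backlog.extend(items)
        return items

    def recurring_categories(self, min_count: int = 2) -> List[Tuple[str, int]]:
        """Categories seen at least min_count times: input for predicting future incidents."""
        counts = Counter(inc.category for inc in self.incidents.values())
        return sorted((c, n) for c, n in counts.items() if n >= min_count)

    def _open_incident(self, incident_id: str) -> Incident:
        inc = self.incidents[incident_id]
        if inc.closed:
            raise ValueError(f"incident {incident_id} is closed")
        return inc


def demo() -> IncidentRegister:
    """Walk one constructed incident through the loop; two more show a recurring category."""
    reg = IncidentRegister()
    reg.open("INC-0001", "expense_claim_fraud", date(2016, 3, 1))
    reg.open("INC-0002", "expense_claim_fraud", date(2016, 5, 9))
    reg.open("INC-0003", "procurement_fraud", date(2016, 6, 2))
    for _ in range(4):                  # identification -> ... -> lessons_learned
        reg.advance("INC-0001")
    reg.record_lesson("INC-0001",
                      "manager approved own team's claims without a second review",
                      "require four-eyes approval on claims above the stated threshold")
    reg.close("INC-0001")
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.preparation_backlog)
    print(r.recurring_categories())
```

The check in `close` is the point of the example: an incident that has been contained and recovered from but has no recorded lesson and control change cannot leave the cycle, which is exactly the step that the text says is missing when the feedback loop is absent.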

Fraud response in general

It is already known that organizations respond directly to disasters, but it is unknown whether this reaction is similar for fraud incidents. As stated, fraud is treated as a potential incident. In this paragraph fraud is seen as an incident that needs a response to prevent a crisis situation. Incident management takes care of an incident to avoid a crisis situation, whereas fraud response management is a manner to handle fraud incidents. An organization that has an effective fraud response could reap the benefits of lower costs, loss recovery and prevention, increased detection of internal fraud, and an efficient use of resources. The objective when responding to fraud is to protect the organization from reputational and financial damage (Deloitte, 2009).

Fraud response includes the actions taken in response to a fraud incident in order to prevent or mitigate (reputational and/or financial) damage to the organization (Deloitte, 2009). This definition is used in the thesis because it describes exactly what the purpose of fraud response is.

A fast response is necessary to limit the losses, and to avoid panic. This applies to all organizations. A reaction to fraud should be described in an organization’s fraud policy or fraud response plan. The fraud response plan is geared to all policies (e.g. ethical, legal) of the organization. The fraud response plan is distributed to all employees of the organization, but also to stakeholders, third parties (e.g. suppliers), and in case of a private organization also to the shareholders. However, not every organization has a fraud response plan (PwC, 2016).

According to Samociuk and Iyer (2010) the goal of dealing with fraud is not to reduce every fraud risk to zero. Just being in business is a fraud risk. The objective is “to prevent high-impact frauds and reduce the hidden costs of fraud, whilst implementing a minimum number of controls to enable the business to function efficiently” (Samociuk and Iyer, 2010, p. 8). However, not all organizations respond to fraud in the same way. Below, four models of Wilhelm, Samociuk and Iyer, KPMG and the Chartered Institute of Management Accountants (CIMA) are outlined to illustrate how organizations respond differently to fraud in order to prevent a similar incident or a crisis situation.

Wilhelm (2004) proposed a ‘fraud lifecycle’ which consists of eight stages: 1) deterrence, 2) prevention, 3) detection, 4) mitigation, 5) analysis, 6) policy, 7) investigation, and 8) prosecution. The ‘fraud lifecycle’ is used as a theoretical framework, which should be dynamic, adapting and evolving to enhance effective fraud management. “A continuous fraud management improvement is the most effective way to compete with continuously evolving fraud methods and tools” (Wilhelm, 2004, p. 35). The lifecycle is applicable to all kinds of organizations.

Samociuk and Iyer (2010) argue that if an organization implements or improves its anti-fraud strategy, this strategy should be based on previous fraud incidents. The strategy includes the reduction of risks, and the prevention of similar incidents. “An effective fraud risk management strategy should consider all of these factors and treat the identification and reduction of fraud as a separate part of an organisation’s overall risk management strategy” (Samociuk and Iyer, 2010, p. 7). This approach will enhance the fraud response, and make organisations more resilient to fraud (Samociuk and Iyer, 2010).

Figure 5 Fraud Risk Management Strategy (Samociuk and Iyer, 2010, p.7)

[Figure 5 elements: Strategy; Develop anti-fraud culture; Assess fraud risk; Treat fraud risk; Detect fraud; Manage incidents; Measure fraud resistance]

Another strategy towards fraud response is an ongoing process of prevention, detection, and response. To develop this model KPMG (2006) used a survey based on corporate fraud and misconduct in international companies (figure 6). The response phase contains “corrective actions to limit the harm caused by fraud or misconduct” (KPMG, 2006: p. 3). These responsive controls (e.g. investigation) should be supported by protocols containing investigation, enforcement, accountability, disclosure, and remedial action (KPMG, 2006: p. 7).

Figure 6 Fraud strategy based on prevent, detect, and response (KPMG, 2006: p. 20)

KPMG’s model (2006) is useful for this thesis because detection is needed to find the fraud, which is only possible if detection controls are in place. The fraud response follows detection of the fraud, and consists of investigation and other controls to prevent further damage (ACFE, 2014b). After the fraud is detected and responded to, evaluation is necessary to enhance the prevention phase. This model is based on a survey with international enterprises, but the model could also be used for public and private organizations in the Netherlands. This model is used to analyse the response phase to make the organization more resilient due to improvement of the prevention stage.

In this model the step of ‘prediction’ could be added after the response, because when organizations document and analyse their information regarding incidents in databases, it is possible to predict future incidents (MacDonald, 2015). When (prior) knowledge is added to information, it becomes useful intelligence. This will enhance the prevention phase.

[Figure 6 elements: Prevention, Detection, Response]

Additionally, CIMA (2008) developed an anti-fraud strategy for organizations to deter potential fraudsters. The model of CIMA (2008) is also based on the stages prevention, detection, and response (p. 25). CIMA (2008) describes that an effective fraud response that could prevent future incidents includes: reporting mechanisms, investigating fraud, disciplining the persons responsible, recovering stolen goods or funds, and adjusting current anti-fraud policies/strategies. After the fraud investigation, the follow-up should be clear. Several steps are possible after the fraud investigation: taking internal disciplinary action, recovering losses through a civil court case or through a criminal court, or a combined approach (e.g. theft) (CIMA, 2008, p. 50).

Another objective of the organization could be to learn from incidents, failures or fraud that has occurred. An evaluation between fraud investigators and staff could be useful to establish how and why the fraud happened, and what should be done to prevent this in the future. Possible improvements could be made in communication, procedures, policies, systems or a combination of these. An evaluation report gives a proper overview of what went wrong, which is input for the lessons learned. To reduce weaknesses and vulnerabilities, changes should be made. Improvements or changes should be implemented as soon as possible. Disciplinary actions towards fraudsters should be widely communicated throughout the organization (CIMA, 2008).

The CIMA findings are based on practical experience in the field of fraud risk management. The findings are not based on scientific research. Besides, there is little scientific knowledge about this topic. Therefore these practical findings are important to take into account not only for the private sector but also for the public sector. The CIMA comments are used in this study to see if these are applicable in the broader field of organizational learning instead of fraud risk management. The model is created to help businesses with their fraud strategy, based on prevention, detection and response. In this model the prediction phase is also missing, but there are more specific actions to embed in the response phase compared with the KPMG model.

The four models of Wilhelm, Samociuk and Iyer, KPMG and CIMA are outlined. All these models are designed on a strategic level in the organization. No models or procedures are found for fraud response on a tactical or operational level. According to the literature, organizations do not fully adopt one model. A framework on how to respond in order to enhance organizational resilience should be developed (Burnard and Bhamra, 2011). This means that there is no effective model or framework available. There is not one common model or agreed definition for incident response to respond to fraud incidents in an adequate way. Nevertheless, this research combines the two models of KPMG and CIMA. These two models seem to be the most useful because the CIMA model is very detailed, and therefore easier to analyse for which elements should be embedded. The KPMG model includes the most important steps for an organization to take into account during fraud risk management. The other two models are too broad, and not specific enough to analyse against the research results.

Résumé

Incident response is necessary for organizations to handle fraud incidents. Two models are often used in incident response: the NIST and the SANS model. Generally speaking, organizations respond to fraud incidents differently. Also, there are different models, strategies and approaches on how organizations can effectively handle fraud incidents. These different responses are not specifically applicable to one kind of organization. The response to fraud can differ depending on whether it is an approach on the individual or the organizational level. Public and private organizations can use the same model to deal with fraud or to respond to an incident. Most models show a cycle to illustrate a continuous process for organizations to manage fraud. This research uses the model of KPMG to focus on the response phase. In addition, the findings and suggestions of CIMA are used regarding the response phase in order to enhance the prevention stage.

2.4. Learning

Learning is key for organizations to develop the organizational system. To understand if and how organizations learn, it is important to know that learning occurs during or after an incident. Ideally, learning is implemented as a part of the post-incident phase (Kayes, 2015). Firstly, learning in general is explained. Secondly, the learning from an organizational perspective is clarified. What is organizational learning and what is incident learning from a crisis management perspective? The paragraph concludes with a short résumé.

Learning in general

There are many types of learning (e.g. individual or organizational), and many views on what it means. A definition of learning applicable to organizations is “reflecting upon, drawing lessons from, and taking action upon prior experience” (Kayes, 2015, p. 3). For the purpose of the thesis the following description is used: “organizational learning is an organization, which learns powerfully and collectively and is continually transforming itself to better collect, manage, and use knowledge for corporate success” (Marquardt, 1996, p. 4).


Learning involves gaining knowledge, which can be derived from prior experience(s) (Kayes, 2015). Before learning occurs there should be an open environment in which processes, lessons learned, and operational details can be analysed. Learning should also occur after failures, decisions, and errors (Kayes, 2015). It is easier to learn when a system or database can be consulted in order to monitor what went wrong and why. This stored information can be relevant input for learning and for implementing lessons learned in the organization. When trustworthy information is up to date and uploaded in a database, this can be used to enhance future learning.

Organizational learning

The learning process of discovery and collection of insights depends on the gained experience of the organization (Kayes, 2015, p. 9). The focus of the concept ‘learning’ is how organizations learn from incidents, and take actions to improve their current status.

Marquardt (1996) states that a “learning organisation has the capability to:

1. Anticipate and adapt more readily to environmental impacts.
2. Accelerate the development of new products, processes, and services.
3. Become more proficient at learning from competitors and collaborators.
4. Expedite the transfer of knowledge from one part of the organisation to another.
5. Learn more effectively from its mistakes.
6. Make greater organizational use of employees at all levels of the organisation.
7. Shorten the time required to implement strategic changes.
8. Stimulate continuous improvement in all areas of the organisation.

Organisations that learn faster will be able to adapt quicker and thereby achieve significant strategic advantages” (p. 3).

Birkland (2009) researched learning in the aftermath of a crisis. Learning in the aftermath of an incident is relevant to this thesis. Post-incident reports are often based on an organizational self-evaluation, and the focus is on an operational level. This is called ‘single-loop learning’ (Argyris and Schön, 1996). There is also ‘double-loop learning’, which is learning on a strategic level, so that lessons learned are implemented in the entire organization (Birkland, 2009).


In the organizational learning field there is a discussion about whether learning is individual or organizational (Kayes, 2015). When individuals learn from experiences and incidents, this learning process could make the organization more resilient (Kayes, 2015).

Maslow (1954) divides learning into four stages: (1) unconscious incompetence, (2) conscious incompetence, (3) conscious competence, and (4) unconscious competence. These stages are applicable to individuals, groups, and organizations. In stage 1 there is a need for awareness. In stage 2 the focus is to learn and improve in order to be ready for stage 3. In stage 3 lessons learned should be implemented and used in daily business to get to the next level. In stage 4 learning should happen automatically and be embedded in the organization, in order to start again from stage 2 to learn and improve. Maslow (1954) argues that if a person can change, a group can change, and so can an organization.

The individual level in the organization is briefly taken into account, but individual functions/roles are out of scope. In order to explain if and how organizations learn, the people in the organization cannot be fully ignored, because eventually they are the ones who make the decisions (Kayes, 2015). When individuals learn within organizations, they are the ones that could change or develop the organizational norms, daily routines and procedures. Individuals make the decisions to act and to improve the organizational system. However, there are not many persons who have personally experienced a crisis. Therefore it is important to train individuals in key functions on how to deal with crises and incidents (Kayes, 2015).

The success of an organization in a crisis depends on well trained teams. These teams should consist of well-trained people from all levels. Learning happens before, during and after the incident. Therefore it is important that individuals understand the event, and develop with each other an effective response for the future. Teams that are most effective have had good training opportunities and can improve their response to incidents (Kayes, 2015; King, 2002).

Incident learning

Learning is sustained within an organization, and is essential to normal functioning. However, learning is not often recognized as an important activity of organizations. Without learning, organizations become vulnerable to undesired changes, shifts in procedures, and errors. This concept is about learning from experiences or learning from incidents (Kayes, 2015). Organizational learning could be used to improve and strengthen the incident learning process of an organization (Shedden, Ahmad and Ruighaver, 2010).


The learning process in the organization is relevant before, during and after the incident. Learning improves the effectiveness of the response to different aspects of failure. In the aftermath of an event, learning should help to understand what has happened, and to identify lessons learned in order to improve the response (Kayes, 2015). Lessons learned from an incident should be noted, and repair actions should be undertaken. According to Hagen et al., (2013) the long-term aftermath of the incident, which could be months or years, should include the experience and lessons of the incident, which should be translated into incident planning and training solutions.

In the aftermath of an incident, learning should be incorporated. Incident learning in an organization can also be applied to the three levels mentioned before: the individual, group and organizational level. Individuals should be interviewed and debriefed. Afterwards these persons should know the lessons learned. On group level, the group reviews and evaluates the reactions towards the incident. On organizational level the lessons learned should be documented, stored in a database and implemented (Crossan, Mauer and White, 2011).

Limited learning

Birkland (2009) found barriers that hinder effective learning after an incident. Birkland (2009) states that learning documents (e.g. evaluation reports) should explain what could be learned from the incident in a broader perspective, and its underlying problem. However, these documents often become fantasy documents. Clarke (1999) states that fantasy documents are documents which are spread for rhetorical purposes. An evaluation report is often used as evidence for actions after the incident. The underlying purpose of such a report is to be better prepared next time when a (similar) incident occurs. In most situations there is an evaluation report, but the transition from paper to practice (e.g. adjust policies) is missing. Organizations lack implementation of lessons learned from incidents in order to become more resilient to a possible event in the near future (Birkland, 2009; Kayes, 2015).

Birkland (2009) mentions different aspects that diminish effective learning from a disaster: (1) time pressure; (2) the evaluation of the disaster has too narrow a focus, caused by a narrow focus of learning (single-loop versus double-loop learning), by ‘superstitious’ learning or by the human tendency towards bounded rationality; (3) self-interest or group interest; (4) the pressure to learn or to act; and (5) lack of institutionalization of lessons learned.

When it comes to crisis management time pressure is always present. Second, the evaluation of the incident has a too narrow focus for effective learning. Birkland (2009) described several forms regarding this narrow focus. Single-loop learning is more common than double-loop learning. Single-loop learning is operational but is not key in the learning process. The missing aspect herein is the effort to broaden the strategic learning within the entire organization. This advocates the need for double-loop learning.

‘Superstitious’ learning attempts to learn from incidents that appear similar but actually are not. In most cases this causes a mismatch in the outcomes.

Bounded rationality is the human tendency to find simple explanations for a complex situation. It is common to focus on one or several aspects rather than search for the real cause of the problem. The third aspect is self-interest or group interest: the findings of the lessons learned and/or the proposed solutions will be in line with the interests, motivations or ideologies of these individuals or groups. The fourth is the pressure to react to and learn from an incident. The benefit of lessons learned is that they could prevent a similar incident. Finally, there is no framework for how to actually learn from incidents. Each event will be evaluated in a different way. This could be caused by the lack of institutionalization of lessons learned. During and after each incident organizations will reinvent the wheel to respond and learn.

Wildavsky (2012) states that managing incidents is done by trial and error. “Without trials there can be no new errors; but without these errors, there is also less new learning” (p. 17). So when organizations do nothing to improve, there are no failures but also no lessons learned, which hinders (organizational) learning.

Kayes (2015) notes that optimism and short-term thinking also limit learning. He states that optimism causes people to believe that current problems will disappear in the near future or resolve themselves (Kayes, 2015, p. 63-67). This causes disengaged individuals, who are not willing to learn, adapt or change anything in the organization because the current situation is already satisfying (Kayes, 2015).

Résumé

This paragraph shows what lessons need to be learned and how organizations could learn from incidents, but also what hinders effective learning. Organizations should have the learning potential to improve their systems, processes, procedures, people and policies. Learning should be present at three levels: the organizational, group, and individual level. However, learning only occurs if the organization has an open culture. Organizations, however, hardly bring lessons learned into practice. Also, faulty evaluations, several kinds of pressure, self-interest, optimism, and a short-term vision limit organizational learning.

2.5. Resilience

The former paragraph showed that when learning is an integral part of incident response, learning could be effective. The organization’s learning objective is important to increase resilience to similar incidents. This paragraph explains the concept of resilience. Furthermore, this paragraph sees resilience from an organizational perspective and explains the concept. This paragraph handles resilience as a part of crisis management.

Resilience in general

In academic literature there is no agreed definition for resilience. In each field resilience is used from a different perspective (Bhamra, Dani and Burnard, 2011). “Ecologists call it adaptation, economists call it coping capacity, anthropologists call it bounce back better, and in engineering it is best known as the capacity of a structure to withstand shock while retaining function” (Dahlberg et al., 2015, p. 44). Furedi (2008) defines resilience as “the ability – at every level – to anticipate, pre-empt and resolve challenges into healthy outcomes” (p. 647). Wildavsky (2012) argues that anticipation is to predict and prevent potential dangers before damage is done, and that resilience concerns hazards that have occurred (p. 77). Reich et al. (2010) combine resilience with multilevel analysis: “the study of the processes of recovery from adversity, and the processes underlying sustainability of purpose” (p. 16). Labaka et al. (2015) describe resilience as “the capacity of a system to prevent the occurrence of a crisis, and when a crisis does occur, the capacity to absorb the impact and to efficiently recover the normal state of operation” (p. 92).

Resilience is related to Neoliberalism (Walker and Cooper, 2011; Aradau, 2014). The term is used in many practices nowadays, such as business continuity management, supply chain management, and disaster management (Furedi, 2008; Bhamra, Dani and Burnard, 2011; Aradau, 2014; Bourbeau, 2015; Dahlberg et al., 2015). The term resilience was first used by Holling (1973), who used it for cognitive development (Aradau, 2014). Nowadays, resilience seems to be the solution to all kinds of incidents, undesired situations, and security issues (Boin and Van Eeten, 2013).

Organizational resilience

The resilience of an organization is not often a subject of research. There is frequent attention to supply chains, critical infrastructure, and resilient behaviour in organizations, but organizational resilience needs further research (Bhamra, Dani and Burnard, 2011). An organization becomes more resilient if it takes the role of learning seriously, learns from prior events and implements these lessons learned in its day-to-day operations (Kayes, 2015). ASIS (2009) sees organizational resilience as “an adaptive capacity in a complex and changing environment, and the protection of critical assets” (p. 2). Organizational resilience is to take learning seriously, learn from prior events, and implement learning into daily routines (Kayes, 2015, p. 55). The definition of Kayes (2015) will be used because incident learning, and learning from fraud, is used in this study. Organizations should implement the lessons learned in daily practice to enhance effective learning. Organizational resilience is used in this study as a concept, meaning that organizations learn from an internal fraud incident to become more resilient towards fraud.

ASIS International (2009) has developed an ‘Organizational Resilience Standard’ (OR Standard). This OR Standard includes requirements for organizational resilience and is applicable to public and private organizations. The objective of the OR Standard is to help management systems to improve actions like prevention, preparation, and response to disruptive incidents (e.g. crises) (ASIS, 2009). The OR Standard could be used for “continual improvement to increase the probability of enhancing security, preparedness, response, continuity, and resilience” (ASIS, 2009: p. vii). The process approach for continuous improvement adopts the periodical actions of “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s resilience should be integrated in the organizational system” (ASIS, 2009: p. vii). To enhance continuous learning, organizations should constantly update their response process (Kayes, 2015, p. 87). The OR Standard supports all phases of incident management to manage disruptive events and prevent escalation into a crisis. To enhance the process for continual improvement before, during or after an incident, the organization should have a prevention, preparedness, and response/continuity/recovery policy in place. The OR Standard describes that it is the organization’s responsibility to establish, implement, and maintain procedures to prepare for and respond to disruptive events. The procedure should take into account the following: protect assets, image and reputation; prevent further escalation of the event; recovery operations (including evaluating improvements); reduce the recovery time; and if necessary save lives (ASIS, 2009: p. 12). There are various responses to a crisis. However, the approach does not matter as long as three elements are included in case of an event: emergency response (what is the first response of the organization), continuity (go back to normal or to a new desired situation), and recovery (how to improve the organization, rethink operational requirements and strategy).

After the incident the organization should evaluate the post-incident phase. The OR Standard requires the organization to gain knowledge based on this evaluation. These lessons learned are used to implement the required measures in order to improve the organization’s resilience (ASIS, 2009). So if the OR Standard is used in the incident response, learning will be included and used to gain knowledge to become more resilient in the future. This model has not been researched yet; it is a cycle that can be followed by an organization. The purpose of the model is to assist an organization in walking through all the steps in order to become more resilient.

Résumé

Resilience is a term that is used for all kinds of purposes and is derived from a neoliberal ideology. This thesis focuses on organizational resilience. When organizational learning takes place with the purpose of improving the organization, this constitutes organizational resilience. Learning during and after the incident and the implementation of lessons learned could make an organization more resilient to similar incidents. Organizations can use the OR Standard in order to have a useful model, which consists of all relevant steps to become more resilient and to institutionalize this in the organization.

2.6. Public versus private organizations

In this paragraph the comparison between public and private organizations is made in order to have a proper understanding of what organizations are and which elements are different and similar in public and private organizations. The comparison is relevant in order to determine whether differences and similarities influence organizational learning in the aftermath of fraud. Firstly, organizations in general are described; secondly, the characteristics of public and private organizations are described; and thirdly, New Public Management is briefly described. Finally, a résumé is added.

Organizations in general

The term organization is often taken for granted. However, it is relevant to have a good understanding of what it actually means. An organization can be seen from different perspectives, and the term could be used in many ways. Buchanan and Huczynski (2004) state that an organization is “1) a social arrangement for achieving 2) controlled performance 3) in pursuit of collective goals” (p. 5). The social arrangement means that organizations are groups in which people interact. This membership implies a social bond where common objectives are only achieved when cooperation exists among individuals. The third element is performance control, which enhances the pursuit of goals. An organization’s performance assesses its continuity (Buchanan and Huczynski, 2004).

Organizations are often mentioned in organizational science as nodes in a social network, as aggregations of individuals or as a bundle of organizing processes (King et al., 2009, p. 290). Barnard (1948) defines a formal organization as “a system of consciously coordinated activities or forces of two or more persons” (p. 81). Bain and Company (2009) argue that an effective organization has integrated leadership, a decision-making structure, people, work processes and systems, and culture. An effective organization is important in a crisis situation, for example to be able to make quick decisions. However, it is also important that an organization wants to learn from a crisis or incident. Organizational learning involves five elements: organization, people, knowledge, technology, and learning (Marquardt, 1996). The latter is relevant for this research, as mentioned in the paragraph ‘Learning’. According to King et al. (2009) an organization is also a social actor itself. This means an organization acts and behaves in its own way, is capable of making decisions, and can be held responsible for them. So organizations are not the same; they behave and act differently.

There are two levels at which to analyse an organization: the meso-level (organizational) and the micro-level (individual). Organizations consist of individuals, individuals form teams, teams are part of a department and departments are part of an organization. Organizations have individuals, groups, structures, processes, and management (Buchanan and Huczynski, 2004).
