ADDRESSING FRAUD IN WORKERS’ COMPENSATION: STRATEGIES FOR IDENTIFICATION, INVESTIGATION, AND MITIGATION
The Industry’s Premier Risk Management Educational Program
October 20–24 // Columbus, OH
PRIMA Institute 2025 (PI25) is an innovative educational symposium comprised of fundamental risk management curriculum, outstanding faculty, and excellent networking opportunities. PI25 is aimed at new and seasoned risk management professionals who want to learn more about emerging trends and best practices.
EARLY BIRD REGISTRATION ENDS AUGUST 31
JULY/AUGUST/SEPTEMBER 2025 | Volume 41, No. 3 | www.primacentral.org
The Public Risk Management Association promotes effective risk management in the public interest as an essential component of public administration.
PRESIDENT
Steve M. LePock
Risk Manager
Virginia Beach City Public Schools
PAST PRESIDENT
Adam F. Maxwell, CLRP
Director of Administration
City of Grandview Heights, OH
PRESIDENT-ELECT
Jennifer Hood
Safety & Risk Director
Montgomery County (TN) Government
DIRECTORS
Cathie T. Chancellor, JD, MS, CRM
Risk Manager
City of Norfolk, VA
Joe Costamagna
Risk Manager
Schools Insurance Authority
Chester Darden
Director of Loss Control
Public Entity Partners
Jamee Higgins
Safety & Risk Manager
City of Midland (TX)
Michelle Jordan
HR Manager: Risk, Benefits and Compliance
Clayton County Water Authority
Robert Warren, CRM
Risk Manager
Trinity River Authority of Texas
NON-VOTING DIRECTOR
Jennifer Ackerman, CAE
Chief Executive Officer
Public Risk Management Association
Alexandria, VA
EDITOR
Nick Baker
703.528.7701
nbaker@primacentral.org
ADVERTISING
Nick Baker
703.528.7701
nbaker@primacentral.org
Public Risk is published 4 times per year by the Public Risk Management Association, 700 S. Washington St., #218, Alexandria, VA 22314 tel: 703.528.7701 • fax: 703.739.0200 email: info@primacentral.org • Web site: www.primacentral.org
Opinions and ideas expressed are not necessarily representative of the policies of PRIMA.
Subscription rate: $140 per year.
Back issue copies for members available for $7 each ($13 each for non-PRIMA members). All back issues are subject to availability. Apply to the editor for permission to reprint any part of the magazine.
POSTMASTER: Send address changes to PRIMA, 700 S. Washington St., #218, Alexandria, VA 22314. Copyright 2025 Public Risk Management Association
SEPTEMBER 17 | 12:00 PM – 1:00 PM ET
SPEAKERS:
Chris Mandel, President and Managing Consultant, Excellence in Risk Management, LLC
Soubaghya Parija, Consultant and Former Chief Risk Officer, FirstEnergy Corp.
Risk leaders everywhere have often struggled to understand and add value to how financial risks are managed within their organizations, trusting that CFOs and treasurers are the experts. Yet, to be effective, all risk leaders need to understand how these risks should be managed and how they fit into the overall risk profile of their organizations. This session will address financial risk assessments and explore how to ensure these are prioritized and fit into the broader scheme of risk management.
ATTENDEE TAKEAWAYS:
1. Learn the fundamentals of key financial exposures and how they affect organizational success
2. Understand the assessment tools and techniques that are used to manage these risks
3. Know who the key stakeholders are and how they see these risks fitting into the risk profile of the organization
4. Walk away with a clear understanding of how financial risk fits into the big picture
I am both thrilled and humbled to serve as the president of PRIMA. It was incredible to see so many of you in Seattle for the 2025 Annual Conference; what a phenomenal gathering! Without a doubt, this moment marks the pinnacle of my professional career.
To my fellow PRIMA Board members, the outstanding PRIMA staff who orchestrated such a remarkable event, and to our dedicated members, committee volunteers, retirees, and corporate partners: YOU are what makes PRIMA the #1 professional educational resource for public risk managers.
And the best part? We get to do it all again in Fort Lauderdale next June for the 2026 Annual Conference and I’m already counting the days!
Announcing the award winners on stage this year was an unforgettable honor. I was truly inspired by the accomplishments of our colleagues who continue to elevate the risk management profession. And a special congratulations goes to Jeff Green, who received PRIMA’s highest honor: Public Risk Manager of the Year. Well deserved, Jeff!
I remember my very first PRIMA Annual Conference in Long Beach, CA in 2014. I barely knew anyone. Of the five people I did know, four were vendors! But that changed quickly because I met so many risk management colleagues, many of whom I saw again this year in Seattle. I was hooked from day one—the educational sessions were top-notch, the networking unmatched, and I stretched every minute of each day. PRIMA quickly became my professional home.
To keep our journeys moving in the right direction, it’s vital that we’re equipped with the right mix of knowledge, resources, and relationships. PRIMA provides all of that—and we’re adding even more to the mix.
I encourage you to join us at the 2025 PRIMA Institute (PI), taking place October 20–24 in Columbus, Ohio. PI offers a one-of-a-kind educational experience with the intimacy of a smaller conference but the quality of a national event—perfect for both new and seasoned risk professionals. You can register at primacentral.org/education/prima-institute.
I’ve had the honor of serving at the local, regional, and state levels, including with my home chapter, Virginia PRIMA. Those experiences have shaped who I am, and I’m excited to now bring that perspective to the national stage as PRIMA’s president.
My mission is simple: to inspire, to give back, and to help others lead. If you’re already in a leadership role—please reach out and mentor someone passionate about public risk. Don’t just seek mentors. Be one!
PRIMA thrives because of the incredible risk management professionals who volunteer their time and expertise—across 29 chapters and numerous committees. I want to give a heartfelt thank you to those behind the scenes who make it all possible, including my colleagues on the PRIMA Board of Directors, who continue to lead with vision and dedication. Together, we will ensure PRIMA remains resilient, relevant, and forward-thinking.
To everyone who joined us in Seattle: thank you! I hope you reconnected with old friends and made a few new ones. Our amazing PRIMA staff and the Conference Planning Committee are already hard at work to make Fort Lauderdale unforgettable with engaging sessions and plenty of exciting things to see and do.
And finally, remember that PRIMA’s success depends on you. Please consider getting involved, sharing your ideas, and helping PRIMA continue to lead in public risk education.
If you’d like to connect or contribute, don’t hesitate to reach out to me at slepock@vbschools.com.
Sincerely,
Steve M. LePock
PRIMA President 2025-2026
Flood events are bigger and more frequent. Governments can’t change the weather, but they can invest in infrastructure that is better able to handle it.
By Carl Smith, Governing magazine
The deadly floods in Central Texas, which had killed more than 100 people in July, have become a flashpoint for discussions of government preparedness for flood emergencies. Kerr County abandoned efforts to build a more robust warning system, reportedly due to budget issues; officials also appear not to have issued evacuation orders at the start of the flood.
But one expert tells Governing that local officials across the country should also be using this moment to reflect on the need for updated water infrastructure, the first line of defense for communities experiencing extreme rain events.
A 2024 report from the American Society of Civil Engineers and the Value of Water Campaign estimated that the country is billions of dollars short in investments needed to update water infrastructure for 21st-century needs, including a new normal of extreme rainfall events.
Floods are the most common and expensive natural disaster, and the warmest years since record keeping began in 1850 are all in the last decade. Warmer air holds more moisture; higher temperatures increase evaporation.
Emily Simonson directs the Value of Water Campaign for the U.S. Water Alliance, a nonprofit organization that focuses on water challenges.
Water leaders are in Pittsburgh this week for the One Water Summit. The event gathers some of the brightest minds across disciplines and communities working to elevate needs, spread what works, and test new approaches, Simonson says.
The Texas disaster will be top of mind for attendees. Simonson spoke to Governing from Pittsburgh about the importance of keeping focus on infrastructure needs amid post-event controversies. The conversation has been edited for length and clarity.
What do you hope people will take away from recent events?
Tragedies like these are moments where you want to not just ask what we can do better but to actually see lessons learned and implemented. We need to have that conversation in a way that can bring people together to get it done, rather than turn this into me versus you, Republican versus Democrat.
In our 2025 polling, we were surprised to see that 1 in 5 Americans reported experiencing an extreme weather event that affected them in a water-related way in the past five years.
We also asked whether they were concerned about weather-related water impacts in the future. Seventy-four percent of voters — red, blue, women, men, rural, urban — said yes, they are concerned. And 70 percent believe that it’s extremely important for the federal government to reduce the likelihood of water challenges in future national disasters.
Read the full article at: https://www.governing.com/resilience/floods-are-increasingly-common-our-waterinfrastructure-is-unprepared
The response to the FSU shooting demonstrated what effective planning can look like while exposing vulnerabilities that must be addressed.
By Brian Higgins, Campus Safety
We’ve become all too accustomed to the horror of school shootings. From elementary schools to sprawling university campuses, the question is no longer if an incident will happen—but when. And while the public may feel helpless, those responsible for campus safety—law enforcement, administrators, and emergency managers—must remain vigilant. The recent shooting at Florida State University (FSU) in April 2025 serves as a critical reminder: emergency planning, training, and continuous assessment save lives.
Despite the heartbreak of loss, the FSU incident also demonstrated what effective planning and response can look like. With zero student fatalities and a law enforcement response time under two minutes, it’s clear that some things were done right. However, it also exposed vulnerabilities that must be addressed and security measures that must be enhanced before the next crisis.
1. Immediate Emergency Alerts: FSU’s emergency notification system “FSU Alert” functioned as intended. Students and faculty received immediate alerts via text, email, and app notifications, allowing them to take action without delay.
2. Students Knew What to Do: Thanks to previous lockdown drills and awareness campaigns, students across campus initiated “lockdown protocols.” Many took protective actions: securing themselves in classrooms, staying quiet, and moving away from doors and windows.
3. Law Enforcement Responded Rapidly: FSU campus police arrived on scene less than two minutes after the first 911 call—a response time that is among the best in the nation. Their swift, decisive action stopped the attacker before he could cause further harm.
4. No Student Fatalities: While the shooting was tragic, no students were killed—a testament to both preparedness and sheer luck. The response undoubtedly saved lives.
1. Casualties Near the Student Union: Two workers near the student union were killed, and five others injured. The victims were not in a locked space, raising questions about access control and communication reach during chaotic moments, including emergency notification in open air spaces.
2. Gun Access: The 20-year-old suspect, an FSU student, used a firearm belonging to his stepmother—raising concerns about how easily dangerous individuals can access unsecured weapons in their homes. While beyond the campus’s direct control, it emphasizes the value of prevention efforts that extend beyond institutional walls.
3. Door Locking Issues: Not all rooms on campus could be locked from the inside. This critical vulnerability, common at many higher education institutions, puts lives at risk during an active shooter incident.
Read the full article at: https://www.campussafetymagazine.com/insights/lessons-learned-from-the-fsushooting/171492/
BY NICK BAKER, PRIMA
FOR A RISK MANAGER, LARIMER County, Colo., presents a unique set of challenges. Sitting along the northern border with Wyoming, it’s nearly twice the size of Rhode Island and includes five municipalities, with Fort Collins being the largest. It’s also home to Colorado State University, mountain towns like Estes Park and portions of Rocky Mountain National Park and the Continental Divide.
He has also designed and facilitated safety training programs tailored specifically to new employees and supervisors. The trainings utilize an enterprise-wide approach, incorporating collaborations with subject matter experts from various fields, including occupational health, emergency response, and law enforcement, to ensure that training content is relevant, current, and impactful.
Larimer County Attorney Bill Ressue said Green goes above and beyond the requirements of his job. “He engages with all the county departments. People in Larimer County know who Jeff is. They know what services he can offer; people know that he can help,” he said.
“We’ve become an integral partner to our operating groups. It’s been very successful to get to know all our operating units, their business and develop personal relationships,” Jeff said. “It’s fostered a culture of risk management around the county.”
“The challenges you face here as a risk manager are the breadth of the exposures,” said Jeff Green, Larimer County Risk Manager and PRIMA’s 2025 Public Risk Manager of the Year (PRMY). “I characterize Larimer County as a corporate entity with 26 subsidiaries all doing something different.”
Green became Larimer County’s risk manager in March 2008, bringing a unique background that included risk management in the private sector, as well as experience as an insurance broker and underwriter.
“He is a unicorn in this arena,” said Lorrie Lopez, finance director for Larimer County. “He has both technical skills and people skills. He uses that combination to run a very effective program.”
Larimer County had about 292,000 residents when Green started working for the county and it now has over 374,000 – an increase of nearly 30 percent. In that time, it has experienced several large-scale natural disasters, including the 2012 High Park Wildfire and the catastrophic floods of 2013. The historic 2023 Cameron Peak Fire burned more than 208,000 acres in Larimer and Jackson counties over several months, forcing the evacuation of more than 6,000 residents of Estes Park and smaller communities. Throughout these ordeals, Green worked closely with the Larimer Office of Emergency Management to implement effective loss mitigation strategies, keep the public safe, and provide crucial support to county employees.
Heather MacMillan, Larimer County Purchasing Manager, noted that the county has undertaken more than $130 million in new construction in the past several years. She said Green and his team have been instrumental in providing specific insurance requirements for any request for proposal (RFP). “It’s important for us to set those insurance requirements early for vendors so they’re aware of what they need to purchase if they don’t have those lines of insurance,” she said.
Larimer County has more than 2,200 employees, and despite all the new construction the county has undertaken, Lopez says there have been fewer workers’ compensation injuries in 2024 than 15 years ago. “I think that’s a testament to Jeff and his (risk management) program,” she said.
That culture can be attributed to Jeff’s dedication to ensuring every employee understands the importance of risk management. He routinely writes safety articles for the employee newsletter and he serves on several boards and committees, which range from identifying and mitigating threats before they occur to enhancing the safety of vehicle fleets. He also collaborated with the Larimer County Office of Emergency Management to create the Larimer Prepared program, an initiative that equips county employees and their families with the essential skills to enhance their personal safety and recovery readiness.
“He cares both about the organization and employees, and it comes across that way,” Larimer County Manager Lorenda Volker said. “He’s a strong mentor for his staff. He’s active in his state association and he’s been appointed by the governor to serve on committees. He’s a well-rounded risk manager.”
Green’s current and past coworkers continually point to one characteristic that makes him stand out: his dedication to the next generation of risk managers. Whether it’s ensuring his team obtains the latest designations or attends workshops and seminars, he’s committed to ensuring they have the knowledge and tools to carry out their roles. And when one of his employees has an opportunity to utilize their expertise and experience at another entity, he encourages them to take it. His past employees have gone on to be risk managers at Denver International Airport, Los Angeles County Community College District, Platte River Power Authority, and the Town of Windsor, Colo.
Natalie Spear transitioned from an administrative role for Larimer County to progressively taking on more risk management responsibilities. “I didn’t know what I wanted to do until I took this role. I found my niche in risk management, and Jeff was the one who gave me that foot in the door,” she said.
Spear gained professional knowledge and experience while working with him, which eventually led her to take a position as the enterprise risk manager at the Platte River Power Authority. She attributes his guidance to helping her recognize her potential. “He always encouraged us to learn more, to trust ourselves, and to push higher in risk management. He’s building something for risk management, both here in Colorado and nationally.”
Jeff tells his team to build their network of industry professionals and think creatively. “I encourage my staff to get involved in PRIMA, both at the state chapter level and nationally; it’s a great resource for their career development.”
The aspect he enjoys most about his job is the diversity of things he’s involved with. “The bottom line is that it’s not boring. There’s always something going on somewhere around the county that creates new challenges,” he said.
“This recognition from PRIMA is not just about me. It reflects the incredible team I’m proud to be a part of at Larimer County. Your expertise, hard work, and dedication are the reason our program continues to thrive,” he said upon accepting the PRMY Award at PRIMA25 in Seattle. “As I look out across the room, I’m excited about the future of public risk management. With PRIMA’s commitment to excellence in risk management education and this group of professionals here today, I know we’ll keep raising the bar together.”
BY KEVIN LEDERER, DAVIES NORTH AMERICA
WORKERS’
A
issue that poses significant challenges and financial risks to organizations.
It can undermine workplace integrity, compromise workplace culture, adversely affect employee morale and be costly if not mitigated.
To effectively combat this challenge, companies should adopt a comprehensive approach that involves first identifying fraud indicators, then investigating suspicious scenarios, and finally proactively mitigating their exposure.
From a claims perspective, the first line of defense against workers’ compensation fraud is scrutinizing claims from the initial report through to resolution. A methodical approach involves:
1. Collect thorough documentation: Accurate and detailed documentation is essential. Claims should include clear descriptions of the incident, medical reports, witness statements, and any other relevant evidence. Consistency in documentation helps establish the legitimacy of claims and provides a robust framework for investigation.
2. Facilitate consistent communication: Maintaining open lines of communication with injured employees, medical providers, and claims adjusters can uncover discrepancies and assist in validating claims. Regular follow-ups can ensure that claims are progressing appropriately and help identify potential fraud.
3. Recognize red flags: Organizations should train claims adjusters to look for common indicators of fraud, such as:
• Inconsistent injury reports: A lack of consistency in the details of the injury, such as how it occurred and/or the severity of the injury, should raise suspicion.
• Delayed reporting: Employers should be wary of reports that are submitted long after the incident occurred. In some cases, this could indicate fabrication or exaggeration.
• Discrepancies in medical documentation: Pay close attention to documentation from medical providers. Conflicting reports or inconsistencies can signal potential fraud.
If fraud indicators or red flags are identified, organizations should have investigative measures in place to quickly examine the cases in question. Organizations should employ systematic investigative practices, such as:
• Technology-Driven Detection: Utilizing advanced data analytics, machine learning algorithms, and automation techniques, employers can effectively identify and flag suspicious trends and activities that may indicate fraudulent behavior, thereby enhancing overall detection capabilities.
• Medical Canvassing and Background Investigations: Companies can conduct research into a claimant’s history to construct a detailed profile, which involves reviewing various aspects such as litigation history, previous claims, medical records, and employment records to gather a complete understanding of the claimant’s background.
• Interviews and Recorded Statements: Conducting in-depth interviews with both claimants and witnesses to gather additional information and confirm critical details related to the claim ensures that all relevant insights are captured and accurately recorded for further analysis.
• Surveillance and Social Media Monitoring: To validate the authenticity of claims, employers can implement a combination of digital and in-person investigations, examining both online activities (predominantly on social media platforms) and real-world behaviors to verify accuracy in injury reports or spot exaggerated claims.
From an employer’s perspective, implementing preventative measures can be the most effective strategy to mitigate their exposure to workers’ compensation fraud. To prevent fraud before it occurs, employers can implement several proactive measures, such as:
• Education of employees: By mandating regular training sessions, employers can educate employees about the importance of honest reporting as well as the consequences of fraud. Awareness campaigns have been shown to promote a culture of integrity and accountability among a workforce, while demonstrating the consequences of fraud can be an effective deterrent.
• Implement workplace safety programs: By prioritizing safety and health initiatives, organizations can minimize the risk of workplace injuries, which in turn can reduce opportunities for fraudulent claims.
• Clear reporting protocols: Establishing transparent and accessible reporting mechanisms will enable and encourage employees to report injuries promptly and accurately. This measure will promote timely and accurate reporting by injured employees, reducing the likelihood of delayed/inaccurate submissions and subsequent fraudulent claims.
• Pre-employment screening: Adopting pre-employment background checks verifies an applicant’s background and can reduce the likelihood of insider fraud, misconduct, or conflicts of interest. This allows employers to avoid potential risks before onboarding, ensuring the candidate has a history of truthfulness and transparency.
An often-overlooked measure in fraud mitigation is the adoption of a structured return-to-work program that allows injured employees to return to the workplace in a modified capacity.
From an employer’s point of view, these programs can significantly reduce indemnity costs by minimizing the duration of wage-loss benefits and facilitating a smoother transition back to full productivity.
For employees, the advantages are equally compelling; they often experience expedited recovery through gradual reintegration into the workplace, which fosters physical rehabilitation and psychological well-being. Additionally, modified work arrangements provide job security, allowing employees to retain their roles while managing their recovery.
What is often overlooked is how these programs can help mitigate fraud. By facilitating regular correspondence between employer and injured employee, transparency and accountability are promoted. Employees are actively engaged in their recovery process, which in turn promotes timely, accurate reporting of documents, thereby reducing opportunities for fraudulent misuse of workers’ compensation benefits.
Workers’ compensation fraud presents significant challenges to organizations. However, through comprehensive identification and investigative strategies, proactive employer measures, and effective return-to-work programs, organizations can mitigate risks and protect against this challenge. By fostering a culture of transparency and accountability, businesses not only safeguard their resources but also promote a healthier, safer workplace for all employees.
Kevin Lederer is senior vice president of the Special Investigations Unit with Davies North America in Orlando, FL.
BY ANGELA SARNO, PAYMENTWORKS
IT’S TIME FOR YOUR RISK team to rethink the role of the vendor desk.
Even though your entire organization relies on the data within your supplier file every day, vendor onboarding is usually seen as a logjam; it’s an annoying thing to just get through. While procurement, risk, finance, and business owners all make decisions, strike deals, and assess risk based on what has been input into your finance system/enterprise resource planning (ERP), very little thought is put into how organizations collect and verify this information.
With so much at stake, why do so many governmental organizations fail to consider vendor onboarding and management as more than a tactical, clerical function?
In early 2023, several regional banks closed, forcing thousands of businesses to scramble to open accounts with new banking partners.
There were documents to submit, background checks to wait on, and facts that needed to be verified. That new bank wants to know if your business is what you claim it to be. They want to know that your CEO and CFO aren’t felons.
Many systems and processes are used to verify the information as submitted.
It can take days or even weeks to start using a new bank account. After all, millions of dollars could be at stake.
Now, think about how your organization sets up a new vendor in your ERP—a vendor you might be ready to pay millions of dollars.
What you do likely involves a PDF ‘vendor form’ and the exchange of sensitive information via unsecured email. This form and its information are likely to pass through several hands, and the information may or may not be verified against third-party sources. I’ll bet that the process for setting up a new vendor is likely not documented, and if it is documented, it’s likely not followed.
Here’s what risk managers need to understand: This PDF and email-based data collection is the foundation of your organization’s entire payment process. The risk is not when you pay the vendor, it’s when you onboard the vendor.
Let’s play a game. Imagine your ERP is the foyer of a club everyone wants to join. In that foyer, your employees (the vendor desk) are checking IDs. While they’re checking IDs, they also need to pay the bills. They also need to answer hundreds of questions a week via phone and email, asking why the line is so long and why they can’t just let someone in the back door, just this once.
And by the way, your club has six additional unlocked entrances, an unlocked window in the restroom, and an open loading dock to the kitchen.
You get the picture. A lot of riff-raff are going to make it into your club. This club metaphor might seem heavy-handed, but it’s the reality of vendor desk staff in governments of all sizes.
Working on the vendor team is impossible. It usually comes with low wages and the stress of real money at stake with every keystroke. Vendor desk personnel are juggling way too many inputs to keep a tight and trackable process. This is the faulty foundation upon which the supplier file, and subsequently, the payment file, is built. Why is this the case?
I know I am writing to an audience of risk managers, but I am going to say the quiet part out loud: Vendor management is an impossible job because finance and risk leaders don’t respect it. You think this is clerical work and that it’s just data entry.
And that is why your organization may soon be in the headlines.
In reality, vendor management is not clerical and it’s not data entry. It’s collecting data, sure, but then it’s verifying that data:
• Is this accurate, true, and correct?
• Did the person providing it have the authority to do so?
It’s also documenting what was checked, who checked it, and why decisions were made, ensuring a clean audit trail:
• Is this a valid tax ID?
• Is this bank account associated with that tax ID?
• Has every internal approval step been completed and documented?
Furthermore, it’s analyzing what’s on that form:
• Should this be an employee vs a contractor?
• Does this tax ID already exist in our system?
• Is this a new remit with that tax ID?
• Do we need another contractor for this service when we have agreements with two others?
All of this must happen before the vendor’s data is input into the ERP. But far too often, none of it is done. A form is simply gathered and re-typed right into the ERP.
Automating the largely manual vendor onboarding and management process can have an immediate impact on your entire organization, not just the vendor desk staff. Automation will also eliminate the need for your business team to play a game of telephone tag between vendors and accounts payable by removing them from the process of collecting and submitting vendor documents. Instead, they will have visibility into the status of any given vendor.
While there is an upside beyond risk mitigation when automation is used for vendor onboarding, we’ll stick to the benefits for your risk management team, particularly those related to vendor impersonation and payment fraud risk.
We can hardly go a day without reading another terrible news story about a successful social engineering fraud. This is a specific type of fraud in which a fraudster impersonates a vendor and tricks one of your staff into changing payment information in your ERP. The best cyber defense tools and training cannot stop a well-intentioned employee from being fooled. In the most recent Association of Finance Professionals (AFP) survey, a terrifying 80 percent of organizations reported they were the target of an attempted or actual fraud!
And that’s just the organizations that chose to report it.
If you had an 80 percent chance of getting hit by a bus when you walked out your front door, you’d likely reconsider leaving your house, right? Unfortunately, vendor desk teams are under immense pressure to handle their titanic workload quickly, and they have no choice but to move as fast as possible through their process. “Speed” does not usually equate to “careful” when it comes to following a process.
Specifically, organizations are at the most risk of being attacked at two specific times:
• When an existing vendor reaches out to change banking information
• When a new vendor is onboarding with you for the first time
Source: 2024 AFP® Payments Fraud and Control Survey Report
You likely know how many new vendors you add to your supplier file each year. However, an often overlooked risk point is updates to your existing vendor record. Across the board, an average of 30 percent of existing vendors change some information each year, most often their payment information.
To mitigate the risk to your organization, you can start with these few suggestions.
• Does your organization have a documented process for verifying banking changes to existing vendors? (Documented is the keyword.)
• Is this process audited regularly to ensure it is being followed?
• Has your insurance company reviewed the process and declared it insurable?
In light of the costs, impacts, and importance to your entire organization, I ask you to turn your attention to the people — more likely the person — charged with inputting vendor data into your ERP. Compare their job description to what they actually do all day.
If your organization views this work as clerical but also expects your clerical staff to be analysts, CSI detectives, fraud and compliance experts, and always be right, 100% of the time, you have a faulty foundation – a foundation that will definitely crack, or maybe it already has.
• Document the vendor onboarding and change management process from start to finish.
• Assign an internal person to review and update the process regularly.
• Get sign-off from your insurer that your process is insurable for social engineering fraud (i.e., scams that rely on tricking someone rather than on hacking systems).
• Regularly check the process against new fraud techniques and adjust as needed.
I have one last action item for you: the one-question audit. Right now, get up and go ask your vendor desk staff what they do to verify vendor banking information. If you like what you hear, ask them to prove to you that they followed this process for the last 25 vendors.
You might not like what you learn.
For risk professionals, building your organization’s vendor onboarding process is key to reducing fraud risks. It’s not just about data accuracy; it’s also about making sure your insurance covers you against tricky social engineering scams. Taking vendor onboarding as seriously as you do cyber risks helps protect your entity from financial losses and, even more, ensures you a good night’s sleep.
Angela Sarno is Vice President, Marketing for PaymentWorks, located in Waltham, MA.
RISK GOVERNANCE OF THE FEW OR THE MANY, AND INSURANCE CERTIFICATE CHAOS
BY MARILYN RIVERS, RIVERS RISK CONSULTING, LLC
Risk is glorious in its technicolor explosions of fact, fiction, supposition and opinion. For those of us who manage those explosions, we often wonder if our primary role in governance is the herding of cats. Cats, you say? Well, cats are highly intellectual and independent entities. My cat Sherlock can stand in the middle of an empty room and bring everyone in the house to its center as he loudly expresses his displeasure at well…life in general. The fact that he has the capacity to control the existence of our household is a testament to the strength of his voice and his ability to manipulate our reality. Good or bad, when Sherlock speaks, the loudness of his convictions stops our time.
Sherlock’s analogy is real within all our workplaces. There is and will always be that one individual who brings chaos to the best of our risk and safety objectives and goals. They are that one individual in life who believes that their one voice, shouted at its loudest, can manipulate the masses and determine the outcome of our best-laid plans and our reality. It begs the question we all ask ourselves in difficult interpersonal situations – do we govern risk for the many or the few?
I have had many situations in which an individual has entered my personal risk workspace, flailed their arms, jumped up and down and demanded their way or the highway. For those of you who have attended many of my classes, I continually promote the practice of the steady glare in the mirror on a regular basis. Each of us as risk professionals embraces the old saying…been there…done that. The yelling, threatening, self-promoting, and childish machinations of an outlier usually bring out my best practiced blank stare to which I embrace my own oblivion. I liken the negative machinations to a child’s temper tantrum or Sherlock’s attempt for attention.
Risk governance can only thrive on consensus and managing the risk of the center of the communities we serve. As we seize opportunities for improvement, we understand the value of our diversity, but also understand the importance of collectively needing to govern the needs of the vast majority of the communities we serve.
I will argue with my dying breath that COVID brought risk to its knees with all its emergency measures and demands. It skewed our approach to what governance means and what it in fact does. It gave opportunity for unilateral emergency orders and mandates that, quite frankly, often brought forth the very worst in governance and its role models. Let’s be retrospective: in-your-face risk management doesn’t work when it’s based on threat, fear and retaliation.
Best practice risk and safety governance is founded in its ability to embrace all the difficulties and diversified situations we face on a regular, ongoing basis, with respect, the ability to empathetically listen, and our ability to achieve consensus through our non-biased communication of expectations, partnerships, and opportunity. Govern for the few or the many? Let’s argue that we, as risk professionals, govern individually and collectively for the totality of our communities in a holistic approach by embracing all who participate. Grant patience to ourselves for our Sherlocks, but let us remember our strategic risk mission is to achieve consensus with all of our community partners – the many, not the few.
Marilyn Rivers, CPCU, ARM, AIC, is the CEO of Rivers Risk Consulting, LLC.
HOW TO FIX IT)
BY ASHLIE DITTFIELD, EVIDENT
Let’s be real: managing certificates of insurance (COIs) in a public entity can feel like herding cats in a windstorm.
I’ve spent years in the trenches—reviewing COIs, chasing down vendors, and trying to stay ahead of expiring coverage before it turns into a liability for the county. And if there’s one thing I’ve learned, it’s this: COI compliance is rarely about the paperwork—it’s about the process. Or in many cases, the lack of one.
Here’s what typically happens in cities, counties, and special districts across the country:
• Decentralized Contracting: One department signs a vendor agreement. Another holds the insurance documents. And a third is on the hook when something goes wrong.
• Inconsistent Requirements: There’s often no standard language for indemnity or insurance across contracts, leaving each project team to reinvent the wheel (or forget it altogether).
• Manual Tracking Tools: I’ve seen COIs tracked in Excel, Outlook folders, even Post-it notes. When your “system” is a spreadsheet, things slip through the cracks—especially during staffing shortages or leadership transitions.
• Delayed Follow-Ups: With dozens (or hundreds) of vendors, following up on renewals manually is nearly impossible. One missed email can mean an uninsured contractor working on public property.
• Misunderstood Risk Profiles: Not every project needs the same level of coverage, but we often see boilerplate requirements that either underprotect or overreach—both of which carry consequences.
These gaps don’t just create administrative headaches. They leave public entities exposed. An expired COI may seem like a small issue until an incident happens, and the agency finds itself footing the bill.
The good news? I’ve worked with public entities that have turned things around—and here’s what’s working:
1. Centralizing the COI Process
Instead of leaving risk management to individual departments, leading agencies are assigning COI compliance to a single point of accountability—whether that’s a person, a platform, or a dedicated risk unit. It eliminates silos and ensures nothing gets lost in the shuffle.
2. Using Technology Built for the Job
Modern COI tracking tools streamline the entire process—automating renewals, flagging non-compliant vendors, and ensuring records stay current. That means no more digging through inboxes or hoping you remember when coverage lapses. You get timely, proactive oversight without the scramble.
3. Standardizing Contract Language
Legal, procurement, and risk teams are finally working together to define clear, defensible indemnity and insurance clauses. Once that’s standardized, enforcing it becomes a whole lot easier.
4. Right-Sizing Coverage Requirements
Blanket insurance demands can deter smaller vendors and create unnecessary friction. Smart agencies are tailoring their requirements based on the actual risk of the engagement, striking a balance between protection and practicality.
5. Training Staff and Setting Expectations
You can’t fix COI chaos without buy-in. The most effective programs start with education—helping teams understand why COI compliance matters and the real risks of ignoring it. When people grasp the bigger picture, they’re far more likely to catch red flags before they turn into legal headaches.
IT’S NOT JUST ABOUT COMPLIANCE—IT’S ABOUT CONFIDENCE
At the end of the day, COI management isn’t about checking a box. It’s about knowing your agency is protected when things don’t go as planned. That peace of mind is worth a lot—and it starts with cleaning up the chaos.
If your agency is still relying on outdated tools or crossing fingers that coverage is valid, I promise you, you’re not alone. But you don’t have to stay there. With the right process, tools, and a little collaboration, COI compliance can be something you trust, not something you dread.
Ashlie Dittfield is Insurance Certificate Operations Manager for Evident.
OCTOBER 15 | 12:00 PM – 1:00 PM ET
SPEAKERS:
Ryan Gallik, Co-Founder, The Mental Hygiene Project
Michael Stahl, Managing Partner, The Mental Hygiene Project
Few organizational leaders have a clear understanding of trauma’s pervasive influence or how they can help employees address, manage, and overcome what we refer to as “experienced trauma.” However, there exists an approach that transcends traditional notions of management, one that acknowledges the profound impact of trauma on individuals and organizations. It’s a leadership approach that seeks to heal, empower, and foster growth: trauma-informed leadership.
ATTENDEE TAKEAWAYS:
1. Understand the prevalence of trauma and how that can impact the emotional and psychological needs of individuals and groups
2. Learn how to apply the four R’s (Realize, Recognize, Respond, and Resist) during courageous conversations and interactions with employees to ultimately resist re-traumatizing individuals and/or groups
3. Strengthen awareness of the power of empathy, safety, and trust and how cultivating those can have both human and financial impact
4. Gain knowledge on how developing a trauma-informed organization can give your association a true competitive advantage in recruiting, retention, and engagement
HAS YOUR ENTITY LAUNCHED A SUCCESSFUL PROGRAM? An innovative solution to a common problem? A money-saving idea that kept a program under budget? Each month, Public Risk features articles from practitioners like you. Share your successes with your colleagues by writing for Public Risk magazine! For more information, or to submit an article, contact Nick Baker at nbaker@primacentral.org.
PRIMA’s calendar of events is current at time of publication. For the most up-to-date schedule, visit www.primacentral.org.
PRIMA ANNUAL CONFERENCE
June 7–10, 2026
PRIMA 2026 ANNUAL CONFERENCE Fort Lauderdale, FL Broward County Convention Center
PRIMA WEBINARS
September 17
Where to Begin? How to Conduct a Financial Risk Assessment in Your Organization
October 15
Trauma-Informed Leadership
November 19
Don't Hire the Perp: Avoid Organization Killing Pitfalls During the Recruitment Process
December 17
Value-Added Services: How To Get the Most From Your Insurance Partnerships
PRIMA INSTITUTE
October 20–24, 2025 Columbus, OH
ENTERPRISE RISK MANAGEMENT
December 2, 4, 8, 10, 2025 Virtual
PRIMA'S EMERGING TECH AND RISK SYMPOSIUM
January 27–29, 2026 Virtual
Create an ORGANIZATIONAL CULTURE that proactively MANAGES RISK