Organizational Policies for Compliance

Organizations often implement policies to ensure they remain compliant with laws and regulations. These policies can contain multiple elements. However, in the context of this chapter, the most important element is fiduciary responsibility.

Fiduciary refers to a relationship of trust. A fiduciary could be a person who is trusted to hold someone else’s assets. The trusted person has the responsibility to act in the other person’s best interests. He or she should avoid conflicts of interest.

Once someone trusts a fiduciary, a fiduciary relationship exists. Notice that this relationship requires two separate entities. The fiduciary responsibility can take many forms. Examples of fiduciary responsibilities are:

  • An attorney and a client—The client trusts the attorney to act in the best interests of the client.
  • A CEO and a board of directors—The board trusts the CEO to act in the best interests of the company.
  • Shareholders and a board of directors—Shareholders trust the board to act in the best interests of the shareholders.

A great deal of trust is granted in a fiduciary relationship. Because of this, the fiduciary is expected to take extra steps to uphold this trust. Two steps that can be taken are due diligence and due care:

  • Due diligence—The fiduciary takes a reasonable amount of time and effort to identify risks and investigates them so that they are understood. Failure to exercise due diligence can be considered negligence.
  • Due care—Once a risk is known, the fiduciary needs to take reasonable steps to protect against it. Failure to take due care to protect assets can also be considered negligence.

Exercising due care and due diligence doesn’t mean that all risks should be eliminated. Residual risk, the amount of risk that remains after controls have been applied, is also referred to as acceptable risk.

A fiduciary is expected to understand and weigh the risks. By exercising due care and due diligence, the fiduciary is less likely to be accused of acting recklessly or being negligent.

Other elements of an organizational policy could include:

  • Mandatory vacations—Employees may be required to take an annual vacation of at least five consecutive days. The purpose of a mandatory vacation is to reduce fraud or embezzlement. If an employee is required to be out of the office, someone else must perform the duties, which increases the likelihood of discovering the illegal activities.
  • Job rotation—Employees may be rotated through different jobs. When an employee is transferred into a new job, past transactions are often reviewed and examined. This oversight can uncover suspicious activity. Job rotation helps prevent or reduce fraudulent activity. It is also done for cross-training to expand the skills of employees.
  • Separation of duties—Separation of duties ensures that no single person controls an entire process. It helps prevent fraud, theft, errors, and conflicts of interest.
  • Acceptable use—An acceptable use policy (AUP) defines acceptable use for IT systems and data. Companies often inform employees of acceptable use when they are hired. Some companies use banners and login screens to remind personnel of the policy.