Traditionally, the practice of risk management comprises acceptance, transference, elimination, control, sharing, insurance – and the avoidance of a diverse array of risks. Risk management and internal control business models have subsequently been devised which cater for all eventualities, categorised by terms such as business, operational and reputational risk. How, though, does fraud perform as a risk, and where exactly does it fit into the risk management hierarchy? Fraud is very much the corporate ‘F’ word. It doesn’t appear in any management best-sellers, in MBA courses or as part of [security] management training and consultancy.
Business is awash with ‘best practice’ techniques on generating and maximising profit, but woefully lacking in knowledge of how to minimise and manage losses. And, as has become all-too-evident in recent years, a single fraud can wipe out years of profit, drive away investors, ruin a brand or even bankrupt the largest organisation.
Managing the risk of fraud
The practice of fraud risk management includes fraud prevention, deterrence, disruption reporting, detection, examination, investigation, enforcement and recovery. These are all well-defined and well-honed disciplines in their own right, each with laudable objectives.
However, they’re seldom embedded in an organisation’s culture, or given significant management support to succeed. Rarely are they used in tandem, and all-too-often the investigation of fraud manifests itself as a knee-jerk reaction to a problem that’s badly out of hand. Sometimes merely for the want of basic controls.
Until recently, there existed few guidelines to underpin the implementation of fraud risk management in blue chip companies. Thankfully, this position has now changed, insofar as corporate governance initiatives have provided a framework for financial controls in a financial reporting environment.
That said, the framework for these models assumes that fraud is a business risk to be managed in the same way as any other business or financial risk.
If an organisation accepts that it could be exposed to fraud – and, let’s face it, absolutely no organisation is immune to it – then that firm (and in particular its security and IT specialists) needs to specifically address the subject of fraud prevention and control. Given the diversity and globalisation of fraud, putting in place comprehensive fraud countermeasures will take a given organisation a long way down the road towards accomplishing its usually long list of so-called ‘corporate governance objectives’.
Putting your plan in place
Any fraud prevention and control model should aim to achieve one (or all) of the five primary objectives. These objectives are as follows:
At the outset, consider fraud risk as an integral part of an overall corporate risk and security management strategy. Fraud is every bit as much of a threat to any organisation as changes in legislation, competitor action or indeed inflation. Its overall effect, then, needs to be fully understood and managed accordingly.
Attempt to develop an integrated strategy for fraud prevention and control. Every organisation should possess this capability in order to draw all of the elements of the strategy together in forming an holistic and complementary raft of fraud countermeasures. Those organisations with a strategy are far less likely to suffer catastrophic losses from fraud than those without.
Security teams and senior management must also develop an ‘ownership structure’ which cascades downwards through the organisation. Fraud prevention is everyone’s responsibility, of course, but management acceptance and ownership is essential if the strategy is to work. Specific ownership responsibilities may also be placed on individual managers, or on the internal audit department.
Introducing a fraud policy statement is crucial. The statement should emphasise an organisation’s attitude to fraud in its many guises, its determination to combat and prevent fraud and a commitment to punish those found guilty of wrongdoings. It should be simple, focused and easily understood by all members of staff. This is really the foundation stone of any organisation’s fraud prevention strategy. An ethics policy is equally important. Directly supporting the fraud policy statement, this should be a code of business conduct emphasising the norms and values expected in daily activity.
It may spell out an organisation’s approach to the payment of bribes, ‘commissions’ or ‘management fees’ (often relating to overseas business ventures), and ensures that all staff are aware of what’s expected of them. All of this effort could come to no avail if no-one knows about the policies. Staff cannot be made accountable for fraud prevention unless they are made fully aware of its importance, and the benefits arising from it.
Consideration should also be given to issuing personal copies to all members of staff, and to those with whom your organisation does business. This ensures that customers and suppliers know exactly where the company stands on fraud and ethical issues.
Establishing the control environment
Establishing a sound control environment requires a positive approach from all concerned. It’s very easy to become sloppy and take short cuts. Security management philosophy and operating style are important factors, as are the appropriate organisational structures and adequate staffing levels. In fact, senior management must lead by example, and provide the right direction.
Meantime, setting up operational control procedures requires the documentation and execution of policies developed by managers to counter all identifiable risks. Examples of this would include authorisation controls, segregation of specific duties, physical security measures and control over business transactions.
Education and training is all-important. All members of staff should be made aware of the general risk of fraud, whether the threat be internal or external. Specific threats facing staff in the workplace must be pinpointed, in particular those affecting their own job function (eg personnel, procurement or sales). Thereafter, staff must be trained to identify and respond to threats as and when they arise.
As far as introducing a so-called ‘whistleblowing’ policy is concerned, this must clearly indicate that senior management and the security team positively encourage people to come forward and report any instances of fraud and/or malpractice. It should emphasise that protective legislation is now in place, and allow for ‘anonymous’ reporting if a member of staff so desires.
A telephone reporting ‘hotline’ is an obvious add-on to this last measure, a direct line to that member of the security team dedicated to, or directly responsible for, fraud prevention. Such a service could actually be ‘bought-in’, increasing anonymity levels for staff members still further.
It may sound obvious, but policies and procedures can become obsolete very quickly. It’s well worth noting that, in many cases, it’s actually the control system that’s the first to go in the event of operational changes. Thus, fraud control procedures should always be revised after organisational restructuring, downsizing of the business or changes in the way that a company conducts its business. The same would also be true if a new computer set-up has been installed, or indeed there has actually been an incidence of fraud.
At the end of the day it may not be appropriate to use all of these approaches in your organisation’s continual fight against fraud, but even the deployment of one of them may go a long way towards mitigating the very real threat it poses.
