Ray Flynn, Independent Corruption Risk Consultant and Non-executive Director, Institute of Risk Management
Fraud can represent a significant risk for many organisations, yet very few adopt a risk-based approach to its management.
Fraud is a special category of corruption – a bedfellow of bribery, nepotism and anti-trust behaviour, each with its peculiarities, each requiring a different approach to prevent. A recent report estimated that the UK loses more than £190 billion per year to fraud, with the average amount stolen being £3.66 million. As well as this financial loss, an organisation’s reputation can be seriously damaged by fraud, which can adversely affect business in general. Staff morale can also take a hit.
All organisations face the risk of fraud, and you would expect to see adequate measures in place aimed at mitigating this risk, yet businesses are continually hitting the headlines having been defrauded. Something isn’t working.
Both the Ministry of Justice guidance to the UK Bribery Act and the US government’s Foreign Corrupt Practices Act Resource Guide emphasise the importance of carrying out specific corruption risk assessments, urging the adoption of a risk-based approach that “recognises that the threat to organisations varies across jurisdictions, business sectors, business partners and transactions”. It advises companies that “an initial assessment of risk […] is therefore a necessary first step” in any compliance programme. The FCPA Resource Guide also highlights the importance of carrying out a bribery risk assessment: “Assessment of risk is fundamental to developing a strong compliance program”.
However, it appears that a lot of organisations skip this vital step in the process. Establishing detailed anti-fraud policies and procedures and conducting fraud training of staff can be great tools in the fight against fraud, but in the absence of a specific fraud risk assessment these can prove to be inadequate.
It is only through identifying and assessing where fraud risk exists that effective mitigation measures can be adopted.
The Institute of Risk Management has produced two guidelines for managing corruption risk, one on competition law risk and the other dealing with bribery risk, and each sets out a detailed approach to managing corruption risk that can be applied to fraud. In conducting such a risk assessment the usual prerequisites apply: it should have board-level commitment, involve the right people, be comprehensive and realistic, be properly documented, and be done regularly. An overall fraud risk assessment should be carried out for the organisation as a whole, and it is then likely that more detailed assessments will need to be carried out at a business, functional or country level – for example, for any division of the enterprise that represents a distinct set of risks and risk factors.
As with any type of risk assessment, information can be gathered from interviews, workshops, questionnaires and so on. But there may also be a wealth of information available from internal audits and reports and external sources, such as on country risk, local laws and previous investigations in the public domain. What is important is that the assessment is practical, appropriate for the organisation and clearly documented. The best advice to take on board is to think like a fraudster! Get everyone involved to imagine they are desperately short of money and ask them how they would go about obtaining it fraudulently from their employers, either using inside knowledge or by attacking weaknesses in the system from outside.
At the end of the day, it may well be that measures already in place in the organisation are sufficient to mitigate the risks identified. At the very least, having done the risk assessment, existing measures can be mapped to risks identified, with gaps highlighted and addressed. The alternative could well be a scattergun approach, which is wasteful of resources and may miss the mark.
Ray Flynn CMIRM is Independent Corruption Risk Consultant and Non-executive Director of the Institute of Risk Management