Fraud is never going to happen to us – are you sure?
What is fraud? It has often been defined as anything illegal that benefits the perpetrator. If you add a little extra to your mileage claims, that’s fraud. If you help yourself to office stationery because you’re running low at home, that’s fraud. If you take credit for a design that wasn’t yours, that’s fraud as well. And if you knowingly misrepresent facts and figures when reporting or documenting matters to make them look better than they really are, that’s definitely fraud. These examples are common and may slip under the radar without too much consequence but they can often be harbingers of bigger and worse cases to come.
At its core, fraud is dishonesty but it is often difficult to pin down because of organisational or regional culture, cultural or community attitudes, or entrenched bad behaviour. But in the long run, fraud can be extremely detrimental to organisations, damaging their reputation, and destroying shareholder and stakeholder confidence in their policies, processes and procedures. Ultimately, this could lead to a decline in the competitiveness and sustainability of the company, and negatively affect its value. The bad news about fraud is that it is practically impossible to totally eradicate it in the organisation; the good news is that if appropriate measures are put in place, its occurrence and damage may be limited.
Because environments differ between companies, policies, processes and procedures vary as well. But it is imperative that a clear policy that defines fraud according to the usual practices of the company, be set in place, and be made known to its stakeholders, including shareholders, staff, suppliers and other collaborators. Those who deal with the organisation on a regular basis, especially, should be made aware of what constitutes fraud, and there should be channels in place through which they can raise their concerns. Besides the rules, regulations, processes and procedures that will apply should there be fraud, the consequences of fraud should also be made apparent.
This should be a part of the organisation’s training and awareness programmes that are ongoing for staff, and induction programmes for new hires. The scope of the programme should extend to the reasons for committing fraud as well, such as employee dissatisfaction which could cause them to rationalise criminal behaviour, and information such as where, when and how to whistleblow if they are aware of actual or potential wrongdoing. Education, training and awareness-raising of this nature sends the message that management knows how, where, when and why fraud can happen, and has put in measures to mitigate it. Being open about managing the risk of fraud in this way can act as a deterrent.
Another, more potent, deterrent is publishing and communicating the consequences and punishment for fraud. There should be no ambiguity about what happens to those caught defrauding the company, and there should be one rule for everyone, with no exceptions. That means the policy and punishment for fraud will apply equally to everyone in the organisation, from Board members to the janitor. The attitude of the organisation towards fraud is shaped to a great extent by the tone from the top. The Board and senior management have to set the right tone; the employees look to them as role models and will base their behaviour on what they perceive.
Fraud is an operational risk, and fraud risk management is one of the components of Enterprise Risk Management. However, not many people understand how fraud risk management works. Risk professionals therefore need to be involved in the conceptualisation and design of fraud risk management policy, to effectively manage fraud risk. The policy should encompass a strategy which covers preventive, detective and responsive measures, with an emphasis on prevention because in the long run, the cost of prevention will be lower than that of detection and response. Risk professionals must recognise the macro fraud risk picture, and guide their organisations accordingly.