The Role of Boards in Fraud Risk Management
All organisations experience fraud in some form or other, and while damage has been mitigated or minimised in many cases, there have been instances which have begged the question of what the Board was doing, for such an incident to have happened. But what exactly does a Board do, when it comes to fraud risk management? Most experts opine that fraud prevention – and therefore fraud risk management – starts with the Board. When it comes to the role of the Board in fraud risk management, what should underpin all efforts are accountability and good corporate governance, clear policy, robust oversight, insightful strategy, and the right tone at the top.
All this is in addition to the regulations, procedures and processes that are required by law and are binding on Board members. Their task is onerous but they are responsible, at the end of the day, to shareholders and stakeholders for every aspect of the organisation’s continued existence, growth and sustainability. Of course, even with all the right elements in place, fraud may not be successfully prevented, but this does indicate the extent of the Board’s responsibilities when dealing with fraud, and the possible extent of the damage which can occur if the risk is not identified and managed.
While all parties in an organisation must collaborate to deter any untoward or questionable financial, ethical or moral practices, the Board’s role is a special one when it comes to fighting fraud. So much of fraud prevention hinges on the kind of culture prevalent in an organisation, but it cannot be denied that instituting the right tone at the top from the very start is pivotal. Staff at all levels will think twice about committing fraud if they know that such practices will not be tolerated, and that the Board is serious about ethics and “doing the right thing”. Board members must be aware of the extent of their accountability, and that they have to be the examples for others to follow.
But first, there needs to be a clear policy that states the stand of the organisation on the matter of fraud. It is the duty of the Board to put one in place and ensure that it is followed although, in this, management support and organisational cooperation will be necessary. For an appropriate policy to be developed and implemented, the Board will need to be thoroughly conversant with the business of the organisation and the issues facing it, as well as the prevailing organisational culture. In other words, the Board needs to know what it’s up against, and the current – and future – risks faced by the business.
Only when it understands this will it be able to give appropriate direction on how fraud is to be handled and, more importantly, be able to provide the appropriate oversight of the checks and balances that need to be set in place to mitigate the risk of fraud. Policy and strategy – which are the purview of the Board – as well as preventive and mitigative measures also need to take into account the kind of culture that staff have to contend with, within the organisation and externally; there should be channels of communication which keep them abreast of industrial and market developments with respect to fraud. They also have to be aware of the social environment – the pressures, opportunities and rationalisation – that influence behaviour and lead to the commission of fraud.
Fraud is deception perpetrated with the intention of obtaining personal or financial gain, and can result in significant damage to a company’s finances, assets and ultimately, its reputation. This in turn could destabilise the organisation, leading to the disruption of its operations and uncertainty among staff. Fraud risk management relies to a great extent on knowing where to look and what to expect, i.e. being aware of signs and symptoms that point to the perpetration of fraud. It is therefore necessary for Board members to have the skill and experience to identify areas which may be more at risk, and set checks and balances that provide the requisite oversight.
Members in the relevant Board Oversight Committees have to work closely with the second line of defence to monitor results of strategic planning and policy implementation. In this, members have to be particularly careful, and be able to ask the right questions; a certain level of discernment and scepticism is necessary. The Board should change policies to improve risk management and internal controls where necessary, especially if it means improving staff skills to increase awareness of fraud, or instituting controls which make fraud reporting more expedient. Increasing staff awareness of the possibility of fraud in the organisation is a two-pronged approach: it shows that the Board and management recognise that such things can happen, and encourages staff to “say something when they see something”, which supports fraud risk management.
This is an integral part of setting the tone at the top but it will work only if the people at the top demonstrate their own integrity and non-tolerance of corrupt practices. Playing an effective part in managing fraud risk also involves applying an independent outlook when making assessments and decisions, and ensuring that such decisions are taken with the organisation’s best interests in mind. Where third parties are involved, transactions should always be arm’s-length, transparent and able to withstand scrutiny. Board members have to be constantly on their guard in the battle against fraud; they cannot afford to be complacent, or take things for granted in the course of their duties.
Fraud risk management is an ongoing activity because fraud can happen at any point or time during the organisation’s operations. A deeper understanding of how things work in the organisation is therefore necessary, together with the extent of the impact of the disruption caused by the perpetration of fraud. Members of the Board are expected to achieve many things in the course of their tenure but they could best manage the risk of fraud perhaps by committing themselves to the highest standards of ethical behaviour, leading by example, and holding themselves accountable for the health, wellbeing and improvement of the organisations for which they are responsible.