What is fraud risk management and how to deal with it?
Fraud has many definitions but is generally regarded as anything illegal that benefits the perpetrator. Because of the various permutations of fraud, it is often also difficult to prove; the main challenge being to actually prove that fraud has taken place. This can be complicated if there is no obvious monetary gain, for instance – although “everybody” will tell you that “they know something is going on!” Changes in the environment also influences the kind of fraud that transpires. Fraud is an operational risk, and fraud risk management is one of the components of the Operational Risk Management and Enterprise Risk Management frameworks.
Risk professionals therefore have to take the lead in designing the policies that underpin fraud risk management processes and their administration. Defining fraud is critical when crafting a policy that manages it, especially when there is no hard and fast rule about what actually constitutes fraud. However, despite the many permutations and definitions, all commissions of fraud have one thing in common: the element of dishonesty or deceit. The negative effect of fraud may not be immediately obvious; its repercussions may take some time to surface but may be detrimental to the firm – such as the loss of reputation resulting from deceitful behaviour of an organisation’s staff – in the long run.
Fraud and corruption are closely linked; both have a negative impact on the people who depend on the integrity of those in positions of authority, who abuse that authority for private gain. Research has shown that fraud is mostly perpetrated by senior management and people in high positions but anti-fraud and anti-corruption measures tend to be directed mainly at the majority of non-management employees. Additionally, management is often reluctant to report fraud because it reflects badly on them. But not taking a hard line with fraud further encourages dishonesty; stakeholders will become aware, sooner or later, of cover-ups, and the integrity of the entire organisation will then suffer.
Any strategy to combat fraud should combine preventive, detective and responsive measures for optimum effect. Fraudsters are usually a few steps ahead of those on their trail, so it may be more effective to apply preventive action rather than detection and responsive action after the fact. Risk professionals will have to utilise a combination of tools like audits and analytical review to ensure processes are in place to combat fraud in their respective organisations. Data should be combed for anomalies or outliers, which may indicate something unusual happening in the system. But every organisation should have a holistic strategy for managing fraud.
Such a strategy should include sound internal control systems supported by fraud risk training and awareness; channels through which staff can report anomalies or whistleblow; and regular fraud risk assessments. Organisations should also work on developing a sound ethical culture, in parallel with their fraud risk education and awareness training programmes. All these anti-fraud measures have to be reinforced by the tone at the top. The tone at the top is essentially the guiding light for a fraud-aware organisational culture. The standards set by the Board and senior management for themselves should be higher than what is set for the rest of the firm.
Board and management must be perceived to be committed to ethical practices before the rest of the organisation can be expected to follow suit. One of the best ways to deal with fraud is to discuss it openly. This not only sets the tone from the top but leaves no room for doubt over how it will be dealt with in the organisation. And there needs to be follow-through action if there are infringements of rules. This will demonstrate that the organisation is serious about compliance and will enforce adherence as well. A major challenge with this approach is its appropriateness from the cultural perspective.
Fraud risk management practices can be further complicated for trans-national companies as cultural norms may differ between countries where they may be present. What may be perceived as unacceptable in one culture, may be perfectly acceptable in another. In these instances, it may be helpful to localise policies and fraud risk management practices by establishing tailored codes of conduct, risk appetites and tolerances. This will not stop fraud from happening but it will spur more robust vigilance on the part of the firm. It will still need to work on two aspects, however: the “hard” aspect such as putting in the necessary systems, and the “soft” aspect of training and awareness of fraud, its identification. In the long run, this will cultivate the right organisational culture where fraud is concerned.
Discussion about why fraud happens in the first place, should be part of the organisation’s fraud awareness education. Many employees commit fraud because they feel they have been treated unjustly, or the amount they steal will not damage the company. Conversations about fraud have two effects. Firstly, they demonstrate that the organisation is aware of how, where and when fraud can be committed, which is a deterrent. Secondly, such conversations emphasise the consequences of committing fraud – another deterrent. Transparency, good corporate governance and the right tone from the top are all as important as anti-fraud measures.
Better transparency leads to higher levels of integrity; integrity is imperative to the development of a culture of ethical behaviour. One of the best ways to deter fraud is to have one rule that applies to everyone at all levels. Employees have to understand that fraud – and corruption – will not be tolerated. Fraud, under any circumstances, is wrong. Organisations should also have whistleblowing processes and procedures in place, and staff should be apprised of them. Setting the right tone, encouraging ethical behaviour and developing an anti-fraud culture leads to more robust corporate governance and, ultimately, to a more productive and valuable organisation.