Recently, the United Kingdom (UK) government announced that it will be introducing a new bill to make “failure to prevent fraud” a criminal offense. The new provisions of the Economic Crime and Corporate Transparency Bill are going through parliament and are expected to be similar to the “failure to prevent” offenses for bribery and tax evasion.[1]
This is an important milestone in the UK’s continued fight against fraud and in making firms more accountable for the crimes committed within their organizations. The UK is not alone: more governments across Europe are discussing similar legislation. But is it enough to discourage fraud?
Each year, EY Forensic & Integrity Services publishes its Global Integrity Report, and the findings continue to show that despite numerous high-profile cases, corporate collapses—and the significant increase in regulatory and legal enforcement actions—the level of fraud in organizations seems to have remained consistent over the last 10 years.[2]
There are many complex reasons behind this, but the key factors include:
- Increased opportunity due to organizations refocusing away from anti-fraud controls and on to other risks, such as corruption.
- Increased use of rapidly developing technologies to perpetrate fraud.
- Increased incentives and pressures for individuals—including corporate executives—to commit fraud as a result of market volatility and the rising cost of living.
It’s fair to say that introducing new regulations will not necessarily be enough to encourage people to do the right thing. However, it will give firms an incentive to make sure that they are creating an ethical culture within their businesses and refocus on fraud controls, ensuring they have the right operations in place to make sure the opportunity to commit fraud is as low as possible.
Setting the tone from the top . . .
To build a strong corporate culture successfully, it is crucial that both boards and executive management define the culture they want to develop and then take action to engage and empower employees by clarifying both desired and undesirable behaviors within the organization.
Unless there is a clear tone from the top about what is required from employees, and unless senior management actively tries to influence and shape their desired culture, there is a serious risk that the process defaults to one of box-checking, which can easily lead to a static culture of “but this is the way we do business.”
Corporate cultures are embedded the right way when conversations within the organization shift from “Is this allowed?” to “Is this right?” One of the biggest challenges is how the company exemplifies what is right so that all stakeholders understand that the organization’s culture of integrity is more than just “integrity washing” to make the organization look good.
. . . and from the middle
A detailed approach is the key to setting up an appropriate corporate culture that encompasses fraud risk management. In this respect, the tone from the middle (i.e., set by the immediate line of supervisors) is equally vital.
It’s a huge team effort. An effective fraud risk management program needs support not only from finance departments but from other key stakeholders in the business, such as internal audit, compliance, and risk management, and, of course, buy-in from employees at all levels of the organization.
The importance of the hiring and onboarding process
While an organization’s ethical code is integral to developing a strong corporate culture, it is crucial to apply this approach during job interviews to spot potential bad actors before they join. Situational interview questions and taking extra care with references from previous employers can play a valuable role here.
For those hired, one of the fundamental elements of the induction process should be a solid and repeated emphasis on the values the organization holds dear.
Finally, to make sure these values are retained, the code of ethics must be constantly socialized and discussed within the company—rather than being a document safely filed somewhere and drawn out only when needed.
How to measure progress
Once the desired corporate culture has been established, it is essential to keep it both relevant and alive, and one way to do this is to track any deviations from the agreed culture.
Surveys are generally a good starting point, but for them to be effective, results need to be delivered through storytelling. That way, dry facts are converted into a more interesting and relatable format that consequently becomes more memorable to the recipients.
Companies can also use behavioral sciences to help measure how their culture is developing and performing by drawing parallels between current and historic behaviors. For example, a company’s procurement managers might respond to a survey stating they had successfully implemented strong controls around third-party onboarding, while behavioral data analytics might reveal varying results in the time it took for each procurement manager to approve and clear any red flags. Based on this information, management can provide a more targeted intervention to improve the corporate culture in those departments.
Developing an effective fraud risk framework
To start, fraud risks should be translated into something tangible by defining areas most at risk of fraud and any specific pain points for the organization. As modern businesses operate increasingly in a global, virtual market, this may seem complex, particularly as organizations can be more vulnerable to both internal and external threats (even if they are physically quite remote). However, an effective starting point is to perform a fraud risk assessment across the business.
Generally speaking, fraudsters evolve faster than organizations may anticipate, and many organizations will not be able to protect against every risk. To that end, it is imperative to identify what is regarded as an acceptable level of fraud risk tolerance and identify the fraud risks that would have the most serious impact on the organization. Impact should not be defined just by value or materiality; it should also consider reputation and legal risk.
Some professionals recommend using a risk framework that allows companies to assess and group together different risk layers. This approach provides a baseline to promote dialogue between different business functions. More practical discussions can be based around managers adopting “do as I do” examples or different levels of executive leadership, creating memorable stories based on tangible and not theoretical cases. Our experience has shown that examples drawn from an organization’s own issues or current news topics can be beneficial as a learning tool.
Another critical step is to determine who owns the fraud risk. We see this as one of the most challenging aspects for an organization. In practice, it is something that everyone must own, with responsibilities spread and communicated across functions. However, it is fundamental for an organization to task one individual with responsibility for pulling together the overall fraud prevention and detection framework. In practical terms, ownership protocols should be developed by starting with the finance division, bringing in other associated functions (such as procurement, supply chain, risk management, and human resources), and then defining potential risk crossovers between them. Each function must contribute to understanding the risks and blind spots and then determine the means to detect and prevent potential fraud.
When talking about possible solutions for fraud detection, an effective whistleblowing system can be the most efficient tool. Research by the Association of Certified Fraud Examiners reveals that 43% of all frauds are initially detected by a tip-off, out of which 50% of the whistleblowers are the companies’ own employees.[3]
While this is one of the most tangible fraud risk management tools, only by establishing, promoting, and protecting a speak-up culture will employees feel confident that they are protected if they use the system.
Invest now to pay less in the long term
While the processes involved in establishing and promoting corporate culture and in building up an effective fraud risk management environment can be heavy in use of time, resources, and costs, there are considerable benefits to having a strong ethical culture in place to drive fraud risk management.
Recent examples of enforcement actions and corporate failures that result from significant frauds reveal that, as always, the cost of fraud prevention is far less than the cost of experiencing fraud.
As we look at the year ahead, companies should use this as an opportunity to take a fresh look at the measures they have in place to prevent fraud and the steps they should take to create a strong culture of doing the right thing.
The views reflected in this article are the views of the author and do not necessarily reflect those of the global EY organization or its member firms.
Takeaways
- The United Kingdom (UK) government recently announced that it is introducing a new bill to make “failure to prevent fraud” a criminal offense. This is an important milestone in the UK’s continued fight against fraud.
- Despite increased regulation and legal enforcement actions, the EY Global Integrity Report found that the level of fraud in organizations has remained constant over the last 10 years.
- To prevent fraud, boards and executive management need to look beyond regulation and focus their efforts on building a strong culture of integrity across all levels of their organization.
- Once a desired culture has been established, firms can keep it relevant and alive by measuring their progress and tracking any deviations from the agreed culture.
- While building a strong culture of integrity requires time and resources, there are considerable short- and long-term benefits in doing so.