I have wondered many a time what makes this topic interesting at once but dealt with in hush-hush tones when there is an anonymous whistle blown.
Why do organizations and those in the higher echelons postpone / neglect or trivialize the need to look at this risk a little closer (even before an incident happens)?
True (and rightfully so), all organizations give the utmost importance to improving their top line / bottom line revenues and profits, but one fraudster can create a devastating setback to what was built up over the years – reputation, goodwill, customer faith, vendor relationships and so on.
Behavioural analysis can reveal a lot about why such risks can happen and about the tell-tale signs of perpetrators. According to a study conducted by the Association of Certified Fraud Examiners (ACFE) in 2016 for Southern Asian countries (courtesy: Report to the Nations on Occupational Fraud and Abuse), fraud perpetrators often show red flag behavioural characteristics associated with their crimes – living beyond their means, unusually close association with vendors, financial difficulties, etc.
In recent times there are many interpretations of what ultimately leads to a fraud. Here are examples of some of them.
- Failure of business integrity.
- Lack of ethics.
- Suspicious business transactions.
- Lack of business partner screening and approval.
- Lack of awareness of company business conducted with parties related to the organization’s management and employees.
- Suspicious movement / physical entry of persons whether during or after business hours.
- Excessive authorizations / Breach of passwords / networks / servers / applications caused by either internal staff or external hackers.
- ...and the list can go on.
When broken down into several root causes like the ones cited above, it becomes easier to tackle the overarching subject of “risk of frauds”. You would realize that several arms of the business functions are responsible for proactively tackling these risks.
A closer analysis of the root causes for these risks related to frauds will point to the underlying factors:
- Insufficient or lack of business controls (aka internal controls).
- Lack of awareness of ethical standards and integrity in business dealings (lack of Governance principles).
Risks, Controls and Governance are intertwined and cannot be dealt with as isolated topics. In my opinion, there cannot be a debate on which one is more important than the other. One needs to have a holistic view of all three aspects – even if you are not able to tackle all of them at the same time due to either resource or cost constraints in the organization, at least be aware of the inter-relationships.
Even large multinationals keep these topics at arm’s length between internal audit, Board and Audit committee and operational departments, which I think confuses the whole issue at hand. This is probably one of the reasons why topics like risk management programs, SOX compliance and technology implementations appear so daunting.
Clearly one has to structure these at a high level and follow a vision statement for effectively bringing in good governance, business controls and risk management programs in a phased manner, but never losing sight of the benefits of an integrated view.