Updated: Jul 31
Taking a first step in providing anti-fraud training and raising awareness or undertaking an organisation fraud risk review are positive steps forward in mitigating fraud risk. However, if there is no complementary long-term plan to develop an anti-fraud culture that includes buy in from and consistent leadership of the CEO and senior management of an organisation, then any attempt at culture change is likely doomed to fail.
Defining organisational goals, mission, vision and values, publishing policies and procedures that align with each other is one thing and using such phrases as ‘walking the walk’, ‘talking the talk’, ‘practicing what we preach’ and ‘leading by example’ is another, but if we don't have real and demonstrative leadership and ownership in terms of an anti-fraud culture then how can we expect compliance and support from the rest of the organisation when we seek to create and disseminate such cultural change?
There are a number of key areas that are incongruent with building an anti-fraud culture that would need to be addressed before an organisation was able to introduce a successful fraud risk mitigation framework.
Is anti-fraud communicated from the top, is it a priority for the CEO and board and are their actions documented and visible to the organisation?
Is there an anti-fraud owner, definitive action taken where fraud is identified? Is the culture consistently part of the discussion and issues raised acted upon or is it just empty words? We have seen too many organisations globally that have an anti-fraud message and policy but have still been prosecuted for their actions or inaction to prevent it or have punished whistleblowers for their disclosures.
Are values and behaviours published and practiced, are we clear on values or are there acknowledged and accepted grey areas such as conflicts of interest, gifts and hospitality and the lack of declaration, reporting or response where non-compliance is known? Do the published values and behaviours form part of our performance review?
How can we inspire staff to protect the organisation’s revenues when typically, their views aren't sought on culture, risk identification and mitigation both at the crucial stage of setting out organisational policy and during day to day operations of the organisation?
How do we ensure that we communicate to the whole organisation and if we don't seek their views and professional expertise how can we reasonably expect culture to change?
How do we introduce regular and honest communication that is rapidly, demonstrably and effectively responded to?
How can staff report fraud when there is no, or limited, awareness or fraud training? What do current fraud typologies look like and what controls are available to reduce the risk?
Why would staff report fraud if they aren't protected from reprisals because of a lack of confidential and objective internal reporting routes and/or a whistleblowing protection framework?
Is there accountability and are staff that breach organisation codes of conduct or anti-fraud policies dealt with correctly? Many organisations may, for example, seek merely to remove the identified fraudster without establishing the flaws in systems or processes which facilitated his or her activities and thus leave the way open for subsequent fraudulent activity.
How do we communicate to staff, partners and suppliers that we take fraud seriously and act?
Do we measure our anti-fraud culture performance, does it translate into an increase in risk identification, reporting and mitigation?
Do we look for continuous improvement, measuring success and impact of the anti-fraud culture and where flaws are identified ensuring that those are rectified immediately? Equally, it is important that any document enshrining the culture does not become dormant but evolves as the situations the organisation finds itself in do.
So, before we introduce a anti-fraud strategy, we should plan to ensure that we have an anti-fraud culture. We must first be clear about the result we want to achieve. If an organisation lists staff integrity and ethics as its values, do we really ‘walk the walk’ and ‘talk the talk’ or simply provide empty rhetoric which, in our experience, demotivates staff who may feel patronised by senior management? Once we know where we are then we can start designing a roadmap.
To understand what our current culture is we must have our staff assist us including in the solicitation and full consideration of their views in what we need to do to make the change. We often hear about the ‘tone at the top’ but we rarely consider the ‘mood in the middle’ or the ‘reality at the bottom’. Only with this engagement do we have a greater chance of success because the staff on the ground know from practical experience how the reality of business operations can undermine many of the principles the organisation stipulates that it abides by.
Thus, for example, the organisation may have a strict policy on refusing all gifts tendered by a supplier in pursuance of a contract, but it might be asking a great deal of a sales executive in a far flung jurisdiction to potentially scupper a deal by ‘offending’ that supplier and refusing to take the gift. This is the type of pinch point which demonstrates the true value of any anti-fraud culture – could the sales executive in reality refuse the gift, scupper the deal and walk back into his organisation and receive a pat on the back from his managers? If the answer is no, then the anti-fraud policy may not be as robust as management perceive it to be.
How do we communicate our culture and anti-fraud stance to our partners and suppliers? Having the correct message may have the impact of reducing external fraud attempts because fraudsters realise that there is a greater chance that they will get caught.
Introducing an anti-fraud culture is only one part of an anti- fraud strategy but is an important component in achieving success in profiling risk and introducing risk mitigation. If we want our staff, partners or suppliers to report fraud and assist us in risk mitigation, to allow our organisation to profile the fraud risks that directly affect the organisation, to introduce an anti-fraud culture we need to define what we are doing right and what needs to be done in order for us to succeed.