Why your company needs a fraud risk policy

open plan officeToo many businesses are failing to properly plan for fraud. The Fraud Advisory Panel explains why your company needs an anti-fraud policy.

Fraud is now officially the most common crime in the UK, and is believed to affect a significant number of businesses each year. This means that for many organisations, it is now a case of ‘when will we become a victim’, rather than ‘if’.

Yet many businesses, especially smaller ones, still think that fraud won’t happen to them, and fail to take adequate steps to protect their money and assets.

Why is it important to think about fraud?

Fraud can damage the financial health of any business, as well as its image and reputation. While small, isolated frauds may only cause mild inconvenience and minimal business disruption in many cases, at the other end of the spectrum, larger or more systemic frauds can lead to widespread job losses, or even corporate collapse, as seen in recent high-profile cases.

This is why managing the risk of fraud makes good business sense. Planning for fraud and taking steps to reduce its likelihood and impact on the business can be a much more cost-effective approach than dealing with the consequences of inaction later. In fact, it has been estimated that the actual cost of some frauds can be 14 per cent more than the initial amount lost, once factors such as regulatory action, staff disciplinary and recruitment processes and investigations are taken into account.

What is an anti-fraud policy?

Good fraud risk management begins with good governance and the right culture. Therefore, the purpose of an anti-fraud policy (sometimes called a counter fraud policy) is to set out the business’s stance on fraud and the responsibilities for its prevention and detection.

The policy should be simple, concise and widely communicated. It usually begins with a short statement about the organisation’s commitment to prevent, detect and investigate fraud and to take action against fraudsters. It will then move on to explain:

  • who the policy applies to, and the behaviour expected of staff
  • what fraud is, and what it might look like in the context of the business (sometimes providing practical examples)
  • the responsibilities of senior management and staff for preventing, detecting and reporting fraud (including who has overall responsibility for the policy)
  • how, and who, to report suspicions to

It may also set out an organisation’s whistleblowing policy and/or fraud response plan, if these are not documented separately elsewhere, or refer to them where they do exist. Other relevant policies, such as those on gifts and hospitality, may also be mentioned.

Understanding the risks

Important initial considerations for a business when creating its fraud risk management framework are:

  • what are the threats?
  • where are the threats coming from?
  • what form will the threats take?

Of course, fraud risks vary between businesses, so understanding the risk profile of your organisation is important. The key stages are: to identify, assess, manage and review.

Many frauds are quite simple and succeed because people have either been too trusting, and have not questioned what they have been asked to do, or have (un)intentionally circumvented lax or non-existent internal controls.

So, think about the money, information and other assets that you hold, how you keep them safe, and what would happen if you lost them. View these from a fraudster’s perspective: is there any way that your controls could be easily circumvented? Test them to see whether they are working properly and watch various jobs in action to see what really happens in practice, and then act on the results.

Periodically review the policies, procedures and systems that have been put in place to manage the risk of fraud to ensure they remain current, relevant and appropriate to the business needs. 

Be fraud aware

Keeping well-informed about common scams, and making your staff aware of them too, can be a good risk reduction exercise. One scam that is currently catching many businesses out is CEO fraud, where a fraudster impersonates the chief executive to request an urgent bank transfer. Action Fraud, the UK’s national fraud and cybercrime reporting centre, regularly issues warnings on its website, and offers practical, preventative advice.

What to do if fraud is discovered

It’s important to have a clear idea about what to do if fraud does happen. Acting quickly on discovery of fraud can reduce further losses and increase the chances of recovering assets. For smaller businesses without in-house expertise, this may mean engaging external professional support at the earliest opportunity. Having these details ready and to hand – including company names and contact numbers – will be very useful.

About the author

The Fraud Advisory Panel is the UK’s leading anti-fraud charity. It publishes free helpsheets on a range of topics designed to help businesses protect themselves from fraud, including how to create an anti-fraud policy.