Reducing the risk

Ibi Eso discusses why boards need to ensure that they have adequate protection against the increasing UK fraud scene.


The arrest of Patisserie Valerie’s finance director on suspicion of ‘accounting irregularities’ following the café chain’s shock discovery of a £40 million black hole in its finances suggests there may be a new name to add to the list of high profile financial frauds. The once-thriving business is now under investigation by the Serious Fraud Office and the jobs of its 2,800 employees are at stake, but for every instance of fraud we hear about, there are countless others that don’t hit the headlines.

With levels of fraud and cybercrime rising to record levels, businesses worldwide face an unrelenting battle against fraudsters, scammers, cyberattacks and, regrettably on occasion, even their own employees. KPMG’s Fraud Barometer, which tracks cases of alleged fraud that result in losses of £100,000 or more reaching UK courts, recorded 252 cases in just the first half of 2018 – a figure that is 25% higher than for any other six-month period in the report’s history and just seven fewer cases than recorded for the whole of 2017.

Improving systems

Fraud means different things to different people, but it is essentially the act of deceiving someone or misrepresenting information for personal or financial gain. There tend to be three main types of fraud that affect organisations: asset misappropriation, fraudulent statements and corruption. This can occur in organisations of all types and sizes, across all sectors, with serious consequences including loss of cash, assets and reputation that put the company’s viability, along with jobs, at risk.

While fraud can be committed by sources outside the organisation – suppliers, contractors and even customers – a distressing proportion is insider fraud. This most commonly takes the form of embezzlement – stealing goods or supplies, skimming cash, writing fake cheques to themselves or relatives and then frequently committing accounting fraud to cover it up.

The findings of an AICPA Forensic and Valuation Services (FVS) Trend Survey reveal that fraudsters commonly work in operations (29%), the finance department (18%) or sales (18%). This is reflected in the CGMA finding that senior management and executives commit a significant number of frauds – and invariably cause greater losses than more junior employees.

Indeed, early signs suggest this may be the case at Patisserie Valerie. It has emerged that overdrafts of £10 million were run up on two secret facilities with Barclays and HSBC with the company’s executive chairman Luke Johnson admitting: ‘We have to dramatically improve systems and controls.’

What can the board do?

One of the most important responsibilities of the board is to establish the ‘tone at the top’ through its directors’ attitudes, actions and communications. This stance defines the organisation’s culture and influences the behaviour of employees, customers, lenders and other stakeholders.


While no single measure can be 100% effective against a determined fraudster, a well-managed company will put in place a variety of systems and procedures designed to make it difficult for a fraud to be committed or, at the very least, committed without early detection. And it is the responsibility of the organisation’s directors to put in place reasonable and proportionate controls. Failure to do so could expose the business, and directors personally, to costs and liability.

Directors should ensure the business has implemented not only appropriate anti-fraud systems and procedures but also arrangements for dealing with the discovery of fraud. This will include identifying those individuals internally and externally who will need to be involved immediately a fraud is alleged or identified. While having a plan of action in place is important for all organisations, it is absolutely crucial for companies in a regulated industry.

The good news is organisations don’t need to reinvent the wheel. Best practice guidelines and legislation such as the Fraud Act 2006, Theft Act 1968 and Bribery Act 2010 mean there are prescribed measures directors should take to mitigate the risk of insider fraud. These can include:

  • Considering fraud risk as an integral part of overall corporate risk management strategy
  • Drawing up an integrated strategy for fraud prevention and detection
  • Developing policy and procedure manuals that define ethical behaviour, acceptable and unacceptable behaviour and the relevant sanctions. As a minimum, policies should include anti-fraud, bribery, expenses and whistle-blowing. These standards should be actively promoted throughout the organisation
  • Maintaining a system of internal controls that spell out standard operating practices, which should include segregation of duties and appropriate review
  • Implementing effective hiring practices: clearly outline expectations of the role, perform verification of qualifications and background checks
  • Introducing a confidential reporting hotline
  • Addressing concerns or allegations promptly: follow up complaints of wrongdoing, or poor employee performance promptly
  • Identifying key fraud risks: pinpoint the areas where fraud could occur, establish appropriate authorisation limits and reporting
  • Producing a conflict of interest policy defining when a conflict is considered to exist and how it will be resolved.

Of course, it is not enough to simply set policies and hope for the best: the board is also responsible for monitoring activities to ensure they are consistent with the organisation’s policy, strategic plans and budget. If any aspect appears to be out of line with expectations, the board is responsible for following up and asking questions until they are satisfied with the answers.

External factors

So far, I’ve focused mainly on the internal threat but that is not to underestimate the considerable risk posed by external scammers and cyber attackers. The race by companies towards digital transformation to maintain their competitive edge opens up great opportunities but can also make businesses more vulnerable to cyberattack.


A new report by PwC shows the top fraud in the UK in 2018 was cybercrime, suffered by 49% of those respondents who had experienced fraud in the past two years. As a developed economy, the UK is a particularly attractive target with the number of phishing attacks 20% higher than the worldwide average.

Consequently, cybercrime is high on the agenda for UK boards. One sign of this is that 82% of Chief Information Security Officers (CISOs) in the UK report directly to the board, compared to only 61% globally.

Countering the ransomware threat

With businesses heavily reliant on their data, ransomware attacks - in which company data is literally held to ransom - dominate the world of IT security today, with Kaspersky Labs calculating that a company is hit every 40 seconds. According to another cybersecurity expert, roughly 60% of malware payloads were ransomware in 2017 and this trend looks set to continue throughout 2019 and beyond.

When it comes to preventing ransomware attacks there is no silver bullet: it is a companywide problem that cannot be solved by a single product or range of products without organisations also undergoing significant cultural change. However, according to Dr Sandra Bell, head of resilience consulting at Sungard Availability Services, companies that adopt an offensive stance at an organisational level are most successful at managing the risk. In her thought-provoking whitepaper ‘Four things every CEO should know about ransomware’, she advises how to deal with this pernicious threat.

Scamming threat likely to grow

It seems as if every day our email inboxes bring new scamming attempts. Some of the clumsier efforts are easy to spot but, with cybercrime now a multi-million pound business dominated by international criminal gangs, fraud attempts are becoming increasingly sophisticated.

Technology company Darktrace believes we will soon see cunning cyber criminals exploit the power of Artificial Intelligence (AI) to launch targeted, automated campaigns.

For example, technology has reached the point where malware can train itself to recognise how our writing styles differ according to who we are contacting and leverage this nuanced understanding to send tailored, contextually relevant messages to our contacts.

With cybercrime now one of the leading risks for businesses demanding board-level oversight, company directors must do more to meet the growing cyber threat. It has never been more important to have robust governance systems in place. 

Ibi Eso is Managing Director of Bridgehouse company secretaries
