For the last ten years, since Institute of Forensics and ICT Security (mustaphabm5.sg-host.com) started fraud awareness initiative, I have visited several organisations and met with so many CEOs and top managers in the region.
Most of the leaders don’t want to acknowledge the extent of the fraud problem within their organisations.
Yet the statistics are clear:
“A typical organisation loses 5% of its annual revenues to fraud each year”, Association of Certified Fraud Examiners, Report To The Nations, 2012.
Applied to the annual gross revenue of your organisation, the total annual loss to fraud is big. Yet, this is where the problem starts. Few, if any, organisations have put in place tools to measure the extent of the fraud problem.
Many times, I have been called to undertake fraud investigations in banks and insurance companies. As investigators, when we start the assignment, the focus goes on who, did what, where, when and how. Fraud is intentional misrepresentation of a material facts, to cause a gain to one party and a loss by another party.
Every day, people are committing fraud. And this is done clandestinely. The total failure by the top leadership to acknowledge fraud as the biggest business risk is a major challenge of managing the fraud risk.
How do you manage a problem you cannot recognize?
How do you get proper medical treatment for an ailment you have convinced yourself you don’t have?
At a recent fraud awareness presentation, one of the senior staff told me; “We have not reported any fraud incident since I joined in this company four years ago.” His CEO, looking rather excited that he is a good leader added; “that is a clear testimony that our controls are working. We have zero tolerance for fraud.”
This reveals a lot about the extent of fraud problem in such an organisation.
Business leaders are living in self denial. The people responsible for protecting shareholder value and ensuring business going concern don’t want to acknowledge the biggest threat to their mandate – fraud and corruption.
As a CEO, if my Internal Auditor or the Head of IT told me that we have no reported fraud case since the year started, I would be more worried.
If an Internal auditor or IT manager or management cannot detect any fraud it is likely the fraudsters are too smarter.
As fraud researchers have put it, “because fraud inherently involves efforts at concealment, many fraud cases will never be detected, and of those that are, the full amount of losses might never be determined or reported. Consequently, any attempt to quantify total occupational fraud losses will be, at best, an estimate.”
Failing to record a fraud case could be a sign of a bigger problem.
All NGOs, telecom companies, banks, insurance companies and government are at a higher risk. The general control environment is weak. In any organisation, all staff are potential fraudsters if three things are present: (i) motive or incentive, (ii) rationalization and (iii) opportunity. The first two are inherent to every staff. The organisation can control the last one. Because many fraud cases involve collusion and override of controls, if staff decide to commit fraud, they will bypass any internal controls in the system and fraud will go on undetected.
I am often required to register my laptop when accessing most big companies at the security check point. When I ask, why are you registering my ipad, the common answer a security guard gives is “this is the procedure.” People have not been told why controls are in place.
You would expect an answer like “we don’t want you to lose your laptop in our premises and we fail to trace it for you. Or, don’t go inside with an old laptop and exchange it with the company’s brand-new model.” Or “don’t go instead with a new laptop and exchange it with an old one which has company secrets that are invaluable to us.” That would mean that at registration and exit, the security guard is alert and keen on details like laptop serial number, make and model.
Such general lack of appreciation of why certain things/ controls are done is so big when it comes to implementation of controls and systems.
Staff see certain things as burdensome instead of appreciating them for value addition.
© Mustapha B. Mugisa, Mr. Strategy 2019. All rights reserved.