This is the first in a two-part series on anti-fraud culture.
Fraud continues to impact companies across industries and around the globe, with bad actors constantly switching their tactics to circumvent new controls. In the case of fraud, when one door closes a fraudster will find an open window. Combatting this ever-growing threat requires a multi-faceted approach, and your people are one of the strongest tools in your anti-fraud arsenal. Culture is the cornerstone of a high performing fraud risk management (FRM) program. It can make or break your anti-fraud efforts. For example, when it comes to internal fraud, tips have been the number one way in which fraud is detected – a recent study found that 42% of internal fraud identification resulted from an individual reporting suspicious activity (see Figure 1). Without a strong anti-fraud culture, employees may not know how to report suspicious activity or may not feel comfortable doing so – meaning the organization loses out on a key control to support fraud detection.
Despite its great importance, anti-fraud culture maturity varies widely from one organization to the next. Building a strong anti-fraud culture, and knowing where to start, can be an elusive and moving target. There are many definitions, approaches, and methodologies for fostering an effective anti-fraud culture. With so many different approaches available, how can you determine where the source of truth lies? In reality, there’s no one-size-fits-all approach. The specific steps that one organization takes to achieve an effective anti-fraud culture might vary vastly from another.
The good news is that across the varying ‘sources of truth’, there are some commonalities.
To bring that target into focus, we have outlined the key elements of an effective anti-fraud culture.
Table 1: The Key Elements of Effective Anti-Fraud Culture
Each key element consists of multiple components that help cultivate an effective anti-fraud culture. There’s a core set of steps that establish the baseline for a functional anti-fraud culture. You can then build on that baseline by applying common best practices or choosing a more tailored, comprehensive approach to create a best-in-class anti-fraud culture program. Determining where to land on the maturity scale should be driven by your organization’s priorities, including the level of fraud risk, the current maturity level, and the resources needed to build program maturity.
The key to setting a tone that permeates all levels of the organization is a strong, strategic, and consistent message that translates into concrete action. Figure 2 outlines the milestones needed to achieve a baseline, common or best-in-class tone at your organization.
Figure 2: Tone Maturity Scale
Key considerations for Tone:
- Codify the tone in organizational policy. It is important for organizations to state the types of conduct that would not be tolerated. It is equally important that the organization follows through in enforcing that policy. If a company consistently “looks the other way” regarding certain violations, employees begin to realize those violations are not serious ones.
- Communicate consistently. An annual email from senior leadership on fraud awareness or the importance of doing the right thing is not sufficient. There should be consistent, ongoing communication from the top that provides clear, concise messaging to set the tone of integrity for the organization.
- Reward integrity. It is important to implement effective disciplinary measures and follow through with reports of misconduct. However, it is just as important to reward integrity – this can be done through compensation programs, performance reviews and other mechanisms.
Think of your anti-fraud culture like a house. If tone is the foundation of your anti-fraud culture, structure is the framing and walls – representing the pieces that build on the foundation to create something functional. Once you’ve established a sound foundation, you can start to build an effective anti-fraud program structure. Figure 3 outlines what is needed to achieve a baseline, common or best-in-class structure at your organization.
Figure 3: Structure Maturity Scale
Key considerations for Structure:
- There is not a one-size-fits-all FRM policy. The specific contents and language of your policy should be tailored to your organization’s objectives, environment, and risk profile. At a minimum, it should cover the background and scope of the FRM program, roles and responsibilities, definitions, and examples of internal and external fraud, actions taken when fraud is identified, ways to report suspicious activity, and whistleblower protections.
- Don’t set and forget your mandatory FRM training. The fraud landscape is constantly changing. Your FRM program, business, or industry likely also experiences shifts and changes. These should be reflected in your training curriculum. For example, periodically adapt the training to address new fraud schemes, regulations, policies, and any other new environmental factors.
- Define roles and responsibilities for the FRM program. The FRM roles and responsibilities of all personnel should be formally documented. This includes the board of directors, audit committee, senior management, business-enabling functions, risk and control personnel, legal and compliance personnel, and all other employees, as well as other parties interacting with your organization, such as contractors and customers.
Promoting awareness among your employees about both the threat of fraud and their capacity to combat it is essential for creating an anti-fraud culture and can be a vital tool in fighting fraud in your organization. The need for awareness initiatives can vary greatly from one organization to the next, so there isn’t a straightforward way to classify maturity, but there are some tried and true best practices to consider:
- Implement role-based or targeted anti-fraud training to build on the mandatory training
- Host periodic fraud awareness events and activities
- Publicize information on anti-fraud efforts, such as high-level results following a fraud risk assessment or the annual anti-fraud strategy
- Weave frequent fraud discussions into your daily activities, such as all hands calls or asking management to include fraud as a topic in team meetings
- Celebrate wins; when someone prevents fraud, adheres to established anti-fraud controls resulting in a reduction in fraud or goes above and beyond, celebrating them will positively reinforce anti-fraud culture
You can’t stop with simply instituting awareness efforts. You need to periodically assess the effectiveness of those efforts and track progress or gaps over time. Examples of how you can assess the effectiveness of awareness efforts include:
Table 2: How to Assess Effectiveness of Awareness Initiatives
Building an effective anti-fraud culture is a marathon not a sprint. While achieving an anti-fraud culture is a long-term journey, it won’t happen by accident. Achieving an effective anti-fraud culture requires strategic, dedicated focus to bring it to life. An effective anti-fraud culture will arm your employees with the know-how they need to combat fraud in their unique role and function. Whether you have already begun efforts or are just now turning your focus to anti-fraud culture, take proactive steps today to empower one of your most steadfast and largest fraud fighting weapons – your people.
In the next part of this series, we will cover the key steps in assessing your anti-fraud culture. This insight will enable your organization to level-up your anti-fraud culture and move towards best-in-class.