Staying ahead of the Fraudsters.
London, United Kingdom, 15 March 2021
Fraud and corruption risks in the business environment, whether a business is the target of the fraud or the vehicle through which it is carried out, are a fixed part of the corporate landscape, and Covid-19 has become one of the most recent and consequential features of that landscape. For example, one unnamed EU company, identified by Europol, recently transferred €6.6 million to a company in Singapore for the purchase of alcohol gels and face masks, but the goods were never received. As a direct result of increased remote working by staff during periods of lockdown, there has also been an increase in business e-mail compromise (BEC) scams, in which emails purporting to come from CEOs, suppliers or other trusted sources are sent to isolated financial or administrative staff to request, for example, large money transfers.
Many business organisations adopt a 'three lines of defence' approach to risk management, comprising management control (first line), risk and compliance (second line) and internal audit (third line). Several issues may arise in the roll-out of such an approach, and they can affect how well an organisation identifies and responds to a particular threat vector. It is prudent for organisations to ascertain whether responsibility for key activities is ambiguous and whether that lack of clarity blurs those responsibilities, leaving control and monitoring weaker as a result. Where such ambiguity arises, first line accountability may be lost, with first line managers tending to neglect their responsibilities and leaving (advertently or otherwise) the second line of defence to 'take up the slack'. The three lines of defence must operate separately, in terms of their contribution to effective management, monitoring and assurance, but must not operate in silos: there must be a shared understanding of risks and controls so that there are no gaps in risk coverage. Where objectivity, authority and a critical mindset are lacking, and especially when combined with poor business and communication skills, professionals within the second line of defence may operate without the stature, credibility or willingness to speak up that the situation demands. The role of the second line as a countervailing power cannot be overstated.
Risk governance and the organisational structure require constant alignment with the changing business landscape, so that newly emerging risks trigger the need for new expertise, processes and tools. Reaction to a major breakdown in controls may lead to the introduction of yet more controls in the form of policies, procedures and the like. However, these will not be effective unless 'soft' controls, primarily in the form of risk governance principles and behaviour, are also inculcated into the organisation.
Risk management should ideally rest on two connected presuppositions. First, that risks are identified and analysed, the consequences of those risks measured, and those consequences acted upon effectively. Secondly, and crucially, that the organisation holds a highly developed knowledge of current and prospective threats to itself and to the sectors and jurisdictions in which it operates. What must be considered more specifically, because failing to do so undermines risk management strategies, is the oft-used concept of 'risk appetite'. There is an inherent danger with this concept in that it is often applied in reverse. Thus, the question an organisation poses tends not to be 'how much will it cost to mitigate the risk?' but rather 'how much risk can be mitigated for the sum the organisation is prepared to spend?' Adopting the latter line undermines the organisation's ability to fully anticipate risk. The corporate mind should always be focused on a determination to adopt a holistic approach to all relevant drivers that can directly or indirectly change the organisation's future threat environment.
Professor Rob McCusker is the Transnational Crime Director at Global Risk Alliance Ltd in London, the Co-Convenor of a forthcoming International Standard (ISO) on anti-fraud controls, the former Director of the Centre for Fraud and Financial Crime at Teesside University in the UK and the former Transnational Crime Analyst at the Australian Institute of Criminology (part of the Attorney-General's Department).