Fraud – Risk management of management risks.

High-profile corporate failures have led to a proliferation of reports and standard setting exercises. In September the Internal Control Working Party at the English ICA published the Turnbull Report, which recommends that internal control processes be embedded within the normal management procedures.

The Turnbull Report requires additional disclosures to be made in the annual reports and accounts in connection with the identification, evaluation and management of significant risks to which the enterprise is exposed.

In December the Financial Services Authority published a consultation paper on senior management arrangements, systems and controls. It proposes to place obligations on regulated businesses to ensure appropriate systems and controls are established and maintained, and that associated responsibilities are properly apportioned among directors and senior managers.

And it doesn’t end there. In January the Organisation for Economic Co-operation and Development released draft guidelines on the behaviour expected of multinationals, including proposed new standards of corporate governance.

The guidelines require multi-nationals to comply with the standards in all countries in which they operate, even if such countries are not among those represented by the OECD’s 29 participating nations.

The upshot is senior management teams of large businesses have been bombarded with guidance on corporate governance, risk management and internal control. But will this guidance result in fewer catastrophes in corporate life?

There are a variety of causes of unexpected corporate collapse, but the principal cause emanates from corporate fraud. An analysis of the prosecutions brought by the Serious Fraud Office during the last decade shows that the majority of corporate fraud cases involved the active participation of individuals in senior management positions within their organisations.

Similarly, a study of a sample of major fraud cases conducted by the Auditing Practices Board in 1998 shows that directors and other senior managers were actively involved in most of the cases included in the APB’s sample. In other cases such as Barings, catastrophic consequences were brought about by the actions of an empowered employee whose activities were either not supervised or not supervised effectively.

Businesses have long since realised the need for vetting prospective employees as an integral component of their risk management procedures, especially in relation to candidates for positions of influence within the organisation. However, few businesses are currently alert to the ongoing need for existing staff members holding, or proposed for promotion to, positions of influence to be vetted on a regular basis.

There are two principal reasons for this. First, prospective employees are relatively unknown to the organisation, and the resulting uncertainty gives rise to a degree of anxiety which is mitigated by the performance of candidate vetting procedures.

Second, established employees are usually known to colleagues, including supervisors and managers, so there exists an implicit trust. The psychological contract between the employer and the employee is assumed to be operative, so there is a presumption of loyalty on the part of the employee towards the employer.

However, there is evidence that established employees are likely to present greater risks to their employers than new recruits because, in general, established employees are likely to hold more senior positions, and hence possess more influence in the organisation. The greater the seniority of an employee, the more likely it is that he or she will:

– be responsible for determining the culture of the organisation, particularly as regards the standards of behaviour expected of the organisation’s staff members;

– be responsible for contributing to the design and maintenance of the organisation’s systems of internal control;

– be responsible for supervising the activities of others – activities which, if not carried out properly and effectively supervised, may have consequences for the organisation;

– be empowered by the organisation to enter into binding agreements with third parties with consequential risks of split discounts etc;

– possess commercially sensitive information of the organisation such as strategies to be pursued, research and development initiatives, tender information etc, all of which is of value to competitors.

It is well understood that no system of internal control can offer complete protection from the risk that an organisation will fail to achieve its business objectives, and this is emphasised in the Turnbull Report. Providing that an organisation’s systems of internal control have been thoughtfully designed and redesigned as an integral part of the inevitable and unrelenting changes in business processes, the single most important source of potentially catastrophic risk results from the abuse of corporate influence:

– senior management over-riding internal control systems;

– failure by supervisors to discharge their supervisory responsibilities effectively;

– abuse of the empowerment bestowed on staff members by the organisation, and;

– abuse of commercially sensitive information possessed by staff members.

Those who possess corporate influence are thought by their employers to be valuable. They are assumed to respect their psychological contracts with employers. They are invariably assumed to be entirely trustworthy.

Any action which results in a diminution of the value of the psychological contract as perceived by a staff member possessing corporate influence will undoubtedly risk harm being caused to the employer, particularly as businesses place increasing importance on their ‘human capital’.

Considerable skill and experience are required in performing management vetting if it is to meet its twin objectives of establishing the integrity and the potential vulnerability of staff members who possess corporate influence and, assuming that there is no reason to call into question the integrity or vulnerability of individuals, avoiding damage to the psychological contracts between employers and their employees.

It is only when reliable management vetting procedures become embedded within ongoing management processes there will be fewer corporate failures.

For years the security services of many governments throughout the world have appreciated the risk-mitigating benefits to be derived from the performance of vetting procedures on those holding positions of influence.

It is now time for the business community to embrace management vetting as an integral part of its risk management procedures.

Related reading