Risk Management: The New Fraud Squad

In this time of financial turmoil, the temptation to commit corporate fraud in the financial sector could be greater than ever. after all, it could be a matter of saving the company instead of lining the pockets, so risk management needs to be even more vigilant and sophisticated. Michael Peer of kPmg’s forensic practice tells gary Flood how banks will need to police themselves in the recession.

A loan application has been made and trading statements filed quite
properly at Companies House – then re-filed, with, shall we say, ‘significant
adjustments to the asset pool,’ once the money hits the applicant’s account.

Documentation presented in support of a restructured debt contains an audit report attached to financials that is a complete forgery. ‘Sleeper’ employees are found embedded in organisations, with false CVs and bogus employment references – waiting to gain just enough authority to be trusted with company cash.

These are all real cases being encountered on a growing basis by that obscure branch of forensic accountancy, fraud risk management – which is telling us that not only is financial sector fraud an endemic issue, it is becoming more sophisticated and widespread as the credit crunch goes on.

Bankers should be responding differently to the mounting evidence that points to
increased exposure to reputational and fiscal harm from fraud. Part of that response, argues Michael Peer, a partner at the advisory firm KPMG in Central and Eastern Europe, is to take the breakpoint represented by the current economic cycle to completely overhaul the way fraud is dealt with in the organisation.

But is there really such a need? A survey involving over 500 senior managers involved in risk management from leading banks around the world certainly suggests so.

The researchers found a worryingly high 76% of respondents felt that, despite a more prominent profile, risk is still ‘stigmatised’ as a support function, and nearly half (45%) admitted their Board lacked risk knowledge and experience.

Peer’s action plan to ameliorate this situation and also better protect banks from
fraud includes a number of cultural changes, some investment – primarily in people, not process or systems, note, which are almost certainly already in place – and management attention around a new form of risk management ‘culture’.

‘Fraud will always happen,’ says Peer. ‘The problem is that times like these both
exacerbate the risk that it will be on a bigger scale and also provide the rationalisation for some people to take part in it.’

Pre-existing fraud is likely to be revealed, for one. As financier Warren Buffett has
observed, only when the tide goes out do you discover who’s been swimming naked. As access to credit becomes more difficult, fraudulent operators will become more exposed because they can’t continue to flush money around their activities to conceal them.

But the same circumstances may tip others over into doing equivalent illegal things as they get more desperate to stave off collapse.

‘There will be more people who start to find a basis to justify their imminent fraud.
They’ll start saying: “it’s just to get us through the immediate crisis,” and classify what they do as “little white lies,”’ Peer predicts.

This applies just as much to individuals under pressure as to company leaders, of course. it is simply the case that organised crime finds its way to such contacts
and as noted above, the level of ‘project management’ these types can provide their new helpers is getting much, much better.

Realistic solution
‘Fraud is always going to happen and is already happening in your organisation,’ says Peer. ‘the issue is not to prevent fraud but to have better responses to it.’

in effect, we are talking a hygiene response here. A line in the sand needs to be drawn, very clearly, and the organisational response posture made clear. this needs to extend all the way across the organisation.

‘staff need to know the answers to questions like, “Where is the boundary, what
do i do if i see a colleague doing something suspicious, what are the likely consequences?”

But wasn’t that what all our recent hard work on security systems and reaction to
legislation was meant to deliver? not quite.

‘The mistake too many business leaders have made is to assume that meeting the compliance strictures was enough – it just isn’t,’ says Peer. ‘But too often the compliance function is an adjunct to the process, and, while based on excellent technology and achieving great coverage of data, still needs intervention by people, and not just junior people but experienced individuals who are empowered both experientially and by the organisation to make decisions and take appropriate action.’

The thought is that vigilance around exposure to fraud is embedded into each and
every significant business decision, from salary reviews to new loan applications.

‘We have seen cases where a client with previously impeccable credit comes back to restructure a debt and makes business predictions that just don’t make sense, like saying they will export X amount of y to a country where the annual total
consumption of y is a third of the projection. if exposure to fraud is not a component of risk management there is a real danger things like that will not get raised and exposure to serious operational, reputational and fiscal damage increases.’

What, then, is the rational organisational response to the fraud issue as it becomes more of a danger in the current climate?

The cost of protection
KPMg’s wide experience on advising clients in a range of industries on a global basis suggests that three things need to be put in place: a clear fraud policy, a fraud response plan and an adequate fraud detection mechanism. in other words, ask yourselves this: if you or anyone else sees such activity, what is the right way to centrally report it and what are the defined reaction postures of the organisation, and, if we suspect fraud and it isn’t being reported, what do we need to do to pick it up?

these may be good things to do, but we started our enquiry looking for cost
justifications – do we have them?

‘Experience shows getting there is an investment, yes, but we also have proof that
such investment gets repaid and justified very quickly. And it also turns out that previous technology investment means the information needed to create such responses is already there, the infrastructure probably already exists – it just needs the right sort of staff in place to truly embed a fraud risk assessment element in all significant organisational activities.’

note that this plan also includes check points for communication (of existing policies, not the creation of new ones) and training of staff in the new fraud-resistant company culture.

so what happens if an organisation takes all the above on board, but still declines to make the investment, perhaps ‘rationalising’ that it can wait for improved trading conditions? Peer’s response is simple: ‘if you don’t do it, your neighbours will, and so the fraud will be piped your way, as this stuff always finds the path of least resistance. it’s really a question of whether you want to be in the papers one day as the employer of the next nick Leeson.’

the message is that fraud is already happening where you are, it’s probably on
the upswing; what you need to do is take a hard look at the way you are responding to the risk such realities represent. FBA Reference: The Economist Intelligence Unit Survey, October 2008.

Further information
KPMG’s forensic practice


Michael Peer
tel: +420 222 123 359
e-mail: mpeer@kpmg.com

www.kpmg.com