Fighting financial crime in your organisation requires a robust system of controls.
After identifying and defining the key risk areas in your specific business, you need to ensure that there is a robust series of controls in place to detect, monitor and prevent financial crime.
Policies are a bedrock of risk management. An organisation should have policies on key risk areas (see the following table) including data privacy, gifts and hospitality, expenses and procurement. These policies should be board-approved and have buy-in from senior leadership.
All new employees should receive training about key policies and be required to attest to the fact that they have read and understood them. It may also be appropriate to require annual training and attestation on certain policies. Many organisations, for example, require annual training on the company code of conduct or ethics and on information technology and security policies.
A senior manager should be a designated fraud or financial crime champion. Some organisations have a chief fraud officer, whilst others assign responsibility for managing financial crime risk to the CFO or a risk specialist. No matter how it is done, someone at board level should have financial crime risk specifically assigned to their role and responsibilities.
Another key element of any financial crime governance plan is a simple and effective way for employees and third parties to report concerns. Vitally, they must have the option to do this anonymously should they wish, and must be confident that they will not face harassment or be put at a disadvantage as a result of making a report. A common way of doing this is to offer a whistleblowing or ‘speak up’ service, often run by a third-party provider, that allows reports to be made via a phone call or online. This need not be specific to financial crime – the same service can often be used to report any concerns about breaches of a code of ethics or conduct. All employees should be aware of how to access this service, and it should also be available to other stakeholders including contractors, vendors and potentially end users or customers.
An organisation should have a fraud response plan, which lays out how the organisation will respond to an incident. The plan should be available to all employees to ensure that everyone is clear about their responsibilities. Publicising the plan may also help deter fraud as potential perpetrators will be aware of the potential consequences.
The plan should include:
- An explicit statement requiring every member of staff to report suspected fraud. There may also be specific duties for line managers.
- Who is responsible for running investigations into concerns when they are raised.
- How the investigation will be run, including which departments will be involved and how communication back to the person who made the report will be handled.
- An escalation plan up to board level, including triggering reporting when designated thresholds have been breached.
- A plan for reporting to internal parties (such as internal audit) and external parties (such as regulators or law enforcement) if required.
It is also key that the plan links to a business continuity plan, which outlines how the organisation will continue to operate should it be affected by fraud or financial crime. For example, this could include how the organisation would operate should access to IT systems be lost due to a malware or ransomware attack.