Commercial fraud is an ever-present risk to businesses both within and outside of the extractives sector. In 2014, a report from the BIS (Department for Business, Innovation & Skills) Information Security Breaches Survey revealed that 81% of large organisations had fallen victim to security breaches at some level, with the cost of this running on average to between £600,000 and £1.5 million.
Larger organisations and businesses are often seen as the attractive targets, owing partly to the ability to readily access large funding reserves with fewer restrictions on payment limits. However, smaller companies are also being viewed as easier targets by fraudsters, owing to the lesser emphasis they may place on investment in security or fraud prevention measures.
Fraud can take many forms, with people generating the schemes becoming increasingly structured in their methods of deception to facilitate the misappropriation of business assets. To counter this, it is vital strategies are in place to assist in mitigating these risks, whilst ensuring risk management procedures are also kept current and in accordance with best practice. Fraud management should be viewed in the same regard as the industry views safety, with procedures and plans in place to monitor, counter or react to the risks as appropriate.
Having a well-documented fraud prevention policy is a vital step in safeguarding the business. To be effective, however, it needs to be implemented with the support of appropriate procedures and operating guidance, and communicated to the people it impacts. Periodic reviews should be undertaken to ensure it remains up to date and in accordance with current guidance, whilst continuing to be relevant and in line with the business's practice.
A fraud prevention and risk analysis must take into consideration not only current threats but also any emerging threats that could pose risks to the business in the future. Potential areas of vulnerability in the business need to be identified so that appropriate procedures and documented guidance can be put into place, with monitoring and review of any potential risks an ongoing consideration.
In compiling a risk management procedure, the below steps should be taken into consideration:
Establishing the context
The first step is to establish the context of a business's risk exposure. The relationship between third parties also needs to be explored, as this will set out the areas of risk the business is exposed to. This should be drilled down to the grass-roots level to explore what the risk management procedure would impact upon and the benefits its implementation brings.
Identifying the risks
A comprehensive understanding of the business's exposure to risk will only come from a thorough analysis of all areas in the business. The more extensive this process is, the greater the likelihood of all items of potential importance being identified.
A systematic and comprehensive approach should be adopted to assist in identifying all risks that could be a potential area of concern. No possible risks should be overlooked; anything that may be significant should be included to ensure the policy is as comprehensive as possible.
Analysing the risks
Analysis is required to evaluate the significance of the individual risks identified. This assists in placing them into context according to the likelihood of them occurring and their potential impacts on the business.
Evaluating the risks
The risk evaluation involves comparing the level of risk identified during the risk analysis process with the likelihood of it occurring, matched against the potential impact it would have upon the business and the control measures that can be put into place. At the risk evaluation stage, the financial impact fraud may have on the business should not be the only criterion taken into account; the potential impact on the business's reputation should also be looked at.
Any risk evaluation process should ensure:
- Appropriate measures are in place to manage the level of risk perceived.
- If the activity should continue to be undertaken, or if alternative practices can be implemented to assist in mitigating the current levels of risk.
- The level of priority the implementation of procedures needs to take, in accordance with the level of risk perceived or identified.
Through the consistent application of these criteria it will be possible to initially implement and further update any new or perceived risks into the policy.
Treating the risks
Through the identification, analysis and evaluation of risks, the business will be assisting in safeguarding itself against fraudulent practices.
Treating the risks identified leaves us open to the following options:
- Accepting the risk as part of the business.
- Implementing systems to minimise the chance of the risk occurring.
- Applying procedures to reduce impact on the business if the risk occurs.
- Transferring the risk (if possible for this to be mitigated by a third party).
- Avoiding the risk through no longer undertaking the practice.
The treatment of the risk needs to be applied to each identified area taking into account the benefit of this (potential cost to the business weighed up against the feasibility of the control measures available).
The risk treatment plan being implemented should take into account:
- Proposed actions.
- Resources needed to implement these.
- The person or department that will be undertaking this.
- Timing for the implementation.
- Ongoing reporting and monitoring requirements that need to be in place.
Monitoring the process
Risks to the business are continually evolving and developing. To counter this, a periodic but continual review should be undertaken, not only to review the existing systems in place and any levels of risk that may have changed, but also to evaluate any new processes or changes in the business that need to be taken into consideration.
Good risk management procedures involve regular evaluation of the business's levels of exposure to risk and the control measures it has in place, taking into account any change of circumstances to the business or its operating environment. When undertaking any level of risk review, potential threats from both internal and external sources should be considered, in addition to examining any emerging risks which could pose a problem to the business.
The potential impacts of fraud on a business can be wide-reaching and extend beyond the financial implications. It could additionally cause disruption to the business, impact staff morale and cause damage to the business's reputation. Ultimately the impact could result in the business no longer being able to continue to trade, so it is vital that any policies and procedures in place are comprehensive enough to deal with any risks to the business.
Produced for the Institute of Quarrying, Technology in Minerals Group. Our Technology in Minerals group connects IT and technology professionals from across the mineral extractives sectors, discussing ideas and solutions and providing a valuable support and resource base to professionals in our industry.