In its latest Global Economic Crime Survey, PwC has delivered a report that will raise eyebrows at all levels of the enterprise. It calls out the rise of the silver fraudster, double standards by senior management, the woeful state of fraud risk assessments and the rise of cybercrime. There is little in this report for anyone to be cheerful about, and it suggests that there is much to be fixed in order to reduce the level of fraud and cybercrime experienced by companies.
Under the title Old Dogs, New Tricks, the top five numbers from the report are:
- 55% of UK organisations have experienced economic crime
- Of those who’ve experienced economic crimes, 44% have also experienced cybercrime in the last two years
- 18% of fraud is committed by senior management
- Cybercrime incidents in the UK up 20% since 2014
- 30% of UK organisations say they have no cyber response plan
- Almost 60% have no confidence in UK law authorities dealing with cybercrime
None of those numbers look good for UK businesses, especially at a time when UK companies are having to deal with political issues such as the upcoming In/Out referendum on Europe.
Andrew Gordon, PwC’s Global & UK Forensics leader, commented: “While the prevalence of traditional fraud, such as asset misappropriation, has fallen since 2014, there has been a huge rise in organisations reporting cybercrime. Technology is driving almost every other area of economic crime as well.
“Business needs to minimise the opportunities for economic crime through rigorous fraud risk assessment, supported by a culture based on shared corporate values and robust policies and compliance programmes.”
Failure to do risk reports is making fraud easier
In an age of compliance it seems strange to still be talking about risk reports as if they were some alien concept. Every time there is a data breach the issue of risk assessment comes up. New technologies such as cloud are constantly being subjected to risk assessments to ensure that data is safe and that by storing data in a cloud service a company isn’t risking a compliance issue and a large fine.
Despite this, PwC discovered that 20% of respondents had NEVER performed a fraud risk assessment and only 13% had done so just once in the last two years. The last time the Fraud Act was updated in the UK was 2006. Since then we have had the Bribery Act 2010 and a lot of changes to money laundering rules that require enhanced reporting. With all this legislation, enterprises should be better equipped in terms of process when it comes to dealing with fraud and bribery.
Not everything is as dark as it seems. It turns out that 44% of UK companies do carry out an annual fraud risk assessment with 15% doing it more than once per year. It is also important to note that fraud risk management in the UK detects around 14% of all frauds compared to a global average of 8%.
Process is no excuse for not changing people and culture
While shoplifting from staff is often used as an example of problems with retail, it is rare to see numbers around organisational fraud. In this report PwC reports that 31% of organisational fraud was committed by insiders, often with the collusion of their colleagues. The ability to commit fraud has always been tied to opportunity and access, and as a result it should come as little surprise that internal fraud is the same.
Using numbers from 2014 and 2015, PwC reports that fraud by position in 2015 works out at:
- Junior Staff 28% down from 45%
- Middle management 36% down from 42%
- Senior Management 18% up from 7%
There is also an age correlation, with more than half the fraud committed by those over 40, while fraud from those over 50 trebled from 6% to 18%. The reason for this, according to PwC, is that as people get older they are less likely to change their ways. This suggests that there has always been a dishonesty in business, but without numbers going back 30 years it is hard to evidence this. It also suggests that if we accept the statement about people not changing their ways, we may be moving towards an age where people are going to be more honest.
The report also looks at how staff feel and their awareness of organisational values and codes of conduct. It appears that the respondents admit to being aware of what is required of them. At the same time the responses show that training on the relevant codes of conduct stands at 60%. While this is far from perfect, it is well above the level of training companies often talk about when it comes to cybersecurity.
When it comes to bribery it seems that 85% of corporate management are very clear that business partners should avoid bribery and even be prepared to lose deals. Unfortunately this positive approach is undone by the fact that only 77% feel their own management are as honest as they expect others to be. As the report says: “There seems to be a certain double standard here.”
Compliance spending up but results not improving
On average 49% of companies increased their spending on compliance over the last two years while the same number kept their spending the same. In the next two years 44% will increase their spending while the remainder will keep spending at current levels. That latter figure is presumably because they believe they’ve done enough to get control of the situation.
Unsurprisingly, it is financial services that have invested the most and that will continue to invest. They are heavily regulated and have spent a lot of the last two years exposed to the harsh glare of the media spotlight. Sadly, the report doesn’t break down the other industries, many of which are spending far less than the financial services industry, and it would be interesting to know which industries believe the problem is solved.
With legislation such as the EU GDPR coming on stream soon, it should concern many that the level of compliance spending is being reduced. Regulators will take a dim view of companies that breach compliance due to a lack of investment and with the level of fines rising, money spent on training should reduce the level of fines down the line.