When insider threats come right from the top

Insider threats hitting the headlines tend to be perpetrated by middle or lower management, but when fraud is carried out by the C-suite, the costs can be eye-watering.

While CEO fraud may not be common and is certainly the least talked about, it can be the most costly to an organisation.

According to the Association of Certified Fraud Examiners’ 2018 Report to the Nations, company owners and senior leaders may commit only 19 per cent of all frauds perpetrated, but such crime results in a median loss of $850,000 (£670,000) an incident.

This figure is nearly six times higher than the median loss brought about by middle managers and seventeen times more than that caused by low-level employees.

The study points out that high-level fraudsters generally have better access to an organisation’s assets. They also have greater technical ability to commit and conceal fraud, and can use their authority to override controls or hide their crimes more easily than those further down the corporate ladder.

What does CEO fraud really look like?

Such fraud can take a number of forms. In some cases, says Jose Hernandez, chief executive of organisational change consultancy Ortus Strategies and author of Broken Business, it is simply about senior executives circumventing company controls for their own personal gain. Invoice fraud, in which individuals submit invoices for suppliers that do not exist, is an example.

More commonly, leaders rationalise their unethical actions, such as tax avoidance or evasion, by convincing themselves they are necessary to deal with pressing business problems, says Mr Hernandez.

“It may involve individuals falsifying documents and financial records and presenting them to external auditors,” he says. “Another form we encounter in global corruption investigations relates to using sham contracts with third parties to divert corporate money to improper beneficiaries, such as government officials.”

But the implications for an organisation are significant at every level. Not only can subsequent investigations cost millions as they are often complex and take months or even years, but CEO fraud also leads to major reputational damage, both internally and externally, not to mention the financial impact.

A key issue is that this kind of behaviour undermines the trust and integrity of the entire company, which is why it is so rarely discussed. Indeed, misconduct at this level potentially has serious criminal and civil implications, not just for individuals, but also for the corporation, leading to falls in share price and a leadership vacuum.

How to tackle the insider threat

As a result, says Ben Rose, chief underwriting officer at insurance company Digital Risks, the initial instinct of most businesses is to try to conceal the situation, even from their own staff.

“In my experience, internal fraud, especially at the senior level, is a real blow for an organisation,” he says. “It’s embarrassing as it implies your governance isn’t great and, because it’s about your reputation, rivals jump on that to try and leverage it as an opportunity.”

To protect against CEO fraud, the first, relatively simple, step is to ensure there are policies in place relating to separation of duties, whereby more than one person is required to complete a given transaction, such as authorising payments.

Ceri Charlton, associate director at security and risk assurance services provider Bridewell Consulting, explains: “If two people have to do something, it dramatically reduces the likelihood of misconduct. Typically for collusion to occur, you need a peer to co-operate, who is generally at the same level as you, and overtly asking someone to commit fraud is really quite a big step for most people to overcome.”

Corporate culture can be the root of the threat

Other reasonably straightforward actions to prevent CEO fraud include introducing vetting procedures for all senior appointments and ensuring there are adequate controls, compliance programmes and processes in place to investigate allegations of misconduct.

Rather more difficult, though, is finding ways to change the company culture and its underlying governance to deal with the root causes of such behaviour. As Mr Hernandez points out, misconduct usually results from a combination of a “toxic culture, inadequate oversight and pressure to cheat or cut corners”, all of which need to be addressed effectively.

This is particularly true in the case of command-and-control leadership cultures, in which managers and employees alike are usually afraid to question or challenge the status quo.

“Organisations can best protect themselves by fostering a speak-up culture that empowers whistleblowers and encourages dialogue on ethical dilemmas,” Mr Hernandez concludes. “But they can also successfully address fraud by regularly assessing risks, communicating expectations for conduct and making necessary changes to excessively risky strategies, practices and business models.”