Preparing for the worst can pay dividends in business, where fraud can hit a company’s reputation as well as its revenue. So a successful recovery depends on planning and forensic readiness, writes Rod Newing.
The financial and reputational threats that fraud, both physical and online, increasingly presents to businesses can be minimised and mitigated in advance.
Organisations should draw up policies, plans and processes for appropriate and effective responses, so that if the need arises, they can act quickly and appropriately to protect their reputation, carry out a forensic investigation and recover their assets.
“In a crisis, there is so much that has to be done and it has to be done all at once,” warns Jeremy Outen, head of fraud investigations and compliance at KPMG. “The more you have thought it through, identified advisers who have been through it before, planned for it and are ready for it, the better off you are. However, there are very few of these plans around.”
The first thing organisations need to consider is their public attitude to response. Some financial institutions prefer to keep fraud quiet to preserve their reputations; some organisations like to report it to the police and move on, while others have a policy of aggressively and publicly pursuing fraudsters, to act as a deterrent.
William Christopher, a partner in the litigation and compliance team at law firm Pinsent Masons, always advises clients that the fact that they have detected the fraud and are now mounting an effective response can be used as positive PR.
“It is important to get this message across in any PR strategy,” he says. “This is both to assist with reputation management and to send out a signal that fraud in your organisation will not be tolerated, that it will be discovered and proceedings will be brought to recover money taken.”
The organisation needs to plan who will be in charge of response to each type of potential fraud. It could be the chair of the audit committee, head of internal audit, security officer or a third party.
Mr Outen says that it is important to isolate the actual incident, so that those in charge are independent and a subsequent investigation cannot be tainted by people who could possibly be connected with it.
The most urgent response in the plan is to prevent further damage by revoking the fraudster’s access to the organisation’s computer network, applications and data. Their internal authorities must also be revoked, including cheque signing, bank mandates and company credit cards. Mr Outen warns that these steps all have to be taken at the same time.
Ben Luddington, a director in the forensic investigation services at Grant Thornton, says these actions prevent a disgruntled person under investigation from causing a lot of damage very quickly.
Various potential advisers, including media handlers, should be identified and vetted in advance, so they can start work immediately. “You must understand what each is capable of doing,” says Mr Luddington.
The company must be prepared for forensic investigations. Whether the fraud is physical or online, computer records will usually lie at its heart. Digital evidence will be required for e-disclosure requests, data breaches, commercial disputes or employee disciplinary actions.
The organisation’s back-up policy will be tested, as it will need to quickly locate and retrieve data potentially associated with the fraud. It must also deploy, in advance, appropriate specialist software to identify and recover electronic documents and messages.
“Adoption of a forensic readiness policy is a mandatory requirement for government departments,” says Keith Cottenden, director at CY4OR, a forensic services firm. “If you work with, or plan to work with, a government department, they may require or expect your organisation to have a forensic readiness policy.”
The overall budget of the Serious Fraud Office has reduced for five successive years. The police are more likely, therefore, to pursue a criminal prosecution if the organisation bears the burden of the investigation and presents them with strong evidence. This may involve conducting interviews in accordance with the Police and Criminal Evidence Act. Mr Outen advises encouraging the police to leave asset recovery to the organisation.
Mr Luddington says that it is important to have a clear employee code of conduct and policies on computer usage. This makes it easy to demonstrate that an employee has breached such policies and enables the company to take immediate action, including accessing their e-mails and hard disk. “It means, if it actually happens, you don’t have to go through ‘soul-searching’ and talking to lawyers,” he says.
Minimising the loss involves recovering as much of the missing assets as possible. However, organisations should not be deterred by fear of increasing their losses through incurring more fees.
Nick Ward, the partner who heads asset recovery at Grant Thornton, advises victims to start with an initial high-level investigation, to see if the fraudster is worth pursuing. Automated tools allow experts to do this for £3,000-£4,000, which may be payable only if the assets are worth pursuing.
“We have been involved in cases, after the fact, where a company has won a substantial judgment and the other company just liquidates itself,” says Mr Ward, “so it was a waste of time.” He also says that an increasing number of innovative companies will offer to fund a court case. “If we think the case is sufficiently strong, we can easily get funding for it,” he says.
Mr Outen points out that it is important not just to trace the location of the assets, but also to assess how resiliently they are being protected, because in a criminal case assets can be jealously guarded. “A prison term comes to an end,” he says, “so fraudsters often invest more, emotionally, legally and financially, in clinging on to the assets than avoiding jail.”
He has been doing asset recovery for 20 years and finds it to be a long, challenging, fraught and uncertain exercise. Organisations have to gear up for it with their resources, finances, energy, emotion and resilience, but it can be incredibly effective if they get it right.
“The key to an effective response is acting quickly,” Mr Christopher concludes. “An organisation is much more likely to be able to do this if it has a response plan in place to assist with quick decision-making.”
Benefits of forensic readiness planning
• Maintaining proportionality of litigation and investigative costs
• Increasing the speed at which digital evidence can be produced
• Acting as a deterrent to computer misuse
• Reducing the occurrences of digital technology abuse
• Assisting with internal security awareness training