There really is just one defence for a business facing a failure to prevent fraud charge. The organisation must demonstrate they had reasonable compliance processes in place at the time of fraud.

Lawyers can challenge arguments put forward by the prosecution that the offence wasn’t fraud or that the fraud didn’t benefit the company, but if no anti-fraud policies were in place, it will be a difficult case to fight.

Most cases don’t tend to end in prosecution. Instead, there’s often a ‘deferred prosecution agreement’ whereby there’s an agreement not to prosecute in exchange for the organisation complying with a range of conditions.

These usually include paying a large fine, agreeing to a list of compliance obligations and then paying out for an independent monitor to ensure these conditions have been met on a three-to-five-year basis.

This can be hugely expensive, but it avoids the reputational, financial and regulatory damage a criminal conviction would incur, particularly for listed companies.

Implementing fraud prevention policies

Large businesses must implement robust fraud prevention policies if they haven’t already. It’s also recommended that small businesses start thinking about this too, although there is no legal requirement for them to have frameworks in place. Large organisations might insist on compliance as part of contractual terms for their suppliers.

Every compliant risk framework must start with a risk assessment. This is the bedrock of any compliance framework. Top level commitment is necessary to make this work; the board and senior leaders need to take responsibility for  ensuring that adequate controls are in place and resourced effectively.

Risk assessments

Risk assessments should be tailored to the business, not ‘off-the-peg’ templates found online. These assessments should be an in-depth look at the business itself and identify areas where it’s likely to benefit from fraud, directly or indirectly.

There might be ‘weak’ spots that are easy to manipulate or interfere with, or gaps in processes that are easy to exploit. Areas to look at might include looking at payroll processes, procurement, financial statements and reporting and supply chain policies. 

Comprehensive, concise policies

Businesses sometimes fall into the trap of ‘kitchen-sinking’ their policies; adding so much that they become practically unreadable. No one is going to read hundreds of pages and not every employee is going to understand legal speak.

Policies need to be staff-friendly. Concepts, controls and procedures must be distilled down so it’s easy to read. The aim is to ensure employees are aware of the policies, including who to escalate concerns to. They need to be sufficiently equipped so if they spot a fraud red flag, they know who to escalate it to.

Staff training

Communication and training is a key part of any risk framework policy and in the case of fraud, it’s crucial. Staff need to know how to spot the signs of fraud and identify any red flags, as well as what to do with information relating to fraud that concerns them.

Review, review, review

Corporate fraud prevention policies must remain fit for purpose. There is always a need to review and update periodically.

For organisations breaking into a new market, offering a new service or branching into a new jurisdiction, this is especially important. Any business change should trigger a risk assessment review, because the risk profile has changed.

The fundamental question is: how can you demonstrate as a business that your policies, controls and processes are reasonable if you haven’t assessed risk – or any new risk – that your business actually faces?