Expert Commentary

Creating a Culture Hostile to Fraud

April 2007

Do you believe your grandmother could perpetrate a fraud? The subject of my first fraud investigation was a grandmother, an employee who had been with our company for 20 years. Everyone knew her, everyone trusted her, and no one believed she would steal.

by Scott Langlinais
Langlinais Fraud and Audit Advisory Services

Management gave her responsibility over cash—a lot of responsibility over cash. She had access to the safe. She had access to the cashier drawers. She accounted for the daily cash inflow from customers, she prepared the daily deposits for delivery to the bank, and she ultimately reconciled the bank statements to her own accounting.

Every day her center would collect several hundred customer payments, mostly in checks, but some in cash. She set aside one day's checks and took the cash across the state line to Nevada to parlay it into some more money. She planned to return with all of the seed cash (don't we all plan to return from Nevada with money?) and then make the deposit whole, albeit a day late. For awhile it worked. But when the losses mounted, she had to start lapping the cash. She would gamble Monday's cash, lose it, and replace the losses with Tuesday's intake. The snowball built into an avalanche—the more she lost, the later the deposits got, until she got to the point where she was completely missing deposit cycles. She always intended to repay the $60,000 she "borrowed."

Does $60,000 grab your attention? If not, how about $1.3 billion? That is the amount of losses incurred by Baring's Bank thanks to Nick Leeson. Mr. Leeson was a derivatives trader for Baring's Bank in Singapore, a 233-year-old entity that he managed to destroy. Mr. Leeson's managers allowed him to perform his job as Chief Trader and settle his own trades—functions that are typically segregated. In addition, Mr. Leeson had the ability to book his trading losses in a black-hole account. Not only did he have authority to make lousy trades without review, but he also had the ability to hide his $1.3 billion in losses. Over 1,000 employees lost their jobs, investors lost their savings, and Dutch Bank ING assumed nearly all of the bank's debt and acquired Baring's for £1.1

Beliefs and Systems Matter

Was management guilty in these two frauds because they allowed these employees so much control? Guilty, no; the grandmother and Mr. Leeson were the ones who perpetrated the frauds. But it would be unreasonable for their managers to claim no responsibility; they placed far too much trust in these employees and thus established an environment that enabled the frauds.

There is a link common to these and many other frauds I've witnessed or investigated. It lies in a belief I've heard from managers many times: "There's no fraud in my organization because we only hire trusted employees."

Such a management belief inherently contains one logic flaw and one very serious unintended consequence. The flaw is not in the idea of trusting employees; it is in the implication that there is a strong cause and effect correlation between trust and trustworthiness. The unintended consequence of the over-reliance on trust is that it can lead managers to ignore checks-and-balances and details and thus yield enough opportunity for employees to cause some real damage.

Is the solution then to not trust our employees? No, but many managers I speak with seem to believe in an inverse relationship between controls and trust. Increasing one decreases the other. Armed with this belief, managers are more likely to fail to install checks-and-balances and review transactions. They aggravate the situation if they also believe proper controls are too expensive, or there is not enough time to implement them. But good controls keep the business flowing, provide the necessary constraints, and allow employees to act ethically within a well-defined system.

Consider our traffic control system. Red light, stop; green light, go; yellow light, go faster. What makes us stop at a red? There is no gate that drops to prevent cars from entering the intersection. Most of the time, there is no law enforcement there to watch every car. So why do we do it? Because we have bought into the system—it does a pretty good job of managing the balance between safety and traffic flow at a reasonable cost. Or because we believe the consequences of violation outweigh the benefits. It is not an absolute control to prevent all violations and accidents. Because there is no physical impediment to our running a red (other than crossing cars), the system is designed with the trust that we will abide by the law and operate properly within the constraints of the system.

Managers believe it is important to hire good people that they trust. But to prevent fraud, it is even more important for them to design good systems for their employees to operate in. Research conducted in several different industries has demonstrated that a great system is often more important than great people.2

To illustrate the effect of bad systems on good people, we can look at mistakes made at NASA that contributed to two shuttle explosions. Without ever having set foot in NASA headquarters, most of us can agree that an organization that can put men on the moon and take close-up photographs of Jupiter's moons has to have some highly intelligent, motivated, process-oriented people. So how does evidence of imminent danger get ignored before the explosions of Challenger and Columbia?

The Columbia Accident Investigation Board issued a report on the causes of the 2003 shuttle explosion. The Board concluded that a culture of arrogance and over-reliance on past successes precluded evidence-based follow-up of the potential damage caused by the piece of insulating foam that detached and damaged a wing enough to cause the shuttle to burn up during re-entry. More disturbing is that the culture existed prior to the Challenger explosion. Though the people in the organization had changed, the bad systems remained. Consider this quote from the report:

  • In the Board's view, NASA's organizational culture and structure had as much to do with this accident as the External Tank foam. Organizational culture refers to the values, norms, beliefs, and practices that govern how an institution functions. At the most basic level, organizational culture defines the assumptions that employees make as they carry out their work. It is a powerful force that can persist through reorganizations and the reassignment of key personnel. [Emphasis added].

An effective contrast to NASA's culture is the U.S. nuclear Navy's. Nuclear-powered warships have traveled over 127 million miles without a reactor accident—roughly equal to 265 round trips to the moon. The success of the naval reactor depends on several factors: communication and action, with redundant paths of communication; relentless training and learning from mistakes; encouragement of minority opinions and bad news, with thorough management examination where minority opinions are absent; knowledge retention; and analysis of worst-case scenarios.3 The Navy's nuclear safety system is designed to circumvent and overcome arrogance, bureaucracy, and over-reliance on past success.

The contrast between these systems is telling because many factors in the study are constant; both are large, government-run organizations full of engineers and military personnel who put people into dangerous machines. Where the people, leadership, and mission stakes are similar, the difference in the control systems becomes stark.

It is, of course, optimal to have great people in great systems, but most of the frauds I've witnessed or studied were due to a severe flaw in the control structure that afforded a person too much opportunity and removed the manager from the process. Certainly bad people can circumvent good controls, but more often I see people tempted by an opportunity to perpetrate a fraud when they thought they wouldn't get caught.

Baring's Bank's system allowed one trader, Nick Leeson, to accumulate enough losses to destroy an entity that had seen the Napoleonic Wars. Mr. Leeson's trading practices were largely ignored because of his early success in generating income for the bank through trading prowess. My former company had a system that allowed one financially pressured grandmother to steal enough money to have a significant impact on the small branch she worked in and the people she worked with.

Culture Is the Foundation of Systems

Managers must overcome their beliefs that strong controls are unnecessary because they have hired trusted employees who are expected to do their jobs correctly. Also bankrupt is the belief that controls undermine trust.

Good systems make good business sense. The responsibility for establishing a strong system starts at the top with the executives who can affect widespread change. Executives and managers must drive the culture that is hostile toward fraud, a culture with no tolerance for unethical behavior, and frequent recognition of instances of ethical practices. What if you don't have access to the top? Then change the culture in your own sphere of influence. It is critical to examine and challenge your own organization's beliefs, and though it may be management's primary goal and desire to generate an excellent return for the stakeholders, there should be no evidence that those returns were generated from fraudulent activity, and there should be plenty of evidence that the right ethical choices were made in generating the earnings.

In subsequent articles we will discuss the practices specific to an environment hostile towards fraud:

  1. High-integrity management that exercises stewardship over corporate assets and expects ethical behavior.
  2. Processes designed to detect symptoms of wrongdoing and redundant communication lines open for people to report allegations.
  3. A strong ethics policy that defines unethical acts and the boundaries for investigation, and a communication process that enables the employees to learn from violations.
  4. Checks-and-balances and management attention to details that reduce the opportunity for someone to cause significant damage.
  5. A process to filter out those likely to perpetrate fraud.

1"Nick Leeson and Baring's Bank"

2Jeffrey Pfeffer and Robert I. Sutton, Hard Facts, Dangerous Half-truths, & Total Nonsense: Profiting from Evidence-based Management, (Boston: Harvard Business School Press, 2006).

3Columbia Accident Investigation Board, Report, vol.1 (August 2003).

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author’s employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

More Risk Management Information from IRMI
Books, Manuals, Newsletters IRMI
Online 		SilverPlume
Sage
Practical Risk Management IRMI Online SilverPlume Sage
The Risk Report IRMI Online SilverPlume Sage
Construction Risk Management IRMI Online SilverPlume Sage
Contractual Risk Transfer IRMI Online SilverPlume Sage
Risk Financing IRMI Online SilverPlume Sage
Exposure Survey Questionnaire IRMI Online SilverPlume Sage
Guidelines for Insurance Specifications IRMI Online SilverPlume Sage
How To Draft and Interpret Insurance Policies
IRMI Insurance Checklists IRMI Online SilverPlume Sage
RMIS Review IRMI Online
Free Risk Management Articles in IRMI.com
Risk Management
Insurance Continuing Education Courses from IRMI
Litigation Management (CE)
Contractual Risk Transfer in Construction (CRIS CE)