Businesses Urged to Strengthen Their Defenses Against the “Triple Threat”
US businesses need to put in place stronger protections against potential business losses resulting from fraud, compliance failures and cyberattacks.
This is the overriding message of KPMG’s 2022 Fraud Outlook report, A triple threat across the Americas.
Two-thirds of U.S. executives surveyed by KPMG said their companies had experienced external fraud in the past 12 months, but only 35% of those companies had a program in place to prevent, detect and respond to fraud. Moreover, more than half of these companies do not intend to increase their budgets for anti-fraud measures.
This leaves businesses vulnerable to increased losses from a triple threat of external fraud, compliance failures and cyberattacks, according to the report, which also found that:
- Nearly half of US respondents (42%) said their company suffered losses of 0.5% to 1% of company profits due to fraud and crime.
- The majority of US respondents (62%) said their company expects a loss due to regulatory fines and/or compliance failures ranging from 0.1% to 2.5% of profits.
- 38% of US respondents said their companies expect the risk of fraud committed by outside perpetrators to increase somewhat over the next 12 months.
- 43% of U.S. respondents said their companies indicated that the shift to remote working increased the risk of fraud.
Fighting the “threat loop”
In addition to being widespread and growing, the three threats of fraud, compliance risk and cyberattacks are also woven into a “threat loop”. Businesses need to examine and defend against the damage these threats can cause together, rather than just focusing on the risks each threat poses in isolation.
For example, an employee who steals their company’s customer data while working from home raises all three threats simultaneously.
To combat the threat loop, companies must confront dangers through an interconnected collective effort, according to the report, which recommends a five-step process for mitigating risk.
- Set the right tone from the top: In addition to promoting a culture that encourages ethical conduct and a commitment to compliance, the board and senior management should establish standards and procedures to prevent and detect fraud, mitigate compliance risks and cybersecurity and monitor the company’s compliance with these standards. Companies must also implement protocols to ensure that the board of directors is sufficiently informed to exercise reasonable control over compliance and ethics.
- Carry out a risk review: Companies should develop and deploy a comprehensive enterprise risk assessment process that focuses on real, not hypothetical, risks related to compliance, cybersecurity, fraud, and misconduct. Management, the board, internal audit, compliance operations, and other stakeholders should work together to identify risk areas and design controls to mitigate those risks.
- Communicate effectively: Senior management should ensure that it communicates clearly to everyone involved that they must take their control responsibilities seriously. Additionally, employees should receive targeted training that helps them understand their personal role in protecting company assets and improving internal control systems.
- Enhance detection: Companies should develop and publish ways for employees and affected third parties to report suspected wrongdoing and seek clarification and guidance on laws, regulations and company standards of conduct. Employees play a critical role in uncovering major fraud and misconduct. Companies must create a culture that encourages employees to raise their hands to report misconduct without fear of retaliation from management.
- Create a culture of application and accountability: Companies would do well to consider updating their policies and protocols with non-punitive elements of accountability and enforcement. For example, a company could embed ethical behavior, integrity, and principles into employee performance reviews and offer rewards for achieving ethics-related or performance-related goals. Such changes convey the message that disciplinary measures for fraud and non-compliance are applied consistently, regardless of rank, seniority or function.
KPMG surveyed 642 executives across the Americas, with 34% of respondents based in the United States and 42% in North America. Respondents are roughly evenly split across seven industries: consumer products and retail; energy; financial services; industrial manufacturing; Assurance; life sciences and pharmaceuticals; and telecommunications, media, entertainment and technology.
Firms also varied in size, with 40% having annual revenue of less than $1 billion, 34% annual revenue of $1-10 billion, and 26% annual revenue greater than $10 billion. billions of dollars.
— To comment on this article or suggest an idea for another article, contact Jeff Drew at [email protected].