The biggest risk to business is not knowing what your risks are.
The typical organisation loses 5% of its revenue to fraud, according to the global Association of Certified Fraud Examiners’ (ACFE) ‘Report to the Nations’ survey released in 2012. Applied to the 2011 Gross World Product, the figures in this report translates into a projected annual fraud loss of more than USD3,5 trillion (www.acfe.com).
The report also found that fraud reported to ACFE had lasted an average median of 18 months before being detected, and was more likely to be detected by a tip-off than by any other method.
What Are The Major Risks?
KPMG is about to release its updated risk management report for South Africa. However, research conducted in November 2012 found that the biggest risks perceived by local companies are: increased competition (primarily from foreign sources); new technology; a lack of integrated IT systems; poor infrastructure (particularly electricity and rail); the state of the economy; and finally, an increasingly complex regulatory and legal environment.
The latter is also viewed internationally as one of the biggest risks – the irony being that regulations are being introduced internationally to reduce levels of risk in the wake of governance failures, sub-prime irregularities and the Lehmann Bros collapse.
KPMG risk director Johan de la Rey, points out that regulation is clearly not a risk – the cost and complexity of implementing often highly technical regulation should be seen as a short-term challenge and cost. The differentiating opportunity is to integrate governance, risk and compliance processes, and assurance, realising an efficiency gain on the competition while reducing costs in the process.
“Therefore, it’s only a risk to those affected companies which do not react positively,” says De la Rey, who goes on to say that “Eleven out of 15 industries surveyed saw regulation and growing compliance demands as a risk, both in terms of cost and implementation challenges, as well as the risk of management taking its eye off the ball, operationally.”
Anton Roux, CEO of Aon, explains why regulation is seen as a risk, saying, “Even within my own firm, I employ more lawyers than accountants today. With globalisation, a firm such as Aon has to comply with sets of regulations applicable to South Africa, the US, where we’re listed, and the UK, where our head office is.”
Roux, himself a CA(SA), says it is not only audit\firms that need to have layers of peer review, but industry-specific regulation such as South Africa’s FAIS means that an insurer broker such as Aon also requires peer review regarding the advice it provides.
Risk has to be seen in the global context
Roux cites supply chain as an important risk to companies, listing examples such as the Japanese earthquake and tsunami which disrupted global supply chains, as well as the banking crisis in tiny Cyprus that jolted stock markets all over the world.
“The attitude to risk management has therefore changed. It is more about looking at a business’s entire supply chain and global political risks. In addition, in an environment of increased regulation and accountability, liability risk (especially for professionals such as auditors) has to be top of mind. For instance, medical malpractice cover is becoming increasingly difficult to obtain,” says Roux.
The Aon Global 2013 Global Risk Management Survey says: “In today’s interdependent environment, risks to business, no longer isolated by industry or geography, are becoming complex in nature and global in consequence.”
Unpacking the other major challenges, De la Rey explains that companies viewed increasingly open trade as a challenge to local industry, which is clearly perceived as less competitive than many foreign firms. “Linked to this is the issue of technology, where foreign firms leverage new, competitive technology to break into local markets. In addition, two-thirds of respondents saw the lack of economic activity in South Africa as a risk. As a country, we largely escaped the 2007/8 global slowdown, but the current one is certainly being felt,” says De la Rey.
Weak identity systems lead to cyber-fraud
“Cybercrime is completely out of control,” says Hedley Hurwitz, MD of Magix Security, “with South Africa ranking only behind Russia and China in number of victims. Identity theft is the root of much of this type of fraud, and South Africa’s weak identity systems leave us particularly vulnerable.”
As a result, Magix has seen an exponential increase in its business over the past 18 months, seeing as it implements systems in companies to detect this type of fraud. Hurwitz claims that when he commences work at a corporate client, “the forensics people know what’s happening, but lack the IT systems to be effective.”
As to the explanation for the growth, Hurwitz says: “The economy is under pressure and companies are struggling to increase revenue. Therefore, they are looking to cut every cost, and amounts they were possibly previously content to simply write off , they’re now focusing on to both cut the cost and even get physical recovery,” says Hurwitz.
Be risk-wise without being too risk averse
Karen Pepler, the Finance Director of short-term insurer, Sasria SOC Ltd, and herself a CA(SA), notes how important it is to see risk management as a positive tool, one capable of enhancing the profitability of an organisation by inculcating a deeper understanding of the risks the business faces. “Accountants, as a class, tend to be arguably too risk averse, without appreciating that the taking of risk is how we make money. Only once companies understand their specific risks are they then able to mitigate them,” Pepler explains.
Pepler lists the biggest risks that companies currently face: “The top risk is of market volatility and a subdued macroeconomic environment. These put pressure on profits and cash flows, increasing the fraud risk as there is pressure on companies and individuals.”
The ACFE Report to the Nations 2012 survey found that most occupational fraudsters are first time offenders with clean employment histories, yet the higher their authority and the longer their term of employment, the higher the fraud losses were. Pepler points out that not all fraud is perpetrated for personal financial gain, but as in the Enron case, can be associated with meeting increasingly complex regulatory and compliance requirements, or tough shareholder profit targets, both from a company and director or officer’s perspectives.
“From an insurance perspective, a major challenge is the wave of new regulations that emerged at the same time as the recession. Regulations are costly to adhere to and time consuming to implement. Among the sophisticated regulations that insurers have to deal with are those aimed at treating customers fairly, scheduled for next year. Another is the solvency assessment and management rule requiring long-term and short term insurers to align their capital requirements with the underlying risk, so that they can pay out multiple claims from policyholders.”
South Africa among world leaders
De la Rey says that South Africa is among the world leaders in risk management, thanks primarily to the global leadership role of Professor Mervyn King, coordinator of the three King Reports.
Whereas 15 years ago most companies would have been reluctant to look at risk management, thinking that they’re adequately insured for all risks and that anything further would be an unnecessary expense, De la Rey claims that there is a much higher level of awareness today of risk management processes and regulatory compliance in South Africa. “We’re slightly ahead of the rest of the world,” he says. The raising of risk awareness often comes in the wake of a major ‘wake-up call’, as is currently occurring in the construction industry.
“These tend to be defining moments in the history of a company or an industry, where companies suddenly realise they need to change their entire risk culture. Though this is a step in the right direction, the problem is still one of complacency in the rest of the economy – does each company or industry need to have its own ‘defining moment’ before it wakes up?,” asks De la Rey.
Sometimes these ‘defining moments’ are uncovered by a risk management programme. De la Rey gives the example of one railway company in which KPMG tabulated the real cost from certain incidents/risks at R3 billion a year. Shocked into action, the company accepted KPMG’s programme, which resulted in mitigating steps and the reduction of the cost in future years to a more normalised R400 million a year.
“This demonstrates that risk management really works and creates sustainable businesses and profits,” says De la Rey.
Changing the culture implies viewing risks as either calculated, or avoidable through preventative measures. Most of the advisory firms today offer risk management programmes that assist companies in identifying their risks, prioritising them, and more importantly, producing solutions which link and integrate risk and assurance efforts. The weakness of risk management in the past, says De la Rey, was that risks within companies were addressed in pockets. For example, with health and safety being in one pocket, corporate governance in another, and financial compliance such as internal audit, in a third.
“We’ve developed a process at KPMG which joins all the dots for clients. It is a differentiator that enables companies to view all their risks and assurance at a glance. However, risk management properly implemented is less about individual risks and more about changing the very culture of an organisation. If the tone at the top isn’t right, you’re nowhere – if right it’s simply about the successful roll-out of the programme,” says De la Rey.
Pepler agrees: “Preventing fraud starts with having effective corporate governance, and specifically fraud risk governance. This then encompasses all the required elements to prevent fraud from happening in an organisation, such as training of employees, anonymous reporting, internal policies and appropriate internal controls. It is with regards to the latter that automation of checks is becoming more important.
By removing the human element (or at least, some of it) from internal control processes, its effectiveness and efficiency is radically improved. The complexity in today’s business environment also requires this.”
Hotlines are effective
“Industry research and surveys from organisations such as the ACFE, as well as from the big four audit firms, consistently show that fraud is more likely to be detected by means of a fraud hotline than any other method. There is no doubt that these hotlines are effective and are an absolute necessity for any organisation that is serious about addressing the risk of fraud,” says Pepler.
De la Rey is more sanguine about the efficacy of fraud hotlines, saying that his experience at audit meetings is for one or two phone calls to be listed, half of which are wrong numbers. “However, where hotlines come into their own is in raising awareness of fraud and contributing to a culture of fraud risk management. Incidents may be reported through other channels, but you could find awareness about the hotline was the catalyst,” he explains.
One challenge with hotlines, and in fact fraud awareness in general, is that every individual has his or her own sense of right and wrong. What constitutes fraud for one person may not for another. This is where company value statements and values-based education become vital, and De la Rey believes this is the role of top management, supported by risk managers and the internal auditors.
“It’s all part of creating the required values and culture. We need to run regular culture surveys, including fraud risk assessments with our staff, more frequently, and annual declarations are increasingly coming to the forefront as a means of reducing management fraud and managing conflicts of interest,” says De la Rey.
De La Rey points out that, historically, people tended to assume that the greatest fraud risk lies in the procurement department, but ACFE research has demonstrated this not to be the case. “We find that increasingly the biggest risk is management over-ride of systems.” This is difficult to detect in the short-term, though Pepler says fraud is almost always detected in the longer term – the best antidote is changing the culture towards fraud or risk awareness.
Employee benefits see spike in claims
Risk management applies equally in the individual space, and Hollard Insurance is one of the bigger players in the company-sponsored employee benefits industry. MD, Franco Patrizi, says the same principles apply as with corporates. “There tends to be a high correlation between morbidity and economic recession – we find a sharp spike in people claiming for ailments, especially ones that are more subjective, such as depression and back problems. In many instances, this is found to be related to job security and there is an increased risk of companies trying to shift employees off their own balance sheet on to the insurers.’
“There is also an increase in genuine claims, but this too is often also related to job security. Fear of losing one’s job can key in a latent depression. Apart from an almost negligible uptick in suicides, economic conditions do not have the same correlation to death claims,” says Patrizi.
Patrizi goes on to say that employers tend to respond to this scenario in one of two ways: First, noticing an increase in premiums as a result of the increase in claims, companies tend to put their business out to tender and select a service provider offering a cheaper rate. The second solution is to introduce wellness programmes.
Patrizi cautions against the first option. By continuing to shop the market the company may be getting the cheapest rate available, but with a worsening claims experience, “it may be the cheapest rate available, but not necessarily the cheapest rate the company could get if it had effective risk management procedures in place”.
“The optimum solution is a wellness programme whereby proactive measures can be taken, based on absenteeism trends, to prevent warning signals from becoming actual claims. For most illnesses, on-site medical attention is the primary means of uncovering ailments such as high cholesterol or high blood pressure which, when medicated, improves health and reduces claims. Our experience is that an employer which actively supports a wellness programme experiences a significant reduction in claims. Apart from diagnosis, improved diet and encouraging a more active lifestyle improve wellness,” says Patrizi. ❐
Accounting Practice Risks
Mike Lledo, a CA and MD of Consolidated Financial Services, says: “From a business risk perspective, within every SME, such as an accounting firm, there are a number of factors that can have a significant impact on the business and its partners/shareholders, and ultimately, all stakeholders in such a business. Identifying these business risks is as easy as reading the balance sheet of the relevant SME.”
The balance sheet will provide clues on the need or necessity for:
• Key-man assurance
• Buy-and-sell agreements
• Contingent liability cover
• Group life cover
• Group capital disability cover
• Group income disability cover
• Funeral benefits
• Medical aid benefits
• Group retirement benefits
• Staff retention schemes (share options, deferred compensation, preferred compensation).
“The first three listed above are however the primary risks that an accountant/SME owner should be aware of, not only for his own practice, but also when advising clients on the different kinds of business risks that could occur at any time and without warning in any type of business,” says Lledo.
• Key-man cover refers to that individual (or individuals) in a business who holds the ‘key’ to the success or sustainability of the business or operation. The death or disability of such an individual can have a devastating effect on the business and all its stakeholders.
• A buy-and-sell agreement between partners/members/shareholders is a crucial document for the protection of the business interests of the surviving partners/members/shareholders and the business as an entity on the one side, and the deceased’s heirs on the other side.
• Contingent liability cover protects the business entity and its stakeholders in the event of death or disability of one or more of the partners/members/shareholders, and the consequent sudden repayment of an outstanding loan.
“Items listed from 4-10 above are important for other reasons in a business, as it normally addresses staff needs and allows for recruitment and retention of good staff, which in the medium to long run is crucial for the sustainability and growth any business. In most businesses, the staff are still the business’s greatest assets. Address their needs and you buy loyalty and service excellence,” says Lledo.
Author: Eamonn Ryan is a Business Journalist.