5 Fraud tips every business leader should act on

It’s International Fraud Awareness Week – how well do you respond to the risk of fraud in your business?

Understanding the risk and having ideas to act are a good start – we can help you develop a plan to turn those ideas into real actions and controls that can protect your business. Contact us to set up a time for us to talk through your business risk and see how we can help.

How do perpetrators conceal their frauds?

It’s International Fraud Awareness Week – a good time to reflect on the risks that face our businesses and how we can control them.

Controls don’t guarantee that bad things won’t happen, but they can help you prevent them, detect that they are happening, or mitigate the impact when they do. To build effective controls you first need to understand the vulnerability, and then design controls to fit the profile of the risk: a preventive control where you can’t afford to absorb the event, a detective control where early warning is what matters, and a mitigating control where the event is likely and you need to limit the damage.

We can help you understand your vulnerabilities and your risk profile so that you can build effective controls to keep your business safe. Contact us to arrange a time for us to meet and discuss your risk needs.

Returning to appetite

In a few of these blog posts I’ve referred to a risk appetite. There’s no way I’m going to try to sell you that an appetite for risk is comparable to a tasty morsel of any sort. All businesses carry some degree of risk; the risk appetite is how much you’re prepared to carry in your business. The risk that exists if you do nothing about it is called the inherent risk, and the risk that remains once your controls are in place is called the residual risk. The aim is for the residual risk to sit within your appetite. It’s very rare that you would find (or should accept) that the inherent risk is what you’re prepared to accept, because it means you’ve either underestimated the risk or you’re over-exposed. Bringing the risk down from inherent to residual requires you to invest time or money in planning, or in building contingency and controls for your business. The work involved in doing that is often called a “Return to Appetite” plan, because you’re bringing the risk back to within your acceptable appetite.

A “Return to Appetite” plan (or RTA) usually includes some key measures or metrics that will be tracked to tell you when you have achieved your return and are once again within appetite.

In my experience chasing the numbers is a horrible strategy, because once you achieve the numbers it often results in complacency: you linger under the false belief that the numbers are good, so everything is fine. But what if the numbers have missed something? Don’t misunderstand me, you absolutely need the numbers to keep you honest and help you monitor progress, but it’s a far better strategy to build a good framework, implement discipline and build a strong risk culture. Start doing the right thing and the numbers will gradually improve organically. Chasing numbers for numbers’ sake means the depth of culture and improvement is not there and your return is superficial. You’ll end up in a constant cycle of being within appetite, dropping out, returning, and dropping out again.

Building discipline around frameworks, processes and systems is a much more enduring strategy, and with that increased rigour you’ll see the numbers improve on their own. Manage risk appropriately because you want to manage it well for your business, not because you’re just trying to make some box on a chart turn green.

To be honest, that oversimplifies what’s involved in a good RTA. A good RTA requires a thorough understanding not only of the risks of the business and the appetite settings, but also of the controls, the state of those controls, and the reporting. Essentially an RTA is a litmus test of the entire end-to-end risk management environment within a business, and on top of that it identifies the work or tasks required to improve that environment. All of this sounds like a lot of work and expense, and it can be, but how much work is up to you. You can adjust the appetite so that you do less work, but be prepared to accept more risk: if an event were to occur, you have chosen to absorb the impact of that event on your business. Ultimately the appetite setting is yours, and the RTA should be integrated with your business risk profile. So how well do you understand either of those for your business?

Remember, it’s quite possible that not all risks will be out of appetite for your business at the same time. The first time you do the exercise, yes, it may be a lot of work and could be expensive. There’s a peace of mind that comes with it, and following that initial effort an annual review and minor tweaking should be all that’s required. It’s really only inaction, or a material change to your business or environment, that would lead to a major piece of work like that again.


Risk Strata specialise in helping businesses understand their risk profile and implementing processes, controls and frameworks to effectively manage those risks so that you can make informed decisions to keep your business safe and healthy. We can tailor a package of services to meet your needs from basic profiling right through to the design and implementation of control frameworks, reporting metrics and appetites and training for yourself and staff. If you want to understand your business better, “let’s talk”.

The Risk Onion

Over the last few weeks there have been numerous reports in the news media of ram raids and similar delinquency targeting a range of businesses, including small businesses. It got me thinking about controls. There was one comment in particular, from the owner of a chain of shops, with reference to ram raids. He said: “…forget about bollards [in front of shop doors], if they can’t crash through the door with a vehicle, they will take a hammer to the door instead…” [or words to that effect].

My initial reaction was to think back to an old cyber-security lecturer I had, who suggested that there was no such thing as an infallible cyber-security mechanism. In cyber-security, just as in your own house, the determined burglar will find a way in; the best your security arrangements can do is make the effort unpalatable, or slow the intruder down sufficiently for you to notice and take action. As I thought about that (I don’t know why I was surprised), it resonated with a general concept of risk management that I have reminded people in business of countless times: the purpose of controls is not to stop the risk from eventuating, but to contain it within an acceptable appetite.

In reality you wouldn’t rely on a single control to protect your computer network or your house; you would have layers of controls. The same is true for your business: you have layers of controls to protect against risks. Again, those controls are not designed to stop the risk from happening altogether. You could try to do that, but the controls would likely be extremely restrictive on your business.

You might have a username and password on your computer. That’s one layer. Perhaps you have a firewall. That’s another layer. Maybe remote access is controlled by a VPN. That’s another layer. You may run intrusion detection or prevention software. That’s another layer. The point of layering is that each control covers a different way in, so the failure of one doesn’t defeat the rest. For your house, you likely have locks on your doors. Perhaps you also have locks on your windows. You might have a burglar alarm. You could go further and implement retinal scanners, guard dogs, security patrols, electrified fencing and rotating invisible laser beams to detect movement, but the cost of doing so, and the inconvenience, may well exceed what the risk warrants, or outweigh the benefit of simply buying insurance. This is an example where a significant number of controls are available, but our appetite to defend against the risk doesn’t extend so far as to incur that level of cost or discomfort.

So, if you are facing an increase in ram raids, bollards may not stop every attempt, but they do likely represent the first layer in your defensive controls. How far you go in implementing additional layers depends on your appetite to defend against the robbery.


Where is risk?

My wife and I visited a local coffee shop the other day and, while we were sitting there enjoying the coffee and the novelty of being able to go out and support the hospitality sector again, it got me thinking about the types of risk in their business. Obviously the recent pandemic came to mind, but who could ever have predicted that? COVID, in the multiple forms it took, is (hopefully) a once-in-a-lifetime event. It’s what we in the risk fraternity would refer to as a “black swan” event (I don’t know why; black swans aren’t all that rare, especially if you look around the central lakes of the North Island). In fact, it’s the sort of event we try to imagine and plan for when “stress testing” our disaster or risk scenarios: we look at the scenario and let our pessimistic minds run wild to guess just how bad it could get. In saying that, I doubt many of us got quite as complex as COVID in any of our scenarios. We probably considered people dying or being off work, but the complexities of lockdowns, isolation, MIQ, labour shortages and so on likely struggled to make it into those scenarios.

This is where the idea of thinking about risk for those businesses became particularly interesting. Most businesses look at risk and think of an immediate event that has an immediate impact. In the case of hospitality, this could be something like: what do I do if one of my fridges breaks down? Where do I keep the food cold? How can I source another one? Or, based on historical experience in Auckland, what happens if there’s an extended power outage? You might even consider what happens if the building you operate from is condemned or requires extensive repairs. Most of these are what we call “business continuity” risk scenarios. They absolutely are risks, but they’re usually short term and unpredictable. Most often they would be accompanied either by some form of civil remedy (which, yes, could take ages to work its way through the courts) or by some form of government assistance. In the case of COVID, the government support was certainly woefully inadequate, so what could those businesses have done?

Building risk scenarios is an important part of managing risk and building resilience in your business. It doesn’t mean you won’t be affected when an event does occur, but it gives you peace of mind that you are protected and that the impact is contained within an acceptable level of risk. That containment takes the form of controls. You might have some offsite cold storage, an emergency backup generator, or a shipping container or food caravan you can operate from instead. None of these controls pretend to let your business operate at the same level as before, but they give you peace of mind to know that they are there and will mitigate the impact should an event occur.

Understanding your business’ vulnerabilities and testing whether you have controls in place gives you peace of mind that you have some protection. It also means you’re putting mechanisms in place to protect your business rather than making knee-jerk decisions under pressure that might have unintended consequences, or may not deliver the best or most efficient outcome. And it means you’re thinking about your business and ensuring you have mechanisms in place to alert you to problems early. Regular monitoring of fridge temperature, for example, can tell you a fridge needs to be replaced, which is a much better indicator than coming in one morning and discovering a fridge full of spoiled product.

Would this process have predicted the COVID impact or response for many of these businesses? I doubt it. But we are learning all the time, and we use our experience of the past to better prepare for the future. I can bet you almost certainly that there won’t be many risk scenarios developed in the next twenty years that don’t include some form of pandemic assessment, or that don’t use the experience of the last three years as a basis for evaluating the impact of that scenario on the business. Few scenarios up until now would have included a line saying: “What if the government says we can’t operate for the next four to six months?”, but I bet from now on they will.

Remember, risk management isn’t about stopping events from happening, or claiming that somehow they won’t impact you. It’s about doing your best to estimate what the event would look like and how it would impact you (and reassessing this year on year as you learn more), then thinking about what you can do to manage it and contain it within your appetite.

Is it feasible to bring all your customers into your ‘bubble’? Or to have all your staff and their families in your ‘bubble’ so you can continue to operate? No (although I do know of some businesses that did this), but it might give you pause to think about alternative distribution mechanisms: if your customers can’t come to you, how can you take your product to them?

When it comes to risk management “wait and see” and “hope for the best” are rarely ever the best strategies.
