
Organisational fraud: your obligations as a director or officer
However, the hidden cost to an organisation runs much deeper, including the loss of business reputation and new business opportunities, and the impact on employee morale.
Organisational fraud is therefore serious business, raising questions about where responsibility lies and if there’s any come-back on directors or officers.
A note to HRIA member directors
Director duties arise from common law and Commonwealth legislation, particularly the Corporations Act 2001 (Cth) (Act). After the initial shock of finding organisational fraud and subsequent urgent endeavours to mitigate the impact, what responsibility do the directors and officers bear for what has occurred? The main directors’ duties that come into play are:
• the duty to act with the degree of care and diligence that a reasonable person, in that position and in the corporation’s circumstances, would exercise
• the duty to act in good faith in the best interests of the corporation and for a proper purpose.
There’s a common misconception that fraud is outside an organisation’s control and that a director or officer bears no responsibility for the incident or consequences. However, this may not always be the case. Directors and officers may be personally liable for losses suffered by an organisation if they fail to ensure the risk of fraud is sufficiently mitigated. The cost of fraud to an organisation includes: the fraudulent activity, where money is redirected by an employee; forensic investigation and remediation of the fraud; and managing the fallout with media or through introducing new systems.
These two duties also apply to ‘officers’ of a corporation. This includes a company secretary and anyone who makes or participates in decision making that affects the whole, or a substantial part of the business, or who has the capacity to affect significantly the corporation’s financial standing or in accordance with whose directions or instructions the directors usually act. For example, this could potentially extend the duty to the CEO, and other key players in executive management.
Directors and officers have a duty to ensure adequate processes, systems and policies are in place to minimise the risk of fraud and create a culture of compliance. With cyber fraud recently in the global spotlight, does that mean directors and officers are expected to be IT experts? The short answer is no; however, they are expected to understand the risk presented to cyber security by these threats. Yet a recent survey of 600 board members in 12 countries showed that only 54% of Australian respondents were confident their board of directors understood the system risks presented by cyber threats.


A risk management framework can help to identify areas of risk with a focus on fraud. The framework requires an analysis of the internal and external fraud risks to the business, and encompasses all aspects of the business, including physical, financial and cyber security. The Fraud and Corruption Control AS 8001:2001 is a good guide to assist in this risk assessment exercise.
Are duties a ‘one size fits all’?
Director duties are not a ‘one size fits all’. The standard of care and diligence is an objective test measured against what a reasonable director or officer would do, considering the position held, the responsibilities of the particular director or officer and the corporation’s circumstances.
There is, however, a minimum standard of care, in that HRIA members should take a ‘diligent and intelligent interest’ in the information provided to them (or that they appropriately ask for) in looking at fraud risk to the organisation and what systems and processes the organisation has in place. If an organisation has no policies dealing with areas of fraud risk, no disaster recovery plan, and no checks and balances, auditing procedures to monitor compliance or similar items commensurate with the size of the organisation, how will a director or officer satisfy themselves, any regulator or court that they can meet the minimum standard? Remember, there is no point in having compliance programs if they have no practical effect.
In terms of what an organisation should spend on systems and controls, this will depend on what is reasonable in the organisation’s circumstances and whether what they put in place reasonably addresses the risk.
Risky business
A key part of carrying out the duties that apply to directors and officers is to make risk a regular agenda item at meetings. An organisation should understand:
• what the risks are
• the impact of the risk
• the likelihood of the risk occurring
• the consequences of the risk against the likelihood (to determine the risk exposure level)
• if the risk level is acceptable
• the effectiveness of the controls the organisation has in place
• whether after implementing those controls the risk level is still within an acceptable level.
Organisational fraud risk can happen in all shapes and forms. Directors and officers should have a good understanding of the risks and ask questions that test the organisation’s exposure.
Taking action
Are you satisfied that your processes, policies, controls and compliance systems would reasonably mitigate the risks posed by organisational fraud? Members should conduct reviews regularly, especially as new risks emerge.
• If your organisation has already been subject to organisational fraud, what did the debrief following the incident reveal and how did you act on these points to improve your processes and further minimise the risk of recurrence?
• Have you recently reviewed your board and senior officer composition to ensure they are adequately informed and equipped to discharge their duties or should training be put in place?
• Do your organisation’s insurance policies include cover for organisational fraud and, if so, what are the inadequacies in your systems and conduct that may result in a claim being denied?
The information in this article is intended only to provide a summary and general overview of the matters discussed and does not constitute legal advice. Legal advice for your particular circumstances should be sought separately.
If you require assistance with your standard form contracts or would like any advice on the current UCT regime, please contact Gavin Stuart or Nicole Marcus from Bartier Perry Lawyers. www.bartier.com.au