Inside every business there is another hidden business with its own operatives, processes and clients. Alongside every public service there is a parallel operation providing benefits to an unauthorised set of recipients. And shadowing almost every other form of economic activity, from the smallest corner shop to the greatest multinational enterprise, there's another phantom activity at work. This parallel, shadowy activity is fraud.

The full extent of fraud is, by its very nature, unknown. The reason for this is that a big proportion of fraud in organisations - 85 per cent, according to Ernst & Young - is perpetrated by employees. Clearly, employee fraud varies in scale from “doing a Nick Leeson” to small expense-claim fiddles, where the cost disappears in the roundings. But between these extremes, there's a category of significant fraud that can often be detected and prevented using a technique known as profiling.

This is a risk-based, proactive way to spot both the people and the processes that are susceptible to fraud. Its purpose is to provide a clear idea of where the greatest risks lie in the organisation and to identify individuals who operate these vulnerable processes. In assessing the extent of risk, it's usual to adopt a matrix approach by separately assessing the probability of a fraud and the impact on the organisation were it to occur. In the absence of reliable statistics on the past incidence in the organisation, the probability estimate is likely to be qualitative, based on the management's judgement, and assessed simply as low, medium or high. The potential impact may be easier to assess quantitatively, although it's important not to focus too much on the numbers and thereby forget the wider issues, including the impact on the organisation's reputation and morale.

Profiling people means identifying employees, current and potential, who might be tempted to commit fraud. This process should occur at three stages: before recruitment; when someone assumes a key position of trust; and when their behaviour or circumstances change.

Pre-employment checks are, unfortunately, often neglected. References should always be pursued. Past employers are often reluctant to give written references containing explicit or even implicit criticisms of former employees, but it's sometimes possible to detect hidden clues in what they've written. Where there is doubt, it's usually wise to follow up with a phone call, since referees may be willing to say, off the record, something that they won't put into writing. CVs and qualifications should also be checked. Excessive gaps between jobs and unusual career moves - from a senior role to a more junior-sounding position, for example - should be challenged. Professional bodies and universities will normally respond quickly to queries about their members and graduates.

Some potential fraudsters will join an organisation in a job where they don't immediately have a chance to do damage, but may later enter a higher-risk role. Unless an organisation ensures that all staff who enter such positions of trust are included in the profiling process - this can be a way for white-collar criminals to undermine an organisation's defences. It's quite common for long-serving employees who joined at a much junior level to commit fraud.

Motive and opportunity must coincide for someone to do the crime. The third stage of profiling people is concerned with identifying those changes, either in the way someone behaves or in his or her personal circumstances, that might lead an otherwise honest person to commit fraud. Profiling should seek to identify a number of variations - the most obvious being a sudden change in lifestyle. Clever fraudsters who are regularly embezzling small sums may have the self-control to conceal this from their colleagues, but many do not. It's amazing how often people are able to flaunt inexplicable improvements in their lifestyles - bigger houses, flashier cars, expensive holidays or private schooling for their children - without anyone seeming to wonder how this has come about. A well established profiling system requires supervisors to be aware of the personal circumstances of their subordinates and alert to a sudden change, including a deterioration in fortunes. This might be created by divorce, the bankruptcy of a spouse or unexpected financial drains caused by the illness of a family member.

This is not to suggest that you should pry into the personal affairs of your staff, but a thorough and sympathetic understanding of subordinates' overall circumstances is part of the job of an effective manager - and not only for fraud detection purposes. It is merely good management practice to know enough about your people to be able to put their behaviour at work into context.

Profiling people is, therefore, no more than good management. Its distinguishing feature is that it is a proactive process that focuses on those individuals who could do the organisation harm. It must be conducted sensitively to avoid the suggestion that everyone is constantly under suspicion, which is why it needs to be risk-based. But it can have positive effects: in the same way that members of the security forces who hold the highest levels of security clearance are proud that they have been tested and found to be reliable, it's possible to deliver the same sense of pride in those who are known to have passed a rigorous profiling process.

The part of profiling that many organisations neglect is systematic identification of high-risk activities. The jobs where large amounts of cash or easily realisable assets are handled will be obvious, but many firms don't pay enough attention to other areas that may become high-risk owing to changes in the way the business is conducted or where only a few people really know what is happening. Activities such as the operation of financial derivatives, the management of intellectual property and the negotiation of M & A transactions all come to mind. It's important that the profiling of jobs is not a one-off activity. It should become a regular part of risk management and be kept under constant review.

Much of the benefit of profiling is delivered by making the whole organisation aware that the process is in place. This is as much for the protection of the innocent as it is for the detection and prosecution of the guilty. Handled properly, profiling can promote the feeling in an organisation that fraud will not be tolerated, that the guilty will quickly be identified - and that the integrity of the innocent will be recognized.

---

Mike Brooks is a business writer who delivers courses on fraud and internal audit for Kingdom Management. This article is contributed by CIMA (The Chartered Institute of Management Accountants) and it first appeared in Financial Management, CIMA's monthly magazine for its members.