All sectors face the risk of fraud, bribery and corruption, however with challenges such as high turnover of staff, cash-heavy transactions and the ‘customer is always right’ ethos, it leaves the hotels industry particularly vulnerable. Fraud is a form of dishonesty, involving either making a false representation, failing to disclose information or an abuse of position, undertaken in order to make a gain or cause loss to another; bribery is the giving, offering, or promising of something (not always cash) in order to make someone carry out their duties improperly.
Losses (combined detected and undetected) are estimated at between 3% and 8% of turnover; in addition, reputations are at stake. The variety and varying scale of the risks makes detection and investigation difficult, therefore the old adage ‘prevention is better than cure’ applies here more than ever; it is estimated that one pound spent on prevention can save you seven in the long run in terms of losses and costs of investigation. It is therefore essential to ensure you create and embed a strong anti-fraud/ bribery/ corruption response to deter, prevent, detect and investigate.
Often, the focus on prevention and detection is targeted at the threats presented by guests through stolen credit cards and theft; unfortunately, many of the risks lie closer to home with staff, contractors and suppliers.
Why it happens
The main components (pressure, opportunity and rationalisation) of the traditional ‘Fraud Triangle’ as designed by Donald Cressey still stand. Pressures (personal or organisational) drive fraud, as can job dissatisfaction, a poor tone from the top and because the reward often outweighs the risk. The landscape is being complicated by other factors such as challenge, malice and capability as the world of cyber evolves. Increasingly, attacks are being made to disrupt and gain hacking ‘bragging rights’, therefore the focus has to be on not just financial data, but all angles. One area under increasing attack is loyalty schemes: 92% of UK adults belong to one or more loyalty schemes (worth around £5.7bn) and it is easy to convert these into cash yet, all too often, these are overlooked from a security point of view.
The variety of risks is a challenge and we have seen frauds ranging from a ferry operator losing £4million as a result of the poor operation of their bars and restaurants, through to leavers not being removed from the payroll (resulting in a £42,000 loss at a leisure centre), plus the usual suspects of point-of-sale voids, refunds, etc. Another common threat is the bank mandate fraud, a scam whereby a fraudster rings the hotel pretending to be a supplier and changes the bank account details. Sounds too easy? Latest figures show $21bn worldwide was lost last year across the globe, with many attacks having succeeded in the UK.
The following are a few examples of the types of activity by staff that should be regarded as fraud/bribery:
• using false identity documents to secure employment;
• lying on or inflating a cv/credentials/application forms;
• over-claiming of hours worked and/or expenses;
• staff ‘turning a blind eye’, or abusing their position for some kind of advantage;
• theft/ misuse of assets, including cash, data, stock and vehicles;
• manipulation or misreporting of financial information;
• staff working for another employer whilst claiming to be sick;
• failing to report a Conflict of Interest.
Contractors and supplier risks
Suppliers and contractors might:
over-charge/under-provide for services;
• inflate their credentials/capacity in order to win work;
• fail to report a conflict of interest;
• misuse assets;
• operate in a cartel to fix-prices.
Each of the above risks should have proportionate controls that are operated to the depth and frequency necessary to provide assurance.
Controls should be both preventative and detective and include:
• segregation of duties;
• supporting documentation;
• proper authorisation;
• physical control over assets;
• analysing variances, outliers, anomalies, etc;
• inventories/ stock checks;
• whistleblowing and complaints.
• When did you last undertake a fraud and/ or bribery risk assessment (strategic and/ or operational)?
• Do you have the expertise to respond to and undertake investigations (criminal, civil, disciplinary, regulatory), or do you require training or external support?
• Is your counter-fraud/ bribery strategy properly designed, up-to-date, and working? And how often are your key policies and controls evaluated for relevance and effectiveness?
• Would your staff know what to look for and how to respond to suspicions of fraud, and how effective are your whistleblowing arrangements?
• Have you undergone (or are planning) any major changes in personnel, structures and/ or systems? If so, have the fraud risks/ controls been re-visited/ considered?
• What is your anti-fraud/ bribery culture and what is the quality of the fraud awareness training (if it is) provided to your staff?
• How effective are your pre-employment vetting and due diligence processes?
• Is your IT security and capability fit for purpose?
Please get in touch with John Baker if you would like any help or advice.