Managing fraud risk in five steps

Fraud is a very real risk but something that tends not to be discussed enough in charities despite figures showing it’s on the rise.

According to Action Fraud, there was a 44% increase in the value of frauds between January and November 2022 compared with the same period last year [1].

Also, a survey found that almost six in ten charities believe the risk of fraud will increase in 2023, with misappropriation of funds by staff now posing the biggest threat [2].

Charities identified the economic downturn and the cost-of-living crisis as potential catalysts, while 40% of respondents felt that hybrid working had increased their fraud risks.

Charity fraud is an important issue for charities to address, not only because of the financial loss but because of the potential reputational damage which could affect future income, as well as the charity’s ability to recruit and retain staff.

Several factors in the current working climate could have contributed to the rise in fraud. There has been a growing reliance on technology, more people are working remotely, and cost cutting in organisations has meant workforces are more streamlined and there is less time to oversee people and processes.

There is also the cost-of-living crisis, which staff and volunteers will be experiencing in varying degrees. It’s therefore vital that charities focus on identifying their weaknesses and risks and putting measures in place to help prevent fraud.

Below are five steps to managing fraud risks:

1. Accept fraud exists.

Fraud is a real risk both externally and internally, so charities need to accept this. It could be the dominant CEO, the trusted finance manager or someone on the board of trustees. It could be a volunteer in a retail shop, or the office temp. Fraud is conducted by people so it could be anyone inside or outside the organisation.

Cybercrime through phishing emails and ransomware is an area of growing concern too. Last year it was reported that one in eight charities had been affected by cybercrime in the past 12 months [3]. Also, people using a charity’s name to fundraise is something organisations need to be aware of and monitor.

2. Understand vulnerable areas.

When thinking about fraud risk, charities should take a step back and think through where the opportunities are for fraudsters to commit fraud. These will be different for each charity, but the common areas where fraud occurs are:

  • Payroll and expenses
  • Payment and procurement processes
  • Fundraising activities
  • Grant making
  • Cyber risks

It’s the duty of management teams to identify weak spots and to regularly assess these.

3. Build awareness and the right culture.

Build awareness of where fraud could happen and develop a culture where people are willing to challenge non-compliance. Openly discussing the risks and developing genuine accountability, which is part of good governance, is essential.

The senior management team and trustees should always lead by example and ensure they adhere to policies. Charities also need to encourage the management team to test policies and try to go outside of the guidelines to see if staff reject requests that do not follow due process.

Some charities don’t have fraud, bribery, and corruption policies, but it’s important to create these, ensure they are aligned with other procedures, and make them transparent across the organisation. Also, having a culture that regularly communicates fraud risks, such as reminding staff not to click on phishing emails, can help prevent fraud.

Finally, whistleblowing is a common route for becoming aware of fraud but charities need to consider where whistleblowing reports go and who is responsible for what happens if someone highlights a potential fraud. It’s important that staff and volunteers see that action will be taken if they do report something, otherwise it can feel like a waste of time or that the organisation doesn’t care.

4. Review and assess your controls.

As working practices have changed with more people working at home, it is a good time to review what controls are in place and check they are still fit for purpose.

This may feel like just one more thing that charities don’t have time to do as they are already stretched, but it’s really important to be proactive in this area. For charities that haven’t considered fraud as a high priority risk area, now is the time to re-evaluate this.

Thinking about how the organisation would respond to an allegation of fraud and having a fraud response plan is vital too. This should include how the charity decides if they have the skills and capacity to investigate internally and whether those with the right skills are suitably independent.

5. Report and take action.

If fraud does occur, it should be reported to the appropriate organisation, which may be the police, Action Fraud, or the Charity Commission. It’s also essential to think about whether insurers, donors or auditors need to know, and to brief spokespeople if it’s expected to be picked up by the media.

To conclude

Most frauds are identified by having good internal controls, so making sure these are robust and fit for purpose is the first arm of defence. Whistleblowing is the next way fraud is uncovered, but charities must make sure they have a process for collating and dealing with these allegations.

Taking time to understand the organisation’s vulnerabilities, and having policies and response plans in place that are transparent and communicated across the organisation, will help safeguard the charity, as far as possible, from fraud.

We recently ran a webinar on fraud which offers tips for managing fraud and outlines the ‘fraud triangle’ – a model that predicts the conditions that lead people or companies to commit fraud. To request a recording of this informative session, click here.

[1] https://www.civilsociety.co.uk/news/charity-fraud-losses-up-44-in-2022-data-shows.html
[2] https://fundraising.co.uk/2022/12/15/almost-6-in-10-charities-expect-fraud-to-rise-in-2023/
[3] https://fundraising.co.uk/2022/10/17/1-in-8-charities-affected-by-cyber-crime-in-past-12-months/