Principle 2: Know your risks - ECCTA countdown to compliance


Introduction: Preparing for the deadline

Organisations have until 01 September 2025 to ensure reasonable procedures are in place to demonstrate compliance with ECCTA.

The fraud prevention framework put in place by relevant organisations should be informed by the following six guiding principles:

  1. Top level commitment
  2. Risk assessment
  3. Proportionate risk-based prevention procedures
  4. Due diligence
  5. Communication (including training)
  6. Monitoring and review

The principles are intended to be flexible and outcome-focussed, allowing for the huge variety of circumstances that relevant bodies find themselves in.

To assist with preparations and as part of our commitment to clients and organisations, we will be delving into the Government’s guidance on each of the six guiding principles in the lead up to the September deadline. Here we turn to principle two, risk assessment.

Understanding Principle Two: Risk Assessment

2.0 Risk assessment

Organisations should assess the nature and extent of their exposure to the risk of employees, agents and other associated persons committing fraud in scope of the offence. The risk assessment should be dynamic, documented and kept under regular review.

Relevant organisations may already undertake a range of risk assessments relating to fraud and other economic crime. In this case, organisations may find it most effective to extend their existing risk assessments to include the risk of frauds in scope of this offence (UK Corporate Governance Code; Public sector organisations – ECCTA Guidance, GOV.UK).

Since the definition of an associated person is wide, organisations may wish to start by identifying typologies of associated persons. For example: agents, contractors providing a particular service for or on behalf of the organisation, or staff in specific sensitive roles. Reasonable procedures should also cover potential supply chain issues.

Using these typologies, nominated risk owners in the organisation may then consider a wide range of circumstances under which associated persons could attempt a fraud in scope of the offence (Fraud as set out – ECCTA Guidance, GOV.UK). Different associated persons may present different fraud risks. For example, fraud by false representation can be committed by a range of associated persons, while frauds by failure to disclose information, false accounting or abuse of position are more likely to be committed by those in certain roles.

It is not possible to anticipate all potential fraud risks. We suggest that the nominated risk owners develop typologies of risks by considering the three elements of the fraud triangle:

  • opportunity
  • motive
  • rationalisation

The Fraud Triangle: Mapping Out Risks

Opportunity

  • weak controls
  • inadequate oversight

Motivation

  • financial stress
  • meeting targets

Rationalisation

  • no harm
  • resentment

In developing these typologies, nominated risk owners should consider the territorial scope described in Sec 2.5 of the Act (Territoriality scope – ECCTA Guidance, GOV.UK).

Identifying Specific Risks

2.1 Opportunity

Nominated risk owners may wish to consider the following questions:

  • do the associated persons have the opportunity to commit fraud?
  • which departments or roles potentially have the greatest opportunity to commit fraud in scope of the offence, for example finance, procurement, investor sales, marketing?
  • are there risks associated with taking on agents or contractors who provide services for or on behalf of the organisation? Or are existing contractors and agents exposed to new situations which could increase risk?
  • do some associated persons operate with minimal oversight?
  • how likely is detection of any fraud?
  • does churn of staff increase the opportunities for fraud (for example, cutting corners while the organisation has vacancies in key roles)?
  • do emerging technologies (such as AI) open new opportunities for fraud?
  • could changes in regulation affect the opportunity for fraud?
  • has a previous internal examination or audit highlighted any risk factors for fraud that need to be addressed?
  • have any existing fraud prevention procedures been weakened or neglected?

2.2 Motive

Nominated risk owners may wish to consider the following questions:

  • does the reward and recognition system (including commissions or bonuses) incentivise fraud?
  • are there particular financial or operating pressures on the company, for example by way of financial targets or results, an upcoming merger, contract, flotation or other capital raising, loan, permit or licence, grant (e.g. sustainability), or financial reporting dates?
  • do time pressures encourage staff to cut corners, potentially fraudulently?
  • does the corporate culture (including sanctions and penalties) disincentivise whistleblowing when fraud is discovered?

2.3 Rationalisation

Nominated risk owners may wish to consider the following questions:

  • is the organisation’s culture quietly tolerant of fraud, particularly fraud that might be perceived as securing contracts or jobs for the organisation?
  • is fraud prevalent in this business sector?
  • is it difficult for staff to speak up if they have concerns? Do they face adverse consequences?

Where to Look: Sourcing Risk Information

2.4 Sources of information about potential risks

Sources of information about potential risks include:

  • data analytics
  • previous audits (which may have flagged potential fraud risks)
  • sector specific information, best practice advice or toolkits from relevant professional or trade bodies or regulators (Professional & Trade Bodies – ECCTA Guidance, GOV.UK)
  • regulator enforcement actions (for example, FCA enforcement actions in the financial services sector)

Over time, there may be prosecutions and/or, in England and Wales, deferred prosecution arrangements (DPAs) related to the offence (Deferred Prosecutions – ECCTA Guidance, GOV.UK). Since these are in the public domain, they may be useful to other businesses in the sector when conducting risk assessments.

The Role of Emergencies and Classifications

2.5 Emergency scenarios

Fraud risks may increase during emergencies. By emergencies, the Act refers to events that pose a risk of widespread loss of life or damage to property, or significant financial instability, and that require ameliorating action by the authorities. Failing to undertake any risk assessment for emergencies may mean that the organisation is not considered to have ‘reasonable fraud prevention measures’ in place.

For this reason, organisations may choose to include a risk assessment for relevant potential emergency scenarios, while recognising that it is not possible to foresee every emergency.

2.6 Classification of risks

The initial risk assessment refers to the ‘inherent’ risks (those risks that exist before any additional fraud prevention measures are put in place).

It may be helpful to classify each inherent risk by its likelihood and impact, and to provide a description of why that classification has been chosen. Public sector organisations in scope should follow the relevant risk classification procedures published by the Public Sector Fraud Authority and the government counter-fraud profession (Government Counter Fraud Profession Standards and Guidance – ECCTA Guidance, GOV.UK) or relevant public sector counter-fraud authority (Relevant public sector counter-fraud authority – ECCTA Guidance, GOV.UK).

Ongoing Vigilance

2.7 Review

The risk assessment should be kept under review. The frequency of review is a matter for the relevant organisation, but risk assessments are typically conducted at consistent intervals of once every two years. Organisations should also consider whether external factors should trigger an earlier or partial review. As part of the review, the risk typologies may be amended as experience is gained and investigations arise.

If the risk assessment has not been reviewed, a court may determine that it was not fit for purpose and therefore that ‘reasonable procedures’ were not in place at the time of the fraud.

Speak to an expert

Should you have any queries regarding this or any future publications, please do not hesitate to contact any of the below via email at ECCTA@weightmans.com


Written by:

Mike Brown

Head of Fraud

Mike is a collaborative, decisive and innovative fraud and financial crimes expert with an extensive background in intelligence, investigations, risk and compliance, having worked in law enforcement and the regulatory and financial sectors.
