Safeguarding your business through risk mitigation

Business risk specialist Darren Hickman of ComplianceAssist gives advice on how to keep your business financially secure.

There is no doubt that running a business comes with a level of risk. The best ideas might start as a small venture but as clients and revenue grow so normally do the risks. The company now has enough money to make it interesting to criminals, regulators will pay closer attention and should something go wrong it may be newsworthy.

Watching the pennies

Financial control is the foundation of your business, so before looking any further you will need to make sure this is strong. Lack of control provides opportunity and faced with opportunity some people will take advantage, even people with no previous history. The main rule is to ensure everything is double checked so one person is unable to take money from your business on their own. This shouldn’t matter who they are or how long you have known them.

Here are a few tips:

  • Validate invoices before payment, checking you have actually received the goods or services. If an invoice is bogus, has been manipulated or you are just being overcharged will this be picked up?
  • Ensure you have dual release of payments set-up. I hear of companies where one person checks invoices and pays them. Then they wonder what went wrong when they finally notice thousands of pounds have been syphoned off. Always ensure two people are needed to get money paid out.
  • Double check you are paying the right people. Calling a supplier and validating their bank details is a simple process and should be followed especially after you receive a letter asking you to change where a payment is made. This is not only for small companies. The Olympic Delivery Committee received a letter allegedly from a supplier to change their bank details and an invoice for a very large amount ended up in a criminal’s account.

Ensuring your technology doesn’t leak

High on the agenda of any company should be the IT infrastructure that you have in place. The majority of businesses will be storing information electronically and loss of IT can bring you to a standstill. If this loss includes sensitive data it can destroy your reputation. Getting this right will ensure your business runs smoothly, costs are under control and the risks of fines and reputational damage from data loss are managed.

Obviously, the extent of your IT infrastructure and amount of investment will depend very much on the nature and requirements of your business. At a basic level the cost might equate to a few thousand pounds, although for larger organisations with more complex IT needs you are probably looking at tens of thousands if not more.

Basic steps should always be taken to ensure all information is stored in an encrypted form. There are many products available, some even for free, so there is no excuse. If you need to send data via email it is simple to encrypt a .zip file. One tip though, don’t send the password in the same email. I have seen this too many times and always wondered why bother encrypting in the first place.

For lots of systems companies are now turning to the cloud in large numbers and this is for a good reason. Like all companies, cloud-based providers are only as good as their last mistake so are going to great lengths to ensure there aren’t any mistakes. The onus to keep technologies up to date, maintained and evolved becomes the service providers issue rather than your own. They must provide a service that is secure, up to date, has a high availability and fully managed.

Yet how risky are cloud-based services and is it really safe to have your data held anywhere apart from within your own walls? In general it is safe, probably even safer. Carrying out a little ground work doesn’t go to waste though. Firstly, read the terms and conditions. Remember that a lot of the protection consumers receive, such as distance selling rules, don’t apply when it comes to business to business purchases. These are sometimes long and look designed to make sure you won’t read them, but do and ensure you are getting what you need. Find out the steps taken to keep your data safe and where it is physically.

Knowing your employee

At some point all businesses need to take on employees. Be this as the business expands or the replacement of staff who have decided to move on.  Employees are fundamental to any business and they can have a big impact. The right employee can be a shining light, helping the company to grow and building your reputation. However, this can easily go the other way.  Employees have access to your internal workings.  If the wrong person is let in and they are given the opportunity they can damage the business and with the right access, exploit weaknesses.

A structured staff vetting process should be in place from day one. Get this ready and then when the time to hire comes and you are busy with other things it won’t create too much of a delay. Make sure the vetting is proportionate to the role. Where access to money is involved you may wish to add in criminal record checks and more in depth background checks. But as a minimum ensure the person is who they say they are. Check their identity, right to work and validate those references.

If you are a business handling sensitive client information also consider the additional risks. If your employee was to download this data the damage could be costly.

Once they are part of your business keep your staff happy. The majority of criminal acts carried out by employees are when they are unhappy, they feel undervalued or that the company owes them. They will then justify an act they may have never considered as it is only something they are due.

Knowing your customer

For many businesses, bad debt, or untrustworthy customers are another areas where money can seep out of your business and one where a risk assessment needs to be undertaken. Making sure you know your customers and that they haven’t been involved in any criminal activity or had restrictions placed on them before you do business with them is prudent. For some businesses this is a legal requirement, for some it is a good practice, however for all making sure your customers are who they claim they are can be essential for the future of your business.

Knowing where clients operate is another reason for understanding their business, especially if you are exporting. In March 2014, a businessman was sentenced to two and a half years for exporting £3 million worth of valves to Iran.

One such way to do this is by undertaking some screening. There are services that can run identity verification checks on individuals and companies, as well as highlighting any who might have political links, negative reports in the media and those who are subject to financial sanctions. If exporting, remember to check against control orders issued by the government.

Monitoring of your clients should be an ongoing process. Companies are aware of the risks that come with new customers and only provide a small or restricted line of credit until the clients has proven themselves. However, criminals are adapting to this and willing to play a longer term game. They will set up a business to use your services, over time make purchase and even make sure they pay on time. This enables them to secure a good line of credit until the time is right. This is when the big order comes in, you think you have won it through providing a good service, but as soon as they have the goods they are gone. Ensure you are keeping your view of the client up to date.

Know your supplier

This covers a wide range, from your accountant to IT support, unreliable providers can provide a weak link in your business, opening you up to more opportunists and damaging your financial stability and reputation. As an extension of your business knowing the companies in your supply chain is of great importance. Unethical business practises, bribes or criminal activity will reflect on your business.

Where access to your finances is being provided ensure you retain the ultimate control. Yes, provide your accountant or book keeper with banking access to view your accounts but never provide free reign to make payments. Remember the dual release, it may never happen, but no matter how much you trust them, just don’t create the opportunity.

If it is your IT they will have access to there are further steps to take to ensure your technology doesn’t leak. Should they have access to sensitive data don’t be scared to impose controls on them.

Ensure you know:

  • Who is accessing your data?
  • How do they protect your data?
  • How well do they know their staff?
  • Are their offices and systems secure?

And finally, don’t be afraid to audit your supplier. It is one thing saying they do something, but it is another to do it, so make sure they are.

At the end of the day it is your business, if something goes wrong it will be your problem to deal with. You can try to pass the blame on to the person that caused the problem, but that will mean little if you haven’t taken any steps to prevent it in the first place.

Further reading on security

Leave a comment