
Insider threat - Managing people security

Published on 22 January 2020

The Fraud Ratio

It is widely accepted in fraud prevention circles that there is a fraud ratio of 10-80-10, that is: 10% of people will never commit fraud; 10% of people will always commit fraud given the opportunity; and the remaining 80% of people could go either way depending on their circumstances at any given time.

The prevention of fraud is enhanced by adopting a ‘business excellence model’ that promotes governance, ethics and leadership, whereas the detection of fraud is best viewed as a function of Cressey’s Fraud Triangle (Riney, 2018).

The fraud triangle by criminologist Donald Cressey suggests that every fraud involves three variables: incentive, rationalisation and opportunity.


People can be motivated to commit fraud for a variety of reasons. Often their motivation comes from pressure within their private life. For the 80% of people who may commit fraud, personal circumstances are a huge factor: relationship breakdowns (workplace or personal), debts, addictions, fear of losing their job and even malice can be factors which tip people over the edge to the point where they see committing fraud or some other damaging act as a reasonable option.

Public sector bodies have a duty of care to their employees. Without meddling in personal affairs, it is not unreasonable for a manager to enquire after the wellbeing of their employees or to notice and comment on a change in an employee’s circumstances. In fact, by maintaining an interest in employees’ wellbeing, it is possible that managers will notice circumstances that may cause a normally trustworthy member of staff to commit fraud.

This is not to say that everyone who experiences something negative in life is going to commit fraud, but evidence from CFS investigations supports the expert view that these pressures are often a factor in causing people to act against their employer’s interests.


People who commit fraud against their employer often do so by reasoning that they are entitled to whatever it is that they are taking. They may believe that they are not getting paid enough for their role or they have been passed over for a development opportunity or there could be any number of other beliefs (true or invented) at play. They also reason that they will not get caught; a factor worsened when organisations fail to communicate the detection of fraud and the sanction of offenders. These beliefs allow people, who may never have considered committing a crime before, to rationalise their actions and to convince themselves that they are not doing anything wrong; it is a one-off, victimless crime.


The opportunity to commit fraud against an organisation often arises where there are weak controls, a poor verification/check regime and where policies and procedures are not enforced.

By having clear policies and procedures which set out the obligations that employees have towards the organisation and by making sure that all employees are aware of and have read these policies, the organisation should be in a better position to hold people to account for their actions. Certain policies may even require the employee to sign a declaration to confirm that they have read and understood their contents. This approach reduces the opportunities for a rogue employee to claim that they were unaware of their responsibilities and may prevent some fraud by positively impacting on the rationalisation that precedes it. Leaders should identify more robust methods for carrying out tasks which pose a higher risk to the organisation.

It follows that making sure policies and procedures are enforced is just as important as having them in place. Weak internal controls allow shortcuts to creep into working practices, creating vulnerabilities which can be exploited by someone with knowledge of the systems, checks and controls. Consider reducing fraud opportunities by ensuring adequate security measures are in place to protect organisational assets: this could mean installing CCTV to cover vulnerable areas; ensuring that computer-based systems are password-protected to allow for audits to be carried out; and regularly reviewing/updating access levels to digital and physical assets.

Finally, we must also be conscious of the interest that organised crime groups may have in our organisation. It is recognised that Organised Crime Groups (OCGs) assume the guise of legitimate businesses to further their criminal means, whether to commit fraud or to hide the proceeds of crime by laundering them through genuine business bank accounts. Of even greater concern is that OCGs may try to infiltrate our organisation by colluding with existing employees or coercing them with threats of violence or blackmail.