Culture: Biggest defence or biggest weakness? Artwork

Fraud Matters

Fraud Matters is the podcast from the Fraud Advisory Panel that cuts through the complexity of fraud to help business owners, directors, and senior managers understand what they're really up against — and what to do about it.

Hosted by Guy Ruddle, each episode brings together leading legal experts, investigators, and practitioners to explore the fraud threats that affect businesses of every size. From supply chain fraud and corporate impersonation to insider threats and emerging digital risks, Fraud Matters takes you beyond the theory and into the real world, where fraud is varied, costly, and often closer to home than you'd think.

Whether you're a founder, a finance director, or a senior manager, this podcast will help you spot the warning signs, ask the right questions, and build the kind of culture and processes that make fraud harder to hide.

Prevention is always better than cure. Fraud Matters gives you the knowledge to start.

New episodes monthly. Subscribe now and never miss a conversation that could protect your business.

All Episodes

Fraud Matters

Culture: Biggest defence or biggest weakness?

May 13, 2026 • A Hack Creative and First Touch production for the Business Fraud Alliance • Season 1 • Episode 2

0:00 | 25:53

In the second episode, we’re looking at the ways in which culture can impact the risk of fraud in an organisation – for better and worse. We explore the factors that can potentially enable people to commit fraud, and the ways in which a strong company culture can encourage honesty and integrity.

Guests:

Laura Hough, Fraud Advisory Panel Trustee
Brendan Weekes, Associate Director of Forensic Services, S&W

Host: Guy Ruddle

Producer: Ed Adams

Series Lead: Mark Rowland

Episode recorded: 21 April 2026

[Teaser Audio] Brendan Weekes: The typical fraud arc—you start small, and then it grows into something big. But if you've got a good culture, you stop that small stuff.

[Teaser Audio] Laura Hough: Improving the culture of your organisation has so many other benefits. Staff morale is better. They're more hard working. They stay for longer.

Guy Ruddle: Hello and welcome to Fraud Matters, the podcast exploring what it's really like to be affected by fraud and how to make sure it doesn't happen to you and your business. I'm Guy Ruddle, and today we'll be looking at company culture and how it can be your first line of defence or your biggest weakness. We've got two people joining us who are incredibly passionate about the role of culture in combating fraud. Laura Hough is a trustee of the fraud advisory panel, a former forensic accountant and an expert in fraud prevention and ethical leadership. Laura, welcome to the studio, thanks for being here.

LH: Thank you for having me, it's great to be here.

GR: What got you into fraud? I mean prevention, rather than committing!

LH: Very good to emphasise that. So, I've always been really interested in justice and fairness, so this seemed like a natural progression of that. Once I finished university, it sounded interesting to start looking into that area.

GR: Are there any overall things, in all your time, that you would say are the key lessons about fraud?

LH: That it's all about people. We think about processes, transactions, money, but at the end of the day, the individuals are committing fraud and they have a motivation or a pressure or something like that, that makes them do it. That psychology is just really interesting.

GR: Well, that's going to play right, I think, into what we're going to be talking about for the next 25 minutes or so. Brendan Weekes is an Associate Director of Forensic Services at the accountants S&W. How long have you been working on fraud investigations, Brendan?

BW: 2010 is when I started, but I have had an interest since I started training back in South Africa.

GR: And when you're investigating fraud, I mean, this might seem a bit of a silly question, but is it ever like on TV? That's the moment when you see something and you can go all the way through from there to discover what's been going on?

BW: I wish it was the case, but in my 16 years of doing fraud investigations, there's only been one light bulb moment, one smoking gun. It's not something that you really want to find as a consultant who gets paid by the hour.

GR: So we're talking about fraud and company culture. How do they overlap?

LH: I think the company culture really can embody the environment in which a fraudster can take advantage of that or not. So if you have a culture there that's very honest, very ethical, very open, everyone raises their concerns when they come across them, then I think you're much less likely for a fraud to happen. But then if you've got an environment where nobody follows the policies, then you're obviously leaving a much bigger gap for fraud to take place.

GR: Yeah and there's a sort of legal responsibility within companies to not allow fraud to happen within them?

BW: Certainly from a company's act perspective, the directors have a duty to ensure that proper controls and procedures are in place They've got a duty to creditors, stakeholders, shareholders, and so encompassed with all of that, I think, is the responsibility that they have to make sure the company is operating as efficiently and effectively as it can. In charities there's a greater responsibility, I would argue. And then from an employee perspective, there's an implicit obligation for employees to act in good faith, and that includes acting honestly and not to undermine their employer, where they're going to have access to controls and procedures and be able to circumvent those things. So the employer is placing a lot of trust in their employee and the employee has a duty to respond to that trust that's been placed in them by not stealing £100,000 from their boss.

GR: Is it too simplistic to ask: what is culture? What constitutes the culture in an organisation? Are there good examples of culture that work all the way through an organisation that you know of?

LH: I think there are elements which you would say were key in organisations that have a positive culture. So I mentioned earlier that idea of people speaking up when they have a concern, so we don't leave it to go to the state of a whistleblowing allegation, where someone wants to leave the organisation or it's already catastrophic. Just in those everyday interactions people feel that they can speak their mind, they can challenge, they can say, "Oh, I've got this new idea. What do you think about that?" And that's all quite positive culture. Then also you have your framework of the policies and procedures there, and that people actually follow them. That they are the walk through in the organisation on a daily basis, not something that sits on a shelf that you get out every now and again—that it's actually living within the organisation. I think that's a positive culture. I don't know what you think, Brendan?

BW: I think I would maybe frame culture as the way in which people within the organisation behave and then the test of that culture is put those people under pressure and then see if their behaviour changes. We talk about tone from the top quite a bit—what are the leaders of the organisation doing? Are they acting as an example, a role model for employees and volunteers and those people who are associated with the business to behave in a good way? So if you got, dare I say, a rotten apple at the top, me as the employee will see that this sort of conduct is acceptable, and therefore I can get away with slight transgressions. And that's not the culture that we want the organisation to have. We want people acting in there in the best interests of the organisation.

GR: And I guess to a certain extent there's a difference between policy and procedure and behaviour?

BW: Policies and procedures are effectively what's written on a piece of paper, and the behaviour is how people respond to that. There are many examples that I've come across in the sort of investigation space where we have all the policies and procedures in place, but fraud still takes place, or misconduct still takes place. At the risk of going slightly on a tangent, I remember a client whose auditor said, "You need to have segregation of duty between the cash collection process and the cash banking process." That was for a hotel. And the general manager said, "Yeah, absolutely, we'll do that." And then what did they do? They collected the cash from the tills, and then they banked them. And what did the general manager also do? Stole £300,000 from the hotel over seven years. So that's an example of where you've had the right advice, the right policies and procedures, and someone in the position to ignore them just ignored them.

LH: I think, on the point about leadership and tone from the top that Brendan just mentioned, I think it's important to also reflect on localised leadership. So it's not necessarily just the CEO, CFO, that kind of C-suite leadership. It's also the local management. I've seen examples over my career where a local or regional office doesn't have really much oversight from the central HQ, and then the leader of that office is really ruling the roost there and bullying staff, harassing them, making sure they never speak up. They just do exactly as they are told by that individual, rather than following policies and procedures. I think that's often the localised culture that can have such a huge impact on whether frauds can happen or not.

GR: There are obviously lots of legal implications of getting it wrong and being the victim of fraud. But culturally, is it like a sort of death spiral?

LH: I think it can be. When a fraud happens in an organisation, it can have a massive impact on the morale of the staff who remain. They've worked really hard to see the organisation grow or the charity grow, they're really committed, and then this fraud happens and it can undermine everything that they've been doing. Maybe it gets in the press, and then reputationally, the whole organisation is damaged. Or, I've seen this quite a lot in my career, the fraud being mismanaged, hushed up, no action taken. Sorry to say this, but quite often a senior person might have been involved in a fraud, and they're promoted, almost sent off with a nice, big golden handshake to another more senior role. That contrasts often with a more junior staff member made an example of and sacked for doing a very comparatively minor misdemeanour, compared to this sort of senior person who then gets moved along just because it's easier. I think if you're the staff member and you see that it's really demotivating.

BW: My first investigation was at a charity. The financial controller was very well liked within the organisation, very popular. Bought drinks, was invited to weddings, and one tiny little mistake caught her out. The repercussions of that was quite damaging to morale. As Laura said, you've got people who are broken by the breach of trust, and you're stuck in a situation where your entire reality for the last umpteen years has been changed, because actually you realise that this person doesn't have the same values as you. So there's quite a lot of legwork that you need to do in trying to remedy that. Certainly, the fraud advisory panel's most recent charity survey references that trust is a key factor that prevents them from putting in more controls and procedures in place.

GR: It's interesting talking about charities, because one can think that it's all about big organisations, but charities tend to be a bit smaller, and lots of businesses are smaller, right? Is it particularly hard for a smaller business, or is there a size of business where it's particularly likely to be prevalent?

LH: So from my perspective, the different sizes of organisations face different risks of fraud and different sectors face different types of risk. So it's really a question of thinking about what specific risks your organisation could face from fraud, because I think it's a bit overwhelming just to say, 'think of all the possible fraud risks and do something about it'. I think really focusing on the ones that your organisation actually is vulnerable to is really helpful. I partly think there's a question about speed of growth. So if an organisation goes from being small to being big really fast, there isn't the time there to reflect on those policies and procedures and compliance teams and activities, because it's just all happened too quick. But if you take that more slowly, perhaps there's more time to build that in.

GR: Yeah, but if it's my business, I want to grow fast, right?

LH: Yeah, exactly. But probably bear in mind, when you are growing fast, what's the new risks that come on? You know, you've got a more complex supply chain, perhaps, if your organisation's bigger. So what do you need to think about when you're growing like that?

GR: And I suppose the other thing is that in businesses that are growing fast and businesses that are doing well, there's a snowball or a flywheel effect, where there's pressure to continue to be growing fast and I guess that can probably put a bit of pressure on people to perform and does that potentially lead to a problem as well?

BW: Yes, definitely. The difference between big companies and small companies, I think, both companies are still driving for the same growth, the same success rate. What is really challenging is, regardless of the size of the organisation, fraud is not at the top of the agenda. It is this growth. It is this compliance with regulations, if it's an international organisation in a tricky situation, maybe that has supply chain issues with current world events, that's their number one priority. Surviving is the number one priority. Making sure the organisation has enough cash in the bank to pay salaries is a number one priority. Then compliance professionals such as myself or investigators come along and say, "By the way, have you thought about your controls and procedures and your adherence to those controls and procedures?" "Well, actually, we got to get payroll out. Can we do that first and then maybe speak to me next week?" I don't want to name and shame companies, but...

GR: Go on! No you better not.

BW: I have been speaking to a charity from January last year about looking at their controls and procedures to comply with the economic crime and corporate Transparency Act. I've got large retailers that don't have the resources to do it.

LH: Do you think they'd find the resources if they were the victim of the fraud?

BW: Absolutely, yeah. Because that's the number one game changer, right? Once you get burned, then the entire approach to fraud changes.

GR: That's a whole road we might go down in a minute. Just a thought occurs to me, we're talking about culture, culture as a risk, but culture as defences as well against fraud. I wonder how, whether you've got examples where there is a culture of growth as a culture of, you know, wanting to perform really well, but also of responsibility. Irresponsibility and rapid growth don't have to go hand in hand, right? They could be separated, you know what I mean?

LH: I do agree with that. I don't think high growth necessarily equates to poor controls, but it's about having that in mind, isn't it? Having that risk assessment in mind when you're going to grow and building that into your culture every step of the way. I think when we think about culture, it's not just about fraud. We always have this challenge in fraud prevention work of convincing people of the importance of investing in fraud related activity, but actually improving the culture of your organisation has so many other benefits. Staff morale is better. They're more hardworking. They stay for longer. All of those kinds of things are also a consequence of having in place that positive culture.

GR: We are tending to talk about the negative side. You've dragged us, not kicking and screaming, but you've dragged us towards the more positive side. But just before we get there, if you've got into a situation where you've got this bad culture and something has happened and it's out there, how do you drag that? How do you change that? How do you pull that back? Are there mechanisms in organisations where actually you can change that culture and get to a good place?

LH: I think people are very heavily influenced by their environment. Behaviours can become normalised within an organisation because everybody's doing it. So one example that's been in the news quite a lot recently is cheating on corporate compliance tests. So people sharing answers to those internal counter fraud and AML and all those compliance trainings we have to do. Within those organisations, it feels as if that behaviour was the normal way to behave. So if you ask someone the question, "Would you ever do this?" They'd probably say "No", but then all of a sudden they find themselves doing it. So I think that kind of cultural context is really, really important. But I do also think that most people are honest, but I think we're just very influenced by our social environment. You know, we're social beings, aren't we, humans?

GR: When you talk about it being easy for people to be influenced by bad behaviour, can the reverse be true as well?

LH: I think that's absolutely true. So if the normal culture within your organisation is not to cheat on these compliance tests, or to think, "Okay, maybe the compliance tests aren't working for us, What else shall we do instead?". So this kind of curiosity within the culture where people can voice any concern, they can speak up before it gets to that seriousness of whistleblowing, they can say "This isn't working". I think that, of course, you can definitely influence that, and that is about leadership. But I think leadership at all levels, at the top and at the middle and the local leadership as well.

BW: You can certainly incentivise good behaviour as well. Your bonus structure doesn't have to be purely based on profit. You can actually say "The bonus is based on profit, but bad behaviour will deduct that, or good behaviour will advance that." So there is one way to build in good behaviour within the financial incentives, but at the same time, you could have leaders who do little quirky things. So one of my clients had a CEO founder, who was a bit of a philosopher. They brought their 12 philosophical points within the organisation. Another client had an ethical decision making framework. So 'make sure that all your decisions are within these boundaries'. So there are multiple things that you can do.

GR: Let's get on to the positive side. We'll come back to the positive side because Laura's been dragging us there to be talking about the more positives. When you get this right, what does it feel like? How does it impact the organisation?

LH: This sounds very cheesy, but I think people are happier to go to work when the environment in which they work is more positive. Their colleagues are more positive. Maybe they even feel more productive. I think it's important that people see the relevance of those policies and procedures. I've also seen examples in my career where it feels as though, say, people involved in a procurement decision committee, they don't actually really understand what their role is and why they're there. They're just sitting in a chair because someone told them to go along to the meeting and sit in a chair, and they're signing whatever documents come past. But they don't really understand and are committed to that process. So I think they probably feel happier if they understand what they're doing, rather than just feeling like they're turning up and sitting there. There's a lot to be said for really taking the time to train people on those procedures so they feel kind of empowered, I suppose, to do their jobs.

GR: And Brendan, you spend your time investigating fraud, so you see the bad side a lot, I guess. But do you see the positive side as well? Do you see some great examples of culture that are preventing fraud happening in the first place?

BW: Certainly there are examples where the attitude to protecting the organisation's almost been cult-like, "We're all doing this because we’re all part of one big family. We all want to see this success". And whilst that is scary from a cynical investigator point of view, it's quite helpful, I think, because everyone wants to be doing the right thing or be seen to be doing the right thing.

GR: That's a great thing, though, being seen to do the right thing, and doing the right thing is very small. One sort of leads to the other, doesn't it?

BW: Yeah and there's a large case of faking it until you're making it. And the example would be that if you're trying to secure a sale, it's very easy to take the person who's making the decision on the other side for a nice fancy dinner, maybe slip them something in a gift voucher or some sort. But you kind of realise, "Well, if I do this, then maybe there's some consequences for doing that, and I really want to land this sale, but I know that's not the right thing to do. All right, fine. I'll obey the rules this time". And then the next time it becomes easier to obey the rules—you're trying to build a habit of compliance and good decision making.

LH: This is going to take us slightly back to the negative again, but I do think it's important that people see the consequences of their actions. There's some really good informational videos out there, I think, made by one of the law enforcement agencies that really go through, you know, someone thought, "No one will notice if I just give someone a brown envelope full of cash for this particular contract". But then someone did find out, and the consequence on their life is absolutely enormous. So I think the visibility of those sanctions is also really important within the organisation, so that people see that something is done, it's not just swept under the carpet or it is difficult to deal with. I've worked in internal investigation teams, and nobody likes you very much sometimes, but it's important that there's action taken, and that senior management are behind that action.

GR: That kind of leads on to the whole thing about whistleblowing. If we assume that we're in an organisation which basically has a decent culture, and it basically isn't a fraudulent organisation, but something is going on—does somebody always know? Somebody innocent always know? Is there always someone who probably doesn't want to say anything, or is it ever completely hidden?

BW: That's a very challenging question...

LH: It is a very tricky question.

BW: I think there are examples of people wanting to believe that others are good. Let's go back to the hotel example. The general manager walked in on a Saturday afternoon. He wasn't supposed to be working on a Saturday afternoon, he would walk up to the bar, have a chat with the barman, take out money from the till, in full visibility of everyone. Then would walk over to the front desk, do some false accounting on the front desk to hide the fact that he just stole some money. So everyone knew.

GR: But no one said anything.

BW: No one said anything.

LH: I think people don't always know what they're looking for. Quite often, people who commit fraud are very good at social engineering. They are very good at persuading others to do things for them. So people don't always recognise it.

GR: See that's the point. I think what I'm trying to get at is that it's probably quite easy to be in a situation where somebody does know there's frauds going on for a very long time, but they just don't just don't want to... they're not certain, they don't want to say something just in case or whatever.

LH: I think that's definitely true, and that's why my experience is very important to have sort of a visible face of whoever the whistleblowing happens to, so that they're a real person. You can just have a chat with them, have a coffee with them so you feel comfortable just saying to them, "Oh, this thing's a bit strange. What do you think about that?" So that's one thing I think is important. Also, back to your question about people knowing. I think quite often people should have known, had they been doing their job properly. They weren't actually checking those credit card receipts, they weren't following the sign off processes. So had they been doing that, they would have seen something.

BW: It may be slightly unfair to place that expectation on companies. If you think about the British Transport Police, they've got that whole thing: "See it, say it, sorted". We hear that all the time on British Transport. We know what to look for, because it's been drummed into us. If there's a bag that's been left unattended, see it. Say it. Sort it. We don't have that level of awareness raising within organisations. We've got a manager coming in, he's the boss, he can do what he likes. I'm not going to question it.

LH: I think there's a question, isn't there, in people's minds of: is it worth it? If the consequences for you are going to be worse than the consequences for the situation you're talking about. I think that's where the culture piece is so important that these things are positive and are embraced rather than being, "So and so made a whistleblowing complaint. They're never going to work again now. We'll fire them" and whatever else.

GR: Also in a smaller organisation if you do that, not just for yourself, but you are rocking the boat in a smaller organisation. There must be a resistance to doing that, a fear of upsetting everybody and upsetting the whole apple cart.

BW: And there's a self interest point too, isn't there? If you think in a small organisation, probably everybody's going to know it was you? You know, if there's only five of you, and they're going to think, "Well, who could even have seen that document?", they'll quite quickly realise it's you. So that's why these kinds of processes are really important to protect whistleblowers. And so whether that's in the charity context, going to the board of trustees or you're going to the audit committee in an organisation, there's got to be some channel that would protect you from that, I think.

GR: So look, we started this whole conversation talking about culture being either your first line of defence or your biggest weakness. Overall, what are the best examples that you can think of, of it being your first line of defence? The greatest examples you know of companies that have got this absolutely right?

LH: One example that might sound slightly counterintuitive is I've worked in an organisation before which had very few reports of fraud made internally, and then that went really up exponentially because people became comfortable with reporting. They did feel free to speak up. They felt that they could come to us and tell us what they thought was happening, and I actually think that's a really good news story that often gets missed. That increase in reporting is actually a positive thing. As people are recognising the frauds are there, they know the signs potentially more clearly, and they feel more comfortable. So I think those are often very positive.

BW: It's that transparency thing. The more open you are with your organisation, the more the organisation can see that you're actually taking action, and if they can see that you've taken the right action, then they know they have a vested interest in doing something about the issue that they can see. Or there's a bit of misconduct, let's raise it in case it leads to something bigger. I think we haven't really spoken about the typical fraud arc. You start small and then it grows into something big. If you've got a good culture, you kind of stop that small stuff.

GR: And it never gets to the big stuff?

LH: You can intervene in a timely manner. I think that's the thing, isn't it?

GR: And I think that's pretty much the perfect place to end this conversation, because that's the positive—good culture can stop it happening in the first place. Thank you both very much for being here and explaining all that to us, and thank you for listening to this episode of Fraud Matters. Next month, we'll be looking at governance. If you've enjoyed the podcast, be sure to subscribe on your favourite app so you never miss any of our future episodes, and please leave us a rating or review to help us build a bigger audience. For more information about the frauds discussed in this podcast and how to deal with them, The Business Fraud Alliance has a stack of resources, so be sure to visit BusinessFraudAlliance.com and links to some of those resources will be in the show notes. Thank you again, you two for being here. Thank you very much for listening and see you next time.