Fraud Matters
Fraud Matters is the podcast from the Fraud Advisory Panel that cuts through the complexity of fraud to help business owners, directors, and senior managers understand what they're really up against — and what to do about it.
Hosted by Guy Ruddle, each episode brings together leading legal experts, investigators, and practitioners to explore the fraud threats that affect businesses of every size. From supply chain fraud and corporate impersonation to insider threats and emerging digital risks, Fraud Matters takes you beyond the theory and into the real world, where fraud is varied, costly, and often closer to home than you'd think.
Whether you're a founder, a finance director, or a senior manager, this podcast will help you spot the warning signs, ask the right questions, and build the kind of culture and processes that make fraud harder to hide.
Prevention is always better than cure. Fraud Matters gives you the knowledge to start.
New episodes monthly. Subscribe now and never miss a conversation that could protect your business.
Ditch the Tickbox: How to make governance work
Governance is one of your most powerful defences against fraud, yet too many people treat it as a box to tick once a year. In this episode we ask the real question: how do you get people at every level of a business to actually care about it?
With our guests we explore why generic frameworks fail to change behaviour, how to make training role-specific and continuous, and the benefits of a culture where people feel confident to flag concerns. We also look at how good governance can become a genuine commercial advantage, rather than an obstacle to growth.
Guests:
- Rachael Johnson, Head of Risk and Corporate Governance, ACCA
- Nikki Bowker, Partner and Head of Litigation and Dispute Resolution, Devonshires
Host: Guy Ruddle
Producer: Ed Adams
Series Lead: Mark Rowland
Episode recorded: 19 May 2026
A Hack Creative and First Touch production for the Business Fraud Alliance
[Teaser audio] Nikki Bowker: I would encourage organisations and businesses to see it as a commercial opportunity and talk about that as a positive aspect of your business.
[Teaser audio] Rachael Johnson: Just instilling that mutuality, that interest, the KPIs, that we're all in this together, and to be able to build a culture where you can raise concerns.
Guy Ruddle: Hello, and welcome to another episode of Fraud Matters, the podcast exploring what it's really like to be affected by fraud, and how to make sure it doesn't happen to you and your business. I'm Guy Ruddle and today we're talking about something that people find hard to get excited about, but is actually a critical element in fraud defense. So the question we're asking today is, how do you get people to care about good governance? Joining me to talk about this are two experts in corporate governance. Nikki Bowker is a partner and Head of the Litigation and Dispute Resolution team at Devonshires. She specialises in complex commercial litigation, including advising boards and the C-suite. Welcome to the podcast, Nikki.
NB: Hi, Guy.
GR: What got you into litigation?
NB: I just always loved arguing, I think is what my dad would always have said about it. But I just always knew the law was for me.
GR: Well, that sounds like it bodes well for the next fifteen, twenty minutes or so. Does a lot of your work involve fraud?
NB: It does, yeah. That's a significant proportion of what we do, both on a criminal and a civil side as a firm.
GR: Great stuff. Rachael Johnson is head of risk and corporate governance at ACCA. Welcome, Rachael.
RJ: Thanks for having me.
GR: What got you into corporate governance then?
RJ: Well, I've always been, in my long career, interested in how we bridge risk and accounting, and I think where that intersects with corporate integrity is where my sort of interest in governance lies.
GR: What do you think is the biggest misconception about governance that you find frustrating? Do people always say, "Oh it's boring," and it just isn't?
RJ: I think that it really sits in today's fast-moving world, we find that it just sits in policy statements and just creates these silos rather than it being lived and operationalised.
GR: Well, maybe we can delve into that in the next half an hour or so. I expect that most people who are listening probably have a decent understanding of the idea of corporate governance and what good corporate governance looks like. But how does it particularly relate to fraud, do you think, Rachael?
RJ: Yes. We've been finding that fraud has just been this most pervasive, silent killer, and really uncomfortable truth in conversation, that boards and even down the ladder that people are afraid to talk about. And it really has proven to be a real test of governance.
GR: Your organisation, the ACCA, did a big piece of research, didn't you, last year about this very topic?
RJ: We did. It's called Combating Fraud and the Perfect Storm, and you can probably picture that in your head, given AI, the economic crisis, the geopolitical conflicts, this polycrisis norm, and why it's just advancing so fast to become such an existential risk that people really weren't really prepared for.
GR: Were there any standout findings that took you by surprise or made you sit up and think?
RJ: Definitely. So we knew that this was something we needed to lead on because they're often labeled as accounting scandals, but we knew we shouldn't do it alone. Really, for the first time in fraud literature, we pulled together seven professional bodies. So how do we collaborate? We invited them to participate in the survey, so there wasn't anything out there that looked at the different perceptions of fraud across functions and professions. To answer your question, the real main takeaway was that it was a real wake-up call for all of us. Because once a fraud is revealed, all of the different professions and functions are engaging in the fraud in some way or another. But the real black hole was that no one was proactively preventing it.
GR: Nikki, apart from your role as a litigator and dispute resoluter, if that's a word- I think it is now. You've also been a non-executive director of various organisations. When Rachael was saying that fraud is a thing that nobody really wants to talk about, were you conscious of that as a NED?
NB: Yeah, absolutely. I felt, given my background, that it was incumbent upon me to make sure that it was being talked about. What I always say, whether that's an organisation that I'm working with on that basis or with clients, is that there will be fraud happening in your organisation. I can guarantee you that. You may not know about it, and some level of fraud will always go undetected. With the best governance in the world, you won't stop everybody who has nefarious intentions, but what you can do is mitigate that risk. I think one of the issues with it is where within the governance structures and the functions of an organisation accountability for tackling fraud sits because it's across all of them, so in a way it's across none of them, I think is one of the issues that sometimes you see. So there's the sort of ambition to be able to talk about it and to understand it, but to integrate that into somebody's day job or various people's day jobs can be really challenging.
GR: But that's interesting because I completely get the concept of, 'someone's got to own it'. But as we said right at the very beginning, in a way, you want the whole organisation to be engaged in it at least, don't you?
NB: Yeah, absolutely. I think what you do need people to feed into across the organisation is to focus in on the risks that sit within their particular areas. So I would expect anybody in an IT background is going to understand the risk around phishing and cyber attacks and scam emails and things like that. So that would be pretty high up on their priority list. But if you're talking to somebody who's in customer services or client-facing, that might not necessarily present so obviously to them what their role is in tackling fraud.
RJ: Yes, we agree. One of the interesting findings from our survey too, was just the lack of effectiveness of training. So you're only going to look for what you're trained to look for, and really how they have this confirmation bias that, "Oh, we're doing this training exercise once a year, therefore, we're protected." Well, actually it's a waste. As Nikki says, I totally attest. What you are training someone in a call center to do will be different than someone who's out in the sales, in meetings or on a trading desk, for example.
GR: How do you fix that? How do you combat that?
RJ: Training shouldn't be a once-a-year exercise. It needs to be continuous, targeted, and role-specific, and relevant to the different roles. It needs to be collective. You can't just have one person understand fraud. Everyone needs to learn together. Otherwise, people just switch off.
GR: It has to keep carrying on, does it? Because, otherwise, as you say, if it gets out of date quickly, there's no point in doing it once a year, I suppose.
RJ: It needs to be active, not passive, not just ticking a box on a video and there we go, we're compliant. It needs to be talked about collectively.
NB: One way organisations, I think, can really focus on that is to use the resource that they have internally. So ask the people within your organisation to deliver or input into the training and so that it continues to be their lived experiences rather than relying on solely third-party training providers. Have the input directly within your organisation.
GR: We talked in the last episode about culture a lot, and that's obviously a factor in good governance. Is it about frameworks that you put in place, or is it just about getting everybody to think in a different way and be conscious of this thing, this concept of governance, all of the time?
NB: I think it is important to have in place the policies and procedures that people can refer to, not least because you will otherwise invest a huge amount of people's time answering questions about things which might be relatively easily answered in documents. What should give you cause for concern? What are red flags? But then coupled with that, the policies and procedures frameworks are embedding the culture within your organisation as well, and I think it's really important that it's a combination of both.
RJ: I would say organisations have a lot of frameworks. They've got policies, risk registers, training again, but they don't translate into behavior, and that's because they're often generic and disconnected from real roles, real life, like you said earlier, and people don't understand how it applies to them. So the issue isn't lack of frameworks, and let's also point out, I'm sure you'd agree, a lot of these frameworks were designed in a world that no longer exists. So it's about how do you engage and evolve them? Governance has to be lived and not just documented. Again, how could we not mention AI? AI is amplifying and accelerating everything, so being able to keep the governance up to pace, by the time you write a policy for governance around AI, it'll be outdated. So it's rethinking how you build resilience and decision-making under pressure in today's world.
GR: Everyone's working really hard to, in this competitive environment, to run a business and everything. It's really hard to get people to do more than fill in a box. So how do you get past that?
NB: I think one thing to try and encourage people to consider is that those governance frameworks are not an obstacle to being commercial and to have growth and success. Often that's how they can be perceived, particularly on perhaps your more business growth-focused side or client-facing or commercial side of the organisation. Perhaps it's a combination of carrot and stick in that sense. So you need to demonstrate the significant impact that could be felt by the business and them personally, potentially, for failures, but also the opportunity that it can be providing. That could be reputational, confidence of clients in your ability to keep safe money, data, information, whatever it might be, that it can be a driver of growth rather than an obstacle to growth.
RJ: I might add really about just instilling that mutuality, that interest, the KPIs, that we're all in this together. To be able to build a culture where you can raise concerns. What can affect or what the growth or what vulnerabilities do you have that will affect you all?
GR: Yeah, that surely has to be one of the key things, that it has to be a collective effort. But I suppose in a way, that's in almost any organisation that's true of everything. The organisations that operate in a collective way tend to be more successful and more operationally better. Does it have to come from the top? Can it be bottom up ever, do you think?
NB: I think leadership of a business is ultimately responsible for setting the culture, and whether that's around fraud or any other sort of aspect of the culture that is important to you in your organisation. So it's very important that messaging is coming down from the top and including at board level as well. This is something that we care about, we're interested in, we're going to keep asking you questions about and asking you to improve on. It's, I think, harder for people lower down in an organisation if there isn't that culture, particularly around openness and transparency at the top. But what people can do is within their own individual roles, do the best that they can to identify risks and red flags. It's in some ways then out of their hands how the business chooses to escalate that or do whatever they might with it after they've raised it.
GR: Do you have examples where you just think, "Well, that was so obviously going to happen because of the culture or the lack of governance there," or, "Wow, they did a really good job in that instance"?
NB: Yeah. I think in terms of poor culture, one thing that crops up quite regularly, particularly in very large organisations, is things around conflicts of interest, declaring personal relationships. We all understand that a driver of business is relationships, particularly say, if you looked at the real estate sector, that's a really important feature of how people do business in that sector. So, of course, as an organisation, the last thing you wanna do is discourage people from forming those relationships so people pick up the phone to you first or whatever. But blurring the lines between what is a sort of professional relationship and a personal relationship and ensuring independence of decision-making. If you see an organisation where culture is weak around that or the lines are very blurred, you're almost just waiting for the other shoe to drop and to discover that something more untoward has happened.
GR: On the flip side, Rachael, are there organisations that you know that you think, "Yeah, if any other people did it the way they did it, we'd be in a better place than we are"?
RJ: Well, I think if you look at the many cases, culture is the secret sauce. Fraud is inevitable. Cyber, everything, is amplified, it's inevitable. But I think just back to some of Nikki's points, I think governance must be challenged. Yes, they set the tone at the top, but it must be challenged. The top must be challenged as well. The board sets the tone and provides oversight, and they should be asking more questions, but also the right ones. The leadership, they translate that into the culture, how we do things around here. But you also have to be thinking about how leadership looks at the desired behaviors and how they exemplify them. Staff, at the end of the day, are the front line of defense in this world. They're the ones that see those issues day to day, as you said, Nikki. And that's where it often does break down, is in the middle. Because if managers aren't reinforcing expectations, the whole system breaks down.
NB: I think for me, one of the indicators of good governance is an organisation where people are regularly and routinely raising concerns and issues about things, and it might be that people are going too far and there's nothing to be concerned about. But in a way, I'm not worried about that in an organisation that I would be advising or involved with. What gives me more cause for concern is when organisations say, "Well, we've had zero whistleblows this year. We've had no fraud." And I said, "That cannot be possible. It cannot be possible that there is zero fraud in your organisation, so you're just not finding it. And why are you not finding it?" Those are the questions that the board should be asking, and certainly in any NED role that I would be asking if those are the sorts of figures that they were coming back with.
GR: Does it make a difference the size of the business? Is it very different for big businesses versus smaller businesses, do you think?
NB: As a smaller organisation, in a way, you have more control because you have more direct oversight over the individuals that are part of your business, but then you don't have the benefit of independent internal functions, whether that's internal audit, general counsel, or a HR function. So that can be challenging for small businesses. What I would encourage small businesses to do is to find peers, so whether that's people within your sector or your network or your local area, speak to them about their 'horror stories', if you like, and learn from shared experience and expertise. But similarly, you'll find, and I'm sure Rachael sees this as well, at very senior levels you'll have heads of internal audit at essentially competing organisations but that meet regularly to talk about these types of risk because of the value of that shared experience.
RJ: Yeah, I think also you need to touch on this accountability vacuum, no matter what size or sector you are talking about. We've found that fraud becomes everyone's job and therefore no one's job. Let's face it, SMEs aren't going to have a dedicated fraud team. To be fair, lots of larger organisations don't, depending on the sector they're in. But just to add another anecdote from our survey was that reporting confidence was lowest in SMEs and smaller firms. But it drops even lower than what it was in SMEs in organisations, large or small, that lack strong ethical leadership. Overall, across all of the professional bodies who participated in the survey, out of ten fraud drivers, ethical leadership was third behind technology outpacing controls.
NB: That really chimes with what I see as well, that it's the importance of leadership and challenge amongst leaders. Even if you're people who have built this business from the ground up and you've worked together twenty years, whatever, if you see, for example, a blurring of those professional and personal lines or a lot of work being diverted to a particular company that perhaps has some personal connections, and those personal connections could be valuable to your business. It could have been a driver in where you've got to. But there has to be that challenge at a senior level, because if you don't have that, then people underneath, why would they risk their jobs or their reputations in their sector to say, "I think the FD is— there's something funny going on with purchase orders and invoices", or whatever it might be. If you don't believe that the people around them are going to take it seriously and if they're going to close ranks, then I think that can be really detrimental in bigger organisations.
GR: That must be right at the heart of it I'd have thought. If we're talking about an SME, it doesn't matter how many people we're talking about, but say it employs a couple hundred people or something like that, around that sort of area. The top bosses, perhaps even the founders, are honest. They're committed to doing a good job. They don't want any of this stuff to happen in their organisation. But something's going on at some level. Does someone always know?
NB: Yes, I think so, or at the very least, people will have suspicions. There'll be whispers about it. It could be that there are some honest people at a senior level who would very much like to hear about it or to have some evidence that substantiates what people are concerned about. But generally speaking, people are talking and employees and staff know perhaps far more than organisational leaders might think that they know or that they pick up on. So yes, I think there's somebody who will always have suspicions.
GR: That's really interesting, Rachael, because if that's true, then actually combating it isn't about the accounting system or whatever. It's entirely about governance. It's entirely about the culture and the governance that you've created that allows somebody to say that. That brings us right back to the beginning of the original question, how do you get people excited about this as much as he or she is excited about winning a new client off a rival?
RJ: Well, back to that secret sauce on culture, it's really about getting all these things into the conversations and making them inclusive. I have seen, when you ask what good looks like, I have seen things like shadow boards, fraud councils, you can call them what you want. But when you have that mutuality again across different functions and senior levels of seniority, it really does work. The leaders need to go out there, walk around and ask them on the front line, "What concerns you?" Or, "What do you think about when you're making a decision? What risks concern you?" That makes them feel good, like part of the strategy. But I think also something we haven't really touched on yet today is just the misconception about fraud today. It's not episodic. It's not an accident. It's not technical. It's human. It's operational. It's embedded in the systems. It thrives through all these gaps, and not least the culture and governance gaps. That's why the silos definitely need to be addressed. I think since COVID it's not just working from home, it's a new way of working, isn't it? It's just enhanced the silo way of work.
NB: I agree, Rachael. When you're talking about how you get people to care at lower down the sort of food chain, if you like, I think one thing that organisations can do is recognise and reward positive behaviors and attitudes. If you have an organisation where culture is weak around, for example, people feeling like they can say if they've made a mistake and trust that there is a team or leaders who will step in to help them, then you've also likely got a weak culture around people raising concerns about fraud or concerning behavior on the part of employees or suppliers or leadership. So that recognition and reward of positive behaviors, I think, can be a helpful driver.
GR: Quite a long time ago in this conversation, we talked about fraud being one of those things that isn't talked about. Would it help if people did talk a lot more, if people shared bad stories or were happy to share things that had gone wrong?
NB: Absolutely. That's one of the things we try and do with clients who are willing to do that, and we will work with them in different ways to allow them to share. So, for example, within the last few months, we organised a discreet call of various people in different organisations where on a confidential basis a client of ours shared with their peer group. I know, for example, that the head of internal audit at some of our clients will meet regularly, and they will talk about it again, with suitable anonymity or whatever else that you need to have in place. But one message that we get is people really value that shared experience and we try and encourage clients, particularly clients that are very prominent in their sector— leaders, and say, "It happens to us, too." There's a concern about reputationally— is that an indicator of weakness? Whether that's to investors or stakeholders and employees or partners, whatever it might be. But that, I think, can be a really important way of engaging people as well, is real lived experiences, and these were the consequences for us as an organisation, not to be embarrassed about it. It will happen to every organisation and business at a point in time. As I said, even on an SME level, find peers, share stories and experience, and there's value in that as a business as well anyway. So strengthening relationships or forming ties with people has a commercial value as well as a governance value.
GR: I want to turn things around a little bit right at the end of this because we talked a lot about it being human and about being cultural and all that sort of stuff, and what people actually do. But are things like guidelines, templates... the Business Fraud Alliance has a load of templates on how to deal with all this sort of stuff, which I'm sure we'll have in the show notes below this podcast. But are those things really helpful in getting people to a place where it can be about the human stuff?
RJ: Yeah, we have playbooks, don't we? But the question is, are they just collecting dust, or are they actually rehearsed and practiced? The scenarios are evolving so fast, there needs to be not this once-a-year passive learning exercise. There needs to be real-life scenarios put to test, and I do see that happening, but it's usually companies that have been forced to do that because they've had an incident. I think, again, just on the culture side, we see a lot of companies that just are drowning in fraud signals, so they have this avalanche of information and they see that awareness. It's the action that's not happening. It's the triaging that's not happening. What are they doing with that? Even in our survey about fraud risk assessments, two-thirds of them are doing fraud risk assessments, but they're not being acted on. A lot of people, I think, fear retaliation or fear speaking up, even like you said. Of course, they suspect it's embedded in the system. It's industrialised. I think people are aware it's organised crime, and there's state proxy threat actors in all of this, but they don't see or believe that it will be followed through. So just back to your point, Nikki, about making those cases transparent, and that's the best way to learn right now, is to learn from mistakes and root causes.
NB: I think that's a really good point, Rachael, in that if people don't feel like organisations are going to take them seriously, and of course there is a balancing exercise to be done, so you get a whistleblower, there are various considerations around that from a legal point of view and preserving the integrity of an investigation. But it might be at a later date you're able to share what the outcome of it is or at least say to the person who has made that whistleblower or flagged that matter, that it's been heard, it's been taken seriously, it will be independently investigated. Now, they might not be able to be told what the outcome of that is, but they might see the outcome of that in a result of weeks, months down the line, and so demonstrating that behavior, that showing that it's taken seriously, and that there is a value in that beyond flagging fraud concerns. People who are generally concerned, whether it's HR issues or conduct issues or whatever that might be, a culture where those are taken seriously and escalated is really valuable.
GR: So before we leave the studio, I've got one more task or challenge for you. I want to leave on a more optimistic note. Nikki, you said right back at the beginning, every organisation, if you think your organisation hasn't got fraud in it, you're wrong, and everyone has. Rachael, you said fraud's everywhere. I want people to go away with a more positive thought or an idea or something they can do. Rachael, you go first. Give us a positive thought!
RJ: Well, I think that you'd all agree that fraud prevention really requires a mindset shift, and to understand, like we said, what it is, understand the different perceptions. The real takeaway for me is if the audience goes out and does something different, is to challenge something they trust. With AI today, fraud is a norm, cyber is a norm because of AI amplifying it, and we live in a world we'll never trust, always verify, always check. So yeah, my takeaway is to go check a number that you think is real, and then see what you find.
GR: That's just the right side of positive. Nikki?
NB: I think I would encourage organisations and businesses to see it as a commercial opportunity and to mark yourselves out from competitors by saying, "Well, actually we're very rigorous in our procurement approach. We're really confident that we can pick up fraud within our supply chains," and talk about that as a positive aspect of your business when you're going out to market and something that sets you apart.
GR: Fantastic. Thank you both so much for that. Every day's a school day on Fraud Matters, at least it is for me. So thank you for being here. Hopefully we'll see you again in the future episodes. Thank you very much for listening to Fraud Matters. Our next episode will be focusing on corporate impersonation. If you've enjoyed this podcast, be sure to subscribe on your favorite app so you never miss any of our future episodes, and please leave us a rating or a review to help us find a bigger and wider audience. For more information about the frauds discussed in this episode and how to deal with them, the Business Fraud Alliance has a stack of resources, so be sure to visit businessfraudalliance.com, and links to some of those resources will be in the show notes beneath this episode. Thank you again for listening, and see you next time.