A Business Process Rant
Back in the days when I had a corporate job, there was a mania for process documentation. The rule was ‘document what you do and do what you document’. This made greatest sense in the financial departments, where it was vital to have a process with minimal risk of fraud and a financial audit trail. Thus, for example, the process for receiving incoming cheques said that post received by the finance department was opened by the Finance Manager’s secretary. Cheques received in that post were passed to the finance clerk who recorded them in the ledger and passed them to the chief cashier for banking. A secure process with an audit trail for a cheque passed through three pairs of hands.
This was brought to mind by my dealings with Local Education Authorities. They have processes for dealing with new suppliers to ensure that they do not leave themselves open to fraud. They need to guard against both internal and external fraud. External is more straightforward: the fraudster sends in a bill for a service the authority has not received (on the assumption that the authority is so busy that it never checks its invoices).
Internal fraud has various more complex forms. Say, for example, that members of the LEA staff create a scam where they say that they have received a service, they then set up a fictitious company who send an invoice for the service, which is then authorised and paid. It is essential that LEAs protect themselves against this sort of activity. They do it by having a business process that checks the bona fides of any new supplier. I have no quibble with the need for a process, and some of the LEAs make checks in an entirely rational way. On the other hand, I get very annoyed by those that don’t do it rationally. There are some organisations who, on receiving an invoice from a new supplier, use the information on the invoice to ask the new supplier to send a standard set of information, most of which is already on the invoice. The process here would seem to involve asking the same person for the same information twice in the hope of spotting a different answer.
I get even more annoyed when part of that standard set of information is the bank account details for BACS payment (see the invoice!) together with the signature of a responsible manager. Now, the receiving organisation does not have any way of verifying that signature; the most they can do is examine it in a post hoc investigation of fraud and say “now I come to look at it, that really does look like the writing of Bob the Janitor”. For a large supplier, that doesn’t really matter. For a small supplier, the responsible manager is quite likely to be the person who signs the cheques. Consequently the LEA keeps on file a set of signatures matched to bank account details just waiting for a disgruntled employee to indulge in a spot of forgery. So rather than protecting the LEA from fraud, the process involves a (small) increase in the risk of fraud against their suppliers.
I would feel more confident in the LEA’s processes if, rather than asking the supplier to complete a form, it asked the LEA’s financial officer what checks they had undertaken to verify that the supplier was genuine, supplied the goods invoiced and that the details of the invoice were genuine. The ways of doing that could be different for each supplier (in our case, the Internet would be a good place to start), but would require the purchasing officer to apply some thought. Without that thought, it’s just a box-ticking exercise; to my mind, there is no point in having a process unless it is capable of achieving its objective.
Which brings me back to the process in which Glenda, the Finance Manager’s secretary passed incoming checks to Glenda, the accounts clerk who booked them in the ledger before passing them to Glenda, the chief cashier for banking.
I should probably add that the company had only one employee named Glenda.