Why Disbursement Control Matters?

Risk is a part of business. There are many kinds of business risk, which may be defined as anything that threatens the organization’s ability to survive and succeed. There are many kinds of risk, both internally and externally—market risks, employee capabilities, various financial risks—that organizations must recognize and address.

Large businesses typically have risk management teams whose job is to avoid major financial losses, while small to mid-size organizations generally have an ad hoc approach to risk management. Risks include strategic, compliance, operational, financial and reputational. Financial risk, however, is not limited to financing. It includes the company’s cash and very specifically how it leaves the organization through disbursements.

Many risk analyses have a blind spot: they fail to realize the risk involved in the “back office” financial operation of accounts payable. But criminals go where the money is, and that’s not only in banks. Fraudsters target companies’ and organizations’ accounts payable disbursements. Increasingly organizations are learning the hard way that payment fraud has grown exponentially in methods, sophistication and number of schemes and attacks.

Fraud associated with disbursement represents one of the most financially damaging and operationally disruptive risks. From insider threat alone, according to the Association of Certified Fraud Examiners (ACFE), organizations lose an estimated five percent of annual revenue to fraud each year. That represents the floor, just from insider occupational fraud alone, to which the newer external cyber threat must be added.

According to the FBI's IC3, business email compromise (BEC) was the second costliest cybercrime category in 2024, generating close to $2.8 billion in reported losses. Nearly $8.5 billion in BEC losses were reported to IC3 between 2022 and 2024 alone. Critically, these numbers reflect only reported losses — the FBI acknowledges that cybercrimes are largely underreported. Add to BEC (and the more sophisticated vendor email compromise or VEC) text and voice compromise, all supported by deepfake audio and video attacks. (A criminal needs only a few seconds of audio—say, a live earnings call—to clone a convincing imitation of the CEO’s voice.) These cyberattack angles add a materially significant, rapidly growing external dimension that the ACFE data doesn't capture.

The Cost of Fraud

The monetary loss from a single mistake can be dramatic. But the costs go well beyond dollars. Reputational damage can erode vendor trust, investor confidence, and employee morale in ways that are difficult to quantify but long-lasting. For public companies, material fraud incidents may trigger SEC scrutiny or restatements, compounding liability exposure.

From a risk management perspective, the asymmetry is stark: the cost of preventive controls — robust approval workflows, segregation of duties, automated anomaly detection, and periodic audits — is a fraction of the losses incurred when fraud goes undetected. Treating disbursement fraud not as an accounting problem but as an enterprise risk, requiring structured governance and continuous monitoring, is the standard of care that today's operating environment demands.