5 Principles of Effective Fraud Risk Management
As part of the annual fraud awareness week, we wanted to bring you a quick summary of the principles of fraud risk management. These points are based on an extensive review titled Managing the Business Risk of Fraud: A Practical Guide.
As the Practical Guide emphasizes, “An organization should strive for a structured as opposed to a haphazard approach.” The Guide is a good place to start developing a fraud prevention and detection program as part of your overall risk management efforts (or structuring a review of an existing program). But as always, diving into the details of organizing and implementing a program like this requires significant effort. Skipping steps or making assumptions about risks and mitigation practices without systematic assessment will often lead to gaps or weaknesses in the plan.
Let’s look at the five principles:
1. Fraud Risk Governance
Fraud risk management needs to be embedded in an organization’s DNA in the form of written policies, defined responsibilities, and ongoing procedures that implement an effective program. There needs to be a clear role for the Board and top management in setting these policies, with reporting in place to convey the required information about the program and its performance to them. The tone from the top will be reflected in the perception of fraud prevention and detection throughout the organization.
It is important to have a responsible person with adequate resources and access to top management running the program. This person should be charged with designing and evaluating the program and with communicating it throughout the organization as appropriate. Since organizations vary greatly in complexity, inherent risk, and size, there is no one-size-fits-all program, but all programs will address issues such as:
- Roles and responsibilities
- Fraud awareness
- Conflict disclosure
- Fraud risk assessment
- Reporting procedures
- Whistleblower protection
- Investigation process
- Corrective action
- Quality assurance
- Ongoing monitoring
2. Fraud Risk Assessment
The foundation for the prevention and detection of fraud is a structured risk assessment that addresses the actual risks faced by the organization as determined by its purpose, industry (products or services), complexity, scale, and exposure to network risks. The goal of the assessment is to determine the type, likelihood, and potential cost of risks in a traditional expected-value framework. This allows the organization to tailor program efforts toward cost-effective mitigation, which may include a greater or lesser tolerance of a specific risk.
Assessing fraud risks necessarily involves looking at how employees, including top management, interact with the resources of the organization. Their incentives and opportunities compose one of the legs of the Fraud Triangle that is mostly determined by the organization itself. As such, the risk assessment effort has to be very clear and detailed about how controls, policies, and procedures interact with specific roles. It is important to note that the sources of these risks may be external as well as internal, especially in highly networked and data-dependent operations.
3. Fraud Prevention
Preventing fraud is far preferable to detecting it after the fact. In practice, the same systems and controls established to prevent fraud may also help in detecting it (e.g., segregation of duties for a certain procedure increases the chances that someone will be in place to notice and report potential fraud).
Beyond specific controls, prevention is rooted in a culture of fraud awareness, understanding of common policies and procedures, a safe harbor for whistleblowers, and continuous communication about the importance of fraud prevention from the top on down. When everyone knows that fraud is possible and is a serious problem for which the organization has developed detection mechanisms, it is less likely to occur.
4. Fraud Detection
Controls, monitoring, and reporting promote faster detection of fraud. Key detection measures include a whistleblower policy, reports designed to highlight potential and common indicators of non-standard outcomes over time, and other controls that alert people to potential fraud. It goes without saying that installing these indicators will have no effect if they are not monitored.
5. Monitoring and Reporting
Creating information that does not reach the right person to take action is useless. One of the key elements in the initial planning for a fraud prevention program is to set up responsibilities and processes that ensure timely information is reported to someone who can address the problem. These systems trigger responses that have strong legal implications, so one of the essential components is a review of the legal rights of affected parties and of compliance with applicable law.
Fraud can be taken down a notch, even if it cannot be completely eliminated. A systematic program following these five principles is the place to start.