5 Key Components of a Fraud Risk Management Policy
All organizations are vulnerable to occupational fraud, and that fraud costs an enormous amount of money ($652 billion a year in the US according to ACFE research as summarized in this occupational fraud infographic). As a result, a comprehensive fraud risk management policy is an essential component of an overarching enterprise risk management plan.
Your fraud risk management policy stems from the risk analysis that must underlie the policy. That is, identifying the concrete organization-specific fraud risks that must be mitigated.
Systematic planning and implementation across these five basic areas will put your fraud risk management program on the path to success.
1. Identify a “risk owner” in your organization.
Upper management must be engaged in policies aimed to mitigate risk. Part of this is that responsibility has to be clear – wishful groupthink won’t cut it. With respect to fraud risks in particular, a member of upper management should be charged to organize and carry out the risk analysis, including how identified risks should be managed. As with every important management function, this function will include process definition, goal setting, measurement, and reporting on a timely basis.
2. Analyze your organizational structure and functions to identify fraud risks.
Assessment of risks will be part structural (e.g., reporting or control over access to information and finances) and part functional (e.g., how specific activities are organized to achieve objectives). The assessment may be part of an ongoing or regularly scheduled process, and it may also be triggered by significant changes in the organization’s purposes or by growth. What is clear is that you cannot mitigate risks you do not perceive or understand – the assessment is crucial.
3. Determine which, if any, risks should be rejected.
Based on your analysis, you may determine that the costs associated with the fraud risks of a business service or product exceed their value. This important outcome might be associated with new business opportunities. In other words, it would be part of your evaluation of new markets or new lines of services or products.
4. Determine which risks can be mitigated via risk-sharing arrangements.
Of course, insurance is the most common form of risk sharing in any organization. Determining whether losses due to fraud are adequately covered will be an important part of your analysis. In some cases, you may be able to mitigate risks further through expanded insurance coverage, depending on the character of the risks.
You may also find ways to share or transfer risks via contract to partner or supplier organizations. This suggests that analyzing your contractual relationships with other organizations would be part of your basic fraud assessment. Mitigating fraud losses within contractual relationships may require negotiating greater visibility into contractors’ financial performance, for example.
5. Identify how to manage risks that are retained.
The risks you retain fully will be intrinsic to your core organizational activities. Every organization has to manage finances, people, and routine relationships with vendors, customers, partners, and regulators. In all of these internal activities, you may identify fraud risks that require deliberate management through effective controls of different sorts. The final step in your fraud risk management policy is to define what these controls are and how you will measure their effectiveness. This can be a big job, but it will help create a better performing organization.
Corporate fraud will continue to present a threat to people, brands, and profits for the foreseeable future. As your organization strives to address these risks while maintaining compliance with anti-fraud regulations, it’s easy to get lost in the details or to become overly reactive.
The fundamentals of a corporate fraud risk management policy, outlined here, should remind you to approach risks with a structured and systematic approach.