Fraud is all around us, grabbing the headlines every single day, highlighted by recent scandals at Latvia’s ABLV Bank and India’s National Bank of Punjab. Fraud is a high impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly.
Many firms focus on the low probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.
Let’s now take a look at four steps a firm can take to develop and maintain an effective fraud risk management program:
1. Create a dedicated governance structure to manage fraud risk.
The first requirement is to build an organizational culture to combat fraud at all levels of the firm; this should demonstrate a senior-level commitment and set an antifraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an antifraud entity that, among other things, will (1) serve as the repository of knowledge on fraud risks and controls; (2) manage the fraud risk-assessment process; (3) lead or assist with trainings and other fraud-awareness activities; and (4) coordinate antifraud initiatives across the program.
2. Create a fraud risk assessment.
The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, method, and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy‐in involves relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.
Requirements include (1) identification and assessment of risks to determine the program’s fraud risk profile, starting with inherent fraud risks affecting the program; (2) assessment of the likelihood and impact of inherent fraud risks, with the consideration of the nonfinancial impact of fraud risks, including impact on reputation and compliance with laws, regulations and standards; (3) determining the firm’s’ fraud risk tolerance, examining the suitability of existing fraud controls and prioritizing residual fraud risks; and (4) documenting the program’s fraud risk profile
3. Design and implement an anti-fraud strategy with specific control activities.
Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting responding, monitoring and evaluation. The following questions can be used to guide the firm’s resource allocation in response to fraud:
- What is the program doing to manage fraud risks?
- When is the program implementing fraud risk management activities?
- Where is the program focusing its fraud risk management activities?
- What are the specific control activities to prevent and detect fraud?
- How is the suitability of existing risk controls assessed, and how is residual risk prioritized?
- How does the program respond to identified risks?
- Why is fraud risk management important?
4. Conduct risk-based monitoring and evaluate all components of the framework.
Collection and analysis of data – including data from reporting mechanisms and instances of detected fraud – is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy and fraud controls/response efforts.
A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.
Every fraud risk management program can be further enhanced by fraud-awareness training and by communicating results (e.g., instances of fraud that have been identified and corrective actions that have been taken) to employees.
Following these four steps will help to prevent – but not eliminate – fraud. Most fraud can be staved off by a comprehensive risk management program, but, as criminals and morally-compromised people concoct new forms of deceit, financial institutions must remain vigilant.
John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that specializes in the writing of risk documentation. Over his long career, he has held many risk positions, including CRO posts at Societe General and Penson Worldwide Holdings, where he interacted and engaged with US and European regulators. He frequently contributes articles on his risk insights to the Financial Executives Networking Group (FENG). #risksmartinc