Responding to residual fraud risk. Identify, evaluate, and respond to the residual fraud risks that still need to be mitigated. After identifying fraud risks and performing an inherent risk assessment for each one, management maps the relevant internal controls against the fraud risks as mitigants. Mapping and applying internal controls enables the organization to assess the residual risks.
Responding To Residual Fraud Risk: Step 7 In Fraud Risk Management
Residual risk is the risk that remains after the mapped controls have been applied. A material residual risk indicates that the mapped control is either weak in design or not operating effectively. The residual risk assessment becomes even more important when the residual risk score is rated High or Extreme.
The impact and likelihood of each residual risk are assessed, and a score is calculated to quantify the portion of the fraud risk that remains after the relevant internal controls are in place. The residual risk score is calculated by multiplying the impact of the fraud risk by the likelihood of its occurrence.
Once a residual risk score has been calculated for each fraud risk, the fraud risks are categorized as High, Medium, or Low.
High And Medium Residual Risks
High and Medium residual risks need to be addressed on a priority basis, because these are the risks that may turn into actual fraud incidents if they are not addressed through more robust and enhanced internal controls.
All High residual fraud risks are consolidated for immediate management mitigation action. Significant residual risks are reported to the organization's risk management function, which assesses the high risks and prepares a validation report for the Board Risk Management Committee (BRMC).
Additionally, the risk management function periodically follows up with the relevant process owners for feedback on the residual risks and the related mitigants or control enhancements. Process owners, typically departmental or unit heads, are required to provide periodic residual risk assessments to the risk management function.
High Category Residual Risks
Unattended High residual risks are reported to the BRMC periodically by the organization's Chief Risk Officer. Such periodic reporting of High residual risks prompts process owners to take measures, by strengthening internal controls, that lower the residual risk from High to Medium or Low. Residual risks previously reported as High and since downgraded to Medium or Low are also presented to the BRMC as evidence of progress in enhancing internal controls.
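As an added illustration, not part of the original article, the scoring and reporting steps described above in Python: the residual score as impact multiplied by likelihood, categorization into High, Medium and Low, consolidation of the High risks for immediate management action, and a list of previously High risks that have been downgraded since the last report to the BRMC. The 1-to-5 rating scales, the band thresholds (15 for High, 8 for Medium), the risk register entries and the previous-period categories are all assumptions constructed for this example; the article specifies none of them.

```python
"""Residual fraud risk scoring and BRMC reporting (illustrative example)."""
from dataclasses import dataclass

# Assumed scales and bands; the article only states score = impact x likelihood.
# Impact and likelihood are rated 1..5, so scores run 1..25.
HIGH_THRESHOLD = 15    # assumed: score >= 15 is High
MEDIUM_THRESHOLD = 8   # assumed: 8 <= score < 15 is Medium, below is Low
LEVELS = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class FraudRisk:
    risk_id: str
    description: str
    process_owner: str
    residual_impact: int       # 1..5, assessed after mapped controls are applied
    residual_likelihood: int   # 1..5, assessed after mapped controls are applied


def residual_score(risk: FraudRisk) -> int:
    """Residual score = impact x likelihood; rejects ratings outside the 1..5 scale."""
    for value in (risk.residual_impact, risk.residual_likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.risk_id}: ratings must be 1..5, got {value}")
    return risk.residual_impact * risk.residual_likelihood


def categorize(score: int) -> str:
    """Map a residual score onto the assumed High/Medium/Low bands."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def consolidate_high_risks(register):
    """Risk IDs needing immediate management action, highest score first."""
    highs = [(risk, residual_score(risk)) for risk in register
             if categorize(residual_score(risk)) == "High"]
    highs.sort(key=lambda pair: pair[1], reverse=True)
    return [risk.risk_id for risk, _ in highs]


def downgrade_progress(previous, current):
    """Risks reported High last period that are now Medium or Low.

    previous and current map risk_id -> category. A risk missing from the
    current register is treated as still High, so it is never counted as progress.
    """
    return sorted(risk_id for risk_id, category in previous.items()
                  if category == "High"
                  and LEVELS[current.get(risk_id, "High")] < LEVELS["High"])


def brmc_report(register, previous):
    """Assemble the periodic report: unattended Highs, downgrades, and all categories."""
    current = {risk.risk_id: categorize(residual_score(risk)) for risk in register}
    return {
        "unattended_high": consolidate_high_risks(register),
        "downgraded": downgrade_progress(previous, current),
        "categories": current,
    }


# Constructed sample register (hypothetical risks, owners and ratings).
REGISTER = [
    FraudRisk("FR-01", "Duplicate vendor invoice payment", "Accounts Payable", 4, 4),  # 16 High
    FraudRisk("FR-02", "Ghost employee on payroll", "Human Resources", 5, 2),          # 10 Medium
    FraudRisk("FR-03", "Petty cash skimming", "Finance", 2, 3),                        # 6 Low
    FraudRisk("FR-04", "Unauthorized credit limit override", "Credit", 5, 3),          # 15 High
]

# Constructed categories from the previous reporting period (hypothetical).
PREVIOUS_PERIOD = {"FR-01": "High", "FR-02": "High", "FR-03": "Low", "FR-04": "High"}

if __name__ == "__main__":
    print(brmc_report(REGISTER, PREVIOUS_PERIOD))
```

With the constructed register, FR-01 and FR-04 are consolidated as unattended High risks, and FR-02, reported High last period, appears under downgrades as progress for the BRMC. Boundary cases such as a score of exactly 15 land in High because the bands are inclusive at the lower edge; any organization adopting a matrix like this should document its own scales and thresholds rather than reuse the assumed ones here.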
Create A Fraud Risk Assessment
The next step is to plan regular fraud risk assessments that are specific to the fraud risk management program. To that end, the firm should identify the specific tools, methods, and sources for gathering information about fraud risks, such as data on fraud schemes and trends gleaned from monitoring and detection activities. Buy-in is secured by involving all relevant stakeholders in the assessment process, including those responsible for designing and implementing fraud controls.
Among the requirements are:
- Identifying and assessing risks in order to determine the program's fraud risk profile, beginning with the inherent fraud risks affecting the program.
- Assessing the likelihood and impact of the inherent fraud risks, taking into account non-financial impacts such as damage to reputation and non-compliance with laws, regulations, and standards.
- Identifying the firm's fraud risk tolerance, assessing the effectiveness of existing fraud controls, and prioritizing residual fraud risks.
- Documenting the program's fraud risk profile.
Create A Dedicated Governance Structure To Manage Fraud Risk
The first requirement is to create an organizational culture that combats fraud at all levels of the organization. This should demonstrate senior-level commitment and establish an anti-fraud culture. To oversee all fraud risk management activities, an anti-fraud entity must be established, which will, among other things:
- Serve as a knowledge repository for fraud risks and controls.
- Manage the fraud risk assessment process.
- Lead or assist with fraud awareness training and other activities.
- Coordinate anti-fraud initiatives throughout the program.
Design And Implement An Anti-Fraud Strategy With Specific Control Activities
Based on its fraud risk profile, a company should develop, document, and communicate to employees and stakeholders an anti-fraud strategy that describes the program's activities for preventing, detecting, and responding to fraud, and for monitoring and evaluating those activities. The following questions can be used to direct the firm's allocation of fraud risk management resources:
- What steps does the program take to manage fraud risks?
- When does the program begin to implement fraud risk management activities?
- Where is the program concentrating its fraud risk management efforts?
- What specific control activities are in place to prevent and detect fraud?
- How are existing risk controls evaluated for suitability, and how is residual risk prioritized?
- How does the program address identified risks?
What Is The Significance Of Fraud Risk Management?
Fraud is all around us, making headlines on a daily basis. Fraud is a high-impact, low-probability risk that can quickly destroy a company's integrity and reputation. Many businesses focus on the low probability of fraud and, as a result, fail to devote either resources or structure to addressing the risk. Governance, assessment, strategy, and evaluation are the typical components of a fraud risk management framework.