Risk-based approach to fraud risk management. The impact of fraud in an organization has created the need to focus on areas where fraud risks are relatively high to allocate available resources most effectively. Effective implementation of a risk-based approach to manage fraud risks, considering organizations’ internal policies, procedures, and risk parameters is crucial in maintaining the strong governance structures to fraud risk management.
Risk-Based Approach To Fraud Risk Management
Organizations conduct internal fraud risk assessments to develop relevant fraud risk management policies and procedures. These policies and procedures are implemented at all levels in the organization to identify, assess, manage and mitigate fraud risks on an ongoing basis. It is always advisable that measures to prevent fraud risks are commensurate to the fraud risks identified for effective mitigation.
Fraud risk assessment may generally be based on subjective judgment, perception, and actual organization experiences. Organizations develop departments and functions to periodically perform a fraud risk assessment and analyses using different tools and techniques.
To implement an effective risk-based fraud risk management culture, the organization must identify its crucial activities and areas where the chances of fraud are very high and high. These areas may be identified through the audit reports, inspection reports, regulator’s investigation, and past fraud incidents. To consolidate and document the potential fraud risks, various methods are used, such as:
Quantification Of Risk Through Risk Matrix
A risk matrix is a tool that identifies and documents risks with the related mapped controls.
The organizations may develop a risk matrix that quantifies the likelihood and impact of fraud risks, thereby categorizing fraud risks as low, medium, and high depending on the severity levels of particular fraud risks.
Without appropriate quantification of fraud risks, it is difficult for organizations to decide which fraud risk is to be addressed first.
Preparation Of Fraud Risk Register
Risk registers are an effective tool for documenting and assessing the risks related to different activities and processes. Risk registers enable performing inherent and residual risk assessments, identifying key and non-key risks for a particular process or department.
Usually, process owners prepare and maintain fraud risk registers; however, the fraud risk management department ensures that these risk registers are prepared effectively and efficiently by all departmental heads and process owners.
A fraud risk register may be developed by organizations, whereby fraud risks emanating from various business aspects are documented and accounted for. The fraud risk register comprehensively covers all the fraud risks related to the activities and processes of the organization.
Fraud risks are sequentially documented for each identified activity and process, and related mitigating controls are mentioned against each fraud risk. Risk scores are calculated based on the defined risk assessment grid to assess the impact of each documented fraud risk. Risk registers are periodically reviewed to check the effectiveness of documented controls and risk scorings. Fraud risk registers are updated on an ongoing basis when the need arises or new fraud risk is identified or reported.
A risk-based approach entails understanding the risks that your organization faces and developing controls for these risks based on the damage they can cause. The approach frequently used by compliance teams, focuses efforts based on the level of risk.
For many areas of compliance, regulators are increasingly favoring a risk-based approach over prescriptive measures. In terms of Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an intergovernmental body that establishes international AML goals, stated in 2012 that “the risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations.”