Strategic fraud risk management. Fraud risk management is a strategic process that starts at the top of the organization, with the Board of Directors (BoD). The BoD sets the tone from the top and cascades a strong message about avoiding and minimizing fraud risks. Management follows that message, develops fraud risk management processes, and implements them at all levels of the organization. Sound risk management practice requires the complete cycle to be implemented, so that all fraud risks are not only identified but also assessed and responded to appropriately.
Strategic Fraud Risk Management: The “4Ts” Approach
Fraud Risk Management Cycle
The risk management cycle involves an interrelated process of identifying fraud risks, assessing their financial and reputational impacts, and prioritizing actions to control and reduce such fraud risks.
The fraud risk management cycle involves the following steps:
- Establish a fraud risk management group and set goals.
- Identify fraud risk areas.
- Understand and assess the scale of fraud risks.
- Develop a risk response strategy.
- Implement the strategy and allocate responsibilities.
- Implement and monitor the suggested controls.
- Review and refine the process and do it again.
Establish A Risk Management Function And Committee
A risk management function is established whose main task is to facilitate and coordinate the overall risk management process, including fraud risk management.
The risk management function is headed by the Chief Risk Officer (CRO). A risk management committee is formed, with members drawn from across the organization such as the Chief Financial Officer (CFO), the Heads of Planning and Sales, the Head of Investments, and the Head of Information Technology. The committee members work together to ensure that fraud risk factors are identified and addressed appropriately using the available resources. The CRO acts as secretary to the risk management committee and presents the agenda items to the members, including significant fraud risks, fraud incidents, available mitigants, and controls.
Members of the committee meet from time to time to ensure that any possible fraudulent activities are identified and mitigated. The risk management committee members promote the understanding and assessment of fraud risks and facilitate the development of a targeted strategy for dealing with the fraud risks identified.
Identification And Analysis Of Fraud Risk Areas
Each fraud risk must be explored to identify how it may evolve and how it may affect the operations and business of the organization. Careful analysis of the fraud risk scenario helps in assessing the impact and likelihood of fraud in any specific department or process.
To assess areas where the possibility of occurrence of fraud is high, different techniques are used, such as:
- workshops and interviews,
- process mapping,
- comparisons with other organizations,
- discussions with peers.
Understand And Assess The Scale Of Risk
Once fraud risks have been identified, an assessment of the impact and likelihood of occurrence of fraud risks is performed. Specific parameters and assessment grids are used to assess the impact and likelihood of fraud risks.
Fraud risks are analyzed and prioritized based on impact and likelihood analysis and risk scoring. Fraud risks are then classified as High, Medium, or Low level. Such a classification enables the available resources to be directed at the High and Medium level fraud risks.
Where the net likelihood and the target likelihood for a particular risk differ, this would indicate the need to alter the risk profile accordingly.
It is a common practice to assess the likelihood in terms of:
- high – probable
- moderate – possible
- low – remote.
The fraud risk analysis is recorded in the fraud risk register. Most organizations include the assessment of fraud risks in all risk registers prepared for the different departments and functions.
Some organizations also prepare detailed fraud risk registers that consider the possible fraudulent activity. The fraud risk register often directs the majority of proactive fraud risk management work undertaken by an organization.
Fraud risk is categorized as an operational risk, which focuses on the risks associated with people, processes, and system failures. A fraud risk assessment considers whether weaknesses exist in these areas; where they are identified, they indicate the possibility of fraud occurring.
Develop A Risk Response Strategy
Once the fraud risks have been identified and assessed, strategies to deal with them are developed by the management and employees of the organization in collaboration with the risk management department.
Strategies for responding to fraud risk fall into one of the following categories:
- risk retention by choosing to accept small risks;
- risk avoidance by stopping the sale of certain products to avoid the risk of fraud occurrence;
- risk reduction through implementing controls and procedures;
- risk transfer (transferring risks to insurers).
Fraud risk appetite is established for the organization by the risk management function. Risk appetite is the level of risk that the organization is prepared to accept, and the board should determine this. The appetite for fraud risk influences the strategies to be developed for managing the fraud risks.
Implement The Strategy And Allocate Responsibilities
The chosen fraud risk management strategy should be communicated to those responsible for its implementation.
For effective implementation of the fraud risk management strategy, the responsibility for each specific action must be assigned to the appropriate employee, with clear target dates.
Implement And Monitor Suggested Controls
The chosen fraud risk management strategy may require developing and implementing new controls. Employees who are allocated responsibility for implementing the strategy must ensure that relevant and effective controls are put in place to counter the fraud risks.
Fraud risk management controls must be monitored to assess whether their desired objectives are achieved and whether fraud risks are actually reduced and mitigated. The risk management department performs this monitoring. If weak controls or ineffective implementation of controls are identified, steps are then taken to strengthen the weak controls or to ensure their effective implementation.
The “4Ts” Approach
Fraud risks are uncertain and may materialize at any time; it is therefore important to understand that fraud risks can have pervasive impacts on the objectives and profitability of the organization.
A good way to summarise the different responses to fraud risks is with the 4Ts of risk management: tolerate, terminate, treat and transfer.
Tolerate: When the likelihood and impact of a fraud risk are low, the organization may decide simply to retain the fraud risk because it is within acceptable limits. Management must log and monitor the fraud risks retained, because retaining a fraud risk should always be an informed management decision.
Terminate: Some fraud risks may be outside the fraud risk appetite limits, or assessed as having such a severe impact on the organization, that the particular activity causing them is stopped. For example, an organization may decide not to continue a business activity in a particular region or country.
Treat: Organizations may decide to take action on the most severe fraud risks to reduce their likelihood or severity. For example, installing a firewall reduces the likelihood of an external intrusion into the application system.
Transfer: Organizations transfer fraud risks by entering into insurance arrangements. The cash management function of the company may be insured so that, if fraud occurs and cash is embezzled, the organization is compensated for the loss.
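As an added illustration (example code, not part of the original article), the following Python fraud risk register applies the impact and likelihood grid from the "Understand and assess the scale of risk" section, bands scores into High, Medium and Low, flags where net likelihood exceeds target likelihood, and suggests one of the 4Ts. The numeric thresholds, the appetite value, the "insurable" flag and the sample entries are assumptions made for the example.

```python
"""Constructed fraud risk register: impact x likelihood scoring, High/Medium/Low
banding, net-vs-target likelihood check and a 4Ts response suggestion."""
from dataclasses import dataclass

# Three-point grid for both dimensions (high = probable, moderate = possible, low = remote).
LEVEL = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class FraudRisk:
    name: str
    impact: str              # low / moderate / high
    net_likelihood: str      # likelihood as currently assessed
    target_likelihood: str   # likelihood the organisation is prepared to accept
    insurable: bool = False  # assumption: whether transfer to an insurer is realistic


def score(risk: FraudRisk) -> int:
    """Risk score = impact level x net likelihood level, giving 1..9."""
    return LEVEL[risk.impact] * LEVEL[risk.net_likelihood]


def classify(s: int) -> str:
    """Band the score into High / Medium / Low (thresholds are an assumption)."""
    return "High" if s >= 6 else "Medium" if s >= 3 else "Low"


def suggest_response(risk: FraudRisk, appetite: int) -> str:
    """Map a scored risk to one of the 4Ts; `appetite` is the highest score the
    board accepts without further action (assumed value, set by the board)."""
    s = score(risk)
    if s <= appetite:
        return "Tolerate"   # retained risk: still logged and monitored
    if risk.impact == "high" and risk.net_likelihood == "high":
        return "Terminate"  # severe and probable: stop the activity causing it
    if risk.insurable and risk.impact == "high":
        return "Transfer"   # e.g. insure the cash management function
    return "Treat"          # add controls to cut likelihood or severity


def needs_profile_change(risk: FraudRisk) -> bool:
    """Net likelihood above target means the risk profile must be altered."""
    return LEVEL[risk.net_likelihood] > LEVEL[risk.target_likelihood]


def build_register(risks, appetite):
    """Return (name, score, band, response, profile_change) rows, highest score first."""
    return [(r.name, score(r), classify(score(r)), suggest_response(r, appetite),
             needs_profile_change(r)) for r in sorted(risks, key=score, reverse=True)]


SAMPLE = [  # constructed sample entries
    FraudRisk("petty cash misuse", "low", "moderate", "moderate"),
    FraudRisk("cash embezzlement", "high", "moderate", "low", insurable=True),
    FraudRisk("sales in a high-risk region", "high", "high", "low"),
    FraudRisk("external intrusion into application", "moderate", "high", "low"),
]
```

Running `build_register(SAMPLE, appetite=2)` prioritises the two High risks first and marks the three entries whose net likelihood is above target for a profile change.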
Risk management is a broad and all-encompassing term. It extends to finance and beyond, affecting every aspect of a company’s operations. Integrating all risk-related activities across an organization is critical, both for understanding the risks and for building management strategies around them, especially in large enterprises. This approach is referred to as enterprise risk management (ERM).
ERM is a process used in strategy setting and across the enterprise by an entity’s board of directors, management, and other personnel to identify potential events that may affect the entity and manage risk to be within its risk appetite, in order to provide reasonable assurance regarding the achievement of entity objectives.