Strategies for fraud risk management encompass the implementation of advanced techniques, such as comprehensive fraud risk identification and assessment cycles, robust risk response strategies, and the integration of artificial intelligence technologies for effective control and mitigation.
Fraud risk management is a strategic process that starts at the top of the organization, with the Board of Directors (BoD). The BoD sets the tone at the top and cascades a strong message about avoiding and minimizing fraud risks.
Management follows the BoD's message, develops fraud risk identification and assessment techniques for the identified processes, and implements those techniques at all levels of the organization.
Advanced fraud risk identification and assessment techniques require the implementation of the complete fraud risk management cycle so that all kinds of fraud and other financial crimes are not only identified but assessed and responded to in an integrated manner.
Effective Strategies for Fraud Risk Management: Identification, Assessment, and Mitigation
Fraud Risk Identification and Assessment Cycle
The fraud risk identification and assessment cycle is an integrated process of identifying fraud risks, assessing their financial, operational, compliance, and reputational impact on the business, and prioritizing the risks and the related mitigation actions that control and reduce them.
The fraud risk identification and assessment cycle involves the following steps:
1. Establish a fraud risk management committee.
2. Identify fraud risk areas and processes, including digital processes.
3. Understand and assess the scale of fraud risks.
4. Develop a risk assessment and risk response strategy.
5. Implement the risk response strategy and allocate owner responsibilities.
6. Implement and monitor the suggested fraud risk mitigation controls.
- Establish a Risk Management Committee
A risk management function is established whose main task is to facilitate and coordinate the overall risk management process, including the identification and mitigation of fraud and financial crime risks.
The risk management function is headed by the Chief Risk Officer (CRO). A risk management committee is formed that includes members from across the organization, such as the Chief Financial Officer (CFO), the Heads of Planning and Sales, the Head of Investments, and the Head of Information Technology. The committee supervises employees on the various risks and strategies, including fraud risks.
The committee members work together to ensure that fraud and financial crime risk factors are not only identified but appropriately assessed in an integrated and responsible manner.
The CRO acts as secretary to the risk management committee and presents the agenda items to the members, including significant fraud risks, financial crime risks, fraud incidents, and the available mitigants and controls. The committee meets from time to time to ensure that fraud risks and incidents are thoroughly reviewed together with their root causes. The members are responsible for ensuring that controls are deployed and implemented to prevent losses, and for improving those controls so that fraud and financial crimes are eliminated or avoided.
- Identification and Analysis of Fraud Risk Processes, including digital processes
Each process, including those that depend on digitalization or technology, must be explored to identify how fraud risks may evolve and negatively affect the organization's business operations.
Careful analysis of the fraud risk scenario helps in assessing the impact and chances of occurrence of fraud in any specific department or process.
To assess areas where the possibility of occurrence of fraud is high, different techniques are used, such as:
- Workshops and interviews
- Process mapping
- Comparisons with other organizations
- Discussions with peers
- Understand and assess the scale of fraud risks
Once the fraud risks have been identified from different sources, the likelihood of each fraud occurring is assessed. Assessing likelihood is a subjective process, because the organization usually lacks data or information that accurately predicts the likelihood of a particular fraud risk. Specific parameters and assessment grids are used to rate the impact and likelihood of fraud risks.
To assess the likelihood of fraud risks, the organization may consider various factors such as past incidents, the prevalence of fraud risk in the industry, internal control environment, available resources to address fraud, fraud prevention efforts by management, ethical standards followed, unexplained losses, customer complaints, etc.
Based on impact and likelihood analysis and risk scoring, fraud risks are analyzed and prioritized. Fraud risks are broken down into High-, Medium-, and Low-level fraud risks. This classification allows the available resources to be directed at the High- and Medium-level fraud risks.
Where the net likelihood and the target likelihood for a particular risk differ, this would indicate the need to alter the risk profile accordingly.
It is a common practice to assess the likelihood in terms of:
• high – probable
• moderate – possible
• low – remote.
The fraud risk analysis is performed in the fraud risk register. Most organizations include the assessment of fraud risks in all risk registers prepared for different departments and functions. Some organizations also prepare detailed fraud risk registers that consider possible fraudulent activity. The fraud risk register often directs the majority of proactive fraud risk management work undertaken by an organization.
Fraud risk is categorized as an operational risk, which focuses on the risks associated with people, processes, and system failures. A fraud risk assessment considers whether weaknesses in these focus points are present; where they are, the possibility of fraud is indicated.
Based on the general assessment and utilization of available information, the fraud risk assessor develops or designs the preventive and detective controls in various processes and activities of the organization. The preventive and detective controls are mostly implemented in high-risk processes, which are those where the chances of occurrence of fraud are high. Such processes include cash handling, cash management, treasury, operations, etc.
Once the likelihood of fraud is assessed, then the frequency of occurrence of the fraud is assessed. The frequency is assessed based on the availability of past or historical information about fraud incidents.
The frequency of occurrence of fraud may be defined as follows:
- Very frequent
- Frequent
- Reasonably frequent
- Occasional
- Rare
Very frequent means the fraud risk is expected to occur daily, or even multiple times a day. Each occurrence may have a low impact, but because of the large number of occurrences the cumulative impact over a period may be high. An example is pocketing of cash by the person receiving cash at the counter.
Frequent means the fraud risk is expected to occur regularly, which may be once a day, every two days, or weekly. Each occurrence may again have a low impact, but because of the large number of occurrences the cumulative impact over a period may be high. Examples include cash pocketing or stealing small physical assets from office premises.
Reasonably frequent means the fraud risk is expected to occur every week or month. Such fraud risks may have a high impact per incident, with fewer incidents over a period. Examples include cash pocketing or stealing small physical assets from office premises.
Occasional means the fraud does not occur often, but on certain occasions the fraudster carries it out. Such frauds may have a high impact because they may be backed by careful planning by the fraudsters, who aim to gain as much personal benefit as they can. An example is money laundering activity.
Rare means the fraud occurs once in several years but has a high impact in terms of both reputational and financial losses to the organization. Such frauds usually involve a large number of fraudsters who may be dispersed across different jurisdictions and locations. Examples include cyber-attacks on large national organizations to obtain and use confidential information.
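A small fraud risk register model, added here as an illustration and not part of the article: it encodes the likelihood grades (high/moderate/low) and frequency grades described above, scores impact against likelihood into High/Medium/Low, flags entries whose net likelihood differs from the target likelihood, and shows how a low per-incident loss becomes a high cumulative impact when the fraud is very frequent. The incidents-per-year figures, the materiality threshold and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Likelihood grades from the article: high = probable, moderate = possible, low = remote.
LIKELIHOOD_SCORE = {"high": 3, "moderate": 2, "low": 1}
# Expected incidents per year for the article's frequency grades (constructed assumptions).
INCIDENTS_PER_YEAR = {"very frequent": 500, "frequent": 150,
                      "reasonably frequent": 24, "occasional": 2, "rare": 0.2}
MATERIALITY = 10_000  # assumed annual-loss threshold for a "High" cumulative impact


@dataclass
class FraudRisk:
    name: str
    likelihood: str           # net likelihood: "high" | "moderate" | "low"
    target_likelihood: str    # likelihood the organisation is prepared to accept
    impact: int               # per-incident impact, 1 (low) .. 3 (high)
    frequency: str            # one of INCIDENTS_PER_YEAR's keys
    loss_per_incident: float  # constructed monetary estimate per incident


def risk_score(r: FraudRisk) -> int:
    """Impact x likelihood on the assessment grid, giving 1..9."""
    return LIKELIHOOD_SCORE[r.likelihood] * r.impact


def rating(score: int) -> str:
    """Map a 1..9 grid score onto the article's High / Medium / Low classes."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def expected_annual_loss(r: FraudRisk) -> float:
    return r.loss_per_incident * INCIDENTS_PER_YEAR[r.frequency]


def cumulative_impact(r: FraudRisk) -> str:
    """A low per-incident impact can still be High once frequency is counted."""
    return "High" if expected_annual_loss(r) >= MATERIALITY else "Low"


def assess(register: list[FraudRisk]) -> list[dict]:
    """Score every entry, flag needed profile changes, and order them for the committee."""
    rows = [{"name": r.name, "rating": rating(risk_score(r)),
             "cumulative_impact": cumulative_impact(r),
             "annual_loss": expected_annual_loss(r),
             "alter_profile": r.likelihood != r.target_likelihood} for r in register]
    # High before Medium before Low; within a class, larger expected annual loss first.
    return sorted(rows, key=lambda x: (x["rating"] == "High", x["rating"] == "Medium",
                                       x["annual_loss"]), reverse=True)


def sample_register() -> list[FraudRisk]:
    """Constructed entries mirroring the article's examples; all figures are illustrative."""
    return [FraudRisk("Counter cash pocketing", "high", "low", 1, "very frequent", 25.0),
            FraudRisk("Small asset theft", "low", "low", 1, "frequent", 60.0),
            FraudRisk("Money laundering via accounts", "moderate", "low", 3, "occasional", 250_000.0),
            FraudRisk("Cyber-attack on confidential data", "low", "low", 3, "rare", 2_000_000.0)]
```

Running `assess(sample_register())` ranks money laundering first on the grid and still flags counter cash pocketing, which scores only Medium, as a High cumulative impact because of its frequency.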
- Develop a risk response strategy
Once the fraud risks have been identified and assessed, strategies to deal with them are developed by the management and employees of the organization, in collaboration with the risk management department.
Strategies for responding to fraud risk fall into one of the following categories:
• Risk retention by choosing to accept small risks,
• Risk avoidance by stopping the sale of certain products to avoid the risk of fraud occurrence,
• Risk reduction through implementing controls and procedures,
• Risk transfer (transferring risks to insurers).
Fraud risk appetite is established for the organization by the risk management function. Risk appetite is the level of risk that the organization is prepared to accept and this should be determined by the board. The appetite for fraud risk influences the strategies to be developed for managing fraud risks.
- Implement the risk response strategy and allocate owner responsibilities
The chosen fraud risk response strategy should be communicated to those responsible for its implementation, including the process owners in the different departments. For the strategy to be implemented effectively, responsibility for each specific action must be assigned to the appropriate level of employees and staff, with clear target dates for completing the responses.
- Implement and monitor suggested fraud risk mitigation controls, including artificial intelligence (AI) controls
The chosen fraud risk management strategy may require the development and implementation of new fraud risk mitigation controls, such as a higher level of monitoring or the deployment of advanced technology, for example artificial intelligence (AI) and machine learning (ML), to provide real-time data access and transaction analysis and to identify and rectify fraud and other financial crime risks.
Employees and staff who are allocated responsibility for implementing the fraud mitigation strategy must ensure that the suggested controls, including AI controls, are implemented at the process level to counter the fraud risks.
Fraud risk management controls must be monitored to assess whether their desired objectives are achieved and whether fraud risks are reduced and mitigated. The risk management department performs this monitoring, and where weak controls or ineffective implementation are identified, steps are taken to strengthen the controls or to improve their implementation.
Implementing advanced fraud risk identification and assessment techniques is crucial for organizations to effectively manage and mitigate fraud risks. By establishing a strong fraud risk management cycle, from the Board of Directors down to all levels of the organization, a comprehensive approach can be adopted.
This involves forming a dedicated fraud risk management committee, identifying and analyzing fraud risk processes, assessing the scale of fraud risks, developing a risk response strategy, allocating responsibilities, and implementing robust fraud risk mitigation controls, including leveraging artificial intelligence (AI) technologies. Regular monitoring and evaluation of the implemented controls ensure continuous improvement and a proactive stance against fraud. By adopting these proactive measures, organizations can safeguard their financial integrity and reputation while minimizing the impact of fraud risks on their operations.