Fatal Flaws in Fraud Risk Management
Boards of directors face a tall task in overseeing an organization’s enterprise risk management (ERM) function. Nowhere is the need to ask questions and understand the process more important than in the area of fraud risk management. According to the most recent Global Fraud Study from the Association of Certified Fraud Examiners, the typical organization loses 5 percent of revenues each year to fraud―a significant financial loss. Knowing what questions to ask and what discussions to have is essential to successful oversight and enterprise-wide risk mitigation.
Every entity faces many types of fraud risk. And the costs of fraud go well beyond the direct financial losses. Investigation costs and indirect costs associated with loss of productivity, morale and reputation can dwarf the initial loss from the crime itself. Complicating matters is that fraud risks are in a constant state of flux―more so than the board may realize. In today's evolving risk environment, having ongoing discussions about fraud, often in connection with other conversations, is essential to establishing effective risk governance. However, two critical elements of these discussions are frequently missing – understanding drivers and recognizing the cross-functional nature of fraud risk – resulting in a hindsight-focused and incomplete consideration of fraud. Board members can take action to put the organization on a path towards a more proactive approach to fraud risk management.
Risk Identification Should be More than a Listing Exercise
Fraud risk management follows a similar path to the broader enterprise risk management process: management must first develop a contextual framework to allow for assessment of individual fraud risks, with oversight and approval from the board. The assessment often begins with individuals or small groups developing a list of potential fraud schemes based on a variety of sources – past experience, commonly reported or published fraud activity, surveys, interviews, etc. While this approach alone can produce an adequate depiction of organizational fraud risk, it neglects to factor in that fraud doesn’t occur in a vacuum. Fraud is not a random event; some set of circumstances or events create the opportunity and motivation for fraud to occur. These same forces may also alter an existing fraud risk, by changing how a fraud is executed or increasing or decreasing its likelihood or impact. Thus, the additional consideration of these drivers of fraud risk is much more likely to put the organization ahead of the curve, in a position to anticipate, rather than merely react to, fraud.
What drives fraud risk? The answer to this question can differ from one organization to another, but the following forces usually have the greatest influence– creating new risks and altering others:
• People (attitudes, morale, etc.)
• Internal environment (corporate culture, management changes, etc.)
• Economic conditions
• Regulatory and enforcement environment
Similar to performing risk management as part of strategy setting, fraud risk management is more effective when the underlying forces of fraud are used as the starting point in risk identification. Discussion about drivers of fraud risk is also more likely to fully engage a board of directors and create valuable dialogue instead of limiting their review to a list of fraud risks. Engaged board members should ask questions of management and other relevant parties. How have the company’s deployments of new technologies in our operations been factored in to the consideration of new fraud risks, or changes in existing fraud risks? What new fraud risks have been identified in connection with the changes likely to come about as a result of our new strategic plan? These are the types of questions that are logical extensions of discussions the board is hopefully already having. They provide necessary context to identify where potential opportunities for the occurrence of fraud exist. This consideration of what drives fraud risk in an organization inevitably results in a significantly better fraud risk assessment and the subsequent design of plans to mitigate risk.
Risk Assessment Should be Cross-Functional
Most organizations classify their risks into common categories, such as strategic, compliance, operating or financial buckets. In the typical ERM classification system, most risks exist and can be effectively managed within one functional area or department, with limited input from other groups. There might be interactions between risks in one department with risks of other departments, but most of the assessment and mitigation can be developed in a single area.
Not so with fraud risks. Fraud risks are often driven by issues that overlap and connect multiple departments or functions. For example, in order to properly assess a single type of disbursement fraud, input may need to be gathered from individuals in accounting, procurement, information technology, human resources, receiving, and several other functions. Due to this need for input from multiple areas, fraud risk management, if performed in isolation, can be the weak link in an enterprise risk management function.
To illustrate this cross-functional importance, consider the simple example of fraudulent travel and entertainment expense reporting by sales representatives. To properly assess this risk, the relevant considerations go well beyond gathering information in the sales department. Human resources may have useful information about pressures, incentive plans or training provided to salespeople and expense report reviewers that may influence a potential fraudster to commit fraud. The IT department should weigh in from the standpoint of gaining an understanding of the vulnerabilities in customer relationship management systems and expense reporting systems used by the company. Internal audit will play a key role in connection with understanding the nature and extent of data analytics and testing that can be or is being performed. The list goes on and on. Clearly, numerous functional inputs are necessary to fully and properly evaluate this one risk and to develop an appropriate risk mitigation strategy.
There are also important relationships between certain fraud risks and other categories – categories that are often evaluated in isolation. Taking the preceding expense reporting risk one step further, changes in its likelihood may be driven in part by strategic risks associated with changes in sales goals, strategies and plans. There may be an important link with compliance risks if the company is operating in a regulated environment, such as healthcare or financial services. If an organization's distribution channels cross international borders, fraud risk may also be impacted by the risk of Foreign Corrupt Practices Act violations or enforcement actions by other international regulatory bodies.
What Should Board Members Do?
Along with the issue of what drives fraud risk, the cross-functional nature of fraud risk management is another opportunity for healthy discussion at the board level. While management of fraud risk is primarily the job of senior management, board members can ensure a robust fraud risk management function is operating effectively through the focus on and consideration of these two important issues.
Scheduling board agenda time for fraud risk discussions is the obvious place to begin. Beyond that, directors are strongly encouraged to look outside of the management team to better understand impacts from changes to policies, operations or functions, particularly at geographically dispersed locations, as well as to identify relationships with external parties that may present additional risk.
Risk driver discussions should further leverage the experience of auditors – both internal and external – along with legal counsel and other advisors about trends and instances of fraud that they are seeing in practice in similar environments and industries. The goal of such board activities is to create broader awareness of the incentives, opportunities, and pressures placed on the organization’s employees and determine how well management truly understands these issues and any additional capabilities that may motivate fraudulent behavior.
Good fraud risk management requires boards to seek continuing education about cross-functional fraud risks and their drivers, as well as new or emerging fraud trends. Directors should both demand and review management and employee fraud education in the same fashion. Each of the action items listed previously can be considered elements of continuing education along with attending periodic and complementary formal learning opportunities.
Finally, a key element of board oversight is ensuring that appropriate tone and messaging is being widely distributed throughout the organization on a regular basis. Companies with clear-cut no tolerance policies for unethical behavior coupled with actively engaged boards may significantly decrease the risk of fraudulent activity committed by employees within organizations or in collusion with others.
Amy Rojik directs BDO's external Corporate Governance and Financial Reporting Center, which is designed for financial executives and those charged with governance of both public and private companies.
Gerry Zack is a managing director in the Global Forensics practice of BDO Consulting. In addition to serving clients, he has been on the faculty of the ACFE since 2006, providing anti-fraud training in North America, Europe, Africa, Asia, and Australia.