By Jonathan Le Roux
Before one starts to unpack, Fraud Risk Management, do type it into Wiktionary first, as I did on the 7th August 2014 at 8:51pm and see what you get. The answer I got was really quite simple:
“There were no results matching the query.”
Does this mean that Fraud Risk Management does not exist? Absolutely not, but it does mean that there appears to be an approach to look at fraud from a risk management perspective. It’s kind of like approaching a Rhino slowly and quietly from downwind so they don’t smell you.
If we do liken fraud to a Rhino and regard it as a wild beast that is not afraid of its predator, we would be led into a false sense of security where we might end up on the wrong point of the Rhino.
Just by reading through the latest , mention is made that the typical organization loses 5% of revenues each year to fraud.
This might not sound like a lot, but if we took the Gross Domestic Product 2013 figures as listed by the World Bank (see link below) and stated in millions of US Dollars, we find the United Kingdom (ranked 6th) with $2,522,261 and South Africa (ranked 33rd) with $350,630 and if we took 5% off the GDP for potential fraud, we would be looking at a potential fraud loss of $126,113 and $17531 for the UK and SA respectively!
But this is just speculation.
“We need to build a fraud risk management approach that consists of several single threads which will become the basis of the web structure”
It does make one think though, with both the UK and SA’s robust legislation governing fraud, corruption, bribery, money laundering, etc. We still seem to read those headlines (or is it tweets now) on a regular basis about those who got caught out.
Often those that are being caught out are really the unlucky ones!
No seriously, as the 2014 ACFE Global Fraud Survey corroborates, over 40% of all cases were detected by a tip-off and the fraud took approximately 18 months to be detected from when the fraud started.
So fraud and our approach to it, needs to be see more as one of a spider and a web.
We need to build a fraud risk management approach that consists of several single threads which will become the basis of the web structure. As we build this web, we need to move to different points to strengthen or add to it.
Just as spiders walk along their initial structural threads and lay more frame threads between various anchor points, so too do we need to lay more structure onto our Fraud Risk Management approach.
So here are my nine (9) Fraud Risk Management SpiderWeb considerations:
- Spin the Web
– This is all about the Fraud Strategy you deem appropriate to your organisation
– Are you going to be Reactive or Proactive?
– Are you following a Corporate Governance Framework?
– Are you following an ISO31000 Risk Management Standard approach?
Note: You get what you build, so knowing your framework helps ensure the Fraud-Web you are building is based on a robust and sustainable model.
- Position the Web
– Planning is critical in how you intend to approach Fraud for your organisation
– This deals with who is accountable for managing the Fraud risk within the organisation, what is their mandate, what budget do they have, what timeframe do they to implement their strategy, etc.
Note: If the person responsible for Fraud Risk is doing this as 10% of their KPI or job, then chances are it will not yield any ROI. Get the right person and ensure they spend 100% of their time doing this
- Information to Insight to Intelligence
– Without access to information and people within and outside of the organisation, it will be difficult for any fraud specialist to effectively and intelligently identify anomalies, irregularities or suspicious activities within the organisation
Note: If access is limited or restricted, so too will be you results, impact and survival
- Detection is core to the Web
– Without proper detection capability within your organisation to monitor people, transactions, data, etc. your organisation will always find itself responding to fraud incidents after they have happened
– The use of technology-enabled analytic tools to shadow, trend and mirror those business transaction that do not match or meet your business rules is vital to detecting those transactions in real-time and ‘red-flagging’ them for escalation and resolution
Note: Technology is your friend. Don’t use it at your own peril
- Environment scanning
– The importance of knowing all things prevalent within your environment, will enable you to manage your fraud risks more proactively
– Many companies focus on a P.E.S.T.L. E. (Political, Economy, Social, Technology, Legislation and Environment) approach in managing their environment more strategically
Note: An environment scan should be a continuous activity and not scheduled to only happen monthly or quarterly
- Risk Assessment is key
– For Fraud Risk Assessments, this is more of an art than a science, but the ACFE does refer to a Fraud Risk Index framework which consists of a view of the organisation based on three areas of (a) The environmental risk index (b) The culture quotient and (c) The prevent / detect index
Note: Don’t rush this process and choose the right framework for your organisation
– This is not a race to get things done quickly. Pace yourself and build your Fraud Risk Management solution effectively.
– If there is no engagement with the people (including staff, suppliers, contractors) in the organisation about their role in assisting the organisation, then there will be no commitment or buy-in.
– One needs to show those individuals why they should care about fraud in their organisation
– It all comes down to ensuring the business has the basic controls in place first like segregation of duties, authorisation levels, etc.
– If your foundation of controls has not been set, your foundation is unstable
Happy Spider Web building.
About the Author
Jonathan Le Roux is a Certified Fraud Examiner with over 20 years’ experience spread across Internal Audit, Operational Risk and Fraud Risk Management. He is currently the Chairperson of Johannesburg ACFE Local Interest Group and holds memberships at the ACFE, IIA and EthicSA.
Jonathan’s Linked Profile – http://za.linkedin.com/pub/jonathan-le-roux-cfe/11/761/557/