Framework for Effective Fraud Risk Management

5 mins

Fraud Risk Management

Fraud and misconduct can seriously undermine and expose an organization to legal, regulatory, or reputational damage. This is why institutes work to ensure that they have an effective approach to mitigating these risks. This is especially important to them, as they are part of an environment that is always under intense scrutiny and rising enforcement. Fraud risk management has been attracting mainstream attention: various stakeholders have now begun to understand the negative effects of uncontained risk. In Deloitte’s 2012 report on ‘The Internal Audit Fraud Challenge’, 58% of respondents stated that the new regulatory environment led them to have an increased focus on fraud risk management, which is a positive sign. Keeping a strong anti-fraud stance, along with a comprehensive approach to combating fraud, has now become a prerequisite. As such, any institute that fails to protect itself in the required manner could face increased vulnerability to fraud.

For firms to have an effective fraud risk management approach, they need to encompass controls that have three key objectives:

  • The first is to prevent instances of fraud from occurring in the first place.
  • The second is to detect instances of fraud and misconduct when they occur.
  • The third is to respond appropriately, and take necessary action when integrity breakdowns arise.

Fraud Risk Assessment 

What steps should an employee take when they suspect fraud or unethical behavior? Firstly, they need to keep detailed and precise records of all the events that took place, starting from what they were asked to do, who asked them to do it, and what the employee did in return. All these records are easy to locate, along with clear evidence of the occurrence: date, time, and the individual who wrote it. Secondly, the employee needs to report their concerns through an independent, anonymous hotline, or to a board member in the financial institute. A lot of the time, the whistleblowers are provided with meaningful protection from reprisal and are even eligible to avail a financial reward. This is due to the useful information they provide to law enforcement.

Apart from the fraud risk assessment, what can be done to prevent fraud in the initial stage, before it takes place? Here is a five-stage fraud risk management framework:

  1. Identify the fraud risk appetite: There needs to be a written statement designed by the firm and converted into a risk-tolerance limit. This risk-tolerance limit is of a quantifiable amount, which is the maximum that the financial institution is willing to lose. It is also a translation of the fraud risk appetite statement put into a number/digit. In order to determine the amount, various factors are considered, such as the previous history and the institute’s appetite and attitude.
  2. Ensuring that the institute’s culture and structure are conducive and open to fraud risk management. The firm must create a structure with a dedicated entity, along with a department or individual, which can lead all activities related to fraud risk assessment.
  3. Planning regular fraud risk assessment and assessing the risks to determine a fraud risk profile.
  4. Designing and implementing a fraud hotline, or a reporting system. Along with managing the hotline, firms need to determine risk responses. They further need to document an anti-fraud strategy based on their fraud risk profile and form a plan, outlining how they will respond to an identified instance of fraud. The firms should regularly engage with stakeholders, alongside any updates.
  5. Keep risk-based monitoring and assess all the components of the fraud risk management framework. Firms should focus on measuring their outcomes, then communicate the results.

Fraud risk management framework: Fraud is a risk to institutions, both internally and externally. Indeed, fraud can be seen as a symptom of a firm’s culture and requires the highest sense of surveillance, to ensure that it does not become endemic.

The US Government Accountability Office (GAO) Fraud Risk Management Framework 

To help the managers of federal programs combat fraud and preserve integrity in agencies and enforcements, the U.S. Government Accountability Office (GAO) has identified the best practices to manage fraud risks. They have organized them into a conceptual framework called the GAO Fraud Risk Management Framework (the Framework). This Framework entails control activities that help to prevent, detect, and respond to fraud, along with an emphasis on prevention. Alongside this, they focus on the structures and environmental factors that influence or help the managers achieve their objective to mitigate fraud risks. GAO Fraud Risk Management Framework also highlights the importance of monitoring and incorporating feedback, which is an ongoing practice that applies to the following four components described below:

  • The first is to commit to combating fraud. This is achieved by creating an organizational culture, as well as a structure that is conducive to fraud risk management:
    • It would mean a demonstration at a senior-level commitment to combat fraud, involving all levels of the program to set an anti-fraud tone.
    • To designate an entity within the program office, which will lead the fraud risk management activities.
    • To ensure the entity has defined responsibilities, along with the necessary authority to serve their role.
  • The second is to plan regular fraud risk assessment and assess the risks that determine a fraud risk profile:
    • This implies to tailor the fraud risk assessment according to the program, with involvement from the relevant stakeholders.
    • To assess the possibility and impact of fraud risks and to determine the risk tolerance.
    • To examine the appropriateness of the controls that already exist, make the residual risks a priority, and document the fraud risk profile.
  • The third is to design and implement a strategy with specific control activities to mitigate the assessed fraud risks, then collaborate, which can help ensure effective implementation:
    • This means to develop, document, and communicate an anti-fraud strategy, focusing on preventive control activities.
    • To take in the benefits and costs of controls. To prevent and detect potential fraud, as well as to develop a plan for fraud response.
    • To establish collaborative relationships with the stakeholders and to create incentives that will help to ensure the effective implementation of the anti-fraud strategy.
  • The fourth is to evaluate the results using a risk-based approach and adapt the activities to improve fraud risk management
    • This includes conducting risk-based monitoring. Also, to evaluate the fraud risk management activities by focusing on the measurement of the outcome.
    • To collect and analyze the data from reporting mechanisms, as well as the instances of detected fraud for the real-time monitoring of fraud trends.
    • To use these results of monitoring, evaluations, and investigations for improvement of fraud prevention, detection, and response.

Importance of the Framework of Government

The risk of fraud can impact the integrity of federal programs, which can, in turn, diminish the public’s trust in the government. The managers of federal programs need to maintain their primary responsibility: namely, to enhance the program’s integrity. The legislation, with guidance by the Office of Management and Budget (OMB), and the new internal control standards, has increased its focus on the need for program managers to take a strategic approach to manage improper payments and risks, which also includes fraud. Furthermore, based on prior reviews, GAO highlights the opportunities for federal managers to take a further step: a more strategic, risk-based approach to manage fraud risks and develop effective anti-fraud controls. The driven fraud risk management is meant to facilitate a program's mission, as well as its strategic goals, by ensuring that the government services serve their intended purposes. The program’s objective is to identify the leading practices and to conceptualize them into a risk-based framework that can help the program managers to manage fraud risks.