Risk assessments are part of the discipline of risk management, where enhanced frameworks and techniques have emerged. Risk management comprises the identification, assessment, and prioritization of risks followed by the coordinated and efficient use of resources to monitor, minimize, and otherwise control the impact of the risks on the organization.
Risks arise in many forms and can range from uncertainty in financial markets, operational failures, natural disasters, and pandemics, to legal liabilities and reputational harms.
This writing will focus on fraud risks, a subset of the overall risk universe of the organization.
We live in a disruption-intensive world, and complacency is no longer an option!
To support my statement is the DOJ and their writing on the Evaluation of Corporate Compliance Programs (“Evaluation”), which states “prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and how the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’
(See, e.g., [Justice Manual] 9-47-120(2)(c); [Sentencing Guidelines] § 8B2.1(c) (‘the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal conduct.’”)
The Evaluation further states, “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”
When the original Federal Sentencing Guidelines for Organizations (“the Sentencing Guidelines”) were issued in 1991, there was no mention of a risk assessment as part of compliance programs. It was not until the Sentencing Guidelines were amended in 2004 that this alarming omission was remedied. But even then, the risk assessment had not fully “arrived,” as some of the early compliance program requirements in FCPA settlements failed to include a risk assessment component.
As risks continue to expand and intensify, many struggle to ring-fence them and manage them appropriately. Relying on manual processes like spreadsheets, email, and other disparate methods, more likely than not, are not effective.
The recipe below must be adapted accordingly. Also, the risks identified during the risk assessment process need to be appropriately monitored. I suggest you strongly evaluate and consider automating, where possible, the management of risks and controls with the mindset of continuous improvement or tuning of the fraud risk management program.
Fraud Risk Assessment
In addition to establishing an ethical environment, board members and management must also take the lead in implementing and maintaining a formal fraud risk management program. One key element of such a program is a fraud risk assessment, which should be updated annually at a minimum or more frequently if conditions warrant, and they often do!
Recall that GRC means, Governance, Risk, and Compliance because it’s a waterfall concept – meaning that good governance includes risk management, and risk management should be driving the compliance initiative or program. Why? Because how can you design an effective compliance program to deter and detect ethical breaches, or worse, fraud, including bribery and corruption, unless you understand the risks your organization faces.
The risk assessment, which some say is easy and I disagree, should focus on the possible bad actors or criminals and the crime (Advanced Meta-Model of Fraud shown below) and at a minimum identify the fraud schemes and the acts that could potentially occur, possible concealment strategies that could be used by the fraudster to avoid detection, possible conversion tactics, the individuals or gatekeepers who pose the highest risk of committing fraud, controls that are in place to deter or detect fraud and a list of warning signals or “red flags” that are useful in many ways, including assessing the design of controls.
The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organization then does with those results – in other words, “How is it operationalized”? – See Practice Pointer below.
Here is My Recipe or Methodology*
Having a documented risk-based methodology will help in many ways, including appropriately tailoring and enhancing your internal audit and compliance programs.
- Inventory the various risk assessments within the organizations. Ensure risk ratings are clear and consistent.
- Identify, understand, and evaluate the company’s business, its strategy, and operating environment along with the pressures that exist.
- Understand the legal and regulatory aspects of your business. For example: If your organization is subject to the Foreign Corrupt Practices Act (“FCPA”), then your risk assessment will, in all likelihood, need to be expanded to include the appropriate elements to assess FCPA risk, which should focus on foreign government “touchpoints”.
When assessing FCPA risk, many miss the mark here as they focus on sales/revenue. Sales volume and materiality shouldn’t matter – again, focus on foreign government touchpoints!
- Consider the strategy and objectives put forth. This helps with assessing pressure and potential for overriding controls, then link the objectives to controls.
- Review the Business Fraud Risk Framework (See graphic above), and document your fraud risk universe.
- Identify the business processes and consider differences across the organization.
- Review your ethics hotline data.
- Review prior allegations of fraud and actual frauds. Understand the root cause(s) of the real frauds.
- Consider at a minimum audit results (internal and external), investigations, results of root cause analysis, recent litigation or settlements, compliance complaints, employee claims, industry enforcement trends, and the existence and sufficiency of policies covering an area.
- Identify the Process Owner for each Process and understand their duties and roles. Throughout the risk assessment exercise, consider segregation of duty conflicts and document them so they can be remediated.
- Identify how Fraud may occur (fraud schemes) in each process and at each location through carefully planned interviews and meetings.
- Understand if the scheme involves financial statement fraud, asset misappropriation, or corruption. Note: It may include all three.
- Look at the potential fraud manifestations (scenarios) within each process and location.
- Identify the parties and profile (not stereotype) the individuals who can commit fraud. Process Owners, Gatekeepers, etc., who are competent and arrogant enough to override or circumvent controls, if they exist.
Advanced Meta-Model of Fraud Developed by Jonathan T. Marks, Richard Riley, and Scott Fleming
- Evaluate the likelihood that each of the identified frauds could occur and be significant/material as well as the persuasiveness of the potential fraud without considering controls and the possibility of management override of those controls.
- Consider the motive and strategy to commit and conceal the fraud and the conversion to determine the effort/controls required to prevent, detect, and deter the fraud.
When it comes to conversion, remember with few exceptions, perpetrators spend what they steal—because of this, looking at spending patterns is a primary investigation technique.
- Document the inherent risk.
- Identify red flags by reviewing the fraud schemes, scenarios, concealment strategy, and conversion. This helps in evaluating the controls that are or should be in place and the design. These “red flags” are organized into four general categories:
- Transactions conducted at unusual times of day, on weekends or holidays or during a season when such transactions normally do not occur;
- Transactions that occur more frequently than expected — or not often enough;
- Accounts with many large, round numbers or transactions that are unusually large or small; and
- Transactions with questionable parties, including related parties or unrecognized vendors, which may or may not be disclosed.
- Missing or altered documents;
- Evidence of backdated documents;
- Missing or unavailable originals;
- Documents that conflict with one another; and
- Questionable or missing signatures.
Lack of Controls
- Unwillingness to remediate gaps;
- Inconsistent or nonexistent monitoring controls;
- Lack of clear management position about conflicts of interest;
- Inadequate segregation of duties;
- Lax rules regarding transaction authorization; and
- Failure to reconcile accounts promptly.
- Rationalization, changes in behavior, contradictory behavior or recurring negative behavior patterns;
- Lack of stability;
- Inadequate income for the individual’s lifestyle;
- Resentment of superiors and frustration with job;
- Emotional trauma in the home or work life;
- Undue expectations from family, company or community; and
- Attendance! Perfect attendance or severe absenteeism.
- Determine the inherent risk.
- Evaluate the design of internal controls if they exist.
- Determine the appropriate audit response and investigate the characteristics of potential fraud manifestations within each process identified, where “Residual Fraud Risk” exists.
- Determine the fraud risk expectancy (quantify).
- Document the residual risk.
- Remediate fraud risk by designing control activities or exiting/ending the activity, relationship, etc. Use the “four-eyes principle”. Ensure there is an appropriate segregation of duties.
Also, use this exercise to ensure you have proper insurance coverages.
- Harmonize. Make sure the fraud risks identified are evaluated similarly and are in sync with your Enterprise-wide Risk Assessment and other risk assessments you have done. A savvy regulator will pick up on this and could conclude that from a governance perspective, your risk management program is deficient – siloed.
- Use the “red flags” identified as part of your training! Teach people what to look for and how to report any suspicious activity.
- Review the fraud risk assessment frequently, especially after an event – like a fraud, change in senior leadership, merger, acquisition, reduction in force, system upgrade, crisis, etc. There is no predetermined schedule for updating the assessment!
When reviewing or updating the fraud risk assessment during a crisis (depending on the severity of the crisis, the organization might be in business continuity mode), seek to understand how the event is impacting operations. Ask senior management, compliance, internal audit, legal, and other key stakeholders where the organization is vulnerable. Evaluate new or emerging risks carefully and close gaps quickly.
Compliance, internal audit, legal, and the organization’s stakeholders can use the results of, or operationalize, the fraud risk assessment, which includes the identified “red flags” to fine-tune or strengthen controls, policies, procedures, training, and testing strategies/programs.
Risk assessments are critical today more than ever, especially because they drive the compliance program.
Having a risk assessment may help in resource allocation and prevent punishment for areas not in scope.
Please reach out to me if you have any comments or questions.
*Note: This is a standard approach. It has been customized and modified accordingly over the years. Also, for a complete assessment, there are other procedures that more likely than not need to be performed to assess the risk of bribery and corruption properly.
Advanced Metal Model of Fraud was modified to include Marks’ Fraud Pentagon™. The original writing can be found here https://www.fraud-magazine.com/article.aspx?id=4295002447
Albrecht, W. Steve; Albrecht, Chad O.; Albrecht, Conan C.; Zimbelman, Mark F.. Fraud Examination
Fraud Pentagon –