I’m often asked what can be done to make a fraud risk management program better, assuming one exists. To make something better, one must recognize and come to terms with any gaps or weaknesses.
Here are a few things to think about when it comes to your fraud risk management program.
- Have you defined your risk universe (see below)?
- Are you looking for fraud (internal audit and compliance programs)?
- Do you truly understand your culture?
- Have you reviewed the human factor (i.e., gatekeepers) when it comes to designing internal controls?
- Are you listening to what your hotline data is telling you, and are you learning from other failures or frauds (schemes, trends, etc.)?
- Was there ever an independent review of your governance framework?
- Are you sure your “Tone or Conduct at the Top” resonates down, through, and across the organization, or is there “Rot at the Top”, meaning bad apples are creating bad bunches and, ultimately, a bad crop (the A-B-C Theory of Bad Behavior)?
- Do your key stakeholders truly understand the business, its strategy, and its objectives?
- Are you using the meta-model of fraud to conduct your risk assessments?
- Is your training limited, inadequate, or non-existent?
- Are you treating symptoms vs. identifying the probable root cause of compliance failures or incidents of fraud?
- Have you operationalized your compliance program?
- Listen, really listen to your employees while they are employed and on their way out the door.
- Understand that fraud comes in many forms. So do its causes.
- Designing the right fraud risk management program depends on a few things, including your fraud risk assessment and your control environment.
- A problem in your control environment should be a full-stop moment.
- The control environment is defined by the “Tone at [from] the Top”, now referred to as “Conduct at the Top”. The control environment encompasses the culture, ethical values, teamwork, morale, and development of employees.
- Close or remediate all gaps, if possible.
Fraud risk management should be viewed as an evolution and not a revolution. Learn from prior incidents and frauds. Use the information garnered from hotline data, surveys, audits, and continuous and ongoing monitoring activities to tune or calibrate your programs.
Update the risk assessment as changes happen, not at predefined intervals!
“You ultimately need to understand the risks within the organization, but you also need to understand the risks outside the organization and within the ecosystem the organization operates.” JTM
I welcome your comments and suggestions.
Jonathan T. Marks