Risk assessments are part of the discipline of risk management, where enhanced frameworks and techniques have emerged. Risk management comprises the identification, assessment, and prioritization of risks followed by the coordinated and efficient use of resources to monitor, minimize, and otherwise control the organization’s risks.
Risks arise in many forms and range from uncertainty in financial markets, operational failures, natural disasters, and pandemics to legal liabilities and reputational harms.
Why Conduct a Fraud Risk Assessment?
- Fraud is a significant business risk (financial, reputation, moral)
- Every organization has inherent fraud risks arising from internal and external conditions.
- Fraud risk assessment helps to identify and manage these risks.
- The assessment helps identify and prioritize fraud risks inherent to the business.
- Fraud risk assessment is an essential component of the Committee of Sponsoring Organizations (COSO) integrated antifraud programs and controls framework.
- Reduce residual risk for fraud
Here are some general protocol issues relating to risk assessments.
Understand the difference between Inherent and Residual Risk
- ABC conducts thousands of credit card transactions and “inherently” faces a high likelihood of security risk of lost or misappropriated credit card data. Not because controls are good or bad, but because they inherently have a high daily transactional volume of this data.
- As a counter-example to the above, XYZ only collects cash as payment, thus carries a low “inherent” likelihood of credit card data security risk. They don’t receive this kind of data, so they can’t have this kind of risk.
- ABC has cutting edge encryption technology, highly sophisticated firewall protections, and tightly administered manual controls around credit card transactions and data maintenance to ensure that the likelihood of this risk happening is greatly minimized.
Therefore, ABC believes their “residual” risk is low.
Inherent risk is the risk that exists in an environment without the benefit of controls. In other words, what is the risk that an event or activity could materially impact the company if management did not have activities in place to manage the risk?
Understand Risk Factors
- Fraud Risk Factors are those events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, attitudes/rationalizations to justify a fraudulent action, the arrogance to not care, and/or the competence to socially control the situation.
- Fraud Risk Factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists.
Does the Risk Assessment Take into Account One or More of the Following Areas?
- Code of conduct?
- Other risk assessments?
- Historical, ethical violations and their root cause?
- Investigation results?
- Reporting Systems and trends?
- Organizational culture-differences and perceptions?
- External environment (i.e., the economy, political unrest, corruption perception index, sanctions, etc.)?
- Internal Policies/Procedures?
- Employee awareness of standards?
- Propensity to engage in wrongdoing?
- Tone and conduct from the Top?
- Tone from the Middle?
- Training and communication?
- Vendor/third-party agent compliance?
- SEC/DOJ/Other enforcement trends?
- Industry trends?
- Hiring/background check systems?
- Disciplinary Systems?
- Feedback from others?
Next is a list of questions that a prosecutor might ask and require you to defend your risk assessment.
- What resources were appropriated?
- How do I know the risk assessment was objective?
- Were risks in the C-suite and Boardroom addressed?
- How was risk examined at the vendor/agent level?
- If the raw work product was not retained, does the final report provide sufficient detail on methodology?
- Was culture and attitude evaluated (tone and conduct from the top)?
- Was knowledge assessed?
- Was anyone terminated or disciplined as a result of the risk assessment?
- Who among the governing authority of the corporation received the final report or was briefed on the outcome?
- How were the risk assessment outcomes used?
The following list contains some of the common pitfalls I have seen in risk assessments and the overall process.
- Carrying forward old assumptions and ratings.
- Risk ratings are not harmonized.
- Believing people are honest in brainstorming sessions.
- Ignoring the human element.
- Expectations (unclear, undefined, unrealistic).
- Unrealistic deadlines.
- Lack of resources.
- No true ownership.
- Poor coordination.
- Lack of objectivity, credibility.
- Qualitative skew.
- Narrow and deep vs. shallow and wide.
- Document availability (e.g. ,policies).
- Too much focus on the perceived “priority” risks.
- Lack of follow-through.
- One-time event – “set it and forget it.”
- Failure to communicate the actual results.
If you have a common pitfall that is not included above, send it to me, and I will add it to the list.
Click here for more on the fraud risk assessment process.
Bes safe and stay well,