Friday, 21 July 2023

By Anya Gielen and Cameron Anderson 

While there’s no shortage of better practice guidance on risk management, this doesn’t mean it’s easy or that organisations do it well. 

Most advice includes the usual cycle of risk identification, evaluation, treatment, monitoring, and feedback. But with fraud, it’s not that simple. The breadth of risks and ever-changing approaches by fraudsters mean assessing risks can be a detailed process requiring knowledge of both business processes and fraud tactics. It’s a challenge for many organisations to allocate the time and resources to do this proactively. Sadly, those resources become available to many only after an event draws attention to their vulnerability in the worst possible way. 

Even though such an event can have significant consequences, a common yet flawed approach taken by organisations is the encapsulation of these many different fraud risks into a single, enterprise-level risk. This is understandable when you consider that those charged with governance must, by nature, take an enterprise-level helicopter view. But in this area, there’s not one fraud and corruption risk; there are many. And the controls needed to address fraud risks associated with one process differ significantly from those required for another. To enable a single view on the overall level of fraud risk within an organisation, the fraud risk owner at the enterprise level must seek input and guidance from process owners across the business. Engaging with these process owners also sends the message that fraud control is taken seriously.

This is important because perhaps the most overlooked aspect of risk evaluation is risk culture: the underlying values and attitudes that can drive behaviours and risk appetite regardless of procedural rules. For this reason, common approaches to risk identification like workshops and surveys can be misleading because they tend to focus on what the organisation knows, rather than what it doesn’t. In our experience, starting with an independent review of policy, procedure, and key personnel can help identify potential vulnerabilities that process owners may gloss over, or simply not see.

Assessments need to cover all the separate operations and processes across the organisation: from recruiting to payroll and performance management, from identification of procurement need to accounts payable, and from operations to financial reporting and even governance. Rather than conducting surveys on how they manage risk, organisations should ask, “If I were the fraudster, how would I game our system?” 

Of course, identifying risk is just the start of the cycle. Organisations then need to evaluate risks, assess controls, and monitor them on an ongoing basis. The Australian Standard for Fraud and Corruption Control AS 8001 recommends testing the controls’ operational effectiveness with reactive look-back exercises as well as ‘pressure testing’ – live testing of controls with real-time scenarios. We agree and suggest going a step further by testing controls on a rolling/rotational basis as part of a fraud control monitoring plan. The tests should vary in intensity and frequency, as easy and repetitive tests can become a tick-box exercise and cease to be effective.

Risk management is a crucial component of an overall fraud and corruption system, but it can also be one of the most challenging. It requires a comprehensive look at each business process, and many organisations struggle to gain buy-in from operations as to its value.

We know perception of value can be subjective. It tends to change before and after fraud happens. We want our clients not to experience the after.