A Framework for Effective Fraud Risk Management

RISK dial.jpg

GUEST BLOGGER

John Thackeray
Founder and CEO of Risk Smart Inc.

There are now more reasons than ever to implement an effective fraud risk management framework for personnel in your organization. The focus on individual responsibility has dramatically altered and employees should now be educated as to the risks and repercussions, especially in the U.S. As a result of the memorandum titled “Individual Accountability for Corporate Wrongdoing” issued by former U.S. Deputy Attorney General (DAG) Sally Yates on September 9, 2015 — even those who merely had knowledge that something wrong was happening but didn’t report it would potentially face penalties.

Known simply as the “Yates Memo,” the directive signals the new priority in the U.S. Department of Justice’s (DOJ) pursuit of corporate wrongdoing — a priority of pursuing, punishing and deterring individual wrongdoers versus the corporation itself. According to the U.S. Security and Exchange Commission’s (SEC) annual report, issuer reporting and disclosure cases represented 20% of the SEC’s 2017 enforcement actions — the largest proportion in many years. 

What should an individual do when they suspect fraud or unethical behavior?

First, document, document and document! Keep detailed and precise records about what you are asked to do, who asked you to do it and what you did. Make sure that the records are easy to find, with clear evidence of date, time and author. Second, report your concerns through an independent, anonymous hotline or to a board member. In many cases, whistleblowers are provided meaningful protection from reprisal, and they may even be eligible for a financial reward for providing useful information to law enforcement.

But, what can you do to prevent fraud from happening in the first place? The considerations raised above should be incorporated into a five-stage risk management framework outlined below.

  1. Identify your fraud risk appetite. Design a written statement and convert into a risk-tolerance limit. A risk-tolerance limit is a quantifiable amount which is the maximum that the organization is willing to lose and is a translation of the risk appetite statement into a number. The determination of the amount is based on factors including previous history, the firm’s appetite and attitude.
  2. Ensure that the organizational culture and structure is conducive and open to fraud risk management. Create a structure with a dedicated entity, department or person to lead all fraud risk management activities
  3. Plan regular fraud risk assessments and assess risks to determine a fraud risk profile. 
  4. Design and implement a fraud hotline or reporting system. As part of managing the hotline, determine risk responses and document an anti-fraud strategy based on your fraud risk profile and develop a plan outlining how you will respond to identified instances of fraud. Remember to engage with stakeholders on a frequent basis with updates.
  5. Conduct risk-based monitoring and evaluate all components of the fraud risk management framework. Focus on measuring outcomes and communicate the results.

Fraud is pervasive, and there are risks to an organization both internally and externally. It can be seen as a symptom of an organization’s culture, and in that sense, it requires the highest sense of vigilance to ensure that it does not become endemic.

John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that specializes in the writing of risk documentation. Over his long career, he has held many risk positions, including CRO posts at Societe General and Penson Worldwide Holdings, where he interacted and engaged with U.S. and European regulators.