Fraud risk assessment is an art, not a science. There is no one-size-fits-all approach, and not all fraud risk assessments are equally effective. A best-in-class fraud risk assessment is a comprehensive program that constantly takes the pulse on current and emerging risks, and provides a clear path to mitigation, monitoring and reporting across the enterprise.
Here are 10 ways you can strengthen your fraud risk assessment to move toward best-in-class:
- understand your complete risk universe. Identifying the full range of internal and external fraud schemes that could affect your organization is vital to an effective fraud risk assessment. Remember that risks evolve, so you should periodically review your risk universe to ensure that you stay ahead of emerging threats.
- narrow your focus. While you must identify your risks, don’t go overboard or try to boil the ocean. More is not always better. Instead, focus on identifying the internal and external risks most relevant to your organization.
- employ the right risk-assessment techniques. Risk assessments and risk-assessment techniques are not all equally effective. Many organizations rely heavily on surveys to assess risks. However, surveys alone are not optimal since they can be subject to biased, perception-based responses and there is no way to ensure everyone is responding within the right context. Surveys are generally most appropriate in the early stages of your risk assessment. A mature risk-assessment process should employ multiple techniques including surveys, interviews and workshops.
- focus on facts, not perceptions. Many organizations focus on perception-based questions as part of fraud risk assessment. A better approach is to map out your risks and design a set of information-based questions aimed at assessing the strength of controls to protect those entry points.
- involve the right people. Organizations tend to keep their fraud risk assessment teams small or focused only on senior leadership or management. Aim for a broader set of perspectives from the business staff on the front lines. Building a broader risk-assessment team can help you train stakeholders on fraud risk, on their role in fraud risk prevention and detection, and on why fraud risk management matters.
- dive deep. Dig beneath the surface. Your assessment should dive deep enough to understand your top risks, the controls in place, and the key gaps and vulnerabilities across your organization.
- build a strong foundation. It is difficult for a fraud risk assessment to be effective if you do not have a solid fraud risk management foundation in place. This foundation should include a strong and documented governance structure, defined roles, responsibilities, and reporting mechanisms for your fraud risk management program.
- break out of your silos. Fraud risk assessment should not be conducted in a silo. Strategically integrate with other functions at your organization as you conduct the assessment and relay results.
- focus on a broad range of controls. As part of the risk-assessment process, you should identify existing anti-fraud controls and appraise their effectiveness. Often, organizations either do not fully understand their existing anti-fraud controls or rely on perceptions of effectiveness instead of working to understand actual effectiveness. You can leverage audit findings, controls testing results or other sources of data to help, and you can talk to front-line staff implementing these controls to understand what they are doing and how that might differ from the design of the control.
- turn insight into action. Your fraud risk assessment is a tool. The results should drive decisions, resource allocation, and business and process improvements.
Do something, start somewhere
Effectively managing your organization’s fraud risk is a long-term journey. Any assessment is better than none; a useful mantra is “Do something, start somewhere.” You might want to either institute an enterprise-wide fraud risk assessment methodology or start in one business area and build out the program slowly over time. If you already have a fraud risk assessment in place, dive deep to determine where you might be able to improve current processes to increase the effectiveness and usefulness of your current program. If you are starting from scratch, pick one area to focus on first, then leverage best practices and leading guidance to build a methodology that is tailored for your organization.
Grant Thornton library articles: 10 ways to strengthen fraud risk assessments