Measure and monitor your fraud risk management program success

Susan is head of investigations for a mid-sized, global manufacturing organization with sales and manufacturing facilities in the U.S., Latin America and Europe. The chief compliance officer (CCO) and chief financial officer (CFO) have asked Susan to make a short, end-of-year presentation to the board of directors summarizing the company’s fraud risk management program (FRMP) and some recent investments the company has made into improving its culture of compliance and anti-fraud controls. Managing a global team of eight professionals — all CFEs, of course — Susan recently invested in new data analytics training and technologies with the intent to improve both preventive and detective capabilities around fraud, corruption, policy violations, errors and abuses.

The company’s board of directors is comprised of experienced business professionals with a mix of finance, business operations, engineering and legal knowledge. They’re known for asking tough questions that demand data-driven metrics, as opposed to “gut-feeling” inclinations. While Susan’s investigative team reports to the legal department, she also knows that she must coordinate with internal audit and ensure that she appeases the heads of various departments, such as finance, information technology, sales and operations, to gain their support. While everyone in the organization is aligned to the company’s goals and mission set forth by the CEO and the board, generally speaking, legal and compliance professionals in the business often take on risk management functions of keeping “the business out of trouble” so it can execute on its mission. On the flip side, staff dedicated to finance, operations and business growth have a different perspective in meeting the company’s objectives. Their focus is often around “making the business better.” Better efficiencies, better processes, better sales, better profits, and so forth.

Susan knows that her presentation to the board, which includes a good mix of risk and business-minded personnel, needs to balance both messages around making the business better and keeping the business out of trouble. With careful preparation, Susan hits it out of the park with her presentation, impressing the board and providing them a better understanding of the full impact and capabilities of the company’s FRM.

The example above is fictional, but if part of your job is implementing new technology and innovations to prevent and detect fraud, you might have encountered a similar situation with your company or a client. Or, perhaps you will in the future.

When presenting to the board or upper management, it’s important to keep their frame of mind and business objectives front and center if you plan to win them over. Dollar savings means nothing to a general counsel or chief compliance officer when the result is litigation or violation of the law. Alternatively, the CFO isn’t going to be compelled by a message that’s solely risk or regulatory-based without a consideration of return on investment or cost savings.

Making the business better

When it comes to making the business better, finding hidden money, cost recoveries and dollar savings is quite often the most popular and measurable — especially when your audience is the CFO, COO, business managers and procurement professionals. When I talk to companies each week, it’s always fun to hear how people get excited about the opportunities to recover lost funds and put money back on the balance sheet. Such metrics might include:

• Amount of dollars recovered from third parties via your prevention and detection activities.
• Number of fraud risk schemes identified and stopped (going forward). Most companies I’ve seen will allow you to project out the monthly losses for about 12 months, not in perpetuity. Remember, according to the ACFE’s Occupational Fraud 2022: A Report to the Nations, the typical fraud scheme lasts 12 months before detection. Hence, this is a fair benchmark.
• Reduced investigation and legal time and costs through use of technology and hiring in-house personnel, among other factors.
• Improved response times for investigations, employee training, reporting and remediation.
• End-user feedback and adoption, or net promoter score (which I’ll discuss below).
• Other ancillary benefits. Keep in mind that when your FRM program is working well, especially when using data analytics, there may be other ancillary benefits you want to measure including improved working capital, vendor optimization, per unit pricing comparisons (best price analysis), contract compliance and much more.

Figure 1

As you consider the above goals and KPIs in your own organization in the coming year, I encourage you to think outside the box. Remember, you can’t monitor what you can’t measure, so make sure you challenge your team to come up with metrics.

I posed the KPI question to one of my mentors, David Coderre, CFE, author of “Fraud Detection: Using Data Analytics Techniques to Detect Fraud.” He said selecting KPIs around your FRMP is a difficult question and sometimes hard to measure. “Did the amount of fraud decrease? Was fraud found faster? Was there more successful recovery or prosecutions, as compared to the previous method or time?” Coderre asks. “These are all interesting, but my favorite KPI for a fraud risk management program is the degree of acceptance, at all levels of the organization. The acceptance can be measured, for example, by looking at the efforts to make fraud risk an integral part of all aspects of the company; the ongoing monitoring and updating of the program.”

Marketers often refer to this user acceptance concept as net promotor score (NPS). Jeanniey Walden, chief marketing officer of Rite-Aid (and in full disclosure, my wife), defines NPS as a critical KPI, originally developed by global management consulting firm Bain & Co., used to assess overall customer satisfaction and how likely customers are to recommend a company to others. The score is derived from the response to a single question: “How likely is it that you would recommend our offering (product, service or company) to a friend or colleague?” This is scored on a scale of 0 (not at all likely) to 10 (extremely likely). The metric is typically calculated as the percent of promoters (those scoring 9 or 10) minus the percent of detractors (scoring 0 through 6), ignoring neutral responders (scoring 7 and 8). When developing any new fraud risk management solution, program or initiative, it’s always a good idea to ask an NPS question at the end to gauge people’s level of satisfaction at any given time, and over time, to demonstrate continuous program satisfaction by the most important group — your business customer, the end user. As a frame of reference, any NPS above zero is good and over 50 is phenomenal. As a benchmark, top brands like Apple, Intel, Costco and Sony all have NPS at or near 50. Nobody has 100! 

Keeping the business out of trouble

On the risk side, your FRMP also needs to cover the fundamentals of keeping the business free from trouble. When your audience is made up of legal, compliance, information technology and internal audit professionals, you need to be thinking in terms of risk avoidance and remediation. Metrics around improving business transparency and the culture of compliance, as well as reduction in litigation and regulatory risks, resonate well here. Some FRMP metrics include:

• Ability to increase business transparency using data analytics to monitor key activities around vendors, customers or employees.
• Improved collaboration and coordination across departments through integrating multiple data sources and sharing important data and insights.
• Improved culture of compliance based on employee surveys.
• Improved awareness and adherence to corporate policies, as shown by fewer incidents.
• Alignment with regulatory expectations, such as the U.S. Department of Justice (DOJ), U.S. Securities and Exchange Commission (SEC), FINRA, and Serious Fraud Office (SFO). (See DOJ’s “Evaluation of Corporate Compliance Programs,” updated March 2023.)
• Reduction in punitive fines or violations over time.

Going back to our case example, Susan knew she had only one slide to summarize her program to the board in a nutshell. Reflecting on the above KPIs, she presented something like Figure 2:

Figure 2

Reflecting on insights from the COSO/ACFE Guide

Perhaps one of the best resources for developing KPIs for your FRMP, the COSO/ACFE Fraud Risk Management Guide, might already be sitting on your shelf, or bookmarked in your browser. ACFE Regent Emeritus Ryan Hubbs, CFE, is SLB’s global anticorruption and fraud manager. He suggests CFEs review each of the five key pillars as explained in the guide: governance, risk assessment, controls, investigation and monitoring. Hubbs recommends thinking about the attributes that you can test, evaluate and report on in each section. Governance, for instance, may require looking at the number of trainings performed or management employees trained per year, while risk assessment could involve fraud survey or examining vendor risks.

“The program KPIs should reflect the program,” Hubbs says. “If all you have are fraud risk assessments, then focus on KPIs around those. If you are only at the governance stage, then focus on KPIs around training, awareness, policies written, et cetera. Just as the fraud program itself will need to be agile and fluid, so should the KPIs to measure effectiveness.”

Finally, Hubbs also advises keeping in mind that this is your fraud risk management program, and not your competitor’s or one for another big company in another industry. “It is yours, so make sure your KPIs make sense to you and your business,” he says. “Just because XYZ Corp has 127 FRMP KPIs in place doing this or that, doesn’t mean you should, if it’s not part of your risk assessment.”

As you think about your FRMP and your 2024 goals, ask yourself what the DOJ will ask in the unfortunate event of an investigation into your company. It boils down to three main questions:

1. Is the corporation’s compliance (FRM) program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?

Thank you for reading Innovation Update in Fraud Magazine over the past year, and I look forward to our continued innovation and dialogue together in 2024.

Vincent M. Walden, CFE, CPA, is the CEO of Kona AI, an AI-driven anti-fraud and compliance technology company providing easy-to-use, cost-effective payment and transaction analytics software around corruption, investigations, fraud prevention and compliance monitoring. He welcomes your feed-back and ideas. Contact Walden at vwalden@konaai.com.