
Level Up Your Fraud Risk Assessment: Achieving Best-in-Class FRA

By Sophia Carlton and Suzanne Carlson, Jul 15, 2022

This is the second in a three-part series on FRA.

Achieving an effective FRA can be a moving target. Your risk landscape, organizational structure, shifting strategic priorities and available resources, among other triggers, can impact the effectiveness of your FRA, so it is imperative that you review your approach on a regular basis. This can help you identify where you can make small, incremental changes or wide-sweeping enhancements to achieve an effective FRA that results in tangible, meaningful outcomes that can be used for decision-making and prioritization.

With all the differing information out there on what constitutes an "effective" FRA and what steps you should take, how can you determine where the source of truth lies? Unfortunately, there is not a one-size-fits-all approach. The specific steps that one organization takes to achieve an effective FRA might vary vastly from another.

The good news is that across all the varying “sources of truth”, there are some commonalities. Below are the three key phases and core underlying steps that should be part of your FRA:

Figure 1: FRA Steps

BENCHMARKING YOUR FRA EACH STEP OF THE WAY

Within each step listed for each phase in Figure 1, there are specific activities that constitute a baseline (minimum steps to take for a functional FRA), common (what we see across many organizations that yields better results than baseline) or best-in-class (what we recommend to achieve an effective FRA based on leading guidance) maturity level.

Below, we cover the overarching goal and activities for each maturity level, broken out by the three phases. If you already have an FRA program, these maturity scales can help you identify where you can make small, incremental changes that can enhance your FRA quality. If you are just starting out, this framework can help you develop your FRA approach thoughtfully with leading guidance. In this case, the maturity scales provide a roadmap you can use to assess if you are on the right track and allow you to choose what works best for your organization.

Phase 1: Discover

UNDERSTAND YOUR CURRENT STATE

GOAL: Gain a clear understanding of the area to be assessed, including organizational structure, operating environment and existing fraud risk management artifacts and activities.

BASELINE:
  • Collect and independently review documentation and submit follow-up questions as needed.

COMMON:
  • Collect and independently review documentation and submit follow-up questions as needed.
  • Conduct interviews with select leadership within the area being assessed.

BEST-IN-CLASS:
  • Conduct a stakeholder kickoff.
  • Collect and independently review documentation and submit follow-up questions as needed.
  • Conduct interviews with select leadership and key process owners within the area being assessed and other risk groups (i.e., Cyber, ERM, ORM).
  • Continue to deepen understanding through additional document requests and interviews based on the outcomes of the initial interviews.

IDENTIFY & DOCUMENT SIGNIFICANT FRAUD RISKS

GOAL: Map out significant fraud risks relevant to the area assessed in a fraud risk matrix, based on the insight into the current state gleaned from the first step.

BASELINE:
  • Independent identification of significant fraud risks based on known fraud.

COMMON:
  • Independent identification of significant fraud risks based on:
    • Known fraud
    • Known internal control gaps
    • Research into industry fraud trends and peer fraud events
  • Develop a fraud taxonomy or classification system.

BEST-IN-CLASS:
  • Independent identification of significant fraud risks based on:
    • Known fraud
    • Known internal control gaps
    • Research into emerging threats that are cross-industry
  • Host fraud risk brainstorming sessions with leadership, process owners and other relevant risk groups (i.e., Cyber, ERM, ORM).

When identifying and documenting significant fraud risks, here are some level-up tips for you to consider:

  • Don’t skip out on creating a fraud taxonomy. A fraud taxonomy has numerous benefits – it facilitates consistent fraud information and tracking, can be leveraged for employee and customer education and enhances understanding of fraud types and methods. The fraud taxonomy ensures everyone across your organization is speaking the same language when it comes to fraud.
  • You don’t need to start from scratch on your fraud taxonomy. If you are creating your initial fraud taxonomy, use existing risk taxonomies in your organization, industry examples or guidance as a starting place. It is also imperative to consider how your fraud taxonomy will integrate into other risk taxonomies across the business to allow for seamless integration or aggregation.
  • Don’t try to boil the ocean. You should focus your fraud risk matrix on significant risks, rather than every single risk, to ensure it is actionable. Think quality over quantity.
  • Develop a plan for Governance, Risk & Compliance (GRC) tool integration. If you have a GRC tool, consider how your fraud risk matrix will integrate into it. This integration does not have to be done initially, but it should be a consideration to ensure integration of the FRA into the broader risk management efforts occurring within the business.
  • Iterate. Your fraud risk matrix should not become stagnant. Fraud risks and your organization are constantly shifting, so you should have a process in place to make both periodic and ad hoc updates to your matrix to ensure it stays relevant.

Phase 2: Measure

QUANTIFY SIGNIFICANT FRAUD RISKS

GOAL: Assess the probability and severity of the significant risks identified to enable risk prioritization and top fraud risk identification.

BASELINE:
  • Determine probability and severity of significant risks leveraging a single qualitative technique (i.e., survey, interviews, workshop) including stakeholders within the area being assessed.

COMMON:
  • Determine probability and severity of significant risks leveraging a mix of qualitative techniques including stakeholders within the area being assessed.

BEST-IN-CLASS:
  • Determine probability and severity of significant risks leveraging:
    • A mix of qualitative techniques including stakeholders within the area being assessed and across other relevant risk functions (i.e., Cyber, ERM, ORM)
    • Quantitative data analysis to enhance or supplement the information gathered through the qualitative techniques

When quantifying significant fraud risks, here are some level-up tips for you to consider:

  • Consider controls. You should map controls to the significant fraud risks identified and have a clear picture on the effectiveness of those controls before beginning the quantification process. You can integrate these into your fraud risk matrix.
  • Surveys, interviews and workshops have optimal uses. Ensure you leverage each qualitative technique meaningfully and with purpose while considering stakeholder burden.
  • If you are creating your initial fraud risk scoring scales, consider how it will integrate into other risk scoring scales across the business. In some cases, you can use existing scales for easy integration. In other cases, it may be appropriate to create differentiated fraud risk scales.
  • Don’t get stuck on the number. Perfecting a numerical risk score is less important than understanding what is relatively more significant to ensure a relevant prioritized risk listing.
  • Stakeholder education is key. Not all stakeholders will have experience or a knowledge base related to risk scoring and related scales. Ensure you build in time for stakeholder education to ensure each person approaches the process with needed context.
  • Consider risk indicators. A fraud risk indicator represents what is driving the fraud risk up or down. There can be both qualitative (i.e., lack of fraud awareness) and quantitative (i.e., volume of work) fraud risk indicators within an area being assessed. You can use these indicators to supplement the insight gathered into processes and controls, painting a clear picture of where fraud risks may be greater or lower as the basis for the quantification process.
PRIORITIZE AND IDENTIFY TOP FRAUD RISKS*

GOAL: Identify top fraud risks to enable focused risk response on areas of highest impact and priority.

BASELINE / COMMON:
  • Prioritize risks based on probability and severity.
  • Identify top fraud risks based on prioritization (i.e., all risks with a "high" risk matrix rating or the top X risks based on risk scoring).

BEST-IN-CLASS:
  • Prioritize risks based on probability and severity.
  • Apply judgement to assess whether the prioritization resonates with you and with the stakeholders in the area being assessed, based on organizational and fraud risk knowledge.
  • Iterate the scoring and the prioritized risk listing collaboratively with stakeholders until it accurately represents the prioritized fraud risks.
  • Finalize the prioritized risk listing and top fraud risks based on the outputs of the iteration process.

*This step does not have a strong delineation between baseline and common. The activities across both are similar and as such have been combined.

Phase 3: Act

DEVELOP RISK RESPONSE STRATEGY

GOAL: Determine appropriate risk mitigation strategies to proactively combat prioritized and top fraud risks.

BASELINE:
  • Recommend a risk response strategy to the area being assessed for all top fraud risks.
  • Document risk response strategies.

COMMON:
  • Recommend a risk response strategy to the area being assessed for all top fraud risks.
  • Iterate and finalize recommendations in coordination with the area being assessed.
  • Document risk response strategies.

BEST-IN-CLASS:
  • Collaborate from the start with the area being assessed to develop actionable, feasible and meaningful risk response strategies for top fraud risks, and any additional "very high" risk items as applicable.
  • Document risk response strategies accordingly in a tailored Fraud Risk Profile template.

A Fraud Risk Profile template can be leveraged to document the outcome of the FRA for each individual area assessed. It should document the outcomes and insights from the FRA – including but not limited to:

  • Prioritized and top fraud risks, including:
    • Qualitative or quantitative risk indicators
    • Existing controls and effectiveness
    • Probability and magnitude scores
    • Risk response strategy
    • Assigned owner
  • Overarching risk indicators for the area being assessed, such as insights into anti-fraud culture or fraud awareness

You can then aggregate outcomes and insights into business areas or groupings to gain insight into key themes and patterns across a group of individual areas. To drive this further, you can create an enterprise-view across groupings.
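As an added worked example (not code from the article or its authors), the Python below scores a constructed fraud risk register on probability and severity, produces the prioritized listing and the top risks either by a "high" rating floor or a top X cut, and rolls each area's Fraud Risk Profile fields up into a grouping view; the 1-5 scales, the rating bands, the tie-break rule and the sample risks are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
RATING_ORDER = ["low", "medium", "high", "very high"]

@dataclass
class FraudRisk:
    name: str
    category: str                                   # fraud taxonomy category
    area: str                                       # area being assessed
    probability: int                                # 1 (rare) .. 5 (almost certain); scale assumed
    severity: int                                   # 1 (minor) .. 5 (severe); scale assumed
    controls: list = field(default_factory=list)    # (control, effectiveness) pairs
    indicators: list = field(default_factory=list)  # qualitative/quantitative risk drivers
    response: str = ""                              # risk response strategy
    owner: str = ""                                 # assigned owner
    def score(self) -> int: return self.probability * self.severity
    def rating(self) -> str:  # 5x5 matrix bands; thresholds are constructed for this example
        return "very high" if (s := self.score()) >= 16 else "high" if s >= 10 else "medium" if s >= 5 else "low"

def prioritize(risks):  # severity breaks ties: a severe-but-rarer fraud outranks a frequent-but-minor one
    return sorted(risks, key=lambda r: (r.score(), r.severity), reverse=True)

def top_risks(risks, min_rating="high", top_n=None):
    """Top risks as the article describes: every risk rated at least 'high', or the top X."""
    ranked = prioritize(risks)
    if top_n is not None:
        return ranked[:top_n]
    return [r for r in ranked if RATING_ORDER.index(r.rating()) >= RATING_ORDER.index(min_rating)]

def risk_profile(area, risks):  # Fraud Risk Profile for one area, with the fields the article lists
    return {"area": area, "top_risks": [
        {"risk": r.name, "probability": r.probability, "severity": r.severity, "rating": r.rating(),
         "indicators": r.indicators, "controls": r.controls, "response": r.response, "owner": r.owner}
        for r in top_risks([r for r in risks if r.area == area])]}

def aggregate(risks, grouping):  # enterprise view: top-risk counts per taxonomy category within each grouping
    themes = {}
    for area, group in grouping.items():
        themes.setdefault(group, Counter()).update(r.category for r in top_risks([r for r in risks if r.area == area]))
    return themes
# Constructed sample register and grouping (not from the article).
RISKS = [
    FraudRisk("Vendor master data manipulation", "Billing schemes", "Accounts Payable", 4, 4,
              [("Dual approval on vendor changes", "partially effective")], ["High volume of vendor updates"],
              "Mitigate: callback verification of bank detail changes", "AP Lead"),
    FraudRisk("Expense report padding", "Expense reimbursement", "Accounts Payable", 3, 3),
    FraudRisk("Payment redirect via business email compromise", "Billing schemes", "Treasury", 4, 5),
]
GROUPING = {"Accounts Payable": "Finance", "Treasury": "Finance"}
```

Swapping `GROUPING` for your own area-to-business-line map and the sample register for your matrix gives the key-theme view the paragraph above describes, with the medium-rated risk dropping out of every roll-up.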

MONITOR RISK RESPONSE STRATEGY

GOAL: Ensure the risk response strategy is achieving the desired results and being implemented in line with established timelines. If it is deemed ineffective, monitoring enables a quick shift to ensure the desired outcome is achieved.

BASELINE:
  • Assess response strategy implementation and effectiveness at the time of reassessment.

COMMON:
  • Assess response strategy implementation and effectiveness through periodic check-ins (i.e., annual, biannual, quarterly) between the accountable group and the FRA team.

BEST-IN-CLASS:
  • Assess response strategy implementation and effectiveness leveraging continuous monitoring through ad hoc and periodic check-ins between the accountable group and the FRA team.

IT ALL BOILS DOWN TO REPORTING

A final step that falls outside the bounds of traditional FRA approaches is reporting results. Many organizations skip this step and miss an opportunity to engage with stakeholders across the organization. This type of reporting increases fraud awareness, highlights the achievements and key outcomes of FRA efforts and serves to increase the perception of detection, thereby driving down fraud risk. Reporting also ensures that leadership has insight into top threats and can thereby leverage that information for decision-making and anti-fraud investment accordingly while also highlighting the benefit of conducting FRAs to foster continued support of the program from the top.

You should report the FRA results to leadership, the area that was assessed and the broader organization at large. Consider audience; each audience may require a different reporting approach. Considerations for reporting:

  • Conduct an initial summary briefing with key stakeholders from each area assessed
  • Conduct an executive briefing to aggregate outcomes and priorities to senior leadership
  • Distribute key highlights to the broader organization to facilitate awareness of the FRA program and ensure clarity on how each person plays a role in combatting fraud

If you have a Fraud Risk Profile template, you can leverage this as a starting point for reporting efforts. For example, you can leverage the profiles to aggregate outcomes as noted above, which can be used for executive or senior leadership reporting.

TAKE ACTION

You can use these insights to benchmark where your existing FRA program stands across each phase and underlying step. Fraud shows no signs of slowing down, no matter your industry or geographic location. FRA is an essential tool to help you crack down on top threats meaningfully, so it is imperative to invest today to reap the benefits tomorrow.