Level-Up Your Fraud Risk Assessment

By Sophia Carlton Jun 15, 2022

This is the first in a three-part series on FRA.

Fraud continues to impact companies across industries and around the globe, with bad actors constantly switching their tactics to circumvent new controls. In the case of fraud, when one door closes, a fraudster will find an open window. To help fight fraudsters, one of the biggest tools in your arsenal is a robust, sustainable Fraud Risk Assessment (FRA) process. 

In my experience, FRA maturity varies widely from one organization to the next. Some organizations are just getting started, while others have been conducting FRAs for years — with many organizations falling somewhere in the middle of that spectrum. No matter the starting point, it is important to ensure the effort results in useful, tangible outcomes.

There are many definitions, approaches and methodologies out there for FRAs. When used optimally, an FRA is a dynamic and iterative tool that helps organizations to proactively identify and address their top internal and external fraud threats; FRAs help you uncover your vulnerabilities and help you to take control. This clear understanding of your fraud risk universe provides unmatched insight for decision-making and verifies anti-fraud investment is focused where it will matter most. 

BREAKING DOWN MYTHS

Before we get into the basics, let’s break down five common FRA myths:

Myth #1- An FRA is a one-and-done activity
Truth- FRAs should be re-performed periodically (e.g., annually for high-risk areas, every other year for lower-risk areas) and on an ad-hoc basis (e.g., after a major reorganization, a new product rollout or a major change in a process or control).

Myth #2- All FRAs are created equal
Truth- There is such a thing as an ineffective FRA. If you are not able to leverage the outputs for decision-making or to prioritize anti-fraud investments, then your FRA is not effective.

Myth #3- There is a one-size-fits-all approach to FRAs
Truth- Every organization has a different fraud risk universe, operating environment and structure, which means that the FRA approach should be tailored to match each organization’s unique needs.

Myth #4- My organization does not need an FRA because we do not have a fraud problem
Truth- Fraud is like the proverbial iceberg; what we can see is typically a small part of the problem. An FRA can help you uncover what you can’t readily see and stay ahead of potential emerging threats.

It is also important to note that you won’t find what you aren’t looking for. Many organizations report increased fraud losses once fraud risk management activities begin because the process shines a light on existing activity that previously went undetected.

Myth #5- My organization currently checks the needed compliance box for FRA, so we are all set!
Truth- Ensuring compliance is important, but it should not be the only objective. The goal is to proactively identify and address top internal and external fraud threats, leveraging the outputs for decision-making. If the current “check-the-box” methodology is not achieving those outcomes, it may be time to make changes.

WHERE TO START

In my experience, there are many ways to implement a successful FRA process. Some organizations may pilot a new approach in one or two areas and then make refinements based on lessons learned before rolling out the program more broadly. Other organizations institute an enterprise-wide assessment that captures every area of the organization in one fell swoop. 

Whether you have an established FRA program and are looking to reimagine your approach or are just getting started, here are three ways you can implement your FRA program:

| Approach | Description | Best For |
| --- | --- | --- |
| Start Big | Conduct an enterprise-wide assessment. This can be done all at once, or broken into phases based on business unit, department or potential fraud risk exposure. | Organizations with the resources needed to undertake an enterprise-wide assessment or organizations with FRA compliance or regulatory requirements that require an enterprise-wide assessment. |
| Targeted Approach | Select a subset of areas within your organization for a targeted risk assessment. This can focus on areas of highest risk, areas with higher known internal controls gaps or areas with higher spending levels. You can then roll out the FRA program to other areas as resources and time allow. | Organizations looking to enhance what is already in place using a phased approach to test a new FRA methodology before enterprise-wide implementation. |
| Pilot | Select 1-2 areas within your organization to pilot an FRA approach. You can then roll out the FRA program into other areas as resources and time allow. | Organizations that are beginning to implement an FRA program and are looking to start small prior to rolling out to other areas or an enterprise-wide implementation. |

If you aren’t sure where to start, it is best to start small with a targeted or pilot approach and then expand the program to reflect lessons learned. This provides you the ability to enhance or alter the approach prior to an enterprise-wide assessment. 

Additional considerations when getting started:

  • Create groupings to help with assessment aggregation. This can be grouping products that all fall into one business unit or business units that are all part of a broader business grouping. When completed, you will have business-line specific insight that you can roll into broader business grouping insights for leadership, and even aggregate further into enterprise-wide insights. If you think about how you can report out and aggregate results at the start, it will make achieving meaningful outcomes that much easier. 
  • Know that things change. Organizational structures are not stagnant. This means that the way you broke out your assessment in one year may no longer be how the business is organized the next. Create a process to handle these organizational changes and verify results from previous assessments are accurately linked to the new structure. 

WHAT TO COVER

Generally, your FRA should cover the extent of internal and external fraud risks across all business processes. This confirms you have a complete picture of your fraud risk landscape and can effectively focus on your most significant threats. However, there may be a need to target a specific type of fraud risk. For example, if you have business processes that handle high-value transactions and are susceptible to external fraud, you can target an FRA to that process and risk type rather than focusing on whole business units. 

We have worked with organizations that focus FRAs solely on internal fraud or procurement fraud risk. This type of approach is generally the result of a particular fraud event, a perceived higher risk of fraud for that fraud type or area, a regulatory expectation or a regulatory finding, among other instigators. The important thing to remember is that, while you can deep-dive into different risk types or areas with a focused assessment, these do not replace a holistic FRA. You should still conduct a comprehensive FRA to capture all significant risks. The results of the focused assessments can then be integrated into your broader FRA to avoid duplication of effort and reduce any redundancy.

TAKE ACTION

FRA is a marathon and not a sprint. Don’t wait for the perfect conditions to start your FRA journey — it is better to start small and expand if needed to verify you are tackling top threats proactively. You should build on what you have over time to reflect lessons learned as the program matures. If you already have an FRA program in place, periodically assess the value you’re getting from the process, be cognizant of the myths commonly attached to the FRA process and identify ways you can enhance existing efforts. If you are just starting out, approach the buildout of your FRA program strategically, focusing on how to get outcomes that foster decision-making and prioritization of fraud risk management efforts. 

In the next part of this series, we will cover the key steps in conducting an effective fraud risk assessment and provide a framework to benchmark your current efforts each step of the way. This insight will enable your organization to level-up your fraud risk assessment and move towards best-in-class.