The legend continues
We looked at Dolos, the Greek personification of fraud and deceit, in some detail in part 1. Now the legend continues: how can Prometheus stop Dolos from moulding the embodiment of lies?
Internal and external fraud risks are classified as operational risks. Article 89 of the Capital Adequacy Ordinance defines operational risk as ‘the risk of losses resulting from inadequate or failed internal processes, people or systems, or because of external events’. Inherent fraud risks are generally higher for financial service providers in particular. Reducing them to an acceptable level requires functional, effective risk management. A fraud risk framework should contain the four typical elements outlined below.
1. Governance
An appropriate governance structure creates the organisational conditions that ensure better detection, assessment and handling of fraud risks. It is important to establish an end-to-end risk culture in the organisation to heighten both awareness and knowledge of fraud risks at all levels. Besides general governance structures that apply to effective risk management (such as a clear allocation of roles and an enterprise-wide risk culture), companies can implement the following as explicit anti-fraud measures:
- Knowledge of and responsibility for fraud risks and controls
- Management of the process for assessing fraud risk
- Support for and provision of anti-fraud training
- Coordination of anti-fraud initiatives in the enterprise
2. Risk assessment
Another element of the risk management process is assessing the risk of fraud. This requires the deployment of specific methodologies and information about fraud risks and their trends (as a time series analysis), as well as software programmes for detecting fraud. The conditions for successful risk assessment are:
- Definition of a risk inventory for all fraud risks
- Assessment of the potential extent/scope of risks to the enterprise if fraudulent acts occur
- Subjective estimate of the probability of occurrence before controls are put in place
- Determination of the risk appetite for the inherent risk (combination of extent and probability of occurrence)
- Documentation of the risk profile for fraud risk
3. Anti-fraud strategy
Based on the risk profile, the organisation should define an anti-fraud strategy that matches the net risk to the defined risk appetite. It should also communicate this strategy to its workforce, instruct them on preventing fraud risks and give them means for detecting, resolving, monitoring and evaluating them. Specific controls for preventing and detecting fraud risks are further appropriate components of the framework and hence also of the internal control system.
4. Monitoring and evaluation
The organisation should periodically evaluate the effectiveness of the implemented controls. External and internal risk factors that affect the control environment, as well as fraud trends, must be included in the monitoring process.
Fraud risks affect all enterprises, albeit to differing degrees. While a small business is more likely to be exposed to the risk of physical assets being stolen, highly digitalised enterprises are faced with factors such as cyber risks. Measures to prevent fraud must be broadly anchored in the enterprise. This starts with a risk culture that supports fraud detection or even, in the best case, prevents fraud entirely, and extends down to control measures implemented by individual employees.
In the next part, you will find out how to detect Aletheia’s twin – the embodiment of lies.