10 ways to strengthen fraud risk assessments

Here are 10 ways you can strengthen your fraud risk assessment to move toward best-in-class:

1. Understand your complete risk universe. Identifying the full range of internal and external fraud schemes that could affect your organization is vital to an effective fraud risk assessment. Many organizations skip this step altogether, focus too heavily on either internal or external fraud, or don’t put enough effort into this process to ensure it results in an effective tool to assess risks across the organization. Remember that risks evolve, so you should periodically review your risk universe to ensure that you stay ahead of emerging threats.
2. Narrow your focus. While you must identify your risks, don’t go overboard or try to boil the ocean. More is not always better. Instead, focus on identifying the internal and external risks most relevant to your organization. Your organization might have a multitude of fraud risks and not know where to start with the massive list. This translates to analysis paralysis. You don’t have to conduct an enterprise-wide fraud risk assessment right out of the gate. If you have limited resources, you can start small and expand over time as you gather lessons learned and as resources allow.
3. Employ the right risk-assessment techniques. Risk assessments and risk-assessment techniques are not all equally effective. Many organizations rely heavily on surveys to assess risks. However, surveys alone are not optimal since they can be subject to biased, perception-based responses and there is no way to ensure everyone is responding within the right context. Surveys are generally most appropriate in the early stages of your risk assessment. They should be followed by interviews or workshops for deeper analysis. A mature risk-assessment process should employ multiple techniques including surveys, interviews and workshops.
4. Focus on facts, not perceptions. Many organizations focus on perception-based questions as part of fraud risk assessment — for example, “How would you rate the strength of controls?” The reliability of such perceptions can vary widely. A better approach is to map out your risks and design a set of information-based questions aimed at assessing the strength of controls to protect those entry points.

5. Involve the right people. Organizations tend to keep their fraud risk assessment teams small or focused only on senior leadership or management. Aim for a broader set of perspectives from the business staff on the front lines. They actually understand how controls are implemented and where you have potential gaps or vulnerabilities. Building a broader risk-assessment team can help you train stakeholders on fraud risk, on their role in fraud risk prevention and detection, and on why fraud risk management matters.
6. Dive deep. Dig beneath the surface. Your assessment should dive deep enough to understand your top risks, the controls in place, and the key gaps and vulnerabilities across your organization. You will not get this insight in a 30-minute interview or a 10-15-question survey. Best-in-class risk assessments take time, both to develop the methodology and to implement across your organization.
7. Build a strong foundation. It is difficult for a fraud risk assessment to be effective if you do not have a solid fraud risk management foundation in place. This foundation should include a strong and documented governance structure; and defined roles, responsibilities and reporting mechanisms for your fraud risk management program. This foundation will ensure there is an underpinning strategy and governance structure in place so that you can be certain the assessment itself and the results have a clear path, priorities and reporting structure.
   
8. Break out of your silos. Fraud risk assessment should not be conducted in a silo. Strategically integrate with other functions at your organization as you conduct the assessment and relay results. It is especially important to communicate results to relevant business lines to help inform decision-making and communicate lessons learned that should be incorporated to strengthen current controls and mitigation activities.
   
9. Focus on a broad range of controls. As part of the risk-assessment process, you should identify existing anti-fraud controls and appraise their effectiveness. Often, organizations either do not fully understand their existing anti-fraud controls or rely on perceptions of effectiveness instead of working to understand actual effectiveness. This is where a control inventory comes in. As you begin to conduct your fraud risk assessment, match your identified fraud risks to your identified anti-fraud controls. Once you begin to assess and score risks, leverage this inventory to understand what controls are in place to combat a risk and to work to understand how strong controls are in practice. You can leverage audit findings, controls testing results or other sources of data to help, and you can talk to front-line staff implementing these controls to understand what they are doing and how that might differ from the design of the control.
   
10. Turn insight into action. If you are not using the insights gathered during your fraud risk assessment to take meaningful action, you are not alone. But you also are not making full use of your assessment. Your fraud risk assessment is a tool. The results should drive decisions, resource allocation, and business and process improvements.