Level Up Your Fraud Risk Assessment: Achieving Best-in-Class FRA
By Sophia Carlton Suzanne Carlson Jul 15, 2022
Article
This is the second in a three-part series on FRA.
Achieving an effective FRA can be a moving target. Your risk landscape, organizational structure, shifting strategic priorities and available resources, among other triggers, can impact the effectiveness of your FRA, so it is imperative that you review your approach on a regular basis. This can help you identify where you can make small, incremental changes or wide-sweeping enhancements to achieve an effective FRA that results in tangible, meaningful outcomes that can be used for decision-making and prioritization.
With all the differing information out there on what constitutes an "effective" FRA and what steps you should take, how can you determine where the source of truth lies? Unfortunately, there is not a one-size-fits-all approach. The specific steps that one organization takes to achieve an effective FRA might vary vastly from another.
The good news is that across all the varying “sources of truth”, there are some commonalities. Below are the three key phases and core underlying steps that should be part of your FRA:
BENCHMARKING YOUR FRA EACH STEP OF THE WAY
Within each step listed for each phase in Figure 1, there are specific activities that constitute a baseline (minimum steps to take for a functional FRA), common (what we see across many organizations that yields better results than baseline) or best-in-class (what we recommend to achieve an effective FRA based on leading guidance) maturity level.
Below, we cover the overarching goal and activities for each maturity level, broken out by the three phases. If you already have an FRA program, these maturity scales can help you identify where you can make small, incremental changes that can enhance your FRA quality. If you are just starting out, this framework can help you develop your FRA approach thoughtfully with leading guidance. In this case, the maturity scales provide a roadmap you can use to assess if you are on the right track and allow you to choose what works best for your organization.
Phase 1: Discover
| UNDERSTAND YOUR CURRENT STATE | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Gain a clear understanding of the area to be assessed, including organizational structure, operating environment and existing fraud risk management artifacts and activities. | Collect and independently review documentation and submit follow-up questions as needed. |
Collect and independently review documentation and submit follow-up questions as needed. Conduct interviews with select leadership within the area being assessed.
|
Conduct a stakeholder kickoff.
Collect and independently review documentation and submit follow-up questions as needed. Conduct interviews with select leadership and key process owners within the area being assessed and other risk groups (i.e., Cyber, ERM, ORM) Continue to deepen understanding through additional document requests and interviews based on outcomes of initial interviews conducted. |
| IDENTIFY & DOCUMENT SIGNIFICANT FRAUD RISKS | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Map out significant fraud risks relevant to the area assessed in a fraud risk matrix based on insight into the current state gleaned from the first step. | Independent identification of significant fraud risks based on known fraud. |
Independent identification of significant fraud risks based on:
|
Develop a fraud taxonomy or classification system Independent identification of significant fraud risks based on:
Host fraud risk brainstorming sessions with leadership, process owners and other relevant risk groups (i.e., Cyber, ERM, ORM) |
When identifying and documenting significant fraud risks, here are some level-up tips for you to consider:
- Don’t skip out on creating a fraud taxonomy. A fraud taxonomy has numerous benefits – it facilitates consistent fraud information and tracking, can be leveraged for employee and customer education and enhances understanding fraud types and methods. The fraud taxonomy ensures everyone across your organization is speaking the same language when it comes to fraud.
- You don’t need to start from scratch on your fraud taxonomy. If you are creating your initial fraud taxonomy, use existing risk taxonomies in your organization, industry examples or guidance as a starting place. It is also imperative to consider how your fraud taxonomy will integrate into other risk taxonomies across the business to allow for seamless integration or aggregation.
- Don’t try to boil the ocean. You should focus your fraud risk matrix on significant risks, rather than every single risk, to ensure it is actionable. Think quality over quantity.
- Develop a plan for Governance, Risk & Compliance (GRC) tool integration. If you have a GRC tool, consider how your fraud risk matrix will integrate into it. This integration does not have to be done initially, but it should be a consideration to ensure integration of the FRA into the broader risk management efforts occurring within the business.
- Iterate. Your fraud risk matrix should not become stagnant. Fraud risks and your organization are constantly shifting, so you should have a process in place to make both periodic and ad hoc updates to your matrix to ensure it stays relevant.
Phase 2: Measure
| QUANTIFY SIGNIFICANT FRAUD RISKS | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Assess probability and severity of significant risks identified to enable risk prioritization and top fraud risk identification. | Determine probability and severity of significant risks leveraging: A single qualitative technique (i.e., survey, interviews, workshop) including stakeholders within the area being assessed. |
Determine probability and severity of significant risks leveraging: A mix of qualitative techniques including stakeholders within the area being assessed. |
Determine probability and severity of significant risks leveraging:
|
When quantifying significant fraud risks, here are some level-up tips for you to consider:
- Consider controls. You should map controls to the significant fraud risks identified and have a clear picture on the effectiveness of those controls before beginning the quantification process. You can integrate these into your fraud risk matrix.
- Surveys, interviews and workshops have optimal uses. Ensure you leverage each qualitative technique meaningfully and with purpose while considering stakeholder burden.
- If you are creating your initial fraud risk scoring scales, consider how it will integrate into other risk scoring scales across the business. In some cases, you can use existing scales for easy integration. In other cases, it may be appropriate to create differentiated fraud risk scales.
- Don’t get stuck on the number. Perfecting a numerical risk score is less important than understanding what is relatively more significant to ensure a relevant prioritized risk listing.
- Stakeholder education is key. Not all stakeholders will have experience or a knowledge base related to risk scoring and related scales. Ensure you build in time for stakeholder education to ensure each person approaches the process with needed context.
- Consider risk indicators. A fraud risk indicator represents what is driving the fraud risk up or down. There can be both qualitative (i.e., lack of fraud awareness) and quantitative (i.e., volume of work) fraud risk indicators within an area being assessed. You can use these indicators to supplement insight gathered into processes and controls to paint a clear picture of where fraud risks may be greater or lower to establish the quantification process.
| PRIORITIZE AND IDENTIFY TOP FRAUD RISKS* | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Identify top fraud risks to enable focused risk response on areas of highest impact and priority. |
|
|
|
*This step does not have a strong delineation between baseline and common. The activities across both are similar and as such have been combined.
Phase 3: Act
| DEVELOP RISK RESPONSE STRATEGY | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Determine appropriate risk mitigation strategies to proactively combat prioritized and top fraud risks. |
|
|
|
A Fraud Risk Profile template can be leveraged to document the outcome of the FRA for each individual area assessed. It should document the outcomes and insights from the FRA – including but not limited to:
- Prioritized and top fraud risks, including:
- Qualitative or quantitative risk indicators
- Existing controls and effectiveness
- Probability and magnitude scores
- Risk response strategy
- Assigned owner
- Overarching risk indicators for the area being assessed, such as insights into anti-fraud culture or fraud awareness
You can then aggregate outcomes and insights into business areas or groupings to gain insight into key themes and patterns across a group of individual areas. To drive this further, you can create an enterprise-view across groupings.
| MONITOR RISK RESPONSE STRATEGY | |||
| GOAL | BASELINE | COMMON | BEST-IN-CLASS |
| Ensure the risk response strategy is achieving the desired results and being implemented in line with established timelines. If it is deemed ineffective, monitoring enables a quick shift to ensure the desired outcome is achieved. | Assess response strategy implementation and effectiveness at time of reassessment. | Assess response strategy implementation and effectiveness through periodic check-ins (i.e., annual, biannual, quarterly) between the accountable group and FRA team. | Assess response strategy implementation and effectiveness leveraging continuous monitoring through ad-hoc and periodic check-ins between the accountable group and FRA team. |
IT ALL BOILS DOWN TO REPORTING
A final step that falls outside the bounds of traditional FRA approaches is reporting results. Many organizations skip this step and miss an opportunity to engage with stakeholders across the organization. This type of reporting increases fraud awareness, highlights the achievements and key outcomes of FRA efforts and serves to increase the perception of detection, thereby driving down fraud risk. Reporting also ensures that leadership has insight into top threats and can thereby leverage that information for decision-making and anti-fraud investment accordingly while also highlighting the benefit of conducting FRAs to foster continued support of the program from the top.
You should report the FRA results to leadership, the area that was assessed and the broader organization at large. Consider audience; each audience may require a different reporting approach. Considerations for reporting:
- Conduct an initial summary briefing with key stakeholders from each area assessed
- Conduct an executive briefing to aggregate outcomes and priorities to senior leadership
- Distribute key highlights to the broader organization to facilitate awareness of the FRA program and ensure clarity on how each person plays a role in combatting fraud
If you have a Fraud Risk Profile template, you can leverage this as a starting point for reporting efforts. For example, you can leverage the profiles to aggregate outcomes as noted above, which can be used for executive or senior leadership reporting.
TAKE ACTION
You can use these insights to benchmark where your existing FRA program stands across each phase and underlying step. Fraud shows no signs of slowing down, no matter your industry or geographic location. FRA is an imperative tool to help you crack down on top threats meaningfully, making it imperative to invest today to reap the benefits tomorrow.