While fraud risk is a potential problem faced by almost every organisation, fraud is given only a perfunctory nod in most organisations’ overall consideration of risk, according to Carl Gibson, director of the risk management unit at La Trobe University.
Traditionally, he said, organisations have focused on reducing loss through layers of controls to deter, delay, detect, respond to and recover from fraudulent activities.
“This has created for many an almost static array of controls that are attempting to manage what is an increasingly dynamic set of fraud-related threats,” he said.
Existing standards such as AS 8001-2008 (Fraud and Corruption Control) and AS/NZS ISO 31000:2009 (Risk Management – Principles and Guidelines) provide guidance on establishing arrangements for managing fraud-related risk that can be aligned with an organisation’s overall approach to risk management.
Gibson said these approaches provide significant advantages over the more traditional “controls-bounded” arrangements, which tend to be more reactive to fraud trends and incidents.
With risk management, however, he said it was better to examine “what could be” in order to better keep up with changes in the activities of fraud perpetrators.
Such a risk-based approach creates an improved understanding of how an organisation’s external and internal environments can affect its objectives, and thereby create fraud-related risk.
“The rigour of such a process will assist in identifying fraud exposures, a proportion of which would previously have remained hidden,” he said.
Such a risk-based approach also allows organisations to think more broadly about how they can address fraud-related risk, rather than concentrating solely on prevention (and usually financial) controls, Gibson added.
Strong fraud risk management processes should create the means to tackle fraud both by addressing the causes of fraud-related risk before a fraud occurs (reducing the likelihood) and by reducing the direct and collateral harm should a fraud occur (reducing the negative consequences), he said.
Such processes should also enhance opportunities to further strengthen organisational ethics and behaviours through the visible outcomes of detection, recovery and disciplinary actions.
“A risk-based approach can also provide significant improvements in efficiency by reducing unnecessary controls, in circumstances where the risk has markedly lessened,” Gibson added.
He also noted that “resilience” has become the buzzword of the past few years, yet he argued that few organisations consider how fraud can seriously undermine efforts at building resilience.
“A focus on fraud-related risk, in addition to existing fraud control measures, can provide the firm foundation for enhancing overall organisational resilience,” he said.