Bizcoach, Small Business Ideas and Resources for Starting a Small Business

Risk Assesment and Fraud

This is a short article illustrating how risk assessment can be used to prioritize business processes for fraud potential.

It is the responsibility of managers to find fraud, but it is hard sometimes to locate the vital clues about where to look for it. Risk assessment is a tool that will help managers detect and deal with fraud in their operations. Risk assessment is a decision-making tool that helps managers sort through a number of possibilities and then chose those with the greatest payoff. Correct risk management is as important as organising public indemnity insurance cover or any of the other steps you take to protect your business. In fighting fraud, risk assessment techniques can help managers identify the most likely business processes where fraud could occur.

The three elements of risk assessment are:

Risk Identification: Determining what is at risk and from what sources.
Risk Measurement: Determining the consequences of the risk (and to a lesser extent, the likelihood of its occurrence).
Risk Prioritization: Determining the appropriate resources to manage the risk.

The three elements of fraud are:

Attitude: A predisposition to commit fraud or an ability to rationalize fraudulent behavior.
Pressure: Internal and external forces working on the individual that might influence their decision to commit fraud.
Opportunity: Conditions that allow the fraud to take place.

Each of these three elements of fraud can use risk assessment techniques of identification, measurement and prioritization to detect and deal with organization fraud. Pre-employment screening attempts to reduce the number of employees with an "at risk" attitude. Behavioral risk assessment examines EAP (Employee Assistance Programs) and similar programs to ensure that "at risk" pressures can be relieved through these safety valves. Risk assessment can be used also to evaluate "at risk" business processes in the organization that may be more prone to fraud opportunities. What is needed is a model of these "at risk" business processes to give managers the clues they need to manage fraud risk.

Most managers can recognize the risk in processes that handle cash and negotiable securities, but how do managers identify processes or parts of processes where the risk of fraud is less obvious? A model of fraud risk can be built around the characteristics of fraud types. The risk of various types of fraud is greater in a process that includes one or more of the characteristics in our model.

Characteristics of Fraud Opportunities

Types of Fraud	Characteristics of Fraud Potential in Business Processes	Examples of Processes or Process Elements
Financial Fraud	Assets include cash, negotiable securities Processes include movement or exchange of the financial assets Processes include subjective valuations of assets or credit	Cashiering/receipting Wire transfers Purchasing Credit/loan approval Auctions/asset disposal Appraisals
Theft of Assets	Assets can be converted easily to personal use or have dual use Assets have more than nominal value Access to the assets is open, frequent and with minimum control Assets are easily concealed Assets are commodities that are difficult to trace Assets are easily sold (ready market)	Attractive assets such as portable computers Precious metal scrap Microchip inventories Consumer inventories Tools and equipment Gasoline Building materials Salvage/scrap/recyclables
Theft of Services	Services can be converted easily to personal use or have dual use Services have more than nominal value Access to the services is open, frequent and with minimum control Services are performed "off premises" Employees are also customers	Telecommunications Building trades Consumer services Shipping Off-site warehousing and refurbishment/repair Adjusting A/R
Misrepresentation Time Results Assets Reputation	Self-reporting processes Processes with high degree of subjective judgment Processes with high impact on organizational survival	Consulting/legal services Estimating reserves Safety/environmental impact Legal/regulatory compliance

The first step of risk assessment is risk identification. Using the model, managers can identify which of their business processes are "at risk" opportunities for fraud. An Accounting Manager might want to focus some attention on transactions that dispose of business assets, journal entries that set up estimated reserves for litigation, and write-offs/adjustments to employee accounts. Identifying some of the riskier areas permits the manager to concentrate more effort where there is more inherent risk of fraud.

The model is a handy first step in detecting and dealing with fraud. The risk areas are based on a wide cross-section of many types of organizations and experience of many years. Nevertheless, each organization operates within their own context or corporate culture, and each has a history of strengths and weaknesses. The model should be supplemented with additional weak areas known to management.

To complete the risk assessment, the manager needs to have some means of measuring and prioritizing the risk of fraud in each of these areas and any additional areas deemed "at risk" from past experience. Risk measurement is the hardest part of risk assessment, and there is little that can be done to date to eliminate subjectivity in the measurement process.

One method of measuring the risk of fraud in various business processes is to establish common factors that are observable or measurable indicators of the size of frauds possible and their consequences. Each process is then scored according to the strength or weakness of the factors using a scale of 1 (low) to 5 (high). For example, factors might be chosen as follows:

Value: What is the relative cost or value of the consequences of fraud? It is useful to annualize this amount so as to compare "apples with apples." Thus a cashiering operation may have a risk of fraud of perhaps $100 per day in skimming (stealing revenue before it enters the accounting system) or an annual exposure of approximately $26,000. Bogus wire transfers could net many millions of dollars. The scoring for a wide range of values like this is typically logarithmic.

Business Impact: How do the consequences of fraud affect the ongoing operation of the business? Low scores represent frauds that are local and internal (such as theft from inventory); high scores are frauds that have widespread or even a fatal consequence to ongoing operations (such as deceiving the regulatory authorities).
Control Environment: What is the strength of the existing control environment to manage the risk of fraud? Tightly controlled operations present less risk of undetected fraud. Operations where few controls are possible present more risk. Internal accounting operations are usually well-supervised and present lower risk than working with independent consultants who may perform much of their work unsupervised.

A formula can be created that represents the fraud risk in each business process. The total scores from using the formula can then be compared to prioritize those business processes that need the most management attention.

None of this is rocket science, but using a risk-based approach to fraud can give managers the additional information they need to address the negative consequences of fraud.

More Business Risk Management Info: