This article was originally published on the White Collar Forensic blog.
All organizations lose revenues to fraud and corruption, but most don’t realize it is happening.
The Association of Certified Fraud Examiners (ACFE) – a global organization of fraud investigators with over 90,000 members – is best known for its widely cited statistic that 5% of revenue is lost each year to fraud. With Global World Product of $94 trillion annually, that means $4.7 trillion a year is lost to fraud. Given the magnitude of the problem, is it realistic to think that your organization is less susceptible? While it is possible your organization has been very fortunate, it is much more likely fraud and corruption are eating away your revenues and have not yet been detected. In fact, the ACFE reported that the typical fraud lasts 12 months before it is discovered.
Investment banks and corporate development teams perform SWOT analyses to use objective criteria to evaluate a potential transaction or business venture by compiling and considering the Strengths, Weaknesses, Opportunities and Threats. Too often, SWOT analyses are myopic and hyper-focused on the transaction or venture itself and they fail to consider the potential consequences fraud or corruption will have on the business situation at hand. This phenomenon goes well beyond SWOT analyses. Fraud and corruption can destroy a company and yet these risks are seldom at the forefront of discussions when budgets are being allocated and critical decisions are being made.
“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” – Warren Buffet
What risk assessments uncover
Most compliance advisory projects start with a risk assessment. They typically include a review of policies and procedures, walkthroughs of various essential business processes, accounting and information systems and interviews of various executives representing a cross section of business operations. The results are often documented in a Risk and Control Matrix or “RCM”.
An RCM lists out the various risk events that could happen, corresponding internal controls designed to mitigate the risk, residual risk that remains after considering the existing mitigating control and lastly, likelihood and potential impact on operations if the specific risk scenario were to happen. When interviewing executives, these interviews tend to have an arc to them, particularly if the interviews are performed in a group setting. For example, if the question is posed, how likely is it that a major fraud could disrupt your business operations? In almost 100% of the cases, the initial answer will be “not likely.”
This isn’t because the executives are being disingenuous, it’s just that fraud is somewhat amorphous and the interviewees are focused on other things. Inevitably though, when the likelihood of a specific scenario is the basis for the question, the answers become more meaningful. For example, “how likely is it that someone could onboard fraudulent vendors and approve fake invoices for payment?” Those tangible concepts produce meaningful dialog. Often the answers are “very likely” and that the impact could be significant.
An RCM lists out the various risk events that could happen, corresponding internal controls designed to mitigate the risk, residual risk that remains after considering the existing mitigating control and lastly, likelihood and potential impact on operations if the specific risk scenario were to happen.
The existential threat of fraud
The goal of eliminating fraud is not realistic. Fraud is universal and unavoidable.
Lowering fraud risk on the other hand, is a very achievable goal. It starts with the identification of the specific risks that are nuanced to your organization and industry and the leadership’s understanding that left unchecked, these specific risks could disrupt operations and inhibit organizational objectives. This is accomplished through a meaningful fraud risk assessment performed with the full support and governance of senior leadership.
Information gleaned from a fraud risk assessment provides the blueprint for the organization’s control environment and leadership’s understanding of the organization’s most critical risks, their current ability to mitigate them and the concrete steps that need to be taken to make the organization less susceptible and more resilient.
Fraud can happen in any organization, in many forms – ensure you have an effective approach to mitigating corporate fraud risk through prevention, detection and response. For more information about how NAVEX can help:
