Firms that operate with entity-wide fraud risk management (FRM) arrangements are finding that programmes are most effective when the holistic basis of the discipline is clearly understood. It follows that governance - how to direct, integrate, embed and oversee FRM - is a fundamental part of the process. Critical to its effectiveness is the assembly of performance indicators which gauge both risk and progress in reducing it.
Motivation counts too. Appreciation of the positive benefits (not least a special insight into the relationship between culture and process) offers a far sounder start than simply responding to crisis and regulation. The latter approach leads, all too often, to expensive yet superficial change coated with extra bureaucracy.
KPMG's recent white paper, Unfinished Business: Is Fraud Risk Management used to its full potential? is based on the views of those responsible for FRM in 32 major international companies, from 8 business sectors in 10 countries across Europe, the Middle East and Africa (EMA).
The result is a revealing inventory of current activities surrounding FRM, as well as an insight into the tangible and conceptual gaps in corporate practice. The survey looked at the added value FRM provides, together with what's being done and what isn't. We asked which elements contribute most to effectiveness, as well as considering how success is assessed. Consequently, we examined the often neglected problems of fragmentation and embedding, and we go on to suggest some thoughts on how the discipline could develop.
Core fraud risk management, as we have said, is now widely practised but the underlying ideas are unevenly implemented. Many firms still focus on individual measures at the expense of comprehensive and coordinated strategy underpinned by governance and performance indicators.
Firms surveyed reported that FRM does add value. A third specified financial benefits, while another four tenths saw reputational advantages, with a further quarter finding positive benefits in terms of corporate culture, staff morale and loyalty. "It hardens the firm's approach to ethics and leads to more careful treatment of integrity-related issues," said one respondent.
Some argue that the discipline has tangible impacts on operations too: "FRM heightens awareness of the need to conform to systems and processes. It demands accountability. FRM leads to more efficient processes. By looking at errors we end up understanding the business as a whole, not just individual weaknesses."
Respondents were split evenly between concentrating their efforts on 'soft controls' (such as awareness training and codes of conduct) versus 'hard' measures (such as segregation of duties, restriction or control and process design).
There's little consistency in the way firms adapt to new threats and changing conditions. Many engage in essentially reactive learning while others take account of control reviews, risk assessments or feedback from training sessions.
A firm's culture and commitment by senior management are the strongest influences on the effectiveness of FRM programmes. A number of firms saw success flowing most surely from well-developed 'process' methods. One respondent said: "Different managers implement different levels of prevention but those who do more tend to get better results."
Developments in training may be fostering a formulaic approach. "Ethics is too often treated as just another module rather than being integrated into the way people think." "E-learning needs to be part of a programme requiring personal engagement with trainers and other trainees."
Effective programmes are the fruit of close engagement with each business function, and whatever the command from on high, policies work better at business unit level when they are negotiated and people have bought into the process rather than having had it imposed.
Although few respondents specifically rated governance as a major factor, many of them raised aspects of it under different names e.g., creation of a control matrix; developing an ethical culture; designating a lead function. Some argue that governance - where to integrate and embed FRM - is the most important factor affecting fraud prevention and reporting.
No firm line can be drawn between culture and process and they are best seen as two sides of the same coin. "Consistent application of controls is a part of a company's culture. As for openness, doesn't it rely partly on procedure?" commented one respondent.
Overall measurement of the effectiveness of FRM programmes is embryonic, with few well-defined and structured approaches. About a third of companies take no steps to assess the effectiveness of their programme, and the majority of those who do so use only an internal audit or assessment.
Only about a third of companies set quantitative targets and they refer mainly to measures like attendance at training sessions and fraud awareness surveys.
While some have taken steps to develop and embed integrated FRM arrangements, most activities are generally divided between 'isolated islands' - several different departments or functions. Directing managerial minds to specific sub-sets of fraud risk begs the question of who is taking a view of the business as a whole. Monitoring also tends to be a fragmented function.
Fragmentation of FRM efforts can prove expensive as well as less effective. Better coordination helps firms to increase the effectiveness of their FRM efforts without major additional investment.
As we have seen, coordinated entity efforts on preventing, detecting and responding to fraud can be beneficial to firms. Such coordination ensures not only that the firm has a single view of the threats it faces but also that it delivers a proportionate, targeted and coordinated response.