What is Fraud Risk Analysis?
Fraud risk analysis is an assessment process to determine the likelihood of a fraud being committed, what can be done to prevent it, and which prevention technique is the most commercial to undertake. The process looks at the risk of losses from a fraud and at the different actions that have been identified to prevent that fraud. Using this information, controls based on a cost/benefit analysis can be identified.
Risk assessment identifies fraud risks and helps determine what controls should be implemented. It is similar to finding the biggest leaks and plugging them in the most commercial manner.
Conducting a Fraud Risk Assessment
Seven actions or decisions are used to determine a level of risk, the likelihood of a loss, possible controls, and the cost of implementing these controls. They apply to any type of risk, not just the risk of loss from fraud. These are:
1. Determine what threats face the business in the different areas of the business;
2. Estimate the likelihood of a loss occurring from each particular threat;
3. Estimate the quantum of any loss from each particular threat;
4. Determine what control procedures could be applied to prevent or detect that particular threat;
5. Estimate the costs of implementing and maintaining each control;
6. Decide whether the cost of a control is worth the benefit of having the control;
7. Implement controls where cost / benefit assessment is favorable or desirable.
These actions or decisions can be grouped into four general steps. They are:
1. Identify the possible threats
2. Estimate the risk of that threat occurring and the potential loss
3. Identify potential controls
4. Conduct a cost / benefit analysis
Identify The Possible Threats
What are the types of threats?
A whole range of threats face businesses, including:
(i) strategic threats;
(ii) operational threats;
(iii) financial threats; and
(iv) information threats.
Fraud is mainly associated with financial threats – including a direct loss of financial resources (money or assets); a loss of information (financial information, patents etc.); or the incurring of unnecessary costs (resulting from bribery etc.).
The methods of identifying threats are as varied as the ways of conducting business, but some questions that business owners should ask are:
(a) What assets does the business use (equipment, etc.) or trade in (stock, etc.)?
(b) How does the business provide and bill for its goods or services?
(c) How is the business paid (cash sales, trade debtors etc.)?
(d) How does the business order its supplies?
(e) How are payments made for goods and services?
(f) How are employees paid?
Each of these areas should then be examined for possible areas of threat.
Are all of these threats relevant to all businesses?
No, but most businesses will have one or more of these areas in their operations.
Most businesses will have a procedure for receiving payments from their customers and a procedure for paying their bills. Most businesses will purchase and receive goods or services, and will take orders for and supply their goods or services. Most businesses have employees. Business owners have to look at their procedures and determine what areas might be attacked by a dishonest employee and how those areas may be attacked.
Estimate The Risk Of A Threat Occurring
The next step is estimating the likelihood of a loss from a particular identified threat. Some threats are either more likely to occur or will do more commercial damage if they do occur. Some threats are more likely to reoccur after an initial attack than others.
For example, suppose we have identified an unlocked cash drawer as a high potential threat. We determine that the loss from the theft of cash from the cash drawer before it is banked or recorded has a high likelihood of occurring, and of recurring after the first instance if no action is taken to prevent a recurrence.
Estimating the likelihood of a theft and turning that risk into a percentage chance of occurring is difficult, and there are no rules. The process has to be done by instinct by someone who knows the business. Trying to estimate the probability of recurrence is even more difficult. Let's say that the likelihood of loss from our cash drawer (someone stealing the money) is 50%.
The next step is estimating the loss due to that threat. Keeping the same example, if the cash drawer holds $200, the total estimated loss from theft may be that $200. To be conservative, the realistic maximum loss should be used. The loss in our example therefore would be $200, even though the theft of a lesser amount is possible.
Lastly, you must estimate the likelihood of a reoccurrence if no remedial action is taken after the first fraud. We have estimated that the attack is likely to happen 4 times in a given period.
The estimated loss is then the product of (1) the likelihood of the threat happening, (2) the likelihood of recurrence expressed as the estimated number of instances and (3) the estimated loss. Going back to our cash drawer example:
50% risk of occurring x 4 occurrences x $200 = a total estimated loss of $400
The potential loss from that threat is calculated at $400 in a given period.
Identify Potential Controls
After locating possible threats, business owners will have to consider what controls are available and whether prevention controls (to stop the fraud) or detection controls (to find the fraud if it occurs) should be used. A control that prevents a fraud is better than a control that only detects it after it has happened and the loss has occurred. But knowledge that controls are in place and a fraud will be found will act as a deterrent to dishonest employees. This is called the “perception of detection”.
Business owners will have to consider what actions may be taken to stop or reduce losses from fraud. Whether controls are appropriate to a potential loss will vary depending on each individual business situation.
Going back to our example, we have identified three possible controls:
(1) removing the cash from the drawer;
(2) putting a lock on the drawer; and
(3) purchasing a safe.
But are these controls commercial?
Conduct a Cost / Benefit Analysis
Once possible controls have been identified, business owners will have to determine whether a control is worth the cost. The costs have to be viewed as both a commercial cost and an inconvenience cost, being the inconvenience to the business by implementing that control.
This is the cost / benefit analysis. It determines whether resources will be spent attempting to prevent a particular loss. Keeping to the example above, the estimated loss from the cash drawer is $400. Removing the cash from the drawer costs nothing. If you could guard against that loss by putting the lock on the drawer and only spending $10, the control would be practical and commercial. If the cost of buying the safe is $1,000, this control may not be seen as commercial.
Business owners must also consider the practicality of a control. The cheapest and safest control for the example may be removing cash from the drawer entirely. But staff may need access to that cash on a day-to-day basis to conduct the business, and sales may be lost because staff cannot service customers. Controls must still allow the business to trade without undue interference. The controls must be practical in the circumstances.
The keys to the lock on the drawer can be handed to all employees who need access to the drawer and changed quickly and easily. The combination to the safe can be given to these employees and changed easily. Both of these controls pass the convenience test, so the decision can be determined on a commercial basis.
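The cash drawer assessment above, carried through both the commercial and the practicality test, as an added example that is not part of the original article. It assumes that a control, once in place, prevents the whole estimated loss, and it treats removing the cash as impractical because staff need day-to-day access; the names Control, assess and recommend are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    cost: float      # cost of implementing the control, in dollars
    practical: bool  # can the business still trade normally with it in place?


def estimated_loss(likelihood, occurrences, loss_per_event):
    """Likelihood of the threat x estimated instances x realistic maximum loss."""
    return likelihood * occurrences * loss_per_event


def assess(controls, loss):
    """Return (name, net_benefit, verdict) per control, best net benefit first.

    Assumption: each control prevents the whole estimated loss.
    """
    rows = []
    for c in controls:
        net = loss - c.cost
        if not c.practical:
            verdict = "rejected: impractical"   # fails the convenience test
        elif net > 0:
            verdict = "commercial"              # benefit exceeds cost
        else:
            verdict = "not commercial"          # costs more than it saves
        rows.append((c.name, net, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def recommend(controls, loss):
    """Best practical control whose benefit exceeds its cost, or None."""
    for name, _net, verdict in assess(controls, loss):
        if verdict == "commercial":
            return name
    return None


# Figures from the article's example: 50% likelihood, 4 occurrences, $200 each.
CASH_DRAWER_LOSS = estimated_loss(0.50, 4, 200)
CONTROLS = [
    Control("remove cash from drawer", 0, practical=False),  # assumed impractical
    Control("lock on drawer", 10, practical=True),
    Control("safe", 1000, practical=True),
]

if __name__ == "__main__":
    print(f"Estimated loss: ${CASH_DRAWER_LOSS:.0f}")
    for name, net, verdict in assess(CONTROLS, CASH_DRAWER_LOSS):
        print(f"{name:<26} net ${net:>6.0f}  {verdict}")
    print("Recommended:", recommend(CONTROLS, CASH_DRAWER_LOSS))
```
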
Risk Assessment is not an exact science and “gut feeling” has to be used in estimating the levels and likelihood of threats.
The risk of loss from frauds is real, so complacency is not the answer. Armed with the results of the risk assessment, business owners will be able to initially direct their limited resources to areas where they will get the most benefit.