Monitoring the risk of fraud through measurement and reporting is a key component in fraud risk management. It allows management to focus limited resources on the areas of highest risk to the organisation.
A quantitative approach to fraud management through the use of fraud risk appetite and key risk indicators (KRIs) is a natural step in the evolution of fraud management programmes.
KRIs have become an indispensable tool used in many operational risk management frameworks. Developing KRIs is crucial to the success of any risk management programme, as KRIs enable organisations to predict potential risk events. When properly designed and effectively communicated, KRIs are useful in identifying areas where additional controls or other mitigation is needed. Alternatively, KRIs may drive risk acceptance decisions.
While developing a fraud risk appetite statement and fraud KRIs is not a legal requirement, the use of KRIs as a management tool is common among financial institutions around the world. For example, in the banking industry the use of KRIs is a requirement associated with the calculation of a bank's operational risk capital charge.
KRIs also are becoming more frequently used beyond the financial industry. Recognising their usefulness, organisations in other sectors, such as energy and even not-for-profit, have been developing KRIs. The proliferation of cyber events has also led to the use of cybersecurity KRIs as a measure to assess and manage this risk.
A leading guideline issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework Executive Summary, states that a risk appetite statement should articulate "[t]he amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy and, in turn, influences the entity's culture and operating style."
Further, a fraud risk appetite statement provides the framework for identifying those elements of fraud risk that the organisation deems significant enough to require monitoring and reporting. Many organisations follow the categories set out in the guidelines issued by the Basel Committee on Banking Supervision, Consultative Document Operational Risk (Basel II), and differentiate in their fraud risk appetite statements between the following:
- Internal fraud: Any acts of fraud committed internally in an organisation that go against its interest, resulting from intent to defraud, tax noncompliance, misappropriation of assets, forgery, bribes, deliberate mismarking of positions, and theft.
- External fraud: Activities committed by third parties, which include theft, cheque fraud, and breaching system security, such as hacking or acquiring unauthorised information.
An effective fraud risk appetite statement includes both qualitative and quantitative components. Fraud KRIs are the quantitative portion of the statement, providing measurement of risk drivers. The primary objective of a KRI is to provide an early warning to identify adverse potential events. When adequately constructed, KRIs help detect and prevent a specific fraud exposure to a business, to an activity, or to a particular type of client.
A fraud appetite statement should carefully weigh intraorganisational sensitivities to risk drivers of fraud and to public perceptions and outcomes associated with fraud events, along with the acceptance that elimination of fraud is associated with cost and decreased client experience (see "Sample Fraud Risk Appetite Statement", at bottom of page).
Methodology for developing fraud KRIs
To enable monitoring and accountability, the development of an initial setup of fraud KRIs requires establishing an understanding of multiple factors. First and foremost is obtaining and analysing past fraud experience (loss history). It is also useful to conduct a review of root-cause analyses to identify triggers affecting past and potential fraud losses.
Because KRIs are designed to assist in projecting the risk of fraud going forward ("Leading" KRIs), it is not enough to look back. The process also requires a careful evaluation of known and emerging fraud schemes and fraud trends (see the chart "Process of Developing KRIs").
The increasingly intertwined landscape of external fraud and cybercrime requires establishing an understanding of the nature and methods driving the latest cyberattacks and their impact on fraud losses. This is especially critical in today's environment for companies in the financial industry.
For example, the monitoring of customer online account activity (using the web, mobile, and other emerging channels) may generate useful information regarding anomalies in login and password-reset patterns. Increases in these parameters above certain thresholds should be assessed. Similarly, the number or percentage of customer calls to the customer care department to report identity theft, or the number or percentage of accounts opened online, may serve as a leading KRI for account takeover fraud. Using the number or percentage of complaints from customers may be beneficial in detecting early signs of potential fraud: an increase in the number and type of customer complaints may indicate an increase in operational errors or intentional mistakes that are driving complaints. An increase in voluntary staff turnover may, upon further analysis, prove to be a warning sign for fraud and could be used as a fraud KRI.
A projection of fraud losses would not be complete without a consideration of changes to business operations. When evaluating the potential for fraud, it is imperative to take into account factors such as a pending acquisition of a new business or an expansion to new markets or new territories. These business strategies create new opportunities, as well as new risks, that should be assessed in terms of their impact on the projected number of fraud events and the financial cost of the fraud. These may change the risk profile in a manner that skews prior-period fraud figures and existing fraud KRIs.
Similarly, the outsourcing of key activities or the implementation of major IT initiatives might also impact the risk profile and, hence, fraud KRIs. As cybercrime continues to evolve with increasingly sophisticated criminal actors and more data breach events, it is reasonable to assume that the number and velocity of external fraudulent actions will increase. Therefore, the number or percentage of investigations into cyberattacks or the number or percentage of customers impacted by cyberattacks may be useful as cybercrime KRIs.
In addition, it is crucial to review changes to key anti-fraud controls. Introduction of a sophisticated fraud monitoring system that is designed to supplement or replace manual controls is expected to reduce the number and amount of fraud losses and will require a reduction in the weight given to fraud losses recorded in the period prior to the introduction of such a system.
Good KRIs should follow from an analysis that identifies fraud risk drivers. Once KRIs have been defined, clear responsibility must be established for the data sources used in reporting each KRI. Often, the elements used to calculate KRIs are maintained by different groups, and some activities may be split between corporate functions and lines of business (see the chart "Fraud Risk Drivers and Data Elements").
Note that in the absence of such data, the use of proxies to fraud risk drivers is a practical solution. "Lagging" risk indicators may be used if neither is available.
Another important set of decisions involves determining how often fraud KRIs are measured and reported (eg, monthly, quarterly, or annually). A study conducted by the North American CRO Council found that a majority of chief risk officers (60%) monitor and report on risk appetite quarterly. Other companies report monthly, biannually, or at a frequency that varies by the nature of the particular risk. It is important to note that fraud events may not follow regular patterns of seasonality or business operation cycles. Hence, a monitoring period that is too short may result in skewed fraud KRIs and unwarranted escalations.
Taking all the elements discussed above into account, a set of KRIs may be agreed as shown in the chart "Fraud KRIs: Reporting Cadence".
Establishing fraud KRI thresholds
After the initial construction of fraud KRIs, the next step is developing appropriate thresholds. It is recommended to assess historical experience averages and compare these to industry benchmarks, if any exist. The use of industry benchmarks may be critical when historical losses are not a good predictor of future fraud-loss experience. There are several sources to choose from, including consortiums, trade associations, and private vendors that maintain operational loss databases — and publicly available events that may be used to supplement them.
Another critical decision involves the determination of the appropriate measures required if the threshold is breached. This should be done in a manner corresponding to the severity of the KRI breach. Measures to consider include management reporting, escalation protocols, and governance routines. In considering the actions resulting from KRI threshold breaches, organisations should specify the governance body to which the breach is reported, the reporting manner, the seniority of the individuals involved in the reporting of issues, the nature of the resulting action plans, and the organisational and personnel ramifications. The combination of these responses may drive actions to fraud mitigation and risk acceptance in the organisation.
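The following is an added illustration, not part of the article, that ties together the login and password-reset KRI described earlier, thresholds derived from historical averages, severity-tiered responses, and the effect of the reporting cadence. The weekly figures, the threshold multipliers (1.25x and 1.5x the historical baseline) and the response tiers are all constructed assumptions; in practice the thresholds would also be cross-checked against industry benchmarks.

```python
from statistics import mean

# Constructed sample data (hypothetical figures, not from the article): twelve
# consecutive weeks of (logins, password resets) for one online channel.
# Weeks 1-11 are ordinary; week 12 carries a password-reset spike.
WEEKLY = [
    (10200, 41), (9800, 39), (10500, 44), (9900, 38),
    (10100, 42), (10300, 40), (9700, 37), (10400, 43),
    (10000, 41), (10200, 40), (9900, 39), (10100, 88),
]

def kri(logins, resets):
    """Leading KRI: password resets per 1,000 logins."""
    return 1000.0 * resets / logins

def thresholds(history, amber=1.25, red=1.50):
    """Thresholds as multiples of the historical average KRI (assumed
    multipliers; in practice cross-checked against industry benchmarks)."""
    baseline = mean(history)
    return {"baseline": baseline, "amber": amber * baseline, "red": red * baseline}

def classify(value, th):
    """Map the KRI value to a response tier matching the breach severity
    (hypothetical tiers, not the article's)."""
    if value >= th["red"]:
        return "red: escalate to risk committee, root-cause analysis required"
    if value >= th["amber"]:
        return "amber: report to line management, monitor next period"
    return "green: within appetite, routine reporting"

def assess(weekly, window_weeks):
    """Aggregate weeks into reporting periods of `window_weeks`, build the
    baseline from all but the latest period, and classify the latest one."""
    usable = len(weekly) - len(weekly) % window_weeks
    periods = []
    for i in range(0, usable, window_weeks):
        chunk = weekly[i:i + window_weeks]
        logins = sum(lg for lg, _ in chunk)
        resets = sum(rs for _, rs in chunk)
        periods.append(kri(logins, resets))
    history, current = periods[:-1], periods[-1]
    th = thresholds(history)
    return current, th, classify(current, th)

if __name__ == "__main__":
    for weeks, label in ((1, "weekly"), (4, "monthly")):
        current, th, tier = assess(WEEKLY, weeks)
        print(f"{label:8s} KRI={current:.2f} baseline={th['baseline']:.2f} "
              f"amber={th['amber']:.2f} red={th['red']:.2f} -> {tier}")
```

Run with a weekly cadence the same data produces a red breach, while the four-week aggregate lands in amber, which is the cadence sensitivity the article warns about.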
Challenges with fraud KRIs
As useful as fraud appetite and KRIs may be, their initial setup and ongoing monitoring may take longer than expected. Reaching a consensus regarding fraud risk appetite and the ensuing KRIs may require multiple discussions to bridge perceptions amongst business leaders, risk managers, and fraud professionals regarding the exact nature and amount associated with the risk of fraud and misconduct that are worth monitoring. Some of the most common challenges include the following:
- Attitudes and organisational changes: Perhaps more than the risk associated with other operational failures, fraud risk is invariably tied to organisational and personal attitudes, especially when fraud cases affect a corporation's reputation. Business leaders will have different perspectives regarding what fraud risk could and should be tolerated in an organisation. Often, business unit heads who are responsible for customer service or for the introduction of new products and services may view the risk of external fraud differently than those responsible for fraud operations or their colleagues in risk management. Even within functional units, attitudes may change over time as a reflection of changes in leadership and strategy or in response to law enforcement or a regulatory action. In those cases, appetite and KRIs will have to change accordingly.
- Assessing root cause: Although actual fraud loss figures are often easy to obtain, the exact root cause of fraud may not be easily determined. Fraud events may often be the outcome of a number of control breakdowns. Projecting the risk of fraud may be subject to a wide range of views, and identifying the root cause of fraud loss resulting from an external attack on a company's online systems can be tricky. Perpetrators may be able to exploit vulnerabilities in cybersecurity and business operations. The development of certain types of KRIs may require close partnerships amongst internal stakeholders.
- Data availability: Development of fraud KRIs may also be challenged by the limitations of information systems, which require knowledge of both losses and operational factors. Further, in light of its very nature, fraud risk may be managed in a decentralised way (such as across the various lines of business and geographies). This almost invariably means that mining data or allocating fraud losses across business units in the organisation might be subject to many discussions.
Tips for smaller companies
Developing good KRIs does not necessarily require a big risk management team, big budget, and lots of personnel. Small companies with limited risk management resources, or even a CFO in a one-person finance department who is responsible for risk management, may be able to develop a few key fraud risk indicators and then continue to build upon their programme. Small companies can take the following steps:
- When organisational resources are limited, start with a limited number of fraud KRIs and allow time to inform and educate stakeholders. Don't be afraid to use estimates, make assumptions, and change over time as more information is made available.
- To effectively manage time, it is useful to establish stakeholders' buy-in early. The party responsible for developing fraud KRIs needs to reach out across business lines.
- Setting KRIs at a level that is too low, or thresholds that are too narrow, will result in frequent breaches and put unnecessary strain on relationships with business partners.
Maintaining your anti-fraud toolkit
Fraud risk appetite and fraud KRIs are powerful tools. Combined with effective fraud governance procedures, fraud risk appetite and KRIs could be used as a strategic tool that will effect a change in awareness and drive action regarding the mitigation of fraud risk.
Fraud risk management professionals may assist management and lead the thought process to establish acceptable levels of fraud and misconduct loss. Further, by monitoring fraud KRIs, fraud risk managers can effectively support business management by articulating and aligning the expectations of various stakeholders in the organisation.
Sample fraud risk appetite statement
Organisation A has a low appetite for operational risk. The organisation makes resources available to control operational risks to acceptable levels. We recognise that it is impossible to eliminate some of the risks inherent in some of our activities, as acceptance of some risk is often necessary to foster innovation and efficiencies within business practices.
- Internal fraud: The organisation has no appetite for any fraud perpetrated by its staff. The organisation takes all allegations of suspected fraud or corruption very seriously and responds fully, fairly, and timely as set out in the Code of Conduct.
- External fraud: The organisation has a low appetite for fraud and abuse incidents that are generated by fraudulent and abusive practices by vendors and suppliers.
Dalit Stern, CPA (Israel), CFE, MBA, is a senior director in the Enterprise Risk Management group of TIAA Financial Services. She holds a certificate in Cybersecurity: Management of Risk in the Information Age, issued by Harvard's Office of Vice Provost. The views expressed in this article are the views of the author and do not necessarily reflect the views or policies of TIAA. To comment on this article or to suggest an idea for another article, contact Jeff Drew, an FM magazine senior editor, at Jeff.Drew@aicpa-cima.com.