Managing Fraud Risk:
First, Second or Third Line of Defence
Responsibility?
Patrick Risch, CFE, CIA, CCSA
BNP Paribas Fortis, Fraud Protection
Board member ACFE Belgium
2 | 27-03-2012 | Patrick Risch
DISCLAIMER
The views expressed in this presentation are the views of the speaker and do not necessarily reflect the views or policies of
• BNP Paribas Fortis or any other company of the Group BNP Paribas
• Any organisation of which the speaker is a member
The purpose of this presentation is to share ideas and promote discussion. Examples are purely for illustrative purposes, and may have been modified or simplified in order to clarify a point.
Neither the speaker, nor the company and organisations he belongs to, accepts responsibility for any consequence of the use of (parts of) the framework presented today.
However, we invite you to participate in the discussion today and later on.
Patrick Risch
Outline
Introduction
Fraud Risk Management
• Prevention
• Detection
• Fraud Case Management
• Repair and remediation
Ownership of fraud risk
• When it comes to fraud, there are no winners
• Three lines of defence
Conclusion
[Chart: Market capitalisation BNP Paribas, market capitalisation on 5 September 2010, in billion euros. Ranking: World #12, Europe #3, Eurozone #2, France #1. BNP Paribas = 64 billion euros. Banks compared: ICBC, CCB, HSBC, JP Morgan, Wells Fargo, Bank of America, Agr. Bank of China, Bank of China, Citigroup, Santander, ITAU Unibanco, BNP Paribas, Goldman Sachs, Lloyds Tsb, UBS, Barclays, Credit Suisse, Unicredit, BBVA, Société Générale, RBoS, Deutsche Bank, Intesa SPI, Nordea, Morgan Stanley, Crédit Agricole.]
Definition of Fraud
Every book, every magazine, every jurisdiction appears to
have its own definition of fraud.
Most definitions encompass the following three key
elements:
• Misconduct or abuse
• Deception
• Enrichment/benefit
Cost of fraud
Financial impact
• Direct losses
• Indirect losses
• Increased credit risk
• Cost of Fraud Management and recovery
Reputational impact
• Reliability
• Ethics
Psychological impact
Why do people commit fraud?
Some people are honest all of the time.
Some people are dishonest all of the time.
Most people are honest some of the time.
Some people are honest most of the time.
- Tommie Singleton, PhD, University of Alabama
[Figure: a spectrum running from Honest through Situational to Dishonest]
Fraud Risk Management
[Figure: three phases in sequence: Prevention and Early Detection, Fraud Case Management, Repair and Remediation]
Policy setting
Yet another policy?
ZERO TOLERANCE
Some important messages:
• What do we consider as fraud
• How do we expect management and staff to deal with
fraud risk
• Who is responsible for managing fraud risk
• What to do in case of a fraud suspicion
• What the consequences are of fraudulent behaviour
Talking about fraud
Issues
• No one likes to talk about fraud.
• They don't know how to talk about fraud.
• There are business targets to be reached.
Learning to talk about fraud
• The real and possible impact
• Words to talk about fraud
• An appropriate framework to cover the entire range of fraud possibilities
Fraud Risk Categories
Internal Fraud (Occupational fraud)
• Abuse of Powers and Authority (Corruption): Illegal Gratuities, Economic Extortion, Bribery, Conflict of Interest, Collusion, Misuse of company assets
• Asset Misappropriation: Financial Assets, Non-Financial Assets, Fraudulent Disbursements
• Fraudulent Financial Statements
External Fraud
• Fraudulent documents
• Asset Misappropriation: Financial Assets, Non-Financial Assets, Fraudulent Disbursements
Learning to talk about Fraud
If you don’t know fraud, you won’t be able to:
• Recognise it in your daily operations
• Prevent it when designing processes
• Detect it when performing control tasks
Learning to know fraud
• Part of a training path for newcomers and for new managers
– Integrated in product training
– Cross-product
• Other trainings and road shows
• E-learning
Assessing fraud risk
Why?
• Focusing limited resources on most risky areas
– Frequency/impact
• Creating awareness
• Thinking out of the box
Nice side effect
• Putting fraud on the agenda
Fraud Risk Assessment
Preliminary
• Get an overall starting point
• Objective Yes/No questions
• Covers the entire fraud universe
Assessment
• Discussion with Line Management, based on preliminary questionnaire
• Inherent and controlled risk
• Fraud Awareness Maturity
Wrap Up
• Compare the outcome of the different assessments
• Action plan
Preliminary questionnaire
[Table: one row per question with a Y/N column and columns 1 2 3 4 5 6 7 8 9 … for the fraud risk categories; a question is marked X under each category that a "Yes" answer exposes]
Question | Y/N
Is cash available?
Access to confidential information?
One-on-one relation with suppliers?
Decision power on customer acceptance?
…
• 40 Questions on 8 topics
– Financial statements
– Access to assets
– Access to information
– Transactions
– Relationship with customers
– Relationship with suppliers
– Decision power
– HR Policies
Assessment matrix
[Table: Fraud risk category | Score, one score per leaf category]
Internal Fraud
• Abuse of power: Illegal gratuities; Economic extortion; Bribery; Conflict of interest; Collusion; Misuse of assets
• Asset misappropriation: Financial assets; Non-financial assets; Fraudulent disbursements
• Fraudulent Financial Statements
External Fraud
• Fraudulent documents
• Asset misappropriation: Financial assets; Non-financial assets; Fraudulent disbursements
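The three assessment steps above (questionnaire, inherent versus controlled risk, ranking for the action plan) as a small scoring tool. This is an added example, not the presenter's or BNP Paribas Fortis' assessment tool: the question-to-category mapping, the impact weights, the control-effectiveness ratings and the sample answers are all constructed assumptions, and only a handful of the 40 questions are represented.

```python
"""Scoring a fraud risk assessment (added example, assumed scheme).

Each "Yes" on the preliminary questionnaire is mapped onto the fraud risk
categories it exposes (the X marks of the assessment matrix) and weighted by
an assumed impact to give an inherent score.  A control-effectiveness rating
from the discussion with line management then gives the controlled (residual)
score, and the categories are ranked so limited resources go to the riskiest
areas.  Every number and mapping below is a constructed assumption.
"""

# Assumed impact weight per fraud risk category (1 = low, 3 = high).
IMPACT = {
    "abuse_of_power.illegal_gratuities": 1,
    "abuse_of_power.economic_extortion": 2,
    "abuse_of_power.bribery": 3,
    "abuse_of_power.conflict_of_interest": 2,
    "abuse_of_power.collusion": 3,
    "abuse_of_power.misuse_of_assets": 1,
    "asset_misappropriation.financial_assets": 3,
    "asset_misappropriation.non_financial_assets": 2,
    "asset_misappropriation.fraudulent_disbursements": 3,
    "fraudulent_financial_statements": 3,
    "external.fraudulent_documents": 2,
    "external.financial_assets": 3,
    "external.non_financial_assets": 2,
    "external.fraudulent_disbursements": 3,
}

# Constructed subset of the questionnaire: question -> categories a "Yes" exposes.
QUESTIONS = {
    "Is cash available?": ["asset_misappropriation.financial_assets"],
    "Access to confidential information?": ["asset_misappropriation.non_financial_assets"],
    "One-on-one relation with suppliers?": ["abuse_of_power.bribery",
                                            "abuse_of_power.conflict_of_interest"],
    "Decision power on customer acceptance?": ["abuse_of_power.illegal_gratuities",
                                               "external.fraudulent_documents"],
}


def inherent_scores(answers):
    """answers: {question: True for Yes / False for No}.  Each Yes adds the
    impact weight of every category that question exposes."""
    scores = {cat: 0 for cat in IMPACT}
    for question, yes in answers.items():
        if question not in QUESTIONS:
            raise ValueError(f"unknown question: {question!r}")
        if yes:
            for cat in QUESTIONS[question]:
                scores[cat] += IMPACT[cat]
    return scores


def residual_scores(inherent, control_effectiveness):
    """control_effectiveness: {category: 0.0 .. 1.0} agreed with line
    management; categories without a rating are treated as uncontrolled."""
    out = {}
    for cat, score in inherent.items():
        eff = control_effectiveness.get(cat, 0.0)
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"control effectiveness for {cat} out of range: {eff}")
        out[cat] = round(score * (1 - eff), 2)
    return out


def priorities(residual, top=3):
    """Categories with a non-zero residual score, highest first (ties by name)."""
    ranked = sorted(residual.items(), key=lambda kv: (-kv[1], kv[0]))
    return [cat for cat, score in ranked if score > 0][:top]


# Constructed answers and control ratings for one business unit.
ANSWERS = {
    "Is cash available?": True,
    "Access to confidential information?": True,
    "One-on-one relation with suppliers?": True,
    "Decision power on customer acceptance?": False,
}
CONTROLS = {
    "asset_misappropriation.financial_assets": 0.8,  # e.g. dual custody, daily cash count
    "abuse_of_power.bribery": 0.2,                    # gifts register only
}

if __name__ == "__main__":
    inherent = inherent_scores(ANSWERS)
    residual = residual_scores(inherent, CONTROLS)
    for cat in priorities(residual):
        print(f"{cat}: inherent {inherent[cat]}, residual {residual[cat]}")
```

The point of separating the two scores is visible in the sample: cash handling carries the highest inherent weight, but with strong controls it drops out of the top three, while the supplier relationship with only a gifts register rises to the top of the action plan.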
Fraud Awareness Maturity
• Based on objective criteria
– Communication of policy
– Training
– Risk assessment
– Quality of internal control
• Maturity levels
Fraud Detection
The haystack
• 70,000 new mortgage loans
• 450,000,000 transfers
• 3,800,000 cheques
• 600,000 physical coupon payments
• 17,000 staff members
• 1,300 branches
• …
Fraud Detection
• What are we looking for?
– Kerviel, Madoff, Leeson?
– The great train robbery?
– The one big hit?
• Remember
– Fraud can occur anywhere at any time.
– Big fraud schemes usually start small.
– Errors, anomalies … indicate weaknesses.
Fraud Detection
Risk-based approach
• How will a typical fraud scheme appear in your systems?
• Determine risk factors.
• Isolate high-risk transactions by means of data mining.
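The three steps above, carried through for one scheme: fraudulent disbursements to a newly created beneficiary, structured just below the approval limit so no second approver sees them, and entered and approved by the same person. This is an added example, not BNP Paribas Fortis' detection logic: the approval limit, the time windows, the factor weights and every transaction record are constructed assumptions, chosen so that the scheme shows up as several weak signals on the same records rather than one big hit.

```python
"""Risk-based fraud detection over payment records (added example).

Models how a fraudulent-disbursement scheme appears in a payments system,
turns that into risk factors, and scores each transaction so the high-risk
ones can be isolated for review.  All thresholds, weights and records are
constructed assumptions, not production values.
"""
from collections import defaultdict
from datetime import datetime

APPROVAL_LIMIT = 10_000.00   # assumed: payments at or above this need a second approver
NEAR_LIMIT_BAND = 0.10       # assumed: within 10% below the limit counts as "near limit"
NEW_BENEFICIARY_DAYS = 30    # assumed: beneficiary created less than 30 days before payment
TS_FMT = "%Y-%m-%d %H:%M"

# Constructed records (not real data).  T2/T3 carry the modelled scheme.
TRANSACTIONS = [
    {"id": "T1", "ts": "2012-03-05 10:12", "amount": 4200.00, "beneficiary": "B100",
     "beneficiary_created": "2009-01-10", "entered_by": "u_alice", "approved_by": "u_bob"},
    {"id": "T2", "ts": "2012-03-05 11:03", "amount": 9850.00, "beneficiary": "B777",
     "beneficiary_created": "2012-02-27", "entered_by": "u_carol", "approved_by": "u_carol"},
    {"id": "T3", "ts": "2012-03-05 11:40", "amount": 9900.00, "beneficiary": "B777",
     "beneficiary_created": "2012-02-27", "entered_by": "u_carol", "approved_by": "u_carol"},
    {"id": "T4", "ts": "2012-03-10 22:15", "amount": 1250.00, "beneficiary": "B205",
     "beneficiary_created": "2011-06-01", "entered_by": "u_dave", "approved_by": "u_erin"},
    {"id": "T5", "ts": "2012-03-06 09:30", "amount": 15000.00, "beneficiary": "B100",
     "beneficiary_created": "2009-01-10", "entered_by": "u_alice", "approved_by": "u_bob"},
]


def risk_factors(txn, daily_totals):
    """Return the (factor, weight) pairs that fire for one transaction."""
    hits = []
    ts = datetime.strptime(txn["ts"], TS_FMT)
    created = datetime.strptime(txn["beneficiary_created"], "%Y-%m-%d")
    amt = txn["amount"]
    # Just below the approval limit: the usual way to dodge the second approver.
    if APPROVAL_LIMIT * (1 - NEAR_LIMIT_BAND) <= amt < APPROVAL_LIMIT:
        hits.append(("near_approval_limit", 3))
    # Same user enters and approves: segregation of duties is broken.
    if txn["entered_by"] == txn["approved_by"]:
        hits.append(("self_approved", 4))
    # Recently created beneficiary: a new account is typical for disbursement fraud.
    if (ts - created).days < NEW_BENEFICIARY_DAYS:
        hits.append(("new_beneficiary", 2))
    # Structuring: same-day payments to one beneficiary that together reach the
    # limit while each one stays under it.
    if daily_totals[(txn["beneficiary"], ts.date())] >= APPROVAL_LIMIT and amt < APPROVAL_LIMIT:
        hits.append(("split_payment", 3))
    # Weekend or outside 07:00-19:00: a weak signal on its own, so low weight.
    if ts.weekday() >= 5 or not 7 <= ts.hour < 19:
        hits.append(("out_of_hours", 1))
    return hits


def score_transactions(txns):
    """Score every transaction and return them highest risk first."""
    daily_totals = defaultdict(float)
    for t in txns:
        day = datetime.strptime(t["ts"], TS_FMT).date()
        daily_totals[(t["beneficiary"], day)] += t["amount"]
    scored = []
    for t in txns:
        hits = risk_factors(t, daily_totals)
        scored.append({"id": t["id"], "score": sum(w for _, w in hits),
                       "factors": [f for f, _ in hits]})
    # sorted() is stable, so equal scores keep their input order.
    return sorted(scored, key=lambda s: s["score"], reverse=True)


def high_risk(txns, threshold=5):
    """The subset worth a fraud examiner's time; threshold is an assumption."""
    return [s for s in score_transactions(txns) if s["score"] >= threshold]


if __name__ == "__main__":
    for s in score_transactions(TRANSACTIONS):
        print(s["id"], s["score"], ", ".join(s["factors"]))
```

Two design points worth noting. The structuring check needs the same-day totals, so it is computed over the whole batch before any single record is scored; a rule that looks at one transaction at a time cannot see a split payment. And a legitimate large payment (T5) scores zero precisely because it went through the second approver, whereas the two smaller payments that avoided it score highest, which is the "big schemes start small" point made on the previous slide.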
Managing fraud cases
Independent and objective inquiry
• To find out what actually happened
• To define clearly losses and responsibilities
• To maintain legal evidence
• To avoid cover-up
– By the fraudster or an accomplice in an internal fraud case
– By someone who made a mistake and thus facilitated an external fraud
Repair and remediation
Cleaning up the mess …
• Accounting
• Loss collection
• Reimbursing customers
• Recovery
• Legal action
• Disciplinary action
… and avoiding recurrence
• Lessons learned
• Revise and update controls in place
When it comes to fraud …. there are no winners
In practice: No one likes fraud
• A Fraud Examiner is always the bearer of bad news.
• Fraud detection routines only prove that everything is functioning as intended.
In theory: Two overall approaches
• Fraud control is just like any other internal control.
– Management responsibility
• Fraud risk is too specific to leave it in the hands of a layman.
– Responsibility of a dedicated department
Three lines of defence …. in general
First line of defence — Operational management
• Ownership, responsibility and accountability for assessing, controlling and mitigating risks
Second line of defence — Risk management/Compliance
• Facilitates and monitors the implementation of the framework
• Assists the risk owners in reporting
Third line of defence — Internal Audit
• Provides assurance to the organisation's board and senior management
Three lines of defence …. and fraud
First line of defence — Operational management
• Ownership, responsibility and accountability for assessing, controlling and mitigating risks
Applied to fraud:
• Tone at the top
• Training on how to recognise fraud
• Training on how to react when confronted with fraud
• Preventive controls
• Detective controls
• Investigate incidents
• Learning organisation
• Mr./Mrs. Anti-Fraud
Three lines of defence …. and fraud
Second line of defence — Risk management/Compliance
• Facilitates and monitors the implementation of the framework
• Assists the risk owners in reporting
Applied to fraud:
• Policy setting
• Oversight
• Set the example
• Independent view
• Proposing detective controls
• Give advice
• Knowledge centre
• Methodology
Three lines of defence …. and fraud
Third line of defence — Internal Audit
• Provide assurance to the organisation's board and senior management
Applied to fraud: ASSURANCE over
• Fraud Risk Framework
• Incidents
Conclusion
[Table: the three lines of defence against the three phases Prevention and Early Detection | Investigation of Fraud Cases | Fraud Repair and Remediation]
First line of defence
• Prevention and Early Detection: Culture of fraud risk awareness; Fraud Awareness Training; Fraud Risk in Risk Assessment process; Fraud preventive and detective controls; Fraud Alert Line
• Investigation of Fraud Cases: Process for fraud case management
• Fraud Repair and Remediation: Accounting entries and register losses; Reimburse customers; Disciplinary action; Improve internal control
Second line of defence
• Prevention and Early Detection: Oversight on Fraud Risk Management; Guidance, advice and recommendations; Fraud Risk Assessment methodology; Knowledge Centre on Fraud Risk; Develop Fraud Detection controls; Report on fraud risk exposure; Monitoring Fraud Risk exposure
• Investigation of Fraud Cases: Investigate fraud cases in a professional and objective way
• Fraud Repair and Remediation: Post Mortem analysis and recommendations to Line Management
Third line of defence
• Provide assurance to the organisation's board and senior management
Conclusion
• Managing fraud risk is more than managing fraud incidents
• A fraud risk management framework, adapted to the needs of your organisation
• Make sure that all aspects of fraud risk management are allocated somewhere
• Role of management
• Fraud detection
– A statistical approach
– Looking into your systems
• Let audit play its role
• Ensure coherence with the overall roles of risk and control governance
• Create a second line function to maintain oversight
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.