TRANSCRIPT
Managing the Risk of Fraud Using ISO 31000
Paul J. Sobel
Vice President/ Chief Audit Executive
Georgia-Pacific LLC
[2]
Outline
• Overview of ISO 31000 – New Global Risk Management Standard
• Framework for Fraud Risk Management
• Fraud Risk Assessment
• Treating, Monitoring & Reporting on Fraud Risk
• Internal Audit’s Role in Fraud Risk Management
[3]
ISO 31000 - A Brief History
• Australia/New Zealand Standard #4360 (1995, 1999, 2004)
• COSO ERM (2004)
• ISO 31000: Risk Management –Principles and Guidelines (2009)
– ISO Guide 73: Risk Management –Vocabulary
– ISO 31010: Risk Management – Risk Assessment Techniques
[4]
The Flow of Risk Management
• The principles provide the foundation and describe the qualities of effective risk management in an organization.
• The framework manages the overall process and its full integration into the organization.
• The process for managing risk focuses on individual or groups of risks: their identification, analysis, evaluation and treatment.
• Monitoring & review, continuous improvement and communication occur throughout.
[5]
ISO 31000 – An Overview

Principles (Clause 3)
• Creates value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human and cultural factors into account
• Transparent and inclusive
• Dynamic, iterative and responsive to change
• Facilitates continual improvement and enhancement of the organization

Framework (Clause 4) – a continual cycle:
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5)
• Communication and consultation (5.2) – runs alongside every step below
• Establishing the context (5.3)
• Risk assessment (5.4)
– Risk identification (5.4.2)
– Risk analysis (5.4.3)
– Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6) – runs alongside every step above
[6]
Linkage of Principles to Fraud

ISO 31000 Principle                 | Applicability to Fraud
Creates value                       | Protects value
Integral part of processes          | Embedded in processes
Part of decision making             | Influences decisions
Addresses uncertainty               | Fraught with uncertainty
Systematic, structured & timely     | Systematic, structured & timely
Best available information          | Predictive/detective information
Tailored                            | Company specific
Human & cultural factors            | Culturally dependent
Transparent & inclusive             | Must include everybody
Dynamic; responsive to change       | Keep up with the fraudsters
Facilitates continual improvement   | Requires continual improvement
[7]
Fraud Framework

The ISO 31000 framework cycle (Clause 4) applied to fraud:
• Mandate and commitment (4.2): Commitment from the top; must reflect the tone at the top
• Design of framework for managing risk (4.3): Must understand business, have policy, reporting, accountability & implications
• Implementing risk management (4.4): Goes beyond risk assessment (process to follow)
• Monitoring and review of the framework (4.5): Goes beyond detecting fraud; includes cultural changes, etc.
• Continual improvement of the framework (4.6): Fraudsters evolve; so must the fraud program
[8]
Determine Fraud Risk Criteria
• Support the success and operation of the organization.
• Help define the direction for fraud risk management.
• Should be established by the board and senior management (i.e., top-down).
• Consider real-life context affecting long-term consequences.
[9]
Fraud Risk Capacity
• Organization’s total capability to absorb outcomes from fraud events.
• May even define the boundaries for survival.
• Could be individual fraud event outcomes or aggregate outcomes of multiple events.
• Common examples:
– Judgments from litigation
– Violations of laws and regulation
– Damage to reputation
[10]
Fraud Risk Attitude
• Risk Management Philosophy (COSO) – “Set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”
• Risk Attitude (ISO 31000) – “Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”
• Think of it as a spectrum reflecting an organization’s propensity to take on risk:
  Risk Averse <----------------------------> Risk Accepting
[11]
Fraud Risk Appetite
• Definition – Type and total amount of risk an organization is willing to take on in pursuit of its business objectives.
– You can’t necessarily avoid all fraud risk; some risk must be accepted in pursuit of strategic objectives.
– Should consider fraud risk capacity and reflect the organization’s fraud risk attitude.
– Ultimately, it’s about balancing success and survival.
[12]
Fraud Risk Appetite Examples
• We will strive for 100% compliance with laws and regulations.
• We will seek new markets for our products, but only in countries with a Global Integrity Index of “moderate” or higher.
• We will not do business with contractors who refuse to sign our Code of Ethics acknowledgement.
• We will not tolerate any actions of fraud or misappropriation by any employee, regardless of position.
• There will be no retaliation against any whistleblowers.
[13]
Fraud Risk Tolerance
• COSO Definition – “Acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.”
• ISO 31000 Definition – “Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”
• My Definition – Risk taking boundaries within which managers and employees are expected to perform in pursuit of the organization’s strategic, operations, reporting and compliance objectives.
[14]
Fraud Risk Tolerance
• Boundaries are expressed as the ceiling and/or floor related to key risk outcomes and effects, for example:
– Financial results (current or future)
– Reputation (real or perceived damage)
– Health & safety (injuries, lost time)
– Environmental (exceedances, spills, remediation costs)
– Compliance (fines, penalties, sanctions)
– Customer satisfaction (ratings, market share)
– Warranty defects (liability, cost to repair)
[15]
Fraud Risk Tolerance Examples
• In fraud cases where we can seek restitution, we will only do so if the costs are not more than 150% of the expected restitution amount.
• Internal controls should be designed to ensure duties are segregated to prevent any type of fraud without collusion.
• Monitoring efforts should be designed with a focus on detecting fraud events totaling $10,000 or more.
• Taking company assets for personal use is considered fraud if the value of such assets exceeds $25.
• There should be no frauds detected by our External Auditor.
[16]
Fraud Risk Management Process
• Establishing the Context
• Fraud Risk Assessment
– Fraud risk identification
– Fraud risk analysis
– Fraud risk evaluation
• Fraud Risk Treatment
• Fraud Monitoring and Reporting
[17]
Fraud Risk Identification
• What examples of fraud have occurred in the past?
– Inside the company
– To others in our industry
• What examples of fraud haven’t occurred, but could have?
• What are the different outcomes (consequences) from fraud events?
[18]
Fraud Risk Analysis
• Where are these fraud events most likely to occur? Why?
• What are the different consequences of different types of fraud events?
• What conditions increase the likelihood of fraud events occurring?
• Are there interrelationships between events that could cause one to make another one worse?
[19]
Fraud Risk Evaluation
• What is the impact of possible outcomes from fraud events?
• How likely is it that fraud outcomes will be realized?
• What other factors may influence how we prioritize fraud risks?
• What does our prioritized risk profile look like?
[20]
Fraud Risk Assessment Criteria
• Traditional focus has been primarily on Impact and Likelihood
• Tends to be single point outcomes as opposed to range of outcomes
• A good foundation, but is it robust enough in today’s business world?
[Heat map: Impact (High / Medium / Low) on the vertical axis against Likelihood (Remote / Possible / Probable) on the horizontal axis]
[21]
What About Other Criteria?
• Risk velocity
• Risk tolerance
• Readiness/ Preparedness
• Capacity
• Controllability
• Monitorability
• Interdependencies
• Frequency of occurrence
• Volatility
• Maturity
• Degree of confidence
[22]
How Do You Make Sense of Multiple Criteria?
• Mapping Multiple Dimensions Won’t Work!
[23]
A Possible Approach
1. Start with traditional impact/likelihood assessment.
2. Determine which Other Risk Assessment Factors are relevant and meaningful.
3. Assess whether those factors will significantly, moderately or negligibly affect:
• How the risk is managed
• How the risk is prioritized relative to other risks
• How the risk is monitored and reported
[24]
One Example (ranked on impact and likelihood alone)

Risk | Impact | Likelihood | Factor A | Factor B | Priority
AAA  | High   | High       |          |          | 1
BBB  | High   | Medium     |          |          | 2
CCC  | Medium | High       |          |          | 3
DDD  | High   | Low        |          |          | 4
EEE  | Medium | Medium     |          |          | 5
FFF  | Low    | High       |          |          | 6
GGG  | Medium | Low        |          |          | 7
HHH  | Low    | Medium     |          |          | 8
III  | Low    | Low        |          |          | 9
[25]
One Example (re-ranked after assessing Factors A and B)

Risk | Impact | Likelihood | Factor A | Factor B | Priority
AAA  | High   | High       |          |          | 1
BBB  | High   | Medium     |          |          | 3
CCC  | Medium | High       |          |          | 5
DDD  | High   | Low        |          |          | 2
EEE  | Medium | Medium     |          |          | 4
FFF  | Low    | High       |          |          | 6
GGG  | Medium | Low        |          |          | 8
HHH  | Low    | Medium     |          |          | 7
III  | Low    | Low        |          |          | 9
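The three-step approach and the two example tables describe a repeatable scoring rule, so here is one way to implement it. This is an added example, not code from the presentation or from Georgia-Pacific; the 2:1 impact/likelihood weighting, the tie-break order, the +/-2 "significant / moderate / negligible" adjustment scale and every factor rating assigned to the nine risks are constructed assumptions (the slides do not show the Factor A / Factor B ratings), chosen only so that the output reproduces the before and after orderings in the tables above.

```python
# Added example (not the presenter's code): multi-criteria fraud risk
# prioritization. Weights, adjustment scale and factor ratings are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVEL = {"Low": 1, "Medium": 2, "High": 3}

# Step 3's "significantly / moderately / negligibly" as a magnitude (assumption).
EFFECT = {"significant": 2, "moderate": 1, "negligible": 0}

# Direction of the effect: +1 if the factor argues for more attention
# (e.g. high velocity, low controllability), -1 if for less (e.g. strong
# monitorability). Signed so a factor can lower priority as well as raise it.
RAISE, LOWER = +1, -1


@dataclass
class FraudRisk:
    name: str
    impact: str
    likelihood: str
    # factor name -> (effect, direction); empty means no relevant other factors
    factors: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def base_score(self) -> int:
        """Step 1: impact weighted twice as heavily as likelihood (assumption)."""
        return 2 * LEVEL[self.impact] + LEVEL[self.likelihood]

    def adjustment(self) -> int:
        """Steps 2-3: signed sum of the effects of the relevant factors."""
        return sum(EFFECT[effect] * direction
                   for effect, direction in self.factors.values())

    def score(self) -> int:
        return self.base_score() + self.adjustment()


def prioritize(risks: List[FraudRisk], use_factors: bool = True) -> List[str]:
    """Return risk names in priority order (first = priority 1).

    Ties on score are broken by likelihood, then impact, then name, so a
    Medium/High risk outranks a High/Low one with the same weighted score.
    """
    def key(r: FraudRisk):
        s = r.score() if use_factors else r.base_score()
        return (-s, -LEVEL[r.likelihood], -LEVEL[r.impact], r.name)
    return [r.name for r in sorted(risks, key=key)]


def priority_table(risks: List[FraudRisk]) -> List[Tuple[str, str, str, int, int]]:
    """Rows of (name, impact, likelihood, priority before, priority after)."""
    before = prioritize(risks, use_factors=False)
    after = prioritize(risks, use_factors=True)
    return [(r.name, r.impact, r.likelihood,
             before.index(r.name) + 1, after.index(r.name) + 1) for r in risks]


# Constructed sample: the nine risks from the slides. The factor ratings are
# invented for illustration; the slides do not show them.
RISKS = [
    FraudRisk("AAA", "High", "High"),
    FraudRisk("BBB", "High", "Medium"),
    FraudRisk("CCC", "Medium", "High", {"Factor B": ("negligible", RAISE)}),
    FraudRisk("DDD", "High", "Low", {"Factor A": ("significant", RAISE)}),
    FraudRisk("EEE", "Medium", "Medium", {"Factor A": ("significant", RAISE)}),
    FraudRisk("FFF", "Low", "High"),
    FraudRisk("GGG", "Medium", "Low"),
    FraudRisk("HHH", "Low", "Medium", {"Factor B": ("moderate", RAISE)}),
    FraudRisk("III", "Low", "Low"),
]

if __name__ == "__main__":
    print(f"{'Risk':<5}{'Impact':<8}{'Likelihood':<12}{'Before':>7}{'After':>6}")
    for name, imp, lik, before, after in priority_table(RISKS):
        print(f"{name:<5}{imp:<8}{lik:<12}{before:>7}{after:>6}")
```

The point of keeping the base score and the adjustment separate is that the "before" column stays auditable: a reviewer can see exactly which factor moved DDD from fourth to second, rather than a single opaque rank. Whatever weights an organization settles on, they should be agreed with the risk criteria set by the board and recorded alongside the assessment.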
[26]
Treating Fraud Risk
• Focus on highest priority risks first.
• Determine possible options for treatment.
– Avoid, transfer, reduce or accept
• Decide on best treatment option.
– Should take into consideration fraud risk attitude and tolerance
[27]
Monitoring Fraud Risk
• Visible monitoring can be an effective deterrent to fraud.
• Must consider costs/benefits of monitoring to prevent fraud vs. monitoring to detect fraud.
• There are different things that can be monitored:
– Fraud events
– Effectiveness of the fraud system
– Changes in the business context
[28]
Reporting Fraud Risk
• Educate the Board on the fraud risk profile and means to manage the risks.
• Determine escalation protocol for various types of fraud events.
• Consider reporting of changes in business context and impact on fraud risk profile.
[29]
Internal Audit’s Role
• Help build the framework for fraud risk management.
• Facilitate fraud risk assessments.
• Provide assurance and advice on the effectiveness of:
– Fraud risk treatments;
– Fraud monitoring activities;
– Fraud reporting.
• Provide fraud training and education.
[30]
Summary
• Just as the business world changes and evolves, so does fraud.
• It is important to have some structure to a fraud risk management program.
• Risk management techniques found in ISO 31000 can provide a good road map for fraud risk management.
• Internal auditors can play an important role in the fraud risk system.