Building an Anti-Fraud Control Plan

Patrick Risch, CFE, CIA, CCSA

BNP Paribas Fortis, Fraud Prevention & Detection

President ACFE Chapter Belgium


DISCLAIMER

The views expressed in this presentation are the views of the speaker and do not

necessarily reflect the views or policies of

• BNP Paribas Fortis or any other company of the Group BNP Paribas

• Any organisation of which the speaker is a member

The purpose of this presentation is to share ideas and promote discussion. Examples

are purely for illustrational purposes, and may have been modified or simplified in order

to clarify a point.

Neither the speaker, nor the company and organisations he belongs to, accepts

responsibility for any consequence of the use of (parts of) the framework presented

today.

However, we invite you to participate in the discussion today and later on.

Patrick Risch

[email protected]


Outline

Introduction

Fraud Risk Framework

• The need to manage fraud risk

• Why do people commit fraud?

• Steps in Fraud Risk Management

• Fraud Risk Management: putting it into practice

• Three lines of defence

• Fraud and the Three Lines of Defense

Anti-Fraud control plan

Conclusion

4 | 14-11-2013 | Patrick Risch

7 | 14-11-2013 | Patrick Risch | 19-04-2011 | Patrick Risch

Outline

Introduction

• Purpose of the presentation

• BNP Paribas Fortis

Fraud Risk Framework

• The need to manage fraud risk

• Why do people commit fraud?

• Steps in Fraud Risk Management

• Fraud Risk Management: putting it into practice

• Three lines of defence

• Fraud and the Three Lines of Defence

Anti-Fraud control plan

Conclusion


The need to manage fraud risk

You only see what you’re looking for

• Will you see the fraudulent loans that

are not reimbursed?

• Will you see the fraudulent travel

expenses?

Looking for the real cost of fraud …

• … and its impact on business

| 24-03-2014 | Patrick Risch


Why do people commit fraud?

Some people are honest all of the time.

Some people are dishonest all of the time.

Most people are honest some of the time.

Some people are honest most of the time.

Tommie Singleton, PhD,

University of Alabama

(Spectrum: Honest | Situational | Dishonest)


A fraud-deterrent control environment

Avoid hiring Bad People

Do not isolate Good People

Put Situational People

in a healthy control environment

• No opportunity

• Balanced target settings and

good care for people

• Organisational culture that cherishes

integrity, compliance and team spirit


Conclusion

There will always be fraud …

• Mindset of people

• Pressure

• Opportunity

So we have to manage the risk

The earlier we detect it,

the better

• Reputation

• Financial


Fraud Risk Management

Preventive medicine | Surgery | Autopsy


Fraud Risk Management

Prevention and Early Detection | Fraud Case Management | Repair and Remediation


Fraud Risk Management: Putting it into practice

Anti-Fraud Policy

• Set the tone at the top

• Walk the talk

• Expected behaviour

• Consequences

• Implementation of anti-fraud framework in the organisation


Who deals with fraud risk?

Operational Management | Dedicated fraud specialists


Three lines of defence … and fraud

First line of defence - Operational management

• Ownership, responsibility and accountability for

assessing, controlling and mitigating risks

Second line of defence - Risk management/Compliance

• Facilitates and monitors the implementation of the

framework

• Assists the risk owners in reporting

Third line of defence - Internal Audit

• Provide assurance to the organisation’s board and

senior management


Three lines of defence … and fraud

First line of defence - Operational management

• Ownership, responsibility and accountability for assessing, controlling and mitigating risks

Around the first-line "Mr./Mrs. Anti-Fraud":

• Tone at the top

• Preventive controls

• Detective controls

• Training on how to recognise fraud

• Training on how to react when confronted with fraud

• Investigate incidents

• Learning organisation


Three lines of defence … and fraud: 1st line

Prevention and Early Detection

• Install a culture of fraud risk awareness

• Provide Fraud Awareness Training to staff

• Include Fraud Risk in the overall Risk Assessment process

• Incorporate fraud preventive and detective controls in the operating procedures: segregation of duties, monitor adherence to policies and procedures

• Ensure that a Fraud Alert Line is installed and known to everyone in the organisation

Case Management

• Set up a process for the management of fraud cases

• Investigate all fraud cases in a professional and objective way

Repair and Remediation

• Make the necessary accounting entries and register losses

• Reimburse customers

• Take disciplinary action towards the perpetrator

• Take legal action against the fraudsters

• Improve internal control

• Recovery activities

• Communication: internal, external (prepare press release)


Three lines of defence … and fraud

Second line of defence - Risk management/Compliance

• Facilitates and monitors the implementation of the framework

• Assist the risk owners in reporting

Second-line roles:

• Policy setting

• Oversight

• Set the example

• Independent view

• Proposing detective controls

• Give advice

• Knowledge centre

• Methodology


Three lines of defence … and fraud: 2nd line (across Prevention and Early Detection, Case Management, Repair and Remediation)

• Oversight on Fraud Risk Management activities within the organisation

• Give guidance, advice and recommendations to Line Management

• Fraud Risk Assessment methodology and oversight on roll out

• Knowledge Centre on Fraud Risk

• Report on fraud risk exposure

• Post Mortem analysis and recommendations to Line Management

• Monitoring of evolution of Fraud Risk exposure


Three lines of defence … and fraud

Third line of defence - Internal Audit

• Provide assurance to the organisation’s board and senior management

Assurance over the Fraud Risk Framework and over Incidents


Three lines of defence … and fraud

3rd line (across Prevention and Early Detection, Case Management, Repair and Remediation)

• Provide assurance to the organisation’s board and senior management that fraud risk is managed in an effective way by the organisation.


Conclusion

Summary by line of defence and phase (Prevention and Early Detection | Investigation of Fraud Cases | Fraud Repair and Remediation)

1st line

Prevention and Early Detection:

• Install a culture of fraud risk awareness

• Provide Fraud Awareness Training to staff

• Include Fraud Risk in the overall Risk Assessment process

• Incorporate fraud preventive and detective controls in the operating procedures: segregation of duties, monitor adherence to policies and procedures …

• Ensure that a Fraud Alert Line is installed and known to everyone in the organisation

Investigation of Fraud Cases:

• Set up a process for the management of fraud cases

• Investigate fraud cases in a professional and objective way

Fraud Repair and Remediation:

• Make the necessary accounting entries and register losses

• Reimburse customers

• Take disciplinary action towards the perpetrator

• Take legal action against the fraudsters

• Improve internal control

• Recovery activities

• Communication: internal, external (prepare press release)

2nd line (all three phases)

• Oversight on Fraud Risk Management activities within the organisation

• Give guidance, advice and recommendations to Line Management

• Fraud Risk Assessment methodology and oversight on roll out

• Knowledge Centre on Fraud Risk

• Report on fraud risk exposure

• Post Mortem analysis and recommendations to Line Management

• Monitoring of evolution of Fraud Risk exposure

3rd line (all three phases)

• Provide assurance to the organisation’s board and senior management that fraud risk is managed in an effective way by the organisation.


Three lines of defence … and fraud investigations

First line of defence activity

• Linked with operational activities of the business

• Subject to policy and oversight by the second line, and periodical

control by the third line.

But: need for an independent and objective inquiry

• Specific skills and competences

• Destruction or falsification of evidence,

• Cover up management responsibilities

• Confidentiality


Three lines of defence … and fraud investigations

• External fraud

• part of the business-as-usual processes, usually well-known to the

operational management.

• investigation of incidents by the operational department

• Internal fraud

• a dedicated competence centre or third party investigators


Anti-Fraud Control Plan

Purpose of the control plan

• Give reasonable assurance that

• the framework is in place and is functioning as intended

• Major risks are under control

Formal controls on a continuous basis

• In the first line

• In the second line

• Control of controls

• Direct controls


Anti-Fraud Control Plan

The framework = the policy

• Training

• Risk assessment

• Consequence management

• Governance

• Operational incidents reporting


30 | 17-04-2012 | Patrick Risch

Anti-Fraud Control Plan - Training

Control objective | 1st LoD control | 2nd LoD control

Training program and materials contain relevant topics | | Review curriculum; review course material; attend training

Every newcomer in the organisation has received a basic anti-fraud training | Compare list of newcomers with attendees to training | Control of controls

Every staff member receives periodical refresher training | Compare attendance list with payroll | Control of controls

Every new people manager receives a dedicated training on professional ethics and fraud | Compare list of new people managers with attendance list | Control of controls


Anti-Fraud Control Plan – Risk Assessment

Control objective | 1st LoD control | 2nd LoD control

Annual risk assessment exercise, taking into account all fraud event types | | Participate in risk assessment meetings

Each internal fraud incident is reviewed by a multidisciplinary working group | Compare list of incidents (extract from case management tool) with minutes of working group meetings | Participate in working group; control of controls

External fraud incidents above a threshold (individually or cumulative, according to fraud type) are reviewed by a multidisciplinary working group | Compare list of incidents (extract from case management tool) with minutes of working group meetings | Participate in working group; control of controls


Anti-Fraud Control Plan – Consequence management

Control objective | 1st LoD control | 2nd LoD control

Internal fraudsters are sanctioned appropriately | Sanctioning policy is in place | Give formal advice on sanctions; monitor sanctions in all internal fraud cases

All relations with external fraudsters are terminated | Verify termination of relationship with external fraudsters | Control of controls


Anti-Fraud Control Plan – Governance

Control objective | 1st LoD control | 2nd LoD control

A Fraud Risk Manager has been appointed formally at an appropriate level in the organisation | Appointment is validated by the Management Team |

Fraud Risk Manager has targets covering the different responsibilities of the fraud risk framework | | Review of target setting


Anti-Fraud Control Plan – Operational Incidents reporting

Control objective | 1st LoD control | 2nd LoD control

All fraud incidents are included correctly in the operational risk reporting | Compare incidents listed in the case management tool with the operational risk reporting | Control of controls


Anti-Fraud Control Plan

Major risk = strongly business dependent

• Are controls in place to cover the most important fraud risks?

• Are these controls effective?


Anti-Fraud Control Plan – Some examples

Control objective | 1st LoD control | 2nd LoD control

All staff members have respected mandatory block leave | Control in June (planning) and September (status) | Control of controls; control of effectiveness by verification of accesses during leave

A 4-eyes principle is in place for all outgoing payments above a threshold | Control on manual transactions (signatures) | Control on feasibility in case of batch transactions

Access rights are fully revised on the occasion of a transfer | Checklist for transfers | Control of controls; detailed control for risky functions or transfers

Information is secured safely outside business hours (Clear Desk Policy) | Control patrol twice a year at all desks | Unannounced direct control
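Several of the controls in this plan are list comparisons or log checks that can be run by script rather than by hand: the June block-leave planning control and the September verification of accesses during leave from the table above, the 4-eyes check on outgoing payments above a threshold, and the case-management-tool versus operational-risk-reporting reconciliation from the Operational Incidents reporting table. The script below is an added example, not code from the presentation or from BNP Paribas Fortis; the log line format, user ids, payment fields, incident ids and amounts are constructed assumptions.

```python
"""
Automated first-line checks for three controls from the control plan:
mandatory block leave, the four-eyes principle on outgoing payments, and the
reconciliation of the case management tool with operational risk reporting.
All data below is constructed for illustration and does not come from any
real system; field names and formats are assumptions.
"""
from datetime import date, datetime

# Constructed sample data ---------------------------------------------------
# Mandatory block leave per user id: (first day, last day), both inclusive.
BLOCK_LEAVE = {
    "u1001": (date(2014, 8, 4), date(2014, 8, 15)),
    "u1002": (date(2014, 9, 1), date(2014, 9, 12)),
}
# Staff on the payroll (what the June "planning" control compares against).
PAYROLL = {"u1001", "u1002", "u1003", "u1004", "u1005"}
# Application access log lines: "<ISO timestamp> <user> <action>" (constructed).
ACCESS_LOG = [
    "2014-08-01T09:02:11 u1001 LOGIN",
    "2014-08-07T22:41:05 u1001 LOGIN",            # inside u1001's block leave
    "2014-08-07T22:43:30 u1001 PAYMENT_RELEASE",  # inside u1001's block leave
    "2014-09-03T08:15:00 u1003 LOGIN",            # u1003 has no block leave on file
    "2014-09-05T10:00:00 u1002 LOGIN",            # inside u1002's block leave
]
# Outgoing payments: amount, who keyed it in, and who signed for release.
PAYMENTS = [
    {"id": "P1", "amount": 5_000,   "initiator": "u1001", "approvers": ["u1001"]},
    {"id": "P2", "amount": 250_000, "initiator": "u1002", "approvers": ["u1002", "u1004"]},
    {"id": "P3", "amount": 80_000,  "initiator": "u1003", "approvers": ["u1003"]},
    {"id": "P4", "amount": 120_000, "initiator": "u1001", "approvers": ["u1005", "u1005"]},
    {"id": "P5", "amount": 90_000,  "initiator": "u1003", "approvers": ["u1004", "u1005"]},
]
# Incident ids as registered in the case management tool vs. in op-risk reporting.
CASE_TOOL_INCIDENTS = {"F-2014-001", "F-2014-002", "F-2014-003"}
OPRISK_REPORTED = {"F-2014-001", "F-2014-003", "F-2014-009"}


def missing_block_leave_plan(payroll, leave):
    """June control: staff on the payroll with no block leave planned at all."""
    return sorted(payroll - set(leave))


def block_leave_exceptions(leave, log_lines):
    """Effectiveness check: any activity by a user inside their own leave window.
    Returns (user, timestamp, action) tuples in log order."""
    hits = []
    for line in log_lines:
        ts, user, action = line.split()
        day = datetime.fromisoformat(ts).date()
        window = leave.get(user)
        if window is not None and window[0] <= day <= window[1]:
            hits.append((user, ts, action))
    return hits


def four_eyes_exceptions(payments, threshold):
    """Payments above the threshold released without a second pair of eyes,
    i.e. with no approver other than the person who initiated the payment.
    Signing your own payment does not count, however many times you sign."""
    return [p for p in payments
            if p["amount"] > threshold
            and not (set(p["approvers"]) - {p["initiator"]})]


def reconcile_incidents(case_tool, oprisk):
    """Both directions of the case-tool vs op-risk-reporting reconciliation."""
    return {
        "missing_from_oprisk": sorted(case_tool - oprisk),
        "unknown_to_case_tool": sorted(oprisk - case_tool),
    }


if __name__ == "__main__":
    print("No block leave planned:", missing_block_leave_plan(PAYROLL, BLOCK_LEAVE))
    for user, ts, action in block_leave_exceptions(BLOCK_LEAVE, ACCESS_LOG):
        print(f"Activity during block leave: {user} {action} at {ts}")
    for p in four_eyes_exceptions(PAYMENTS, threshold=50_000):
        print(f"Four-eyes breach: {p['id']} for {p['amount']} by {p['initiator']}")
    print("Reconciliation:", reconcile_incidents(CASE_TOOL_INCIDENTS, OPRISK_REPORTED))
```

The block-leave check deliberately compares against the user's own leave window rather than against a global date, and the reconciliation runs in both directions: an incident that appears only in the operational risk report is as much a finding as one that never reached it. The second line's "control of controls" then consists of re-running the same checks on an independent extract and comparing the exception lists.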


Conclusion

• Managing fraud risk is more than managing fraud

incidents

• A fraud risk management framework, adapted to the needs of your organisation

• Make sure that all aspects of fraud risk

management are allocated somewhere

• Role of management

• Let audit play its role

• Ensure coherence with the overall roles of risk

and control governance

• Create a second line function to maintain oversight

• Put in place a control plan to ensure fraud risk is

managed adequately