Managing the Risk of Fraud Using ISO 31000 Paul J. Sobel Vice President/ Chief Audit Executive Georgia-Pacific LLC

Posted on 16-Feb-2018

TRANSCRIPT

Page 1: Speaker #1 - Managing Fraud Risk Using ISO 31000 · PDF fileFraud Using ISO 31000 ... –ISO 31010: Risk Management –Risk ... Managing_Fraud_Risk_Using_ISO_31000.pptx Author: exp00490

Managing the Risk of Fraud Using ISO 31000

Paul J. Sobel

Vice President/ Chief Audit Executive

Georgia-Pacific LLC

Page 2

Outline

• Overview of ISO 31000 – New Global Risk Management Standard

• Framework for Fraud Risk Management

• Fraud Risk Assessment

• Treating, Monitoring & Reporting on Fraud Risk

• Internal Audit’s Role in Fraud Risk Management

2

Page 3

ISO 31000 - A Brief History

• Australia/New Zealand Standard #4360 (1995, 1999, 2004)

• COSO ERM (2004)

• ISO 31000: Risk Management – Principles and Guidelines (2009)

– ISO Guide 73: Risk Management – Vocabulary

– ISO 31010: Risk Management – Risk Assessment Techniques

3

Page 4

The Flow of Risk Management

The principles provide the foundation and describe the qualities of effective risk management in an organization.

The framework manages the overall process and its full integration into the organization.

The process for managing risk focuses on individual or groups of risks, their identification, analysis, evaluation and treatment.

Monitoring & review, continuous improvement and communication occur throughout.

4

Page 5

ISO 31000 – An Overview

Principles (Clause 3)

• Creates value

• Integral part of organizational processes

• Part of decision making

• Explicitly addresses uncertainty

• Systematic, structured and timely

• Based on the best available information

• Tailored

• Takes human and cultural factors into account

• Transparent and inclusive

• Dynamic, iterative and responsive to change

• Facilitates continual improvement and enhancement of the organization

Framework (Clause 4)

• Mandate and commitment (4.2)

• Design of framework for managing risk (4.3)

• Implementing risk management (4.4)

• Monitoring and review of the framework (4.5)

• Continual improvement of the framework (4.6)

Process (Clause 5)

• Communication and consultation (5.2)

• Establishing the context (5.3)

• Risk assessment (5.4)

– Risk identification (5.4.2)

– Risk analysis (5.4.3)

– Risk evaluation (5.4.4)

• Risk treatment (5.5)

• Monitoring and review (5.6)

Page 6

Linkage of Principles to Fraud

ISO 31000 Principle                  Applicability to Fraud

Creates value                        Protects value

Integral part of processes           Embedded in processes

Part of decision making              Influences decisions

Addresses uncertainty                Fraught with uncertainty

Systematic, structured & timely      Systematic, structured & timely

Best available information           Predictive/detective information

Tailored                             Company specific

Human & cultural factors             Culturally dependent

Transparent & inclusive              Must include everybody

Dynamic; responsive to change        Keep up with the fraudsters

Facilitates continual improvement    Requires continual improvement

6

Page 7

Fraud Framework

• Mandate and commitment (4.2) – Commitment from the top; must reflect the tone at the top

• Design of framework for managing risk (4.3) – Must understand business, have policy, reporting, accountability & implications

• Implementing risk management (4.4) – Goes beyond risk assessment (process to follow)

• Monitoring and review of the framework (4.5) – Goes beyond detecting fraud; includes cultural changes, etc.

• Continual improvement of the framework (4.6) – Fraudsters evolve; so must the fraud program

7

Page 8

Determine Fraud Risk Criteria

• Support the success and operation of the organization.

• Help define the direction for fraud risk management.

• Should be established by the board and senior management (i.e., top-down).

• Consider real-life context affecting long-term consequences.

8

Page 9

Fraud Risk Capacity

• Organization’s total capability to absorb outcomes from fraud events.

• May even define the boundaries for survival.

• Could be individual fraud event outcomes or aggregate outcomes of multiple events.

• Common examples:

– Judgments from litigation

– Violations of laws and regulation

– Damage to reputation

9

Page 10

Fraud Risk Attitude

• Risk Management Philosophy (COSO) – “Set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”

• Risk Attitude (ISO 31000) – “Organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”

• Think of it as a spectrum reflecting an organization’s propensity to take on risk:

Risk Averse <——————————> Risk Accepting

10

Page 11

Fraud Risk Appetite

• Definition – Type and total amount of risk an organization is willing to take on in pursuit of its business objectives.

– You can’t necessarily avoid all fraud risk; some risk must be accepted in pursuit of strategic objectives.

– Should consider fraud risk capacity and reflect the organization’s fraud risk attitude.

– Ultimately, it’s about balancing success and survival.

11

Page 12

Fraud Risk Appetite Examples

• We will strive for 100% compliance with laws and regulations.

• We will seek new markets for our products, but only in countries with a Global Integrity Index of “moderate” or higher.

• We will not do business with contractors who refuse to sign our Code of Ethics acknowledgement.

• We will not tolerate any actions of fraud or misappropriation by any employee, regardless of position.

• There will be no retaliation against any whistleblowers.

12

Page 13

Fraud Risk Tolerance

• COSO Definition – “Acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.”

• ISO 31000 Definition – “Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.”

• My Definition – Risk taking boundaries within which managers and employees are expected to perform in pursuit of the organization’s strategic, operations, reporting and compliance objectives.

13

Page 14

Fraud Risk Tolerance

• Boundaries are expressed as the ceiling and/or floor related to key risk outcomes and effects, for example:

– Financial results (current or future)

– Reputation (real or perceived damage)

– Health & safety (injuries, lost time)

– Environmental (exceedences, spills, remediation costs)

– Compliance (fines, penalties, sanctions)

– Customer satisfaction (ratings, market share)

– Warranty defects (liability, cost to repair)

14

Page 15

Fraud Risk Tolerance Examples

• In fraud cases where we can seek restitution, we will only do so if the costs are not more than 150% of the expected restitution amount.

• Internal controls should be designed to ensure duties are segregated to prevent any type of fraud without collusion.

• Monitoring efforts should be designed with a focus on detecting fraud events totaling $10,000 or more.

• Taking company assets for personal use is considered fraud if the value of such assets exceeds $25.

• There should be no frauds detected by our External Auditor.

15

Page 16

Fraud Risk Management Process

• Establishing the Context

• Fraud Risk Assessment

– Fraud risk identification

– Fraud risk analysis

– Fraud risk evaluation

• Fraud Risk Treatment

• Fraud Monitoring and Reporting

16

Page 17

Fraud Risk Identification

• What examples of fraud have occurred in the past?

– Inside the company

– To others in our industry

• What examples of fraud haven’t occurred, but could have?

• What are the different outcomes (consequences) from fraud events?

17

Page 18

Fraud Risk Analysis

• Where are these fraud events most likely to occur? Why?

• What are the different consequences of different types of fraud events?

• What conditions increase the likelihood of fraud events occurring?

• Are there interrelationships between events that could cause one to make another one worse?

18

Page 19

Fraud Risk Evaluation

• What is the impact of possible outcomes from fraud events?

• How likely is it that fraud outcomes will be realized?

• What other factors may influence how we prioritize fraud risks?

• What does our prioritized risk profile look like?

19

Page 20

Fraud Risk Assessment Criteria

• Traditional focus has been primarily on Impact and Likelihood

• Tends to be single point outcomes as opposed to range of outcomes

• A good foundation, but is it robust enough in today’s business world?

[Heat map: Impact (High / Medium / Low) on the vertical axis vs. Likelihood (Remote / Possible / Probable) on the horizontal axis]

20

Page 21

What About Other Criteria?

• Risk velocity

• Risk tolerance

• Readiness/ Preparedness

• Capacity

• Controllability

• Monitorability

• Interdependencies

• Frequency of occurrence

• Volatility

• Maturity

• Degree of confidence

21

Page 22

How Do You Make Sense of Multiple Criteria?

• Mapping Multiple Dimensions Won’t Work!

22

Page 23

A Possible Approach

1. Start with traditional impact/likelihood assessment.

2. Determine which Other Risk Assessment Factors are relevant and meaningful.

3. Assess whether those factors will significantly, moderately or negligibly affect:

• How the risk is managed

• How the risk is prioritized relative to other risks

• How the risk is monitored and reported

23

Page 24

One Example

Risk   Impact   Likelihood   Factor A   Factor B   Priority

AAA    High     High                                1

BBB    High     Medium                              2

CCC    Medium   High                                3

DDD    High     Low                                 4

EEE    Medium   Medium                              5

FFF    Low      High                                6

GGG    Medium   Low                                 7

HHH    Low      Medium                              8

III    Low      Low                                 9

24

Page 25

One Example

Risk   Impact   Likelihood   Factor A   Factor B   Priority

AAA    High     High                                1

BBB    High     Medium                              3

CCC    Medium   High                                5

DDD    High     Low                                 2

EEE    Medium   Medium                              4

FFF    Low      High                                6

GGG    Medium   Low                                 8

HHH    Low      Medium                              7

III    Low      Low                                 9

25
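The two-stage prioritisation described on the preceding slides (a traditional impact/likelihood ranking first, then an adjustment for the other assessment factors rated significant, moderate or negligible) as a worked example. This is added code, not code from the presentation. The 1–3 numeric scale, the tie-break rule (higher impact first, then higher likelihood), the weights attached to the three effect labels, and the factor ratings placed on risks DDD, GGG and HHH are all assumptions constructed for illustration. The traditional ordering reproduces the first example table; the adjusted ordering only illustrates how factors re-rank risks and is not a reconstruction of the second table, whose factor values are not on the slide.

```python
"""Two-stage fraud risk prioritisation (added example; assumptions marked)."""
from dataclasses import dataclass, field

# Assumed 1..3 scale for the traditional impact/likelihood assessment.
IMPACT = {"High": 3, "Medium": 2, "Low": 1}
LIKELIHOOD = {"High": 3, "Medium": 2, "Low": 1}

# Slide 23: each additional factor affects the risk significantly, moderately or
# negligibly. The numeric weight attached to each label is an assumption.
FACTOR_EFFECT = {"significant": 1.0, "moderate": 0.5, "negligible": 0.0}


@dataclass
class FraudRisk:
    name: str
    impact: str
    likelihood: str
    # Additional criteria from slide 21 (velocity, controllability, ...) -> effect label.
    factors: dict = field(default_factory=dict)


def traditional_score(risk):
    """Step 1: impact + likelihood on the assumed 1..3 scale."""
    return IMPACT[risk.impact] + LIKELIHOOD[risk.likelihood]


def adjusted_score(risk):
    """Step 3: add the effect of every relevant factor to the traditional score."""
    return traditional_score(risk) + sum(FACTOR_EFFECT[v] for v in risk.factors.values())


def prioritise(risks, score_fn):
    """Return {name: priority} with 1 = highest. Ties are broken by impact, then
    likelihood, then name, so the ranking is deterministic and reviewable."""
    ordered = sorted(
        risks,
        key=lambda r: (-score_fn(r), -IMPACT[r.impact], -LIKELIHOOD[r.likelihood], r.name),
    )
    return {r.name: rank for rank, r in enumerate(ordered, start=1)}


# Constructed register: the nine risks of the slide's example grid. The factor
# ratings are invented for illustration; the slide does not give them.
RISKS = [
    FraudRisk("AAA", "High", "High"),
    FraudRisk("BBB", "High", "Medium"),
    FraudRisk("CCC", "Medium", "High"),
    FraudRisk("DDD", "High", "Low", {"velocity": "significant", "controllability": "moderate"}),
    FraudRisk("EEE", "Medium", "Medium"),
    FraudRisk("FFF", "Low", "High"),
    FraudRisk("GGG", "Medium", "Low", {"velocity": "negligible"}),
    FraudRisk("HHH", "Low", "Medium", {"velocity": "significant"}),
    FraudRisk("III", "Low", "Low"),
]


def traditional_priorities():
    """Ranking from impact/likelihood alone (matches the first example table)."""
    return prioritise(RISKS, traditional_score)


def adjusted_priorities():
    """Ranking after the constructed factor ratings are applied."""
    return prioritise(RISKS, adjusted_score)


if __name__ == "__main__":
    before, after = traditional_priorities(), adjusted_priorities()
    print(f"{'Risk':6}{'Impact':9}{'Likelihood':12}{'Trad.':7}{'Adj.':5}")
    for r in RISKS:
        print(f"{r.name:6}{r.impact:9}{r.likelihood:12}{before[r.name]:<7}{after[r.name]:<5}")
```

Run it to see DDD (High impact, Low likelihood) move from fourth to second once a significant velocity rating is applied, while HHH overtakes GGG for the same reason; keeping the tie-break explicit is what lets an auditor explain why two risks with equal scores ended up in a particular order.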

Page 26

Treating Fraud Risk

• Focus on highest priority risks first.

• Determine possible options for treatment.

– Avoid, transfer, reduce or accept

• Decide on best treatment option.

– Should take into consideration fraud risk attitude and tolerance

26

Page 27

Monitoring Fraud Risk

• Visible monitoring can be an effective deterrent to fraud.

• Must consider costs/benefits of monitoring to prevent fraud vs. monitoring to detect fraud.

• There are different things that can be monitored:

– Fraud events

– Effectiveness of the fraud system

– Changes in the business context

27

Page 28

Reporting Fraud Risk

• Educate the Board on the fraud risk profile and means to manage the risks.

• Determine escalation protocol for various types of fraud events.

• Consider reporting of changes in business context and impact on fraud risk profile.

28

Page 29

Internal Audit’s Role

• Help build the framework for fraud risk management.

• Facilitate fraud risk assessments.

• Provide assurance and advice on the effectiveness of:

– Fraud risk treatments;

– Fraud monitoring activities;

– Fraud reporting.

• Provide fraud training and education.

29

Page 30

Summary

• Just as the business world changes and evolves, so does fraud.

• It is important to have some structure to a fraud risk management program.

• Risk management techniques found in ISO 31000 can provide a good road map for fraud risk management.

• Internal auditors can play an important role in the fraud risk system.

30

Page 31

Questions?

[email protected]