Beyond Risk Assessments: How to Build Your Fraud Risk Management Program


“Why now?” That is the question Linda Lister, CFE, CPA, CMA, CGA, Senior Manager at EY, asked anti-fraud professionals at the ACFE Fraud Conference Canada’s Pre-Conference session yesterday. She followed up with, “Why come out now with a fraud risk management guide?”

Lister listed some of the past year’s fraud scandals like the Panama Papers and Volkswagen as the proof that large organizations need guidance on how to manage fraud risk. “It’s been so long since Enron and some of the other larger frauds that the tolerance is starting to go back up again,” Lister said. She cited two frightening statistics from EY’s most recent global fraud study: 24% of Canadians surveyed said they would be willing to play with revenues to meet financial targets, and one in 10 said they thought it was okay to give a cash incentive to attain and retain business.

The guide Lister was referring to was the Fraud Risk Management Guide (FRMG), a joint report created last year by the ACFE and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) designed to aid organizations in effectively establishing an overall fraud risk management program. The guide’s genesis dates back to 1992 when COSO released its Internal Control—Integrated Framework, a framework recognized worldwide for designing, implementing and conducting internal controls.

COSO revised this original framework in 2013 to include 17 additional principles to assist in creating an effective internal control system. One of these principles, Principle 8, specifically addresses the importance of organizations considering "the potential for fraud in assessing risks to the achievement of objectives."

While many organizations might realize they need a fraud risk management program, they might not know where to begin. Many organizations begin with a fraud risk assessment, but as Lister explained, you don’t just start and end with a fraud risk assessment; it is much more than that.

The guide details five processes:

  1. Establish a fraud risk management policy as part of organizational governance. The policy:
    1. Establishes and documents the commitment to managing fraud risk
    2. Summarizes fraud control strategies
    3. Outlines the fraud risk management program
    4. Defines procedures for reporting fraud
    5. Establishes employment conditions
    6. Defines conflict-of-interest policies
    7. Establishes procedures for fraud investigation
    8. Sets forth an internal audit strategy
    9. Explains the review, monitoring and feedback process

2. Perform a comprehensive fraud risk assessment.

3. Select, develop and deploy preventive and detective fraud control activities. This principle focuses on both prevention and detection of fraud with respect to each fraud risk exposure identified by the fraud risk assessment team.

4. Establish a fraud-reporting process and coordinated approach to investigation and corrective action.

5. Monitor the fraud risk management process, report results and improve the process. As you make these changes and implement processes to manage your organization’s fraud risk, know that you must continually monitor everything. Organizations are dynamic and will change.

To illustrate the FRMG’s guidance, Lister invited Milva Recchi, Director, Enterprise Fraud Risk Management, at BMO Financial Group to join her on stage to candidly discuss her own experience implementing a program. At BMO, Recchi and her fraud risk management team have established a Criminal Risk Management Framework aligned with the FRMG’s five principles.

One of her valuable pieces of insight addressed principle No. 2 from the list above: performing a comprehensive fraud risk assessment. “I think what was a turning point for me was doing scheme-based fraud risk assessments,” Recchi said. “A lot of us at our companies are about processes. A beginning and an end. But, with fraud risk assessments, you begin with the end in mind. You start at the end and it forces you to do the walk back.”

While Recchi’s implementation of a management framework took BMO more than 2 ½ years, it is important to remember that every company is different; there is no one-size-fits-all fraud risk assessment or fraud risk management program. The Fraud Risk Management Guide, along with resources like interactive scorecards, templates and data analytics tests, is a tool to guide you in your own development of a program that fits your specific objectives. As Recchi said, “If you aren’t doing a fraud risk assessment, you really don’t know what your risks are.” I would go even further and say, if you aren’t creating a fraud risk management program, then you really aren’t addressing your fraud risks. For more information, to purchase the guide or for free resources, visit