Managing Fraud Risk: First, Second or Third Line of Defence Responsibility? Patrick Risch, CFE, CIA, CCSA BNP Paribas Fortis, Fraud Protection Board member ACFE Belgium


Post on 13-May-2018


Managing Fraud Risk: First, Second or Third Line of Defence Responsibility?

Patrick Risch, CFE, CIA, CCSA

BNP Paribas Fortis, Fraud Protection

Board member ACFE Belgium


2 | 27-03-2012 | Patrick Risch

DISCLAIMER

The views expressed in this presentation are the views of the speaker and do not necessarily reflect the views or policies of

• BNP Paribas Fortis or any other company of the Group BNP Paribas

• Any organisation of which the speaker is a member

The purpose of this presentation is to share ideas and promote discussion. Examples are purely for illustrative purposes, and may have been modified or simplified in order to clarify a point.

Neither the speaker, nor the company and organisations he belongs to, accepts responsibility for any consequence of the use of (parts of) the framework presented today.

However, we invite you to participate in the discussion today and later on.

Patrick Risch


Outline

Introduction

Fraud Risk Management

• Prevention

• Detection

• Fraud Case Management

• Repair and remediation

Ownership of fraud risk

• When it comes to fraud, there are no winners

• Three lines of defence

Conclusion


[Figure: Market capitalisation BNP Paribas. Bar chart comparing the market capitalisation of major banks on 5 September 2010. BNP Paribas = 64 billion euros. Ranking: World #12, Europe #3, Eurozone #2, France #1.]


Definition of Fraud

Every book, every magazine, every jurisdiction appears to have its own definition of fraud.

Most definitions encompass the following three key elements:

• Misconduct or abuse

• Deception

• Enrichment/benefit


Cost of fraud

Financial impact

• Direct losses

• Indirect losses

• Increased credit risk

• Cost of Fraud Management and recovery

Reputational impact

• Reliability

• Ethics

Psychological impact


Why do people commit fraud?

Some people are honest all of the time.

Some people are dishonest all of the time.

Most people are honest some of the time.

Some people are honest most of the time.

- Tommie Singleton, PhD, University of Alabama

[Diagram labels: Honest, Dishonest, Situational]


Fraud Risk Management

• Prevention and Early Detection

• Fraud Case Management

• Repair and Remediation


Policy setting

Yet another policy?

ZERO TOLERANCE

Some important messages:

• What do we consider as fraud

• How do we expect management and staff to deal with fraud risk

• Who is responsible for managing fraud risk

• What to do in case of a fraud suspicion

• What the consequences are of fraudulent behaviour


Talking about fraud

Issues

• No one likes to talk about fraud.

• They don’t know how to talk about fraud.

• There are business targets to be reached.


Learning to talk about fraud

• The real and possible impact

• Words to talk about fraud

• An appropriate framework to cover the entire range of fraud possibilities

Fraud Risk Categories

[Diagram: tree of fraud risk categories. Box labels: Internal Fraud (Occupational fraud); External Fraud; Abuse of Powers and Authority (Corruption); Asset Misappropriation; Fraudulent Financial Statements; Illegal Gratuities; Economic Extortion; Bribery; Conflict of Interest; Collusion; Non Financial Assets; Financial Assets; Fraudulent Disbursements; Misuse of company assets; Asset Misappropriation; Fraudulent documents; Non Financial Assets; Financial Assets; Fraudulent Disbursements]


Learning to talk about Fraud

If you don’t know fraud, you won’t be able to:

• Recognise it in your daily operations

• Prevent it when designing processes

• Detect it when performing control tasks

Learning to know fraud

• Part of a training path for newcomers and for new managers

– Integrated in product training

– Cross-product

• Other trainings and road shows

• E-learning


Assessing fraud risk

Why?

• Focusing limited resources on most risky areas

– Frequency/impact

• Creating awareness

• Thinking out of the box

Nice side effect

• Putting fraud on the agenda


Fraud Risk Assessment

Preliminary

• Get an overall starting point

• Objective Yes/No questions

• Covers the entire fraud universe

Assessment

• Discussion with Line Management, based on preliminary questionnaire

• Inherent and controlled risk

• Fraud Awareness Maturity

Wrap Up

• Compare the outcome of the different assessments

• Action plan


Preliminary questionnaire

Question (Y/N)

• Is cash available?

• Access to confidential information?

• One-on-one relation with suppliers?

• Decision power on customer acceptance?

[Table residue: each question is marked with an X against numbered columns 1 2 3 4 5 6 7 8 9 …]

• 40 Questions on 8 topics

– Financial statements

– Access to assets

– Access to information

– Transactions

– Relationship with customers

– Relationship with suppliers

– Decision power

– HR Policies


Assessment matrix

Fraud risk category | Score

Internal Fraud

• Abuse of power

– Illegal gratuities

– Economic extortion

– Bribery

– Conflict of interest

– Collusion

– Misuse of assets

• Asset misappropriation

– Financial assets

– Non-financial assets

– Fraudulent disbursements

• Fraudulent Financial Statements

External Fraud

• Fraudulent documents

• Asset misappropriation

– Financial assets

– Non-financial assets

– Fraudulent disbursements


Fraud Awareness Maturity

• Based on objective criteria

– Communication of policy

– Training

– Risk assessment

– Quality of internal control

• Maturity levels


Fraud Detection

The haystack

• 70,000 new mortgage loans

• 450,000,000 transfers

• 3,800,000 cheques

• 600,000 physical coupon payments

• 17,000 staff members

• 1,300 branches

• …


Fraud Detection

• What are we looking for?

– Kerviel, Madoff, Leeson?

– The great train robbery?

– The one big hit?

• Remember

– Fraud can occur anywhere at any time.

– Big fraud schemes usually start small.

– Errors, anomalies … indicate weaknesses.


Fraud Detection

Risk-based approach

• How will a typical fraud scheme appear in your systems?

• Determine risk factors.

• Isolate high-risk transactions by means of data mining.


Managing fraud cases

Independent and objective inquiry

• To find out what actually happened

• To define clearly losses and responsibilities

• To maintain legal evidence

• To avoid cover-up

– By the fraudster or an accomplice in an internal fraud case

– By someone who made a mistake and thus facilitated an external fraud


Repair and remediation

Cleaning up the mess …

• Accounting

• Loss collection

• Reimbursing customers

• Recovery

• Legal action

• Disciplinary action

… and avoiding reoccurrence

• Lessons learned

• Revise and update controls in place


When it comes to fraud ….

In practice: No one likes fraud

• A Fraud Examiner is always the bearer of bad news.

• Fraud detection routines only prove that everything is functioning as intended.

In theory: Two overall approaches

• Fraud control is just like any other internal control.

– Management responsibility

• Fraud risk is too specific to leave it in the hands of a layman.

– Responsibility of a dedicated department

… there are no winners


Three lines of defence …. in general

First line of defence — Operational management

• Ownership, responsibility and accountability for assessing, controlling and mitigating risks

Second line of defence — Risk management/Compliance

• Facilitates and monitors the implementation of the framework

• Assists the risk owners in reporting

Third line of defence — Internal Audit

• Provide assurance to the organisation’s board and senior management


Three lines of defence …. and fraud

First line of defence — Operational management

• Ownership, responsibility and accountability for assessing, controlling and mitigating risks

[Diagram labels:]

• Training on how to recognise fraud

• Training on how to react when confronted with fraud

• Tone at the top

• Preventive controls

• Detective controls

• Investigate incidents

• Learning organisation

• Mr./Mrs. Anti-Fraud


Three lines of defence …. and fraud

Second line of defence — Risk management/Compliance

• Facilitates and monitors the implementation of the framework

• Assists the risk owners in reporting

[Diagram labels:]

• Policy setting

• Oversight

• Set the example

• Independent view

• Proposing detective controls

• Give advice

• Knowledge centre

• Methodology


Three lines of defence …. and fraud

Third line of defence — Internal Audit

• Provide assurance to the organisation’s board and senior management

ASSURANCE

• Fraud Risk Framework

• Incidents


Conclusion

Prevention and Early Detection | Investigation of Fraud Cases | Fraud Repair and Remediation

• Culture of fraud risk awareness

• Fraud Awareness Training

• Fraud Risk in Risk Assessment process

• Fraud preventive and detective controls

• Fraud Alert Line

• Process for fraud case management

• Accounting entries and register losses

• Reimburse customers

• Disciplinary action

• Improve internal control

• Investigate fraud cases in a professional and objective way

• Oversight on Fraud Risk Management

• Guidance, advice and recommendations

• Fraud Risk Assessment methodology

• Knowledge Centre on Fraud Risk

• Develop Fraud Detection controls

• Report on fraud risk exposure

• Post Mortem analysis and recommendations to Line Management

• Monitoring Fraud Risk exposure

• Provide assurance to the organisation’s board and senior management


Conclusion

• Managing fraud risk is more than managing fraud incidents

• A fraud risk management framework, adapted to the needs of your organisation

• Make sure that all aspects of fraud risk management are allocated somewhere

• Role of management

• Fraud detection

– A statistical approach

– Looking into your systems

• Let audit play its role

• Ensure coherence with the overall roles of risk and control governance

• Create a second line function to maintain oversight


“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.