RISK MANAGEMENT FRAMEWORK
5wh Corporate Services’ Fraud Risk Management Framework is based on the Enterprise Risk Management model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework assists us in understanding, quantifying and advising on the risks to which our clients are exposed. Management information and governance are related to each other according to the cycle below.
Risk management cycle
The risk management process consists of a cycle where each step is used as a stepping stone for the next step. 5wh Corporate Services carries out fraud risk assessments to:
- determine how much risk the client is prepared to accept (‘risk appetite’);
- determine the probability of risks occurring and the resulting consequences;
- decide what measures are to be taken.
During the Line Management & Reporting phase of the cycle, management reports are delivered and used to make decisions, which subsequently lead to action in the Planning & Change phase. The risk appetite for the adjusted business activities must then be re-determined, after which the cycle starts all over again.
To support decision-making, management uses the following management information:
- Incidents & Loss Events: recording undesired incidents and determining their causes contributes to the identification of weaknesses in the business processes and their underlying causes. Loss data relating to both internal incidents (such as actual fraud cases or recurring problems with, or violations of, business systems) and external incidents supports better-informed and correct decision-making.
- Risk Profiles & Quantification Analysis: risk profiles that reflect the residual risk as well as the design and effectiveness of the key controls for the identified risks must be set up. Examples of such controls include:
  - separation of functions;
  - no unilateral individual decision-making;
  - daily monitoring of assets;
  - designation of owners;
  - clearly demarcated roles;
  - codes of conduct;
  - reconciliation of information from diverse sources;
  - service level agreements (SLAs);
  - documented policy and procedures.
- Predictor Events: these events are determined on the basis of information in standard management reports and offer an opportunity to monitor changes in the risk position and prevent ineffectiveness of controls. Specific stress tests and scenario analyses are used to estimate and manage the longer-term effects.
The Governance framework consists of three elements:
- Roles & Delegated Authorities: one essential aspect of the governance framework is that executives have specific roles and responsibilities within that framework. Individuals to whom authorities have been delegated take decisions within set parameters. Decisions outside their authorities are taken by a higher body.
- Policy documents: policy and procedures for controlling both financial and non-financial risks.
- Committees: specific board and/or management committees should set up
Systems and tools
Our clients use a number of systems and tools to support the risk management cycle (analyses, reports, workflow management charts) that deliver management information and data for specific risk management systems. Data quality is crucial for any organisation. Naturally, close attention is devoted to good system support and technology.
Communication, education, training and guidance
Communication translates into a consistent and regular information flow. This helps to give management and the Board a deeper understanding and awareness of risk management.
For the development and application of Fraud Policies and Response Plans see my earlier post, A Contingency Plan for Responding to Workplace Fraud.
© Caleb Mutsumba