What are You Doing About the Risk of Fraud in Your Organisation?


Part II


5wh Corporate Services’ Fraud Risk Management Framework is based on the Enterprise Risk Management model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework helps us understand, quantify and advise on the risks to which our clients are exposed. Management information and governance are related to each other according to the cycle below.

Risk management cycle

The risk management process consists of a cycle where each step is used as a stepping stone for the next step. 5wh Corporate Services carries out fraud risk assessments to:

  • determine how much risk the client is prepared to accept (‘risk appetite’);
  • determine the probability of risks occurring and the resulting consequences;
  • decide what measures are to be taken.

During the Line Management & Reporting phase of the cycle, management reports are delivered and used to make decisions, which subsequently lead to action in the Planning & Change phase. The risk appetite for the adjusted business activities must then be re-determined, after which the cycle starts all over again.

Management information

To support decision-making, management uses the following management information:

  • Incidents & Loss Events: recording undesired incidents and determining their causes helps to identify weaknesses in the business processes and the root causes behind them. Loss data relating to both internal incidents (such as actual fraud cases or recurring failures of business systems) and external incidents supports better-informed and correct decision-making.
  • Risk Profiles & Quantification Analysis: risk profiles that reflect the residual risk as well as the design and effectiveness of the key controls for the identified risks must be set up. Examples of such controls include:
    • separation of functions;
    • no unilateral individual decision-making;
    • daily monitoring of assets;
    • designation of owners;
    • clearly demarcated roles;
    • codes of conduct;
    • budgeting;
    • confirmations;
    • reconciliation of information from diverse sources;
    • service level agreements (SLAs);
    • documented policy and procedures.


  • Predictor Events: these events are derived from information in standard management reports and offer an opportunity to monitor changes in the risk position and to detect controls becoming ineffective before a loss occurs. Specific stress tests and scenario analyses are used to estimate and manage the longer-term effects.


The Governance framework consists of three elements:

  • Roles & Delegated Authorities: one essential aspect of the governance framework is that executives have specific roles and responsibilities within that framework. Individuals to whom authorities have been delegated take decisions within set parameters. Decisions outside their authorities are taken by a higher body.
  • Policy documents: policy and procedures for controlling both financial and non-financial risks.
  • Committees: specific board and/or management committees should set up

Systems and tools

Our clients use a number of systems and tools to support the risk management cycle (analyses, reports, workflow management charts) that deliver management information and data for specific risk management systems. Because the management information is only as reliable as the data feeding it, data quality is crucial for any organisation, and close attention is therefore devoted to good system support and technology.

Communication, education, training and guidance

Communication translates into a consistent and regular information flow. This helps to give management and the Board a deeper understanding and awareness of risk management.

For the development and application of Fraud Policies and Response Plans see my earlier post, A Contingency Plan for Responding to Workplace Fraud.

© Caleb Mutsumba

What do you think? What strategies do you, or your company, use to manage the risk of fraud and error in your organisation? Are you primarily proactive or reactive in your approach to risk management? Share your experience in the Comment box below.
