Can you identify risks without assessment?
You can. At least, that’s the picture emerging from our most popular free assessment ever (more here), the Fraud Prevention Scorecard. Before continuing, I realised that saying “fraud” can mean many things to different people. We base our definition on the one in the UK Economic Crime and Transparency Act (if you complete the assessment, you’ll get a workbook that includes explanations and examples across the 12 areas of fraud we delineated from that act).
It’s not a stretch to see how bribery, conflicts of interest, money laundering, and other separately legislated compliance areas might also be defined as “fraud.” This is especially true of the “conspiracy to defraud” wording, which essentially describes an agreement where people conspire to benefit financially to the detriment of others.
As many tools to prevent fraud overlap with anti-bribery, anti-corruption, and anti-money laundering, let’s use ‘fraud’ as a byword for financial or economic crime.
So, it is curious that 50% of respondents said “yes” to the question, “Has the company conducted a thorough risk assessment to identify potential economic crime and fraud areas?” But on a question about the robustness of risk identification, using a five-point scale (where 0 is “Nothing in place/weak” and 5 is “Robust”), 71% sit at that middle point, and 14% are near the robust end.
How are we arriving at a middling score on robust risk identification with a 50/50 score for assessments? Here are my guesstimated hypotheses:
🤔 The best scores have been around reporting and whistleblowing 👇.
🤔 Using this data helps identify/confirm known risks.
🤔 The second-best score is in detection and response.
🤔 As detection tools advance, so can risk identification.
It’s good news that we’re getting better at whistleblowing and detection. Why? Look at the screenshot 👇 from the Association of Certified Fraud Examiners Report to the Nations 2024. This report examines data from thousands of fraud cases investigated by its members in the prior 12 months. Tips (with whistleblowing lines being a large part of this) remain the most common detection method, followed by audits and reviews. But if you look further down, the lowest mean fraud value is reserved for automated transaction/data monitoring.
There are three questions about automated monitoring in the assessment, and only 22% of respondents are NOT using data analytics tools.
In conclusion, you can conduct risk identification without assessment, much like diving into the water to check if there are sharks. But, and I know I’m biased here, I still feel 3D risk assessments (external threats/context, internal controls, and culture) might help achieve three crucial things:
🚦 Help identify unknowns (before they occur)
🚦 Better purpose analytics (saving ⏱️/💰)
🚦 Help us understand why, not just what…
…This then informs better policies, training, and continuous improvement (some of the weaker areas in the survey responses so far).
What do you think? Is it better to react or try to predict?