The Risk Officer, the Internal Auditor and the Fraud Examiner

Prior to about fifteen years ago, the risk management function in most enterprises (if it existed at all),  was fragmented  between various business processes of the organization like insurance, legal, regulatory compliance and physical security.  That’s exactly how the operational aspects of the function were handled at the bank holding companies I worked for many years ago.  This pattern continued until around the late eighties and early nineties when management increasingly turned to internal audit shops to first conduct risk assessments of  financial systems under development and then of all enterprise business processes deemed high risk.  But having the internal audit division conduct non-audit related risk functions for the entire organization posed independence problems for the auditors.

Today the various elements comprising the global risk management function are increasingly consolidated under one risk management business process headed by a Corporate Risk Officer (CRO); this is because management has come to realize that dealing with the risks associated with the ever increasing complexity of its market environment necessitates the kind of constant attention that only a dedicated risk professional can bring to the task.

The objective of the Office of Risk Management is to integrate risk management activities across the entire organization.  The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management Framework defines enterprise risk management  as a process designed to identify potential events that might affect the entity, and manage risks to be within its risk appetite, and then to provide reasonable assurance regarding the achievement of entity objectives.

When asked to evaluate fraud risk for any enterprise, the first question I ask is, “Is there an internal audit function?” and the second is, “Is there a Chief Risk Officer?”  If the answer to either or both questions is yes, I know that each of  these assurance functions will be a rich source of information for my work.  I immediately open a dialogue with these professionals to gauge the organization’s risk appetite and then engage them to help develop probability models for the eventuality of a range of fraud scenarios given their views of their organization’s credit, market and operational risk.

Given the post-2008 financial crisis environment in which we currently operate, Fraud Examiners will increasingly be called upon to evaluate the probabilities of fraud scenarios only made possible by the massive gaps in both the understanding and communication of company risk  appetite and exposure that brought on the crisis.  The fraud examiner has two invaluable allies in this evaluative process, the internal auditor and the chief risk officer.  Don’t overlook them.

 

Comments are closed.