Managing Fraud Risk: First, Second Or Third Line Of .


Managing Fraud Risk: First, Second or Third Line of Defence Responsibility?
Patrick Risch, CFE, CIA, CCSA
BNP Paribas Fortis, Fraud Protection
Board member ACFE Belgium

DISCLAIMER
The views expressed in this presentation are the views of the speaker and do not necessarily reflect the views or policies of
- BNP Paribas Fortis or any other company of the Group BNP Paribas
- Any organisation of which the speaker is a member
The purpose of this presentation is to share ideas and promote discussion. Examples are purely for illustrational purposes, and may have been modified or simplified in order to clarify a point.
Neither the speaker, nor the company and organisations he belongs to, accepts responsibility for any consequence of the use of (parts of) the framework presented today.
However, we invite you to participate in the discussion today and later on.
Patrick Risch
patrick.risch@bnpparibasfortis.com
Patrick Risch 27-03-2012 2

Outline
Introduction
Fraud Risk Management
- Prevention
- Detection
- Fraud Case Management
- Repair and remediation
Ownership of fraud risk
- When it comes to fraud, there are no winners
- Three lines of defence
Conclusion


Market capitalisation BNP Paribas
Market capitalisation on 5 September 2010
BNP Paribas: 64 billion
[Bar chart comparing the market capitalisation of major banks]


Definition of Fraud
Every book, every magazine, every jurisdiction appears to have its own definition of fraud.
Most definitions encompass the following three key elements:
- Misconduct or abuse
- Deception
- Enrichment/benefit

Cost of fraud
Financial impact
- Direct losses
- Indirect losses
- Increased credit risk
- Cost of Fraud Management and recovery
Reputational impact
- Reliability
- Ethics
Psychological impact

Why do people commit fraud?
Some people are honest all of the time.
Some people are dishonest all of the time.
Most people are honest some of the time.
Some people are honest most of the time.
- Tommie Singleton, PhD, University of Alabama
[Diagram labels: Dishonest, Honest, Situational]

Fraud Risk Management
- Prevention and Early Detection
- Fraud Case Management
- Repair and Remediation


Policy setting
Yet another policy?
ZERO TOLERANCE
Some important messages:
- What do we consider as fraud
- How do we expect management and staff to deal with fraud risk
- Who is responsible for managing fraud risk
- What to do in case of a fraud suspicion
- What the consequences are of fraudulent behaviour

Talking about fraud
Issues
- No one likes to talk about fraud.
- They don’t know how to talk about fraud.
- There are business targets to be reached.

Learning to talk about fraud
- The real and possible impact
- Words to talk about fraud
- An appropriate framework to cover the entire range of fraud possibilities
[Diagram: Fraud Risk Categories, split into Internal Fraud (Occupational fraud) and External Fraud. Labels: Abuse of Powers, Illegal Gratuities, Economic Extortion, Bribery, Conflict of Interest, Collusion, Misuse of company assets, Asset Misappropriation, Financial Assets, Non Financial Assets, Fraudulent documents, Fraudulent Disbursements]

Learning to talk about Fraud
If you don’t know fraud, you won’t be able to:
- Recognise it in your daily operations
- Prevent it when designing processes
- Detect it when performing control tasks
Learning to know fraud
- Part of a training path for newcomers and for new managers
  – Integrated in product training
  – Cross-product
- Other trainings and road shows
- E-learning

Assessing fraud risk
Why?
- Focusing limited resources on most risky areas
  – Frequency/impact
- Creating awareness
- Thinking out of the box
Nice side effect
- Putting fraud on the agenda

Fraud Risk Assessment
Preliminary Assessment
- Get an overall starting point
- Objective Yes/No questions
- Covers the entire fraud universe
- Discussion with Line Management, based on preliminary questionnaire
- Inherent and controlled risk
- Fraud Awareness Maturity
- Compare the outcome of the different assessments
- Action plan
Wrap Up

Preliminary questionnaire
40 Questions on 8 topics:
- Financial statements
- Access to assets
- Access to information
- Transactions
- Relationship with customers
- Relationship with suppliers
- Decision power
- HR Policies
[Table: example questions, each with a Y/N answer and X marks in columns 1 to 9]
- Is cash available?
- Access to confidential information?
- One-on-one relation with suppliers?
- Decision power on customer acceptance?

Assessment matrix
Columns: Fraud risk category, Score
Internal Fraud
  Abuse of power
    Illegal gratuities
    Economic extortion
    Bribery
    Conflict of interest
    Collusion
  Misuse of assets
  Asset misappropriation
    Financial assets
    Non-financial assets
    Fraudulent disbursements
  Fraudulent Financial Statements
External Fraud
  Fraudulent documents
  Asset misappropriation
    Financial assets
    Non-financial assets
    Fraudulent disbursements

Fraud Awareness Maturity
- Based on objective criteria
  – Communication of policy
  – Training
  – Risk assessment
  – Quality of internal control
- Maturity levels

Fraud Detection
The haystack
- 70,000 new mortgage loans
- 450,000,000 transfers
- 3,800,000 cheques
- 600,000 physical coupon payments
- 17,000 staff members
- 1,300 branches

Fraud Detection
- What are we looking for?
  – Kerviel, Madoff, Leeson?
  – The great train robbery?
  – The one big hit?
- Remember
  – Fraud can occur anywhere at any time.
  – Big fraud schemes usually start small.
  – Errors, anomalies indicate weaknesses.

Fraud Detection
Risk-based approach
- How will a typical fraud scheme appear in your systems?
- Determine risk factors.
- Isolate high-risk transactions by means of data mining.

Managing fraud cases
Independent and objective inquiry
- To find out what actually happened
- To define clearly losses and responsibilities
- To maintain legal evidence
- To avoid cover-up
  – By the fraudster or an accomplice in an internal fraud case
  – By someone who made a mistake and thus facilitated an external fraud

Repair and remediation
Cleaning up the mess
- Accounting
- Loss collection
- Reimbursing customers
- Recovery
- Legal action
- Disciplinary action
... and avoiding reoccurrence
- Lessons learned
- Revise and update controls in place


When it comes to fraud ...
In practice: No one likes fraud
- A Fraud Examiner is always the bearer of bad news.
- Fraud detection routines only prove that everything is functioning as intended.
In theory: Two overall approaches
- Fraud control is just like any other internal control.
  – Management responsibility
- Fraud risk is too specific to leave it in the hands of a layman.
  – Responsibility of a dedicated department
... there are no winners

Three lines of defence ... in general
First line of defence — Operational management
- Ownership, responsibility and accountability for assessing, controlling and mitigating risks
Second line of defence — Risk management/Compliance
- Facilitates and monitors the implementation of the framework
- Assist the risk owners in reporting
Third line of defence — Internal Audit
- Provide assurance to the organisation’s board and senior management

Three lines of defence ... and fraud
First line of defence — Operational management
- Ownership, responsibility and accountability for assessing, controlling and mitigating risks
[Diagram labels:]
- Training on how to react when confronted with fraud
- Training on how to recognise fraud
- Tone at the top
- Preventive controls
- Detective controls
- Learning organisation
- Investigate incidents
- Mr./Mrs. Anti-Fraud

Three lines of defence ... and fraud
Second line of defence — Risk management/Compliance
- Facilitates and monitors the implementation of the framework
- Assist the risk owners in reporting
[Diagram labels:]
- Oversight
- Policy setting
- Set the example
- Proposing detective controls
- Methodology
- Independent view
- Knowledge centre
- Give advice

Three lines of defence ... and fraud
Third line of defence — Internal Audit
- Provide assurance to the organisation’s board and senior management
[Diagram labels:]
- ASSURANCE
- Fraud Risk Framework
- Incidents


Conclusion
[Summary matrix of fraud risk management responsibilities. Labels:]
Prevention and Early Detection
Culture of fraud risk awareness
Fraud Awareness Training
Fraud Risk in Risk Assessment process
Fraud preventive and detective controls
Investigation of Fraud Cases
Fraud Alert Line
Process for fraud case management
Investigate fraud cases in a professional and objective way
Oversight on Fraud Risk
Report on fraud risk exposure
Management
Guidance, advice and recommendations
Fraud Risk Assessment methodology
Knowledge Centre on Fraud Risk
Develop Fraud Detection controls
Fraud Repair and Remediation
Accounting entries and register losses.
Reimburse customers
Disciplinary action
Improve internal control
Post Mortem analysis and recommendations to Line Management
Monitoring Fraud Risk exposure
Provide assurance to the organisation’s board and senior management

Conclusion
- Managing fraud risk is more than managing fraud incidents
- A fraud risk management framework, adapted to the needs of your organisation
- Make sure that all aspects of fraud risk management are allocated somewhere
- Role of management
- Fraud detection
  – A statistical approach
  – Looking into your systems
- Let audit play its role
- Ensure coherence with the overall roles of risk and control governance
- Create a second line function to maintain oversight

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.
