Building Fraud Risk Management Into A Compliance & Ethics Program


Society of Corporate Compliance and Ethics (SCCE)
Virtual Regional Compliance & Ethics Conference: Columbus, Ohio
November 5, 2021

Building Fraud Risk Management into a Compliance & Ethics Program

Presented by: James Rumph, CFE, CAMS, CPA, CIA
Sr. Director, Enterprise Anti-Fraud Team

Organizational Model¹

[Organizational chart (labels as transcribed): Office of Compliance and Ethics; Compliance; Office of Ethics; Other Compliance Programs]

Primary OCE Groups with Anti-Fraud Focus:
- Enterprise Anti-Fraud Team: 2nd line focus on operational fraud risk
- Financial Crimes Compliance: financial crimes regulatory focus
- Office of Ethics: focus on ethical culture and internal investigations

¹ Institute of Internal Auditors (IIA) model, previously known as the Three Lines of Defense model. See ...ee-Lines-Model-Updated.pdf for more details.

Elements of an Effective Compliance & Ethics Program

High Level Responsibility

Enterprise Anti-Fraud Committee:
- Purpose: To establish governance, visibility, and direction for enterprise fraud risks, controls and response activities.
- Chartering committee: Enterprise Operational Risk Committee (EORC)
- Structure: [committee structure diagram]
- Key Responsibilities:
  - Recommend:
    - Enterprise Fraud Risk Policy updates
    - Enterprise-level tolerances
  - Manage:
    - Enterprise fraud risk standards
    - Escalated fraud events
  - Monitor:
    - Enterprise-level tolerances and key risk indicators
    - Fraud Event Metrics Dashboard
    - High rated findings

Poll #1
Does your organization conduct fraud risk assessments?
1) Yes, formal fraud risk assessments
2) Yes, ad hoc fraud risk assessments
3) No
4) I don't know

Risk Assessment¹ ²

Enterprise Anti-Fraud Team:
- Facilitation:
  - Project management, communication, and methodology alignment
  - Workshop facilitation with fraud subject matter expertise
  - Risk partner calibration
- Reporting:
  - Include:² key fraud risk factors; ratings/dollar estimates; benchmarking; findings/observations
  - Levels: product lines/business areas; product line groupings; enterprise

¹ The Association of Certified Fraud Examiners (ACFE) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) partnered to publish the Fraud Risk Management Guide in 2016.
² Grant Thornton and the ACFE partnered to publish the Anti-Fraud Playbook in 2020, along with a variety of related tools.

Policies & Procedures

- Code of Conduct:
  - Developed and maintained by Office of Ethics
- Enterprise Fraud Risk Policy:
  - Serves as the enterprise's primary fraud risk management governance document
  - Developed and maintained by Enterprise Anti-Fraud Committee (EAFC)
  - Approved by Enterprise Operational Risk Committee (EORC)
- Enterprise fraud risk standards:
  - Developed and maintained by Enterprise Anti-Fraud Team (EAFT)
  - Approved by EAFC
  - Investigations
  - Threat Intelligence Sharing
  - Escalation
  - Testing & Monitoring
  - Event Data Reporting
  - Findings Management

Communication and Training

- Office of Ethics: Enterprise-wide Ethics training and Ethics Helpline
- Financial Crimes Compliance: Business grouping regulatory required anti-fraud trainings
- Enterprise Anti-Fraud Team:
  - Manage Fraud Risk Roles & Responsibilities Matrix and related Fraud Suspicion Hub
  - Facilitate financial crimes threat intelligence sharing
  - Supplement training and awareness

Monitoring & Testing

- Committee and Working Group Facilitation and Participation
- Traditional and Red Team Control Testing
- Tolerance / Key Risk Indicator (KRI) Monitoring
- Maturity Assessments¹
- Event Metric Monitoring

¹ Grant Thornton and the Association of Certified Fraud Examiners partnered to publish the Anti-Fraud Playbook in 2020, along with a variety of related tools.

Poll #2
Has your organization conducted formalized red team testing for fraud risk controls?
1) Yes
2) No
3) I don't know

Response & Prevention / Enforcement

- Enterprise Anti-Fraud Team:
  - Findings management and escalation
  - Advisory services
  - Policy exception escalation
- Internal Investigations Unit (IIU):
  - Associate and producer investigations, and collaborating with areas like the Office of Associate Relations for disciplinary actions
  - Sharing lessons learned with business partners

Management Reporting

Key Stakeholder Groups:
- Audit Committee
- Enterprise Operational Risk Committee (EORC)
- Enterprise Anti-Fraud Committee (EAFC)

- Office of Ethics: Ethics program metrics; Culture Survey results
- Enterprise Anti-Fraud Team: Finding, tolerance/key risk indicator and other metrics, and update reporting

Exam Management

- Exam Management Team: Manages exams on behalf of Office of Compliance and Ethics and business partners
- Enterprise Anti-Fraud Team: Share enterprise-level fraud risk and control information and documentation as needed

Elements of an Effective Compliance & Ethics Program

[Diagram: the Enterprise Anti-Fraud Team's activities arranged around the elements of an effective compliance and ethics program]
- Share enterprise-level fraud risk and control information and documentation as needed
- Audit Committee, EORC, and EAFC: finding, tolerance/key risk indicator and other metrics, and update reporting
- Fraud risk assessment facilitation and reporting
- Enterprise-level fraud risk policy and standards administration
- Manage Fraud Risk Roles & Responsibilities Matrix and related Fraud Suspicion Hub
- Facilitate financial crimes threat intelligence sharing
- Supplement training and awareness
- Enterprise Anti-Fraud Committee (EAFC) facilitation
- Policy violation escalation
- Findings management and escalation
- Committee and working group facilitation and participation
- Maturity assessments
- Event metric monitoring
- Tolerance / Key Risk Indicator (KRI) monitoring
- Traditional and red team control testing
- Findings management
- Advisory services

Other Questions and Comments

James Rumph, CFE, CAMS, CPA, CIA
Nationwide; Sr. Director, Enterprise Anti-Fraud Team
614.249.6356 / rumphj1@nationwide.com

James has served Nationwide and its members in fraud risk roles for about six years, first within the Office of Internal Audit and then with the Enterprise Anti-Fraud Team, which is part of the Office of Compliance and Ethics. He leads a team of anti-fraud professionals who help the company manage fraud risk through five primary focus areas: governance, risk assessment, controls consulting, investigation / corrective action consulting, and monitoring and testing.

James joined Nationwide with a wide range of fraud prevention, detection, and response experience, including from his time as both an FBI and private forensic accountant and leading investigations for an insurance special investigations unit (SIU). James also serves the anti-fraud community as President of the Central Ohio Association of Certified Fraud Examiners (ACFE) Chapter and as Chairperson of the ACFE's Global Chapter Leaders Committee.

Nationwide, the Nationwide N and Eagle and Nationwide is on your side are service marks of Nationwide Mutual Insurance Company. © 2021 Nationwide

