My Presentation to Finance a few years ago with regards to Fraud and Risk Management and some examples of how to mitigate and control Fraud.

1. Alexander Larsen
Fellow of the Institute of Risk Management

2. The Dot Com Scandal
(2000)
Corporate collapses and massive
bankruptcies (early 2000s)
2008 -2009 Credit Crisis
“Failure in Risk Management”
2010 BP Deepwater Horizon
catastrophe

3. All organisations exist to achieve their objectives.
The purpose of risk management is to manage the barriers to achieving these
objectives.
Today
Identify & Manage
Organization’s vision,
Aims, Objectives

4. Enterprise Risk Management: The identification,
assessment and management of those risks which may have
either a positive or negative impact on the organisation’s assets,
reputation or ability to meet objectives.

5. • 5
Achieve
objectives
Less risk
averse
Improve & enhance
Reputation
Corporate
Governance
Country / Industry Regulation
Better decision
making
Improved
business planning
Improve
Quality &
Efficiency
Demonstrates
improvement

6. Early 2000’s - Computer Companies in the States faced a labour strike closing ports
along the West Coast of America.
While rivals floundered, perceptive risk management and around-the-clock
communication with its Asian suppliers (Partnerships) and U.S. shippers meant that
Dell had identified the potential problem six months earlier.
18 jumbo jets were chartered early resulting in a relatively undisrupted supply-chain
and a massive boost to Dell’s reputation for reliability and customer service (not to
mention subsequent profits!)

7. • 7
“Risk Management is not just about insurance”
THIS IS REACTIVE RISK
MANAGEMENT!!!!
80%
of risks faced byof risks faced by
organisations areorganisations are
notnot insurable!insurable!
‘‘Chance orchoice’ - SOLACE/ZMMSChance orchoice’ - SOLACE/ZMMS

8.  Risk Management can :
 Protect brand and reputation
 Provide protection should your current controls fail
 Provides more than just monetary recovery (insurance – remember 80% uninsurable)
REACTIVE RISK MANAGEMENT :
Loss of
information
needed for
strategic
operational
decisions
Loss of customer
goodwill
Loss of market
share
Reduced cash
flow control
Negative publicity
Loss of
employees to
competition
Cost of winning
back lost
customers
Missed business
opportunities
Loss of employee
knowledge
Loss of vital and
critical paper
records

9. • Slide 9
Strategic
Business
Departmental Business
Operational
cross cutting issues affecting the
achievement of organizational
objectives
Issues affecting the achievement of
departmental objectives
Issues affecting the achievement of
operational objectives
Partnerships
Projects

10. Risk
Identification
Risk
Assessment
Risk
Response
Planning
RISK
IDENTIFICATION
RISK
ANALYSIS
RISK
MANAGEMENT
MONITORING
PRIORITISATION

11.  Assess probability of occurrence and resulting impact for each risk against individual objectives based
on defined scales
 Rank risks using a probability-impact matrix where the position in the matrix suggest risk management
strategy
 Agree on how to Monitor risks – Ongoing Meetings etc.
HighMediumLow
Low Medium High
IMPACT
PROBABILITY
Critical (high priority)
Significant (medium priority)
Negligible (low priority)
2
1
3 4
Assess
probability
and impact
1
2 3
4
Individual risk
Rank
individual
risks
RISK CRITICALITY ACTION
1 Critical Not accept,
initiate actions
4 Critical Not accept,
initiate actions
3 Significant Accep and
monitor
2 Negligible Accept
Risk RankingRisk Matrix
Organization
Obectives

12. Risk Identification

13. Environmental
& Safety Risk
Compliance &
Legal Risk
Financial Risk
Strategic &
Market Risk
Information
Technology Risk
Operational Risk
Projects Risk
HR Risk

14. 1. HR related Risks
2. Cyber Risks
3. Political Risks
4. Oil Price Fluctuation
5. FX Fluctuation
6. Supply Chain Risk
7. Failure of Acquisitions/JV’s
8. Major Fraud

15.  Global Financial Meltdown
 Strong Risk Management in Silo’s without an overarching view
(ERM)
 Bearings Bank – Nick Leeson
 Major fraud
 Nick Leeson preaching Risk Management
 ENRON
 Failure of ERM
 Major Fraud exposed
ALL REACTIVE RISK MANAGEMENT

16. Risk Assessment

17. Impact (severity)
How bad is it when it does happen?
Likelihood (frequency / probability)
how likely is it?
How often does it happen?
Ideally this should be done in a group environment and not in isolation. EVERYONE
has information and experiences to contribute. This is not a science.

18. Likelihood
Impact
5
3
1
2
4
ECA B D
Likelihood: (in the next 12 months)
A Almost Impossible
B Low
C Medium
D High
E Almost Certain
Impact:
I Negligible
II Marginal
III Moderate
IV Major
V Catastrophic

19. Scale Description
Service Levels /
Objectives
Reputation
Financial (%-age
of annual
operating
budget)
1 Negligible
Insignificant fall in service
levels, insignificant effect
on objectives, i.e.
resource stretch
Public concern
restricted to local
complaints
< 20%
2 Marginal
Marginal fall in service
levels,some objectives not
met
Minor negative local/
public/ media attention
and complaints
20% - 40%
3 Moderate
Moderate fall in service
levels,several key
objectives not met
Adverse national
media public attention
40% - 60%
4 Major
Major fall in service levels,
majority of key objectives
not met.
Serious negative
nationlal or regional
criticism
60% - 80%
5 Catastrophic
Catastrophic fall in service
quality, complete failure of
objectives.
Prolonged
international, regional
and national
condemnation
> 80%
Scale Description
1 Almost Impossible
2 Low
3 Medium
4 High
5 Almost Certain

20. Risk Analysis & Management

21. Action/controls
already in place
Adequacy of
action/control to
address risk
Required management
action/control
Responsibility
for action
Critical
success factors
& KPI’s
Review
frequency
Key
dates
[actions/controls
already being done
that relate to this
risk/cluster]
[how effective are the
actions/controls
already in place?]
[new actions/controls required to
manage the risk down to its
target score]
[the person
responsible for this
action plan being
carried out]
[what will success
look like?
How will
performance
indicators have
improved]
[frequency of
reviewing this
action plan]
[Milestones/deadlines]
]

22.  The use of Internal Controls protects not only the employer, but also the employee.
 If departmental internal controls are weak and poorly monitored, it increases the
chance that fraud or errors could be overlooked.
 ERM helps identify which internal controls should be established to minimize the
identified risks. Internal Controls are everyone’s responsibility to:
 Prevent loss of resources
 Ensure reliable financial information
 Ensure compliance with governing laws and regulations
 Ensure efficiency and effectiveness of operations

23.  How can companies proactively manage the risk
of Fraud?

24.  Financial services
 Call centres at banks
 Etc.
 Fraud Reporting
 Via Risk Committee to Management Committee
 IT Security and Fraud
 HR
 Recruitment checks (history of fraud?)
 Supply Chain requirements
 Vetting 3rd
party staff based on pre agreed requirements
 Educating customers
 banks emails etc.
 Major JV or Acquisition Due Diligence
 – Partners, Country of operation, ethical or environmental history etc.