A case for fraud risk maturity assessment
What do you think is the number one mistake many fraud examiners, investigators and other governance champions make?
The number one mistake is not something you may think.
As a fraud examiner, I love to overwhelm suspects with watertight evidence. For some reason, I interview suspects to the point they stop looking me straight in the eyes. It is like an art. Knowing the facts of the case at hand. Taking the statement of the suspect. Collecting evidence. And having the suspects punched in the gut by their alibi.
In 2013, I was investigating a case in which a woman in her late 50s was a suspect. She had visible scars one would say were a result of a mid-life crisis. As I asked her questions to the point of confession, she looked at me directly in my eyes and said: why are you enjoying this? Why are you happy for taking me to jail?
As I left the interview room, I reflected: why do I enjoy this? This question struck me. It helped me change my focus from waiting for problems to happen so that I may investigate them, to proactively preventing them from happening. An investigation
I do not know about you and your career interests.
What I know is that if you are a fraud examiner, you do a good job by holding accountable people who commit fraud. However, you can do even better when you prevent fraud from happening in the first place.
And that is where fraud risk maturity assessment comes in. How do you anticipate and prevent fraud? How do you help people do the right thing?
There are three broad areas for maturity assessments:
- Fraud risk maturity assessment i.e. legal and compliance maturity assessment
- Cybersecurity maturity assessment
- Enterprise-wide risk maturity assessment
A maturity assessment report provides a good starting point for any value addition project. In my experience working closely with board members and senior executives, they add the most value when they understand the current situation in the mission-critical areas – legal and compliance, cybersecurity and IT governance, risk management and business continuity. Only after such an assessment can the EXCO or board set an agenda to close the gaps.
A risk maturity assessment evaluates the extent to which an entity has implemented the building blocks in the respective area of assessment. For risk management, for example, you rate the maturity of the enterprise-wide risk management strategy against best practice, specifically ISO 31000, on a scale from level 1 to level 5, where 1 means basic and 5 means very advanced. The resulting maturity rating helps inform the governance agenda.
As Mr Strategy, with over 18 years of corporate governance practice, which includes risk and strategy, I know for a fact that you cannot add value to something that you do not understand well. A maturity assessment is the starting point that shows where the organisation stands in terms of risk management.
To start, I recommend your Board and EXCO undertake a short discussion or briefing on “How to Conduct Enterprise Risk Maturity Assessment” from a practical point of view. By the end of my 45-minute talk, you will learn:
- The five levels of risk management maturity, aligned to the ISO 31000:2018 standard, and the factors considered at each level to assess maturity.
- The six (6) pillars or building blocks of enterprise-wide risk success.
- Fraud risk maturity assessment vs cyber risk maturity assessment, and why these risks are top of the agenda for any executive.
- Effective risk reporting to the board and key stakeholders for improved governance.
Interested? Contact me on strategy [at] summitcl [dot] com.
Copyright Mustapha B Mugisa, Mr Strategy 2021. All rights reserved.