ISACA Journal
Volume 5, 2,014 

Features 

Manage What Is Known and What Is Not Known: A Road Map to Managing Enterprise Fraud Risk 

Zhiwei Fu, Ph.D., CISA, CGEIT, CRISC, CFE, PMP, John W. Lainhart IV, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US, and Alan Stubbs, MAS 

Fraud is inherent to many businesses, but unfortunately, it is ignored to some degree, historically either because the occurrence is rare or organizations do not know how to manage it systematically and deal with fraud only as it is detected. However, fraud is an undeniable reality and has recently become more pervasive and persistent as a result of the downturn in the economy.

Recent economic downturns have had a prolonged and significant global impact, as individuals and businesses seek new ways to make ends meet and remain profitable. Desperate times lead to desperate acts, which sometimes lead to fraud.

Technology has been a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage businesses and governmental agencies also provide a mechanism for those bent on theft. The access to services and information customers demand have opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of first generation fraud management policies or, in some instances, the overall lack thereof.

The Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2013, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.1 Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with US $994 billion in the US alone. ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information (PII) are also held accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.2

Organizations in the private and public sectors are recognizing the upwardly spiraling trending of fraud facilitated by computer technology and have implemented homegrown and/or commercial off-the-shelf solutions to mitigate or eliminate fraud. However, these technology solutions are generally focused on the specific needs of individual business units based on what they know. These solutions are not predictive and provide no insight for the unknown. They are more likely to miss fraudulent activities and are not transparent to stakeholders of the organization. With the publication of Donald Rumsfeld’s book Known and Unknown: A Memoir, a phrase has become prevalent: “You don’t know what you don’t know.”3 This phrase has somehow become an acceptable excuse for whatever quandary in which individuals or organizations find themselves. While this expression is indeed true (if not banal), it should not be considered an acceptable excuse, but rather a call to action.

Criminals are becoming more sophisticated, and the fraud they perpetrate is increasingly complex. In response, the requirements for fraud risk management have significantly changed. Fraud risk management is not a by-product but a purposeful act intended to mitigate or eliminate an organizations’ exposure to fraud. Fraud risk management is no longer a “once and done” activity, but a program. As with all effective processes, it must be done by design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations must establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives, supported by a well-planned road map leading the organization to its properly defined target state. Performing adequate analysis of the current state, knowing the organization’s goals by determining a proper target state, establishing an enterprise fraud risk management framework and implementing critical success factors to get to that state can help organizations effectively manage fraud risk.

Know Where the Organization Is

The goal of current-state analysis and assessment is to understand the overall fraud capability and health of the organization. The current-state analysis should cover the entire spectrum for the life cycle of fraud prevention—from awareness, understanding, adoption, implementation, operations, and enforcement of fraud-relevant policy and procedures, to fraud data analysis, investigation, process improvement and reporting, and development of fraud countermeasures. These countermeasures include the organization’s fraud strategy, regulatory and business requirements, current business processes, organizational model, biggest areas of risk for fraud and exposure, most common fraud schemes and how they are currently managed, and existing fraud program and practices.

An effective current-state analysis provides a solid and fair representation of the current-state fraud risk management, sufficient to identify areas for improvement and development of sound recommendations. While the current-state analysis is not intended to establish grounds for reportable conditions under any regulations or considered an attestation or assurance report on the effectiveness of the enterprise fraud risk management process, it does provide information for management’s use and allows consideration of the fraud risk program and process improvements. For example, the ACFE fraud prevention check-up tool is a simple, yet powerful tool for the current-state assessment, examining multiple categories, including fraud risk oversight, risk ownership, risk tolerance and risk management policy, entity-level antifraud controls, process-level antifraud controls/reengineering, and proactive fraud detection. Organizations can quickly obtain a high-level overview of the fraud prevention posture and the identification of particular areas for improvement in the organization’s fraud prevention programs, processes and governance.

Figure 1The IBM fraud capability maturity model is a balanced assessment approach across the critical domains of the enterprise fraud risk management program and processes. It allows organizations to dive into their specific capabilities and further evaluate and determine their current state of fraud prevention as compared to industry best practices. Figure 1 provides the structure of the IBM fraud capability maturity model with three key interconnected domains: process, organization and governance, and technology.

The process domain for the fraud capability maturity model includes five components covering the fraud process life cycle: policy and control, detection and prevention, investigation, reporting and performance, and discovery (data and analytics). It addresses policies and approvals/delegation of authority aspects that align with the process, and it covers how various functions interact, how work is executed and where handoffs occur. The process domain also outlines the practices to capture, store, share and govern the relevant data, as well as the methods to analyze this information to support proactive and reactive actions. It also includes key metrics and measurement processes to ensure an effective operating model.

The organization and governance domain includes the organizational structure, roles and responsibilities of organizations, communication and collaboration among organizational components, the sourcing of activities (external vs. internal), and the mechanism by which implementation and changes will be addressed. It also addresses human factors, behaviors and required skills, the expected resources and their allocation, and change implications.

The technology domain includes the services, applications/tools and infrastructure support. It addresses the implementation of changes and/or replacement of applications targeted to support authentication and authorization, transaction monitoring, automation of the fraud detection and prevention process, and performance of fraud operations and functions. It should be noted that technology is a key ingredient of, but not the sole solution for, a comprehensive fraud detection and prevention program. If organization and governance is combined with incorrect processes, any technological advancement will be merely a stopgap measure.

There are five maturity levels defined in the fraud capability maturity model, along with the analysis and assessment criteria for the process, organization and governance, and technology domains, respectively. The current-state analysis is performed based on if, and how well, specific capabilities for each level have been achieved. Hence, the results indicate the organization’s current fraud risk management health and capabilities. The resulting fraud risk posture is then used to support the development of improvement opportunities and the road map. Figure 2 illustrates the high-level descriptions of these maturity levels and their associated capabilities. The fraud capability maturity levels can be rated as fully achieved, largely achieved, partially achieved or not achieved.

Figure 2

Properly implemented, this fraud capability maturity model provides a complete and effective management evaluation of an organization’s current fraud health and capabilities, quickly identifies the organization’s vulnerability to fraud, and helps pinpoint improvement opportunities to fix them.

Know Where the Organization Wants to Be

Fraud detection and prevention, risk management, and security all play critical roles in protecting today’s organizations. A counterfraud program, therefore, requires an enterprise perspective and defense-in-depth protection to prevent fraud from entering the business process and mitigate fraud that manages to break through. Smart organizations should never treat fraud risk management as a point solution, a step in the process or a score. Fraud prevention starts before intake. Fraud should be viewed as preventable, predictable and provable, and it should be managed pervasively throughout the process life cycle. Business process silos and disorganized organizational efforts have proven time and again to incur significantly more costs with decreased efficiency, as well as prevent efforts to effectively and intelligently detect and prevent fraud patterns across the enterprise.

Organizations can become hard targets for both organized and opportunistic fraudsters. Banks get robbed frequently, but US Army post Fort Knox never does. Organizations should establish and implement an organizationwide fraud risk management framework that integrates counterfraud capabilities—through organization and governance, fraud prevention, and detection enabled by technology—to share a common language for understanding, managing, and expressing fraud risk, both internally and externally. Such an enterprise framework helps align policy, business and security, and provides guidance to technological approaches to consistently and effectively manage fraud risk through standard and consistent management processes and practices. Figure 3 illustrates an enterprise fraud risk management framework that spans the enterprise security program, business process, application policy, procedures and controls, and counter- and defeat-fraud capabilities.

Figure 3

Fraud risk management is a top-down and bottom-up process. It is critical for organizations to establish and implement the right policies, process and technology, and for the components within the organization to diligently enforce these policies and processes collaboratively and consistently, to effectively fight fraud across organizations. The enterprise principles, culture and ethics provide the practical guidance for the desired organizational behavior for governance and day-to-day management. It includes affirmative activities to set the right tone at the top with well-established principles, a code of conduct and oversight that pushes the antifraud culture throughout the organization. This attitude effects enterprise policies, training, communication, and management programs and activities, and with strengthened controls, makes fraud harder to perpetrate. When fraud is detected, it is identified and dealt with efficiently and effectively.

The enterprise security program in the framework, including cybersecurity and IT security, provides general security countermeasures at the perimeters of the enterprise—an outer ring of protection. The enterprise security acts as a service to the business in countering fraud. It includes activities to handle breaches and cyberthreats, identity and credential management, authentication and authorization, activity surveillance, security information and event management, security incident response management, data loss prevention, malware and antivirus programs, intrusion detection and intrusion prevention programs, and others.

The business process and application and policy procedures controls are an inner layer in the framework that provides controls of what is and what is not allowed. These controls include decision-making controls, process and application-specific controls, change management process, configuration management, access controls, and appropriate monitoring and auditing controls. These controls secure the enterprise perimeters and provide preventive protection from fraud. Appropriate enterprise oversight and governance of these processes and controls are essential for effective implementation and execution of the fraud risk management framework. Without the proper governance and oversight suitable for the organization, the enterprise framework could readily become an exercise on paper and have little material effect on the organization’s collaborative counterfraud program.

At the core of the enterprise fraud risk management framework are the counter- and defeat-fraud capabilities. These capabilities include intelligent front-office and back-office functions and capabilities to disrupt fraudulent operational activities and use of advanced analytics to discover the potential fraud through the process life cycle—detect, respond, discover and investigate frauds. Figure 4 provides one viewpoint of four critical and fundamental capabilities at the core of the counterfraud program: detect, discover, respond and investigate.

Figure 4

Detect is a process of finding fraud within a business process. It evaluates if a transaction is potentially fraudulent in a relevant time frame by applying models and rules to determine the propensity for fraud. Discover is a process of finding fraud with data through analytic discovery capabilities. It retrospectively reviews historical data and identifies anomalies and patterns that could be indicative of the potential fraud. Detect and discover often go hand in hand. Detect is inline and operational while processes are taking place, while discover is back office and analytical. Detect is a real-time (or near real-time), machine-based and one-to-many operation (i.e., one rule or model applies to many transactions). It applies the analytics, predictive models, rules and everything the organization has learned historically to the business processes. Discovery is a retrospective, batch-oriented, human-intensive and many-to-one analytical process (i.e., many data points lead to one rule or pattern) in which big data and advanced analytics play a significant enablement role.

Respond is taking appropriate actions in real time to either stop or discourage the fraudster once fraud has been detected, e.g., not allowing fraudsters or suspects to register or question them at the time of registration before they get into the systems. Respond is essentially defeating or disrupting the fraud act when it has been identified.

Investigate provides back-office, analytic capability. It confirms and documents the fraud or suspicious schemes that the organization has discovered in order to build a case for prosecution and recovery. The investigative process provides feedback to develop or update rules, watch lists and patterns. It considers all relevant, supporting information the organization has gained through the process, data learned through relationships, and data obtained or enriched from third-party sources to support documenting the build-out of the cases. Investigate is essentially confirming the fraud, understanding and working the case.

The enterprise fraud risk management framework requires a standard enterprise management process for consistent and effective implementation. Figure 5 provides an enterprise fraud risk management process that integrates enterprise security, business policy, procedure controls and fraud management that spans the entire life cycle, incorporating the concepts of preventing, detecting, responding, investigating, reporting and discovering. Organizations should review and tailor this management process for their environments based on corporate business strategy and requirements. The enterprise fraud risk management framework also requires a consistent communication and reporting process, which should effectively communicate—internally and externally—the organization’s heightened security measures and enhanced capacity of fraud detection, as well as the civil and criminal penalties of fraud.

Figure 5
View large graphic.

The fraud risk management process clearly indicates that no single layer of fraud prevention and risk management is enough to detect, deter and prevent fraud and to keep determined fraudsters out of enterprise systems. For example, no authentication measure on its own is sufficient to counter fraud. Effective fraud risk management requires organizations to employ a multilayered fraud-prevention approach to defend against today’s attacks and those that have yet to appear.

Technology is not the driver of enterprise fraud risk management, but the enabler of the enterprise fraud risk management strategy and road map to multilayered defense in depth and the organization’s target state. Organizations have implemented technology solutions over time through the increasingly matured system life cycle methodology. Unfortunately, technology solutions are implemented for fraud risk management in many organizations with a focus on specific lines of business and implemented in silos. The data to support these systems and provide insight to fraud are scattered and isolated as well. These point solutions are usually scattered across the enterprise with little or no integration. Without proper enterprise planning, coordination and governance, these niche fraud solutions and systems in silos create gaps between fraud intelligence units. Disconnected systems are more likely to miss fraudulent activity, drive up IT costs and resources, make it difficult to support transparency and compliance reporting, and prolong the cycle to take action against fraudulent intelligence. It is essential to integrate technology planning, architecture and solutions into the enterprise risk management framework, and manage technology and data as an integral part of the risk management process though continual enterprisewide planning, collaboration, coordination and execution.

With a properly developed current-state analysis, a clear vision of the organization’s fraud posture can be presented to the corporate fraud risk owners and key stakeholders in order to formulate a proper target state and associated road map. The proper planning and commitment at the highest organization level, along with full cooperation and collaboration across components, is critical to reaching the planned target state. The organization must, of course, take a risk-based approach to address higher-risk areas and processes immediately while planning for future fraud risk management enhancements.

Countering fraud is an ongoing and continually evolving process, and the journey to the target state is a balancing act of enhancing the process, organization and governance, and technological capabilities. Becoming the leading practice across public and private sectors with real-time processing and full integration and governance of enterprise process and information should be the organization’s ultimate target state. However, creating a holistic, integrated fraud risk environment takes time. Considering the organization’s current fraud risk management practices, the strategic goals and missions, fraud environments, organizational readiness, and feasibility to implement, the organization must progress incrementally from its current state. The first step is to move purposely in developing basic counterfraud capabilities, then to move toward more integrated, industry-competitive counterfraud capabilities, followed by continual progression to the higher maturity level. This will require the organization to establish a fraud risk framework and operating model and employ a risk-based approach to continually review and systematically mitigate the highest fraud risk exposures in the most critical processes and applications. Advancing to the next level from the current state is usually a reasonable and realistic next step for the organization, even if it might appear to be a Herculean effort. An appropriate road map will aid the organization in maturing its enterprise fraud risk management by finding the optimal balance between minimizing fraud losses, doing more with less, providing high-quality customer experience and ensuring customer satisfaction while minimizing the impact on good business practices.

It should be emphasized that the target state often is a moving target as the fraud landscape is quickly changing and advancements are constantly being made. Fraud detection and prevention requires an ongoing program for continuous improvement. While the road map requires management commitment, thoughtful planning and effective execution, it is evident that not every component of the road map needs to be dealt with equally. A risk-based approach is recommended to prioritize the road map components based on the impact to the business process and in line with the organization’s strategic objectives and fraud risk management goals.

Know How to Get There

Fraud risk management is a top-down and bottom-up process. It is critical for an organization to establish and implement the right policies, processes, technology and components within the organization and diligently enforce these policies and processes collaboratively and consistently to effectively fight fraud across the organization. To effectively and efficiently counter fraud at the enterprise level, organizations should develop an integrated and holistic counterfraud program that enables enterprisewide information sharing and collaboration to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counterfraud experiences in public sectors and commercial industries have noted a few critical factors to the successful implementation of enterprisewide fraud risk management in the modern era of advanced technology and big data.

Critical Success Factor 1: Fraud Risk Management by Design
Organizations have increasingly acknowledged the emerging fraud trend and the urgency to manage fraud risk. As a result, organizations have implemented management processes and solutions accordingly. However, it is not uncommon that organizations find themselves lacking an effective enterprise fraud risk management program, sufficient governance and management framework, and consistent management processes and practices. Their fraud risk mitigation efforts tend to be poorly coordinated and reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization. In essence, fraud risk management is by no means a one-time activity but a program that must be well designed with the following key components:

  • Rigorous risk assessment process—An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and determine its exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response. A holistic fraud risk mitigation and implementation of compensating controls across the components is also necessary for cost-effective fraud management.
  • Effective governance and clear organizational responsibility—Organizations must commit to an effective governance process that provides oversight of the fraud management process. There must be a central fraud risk management program with a clear charter and accountability that will provide direction and oversight for the counterfraud efforts. The fraud risk must be managed holistically with transparency and communication integrated across the organization. The fraud risk program owner must be at a level from which clear management guidelines with effective communication and reporting mechanisms can be implemented.
  • Integrated counterfraud framework and approach—An organizationwide counterfraud framework that covers the complete life cycle of fraud management—from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management—must be established. This must be a holistic counterfraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.
  • Ecosystems of counterfraud capabilities—An organization needs an ecosystem of interconnected capabilities (not a point solution) through management planning, development, consolidation, communication and collaboration among components, and proper oversight and governance. The ecosystem will best leverage big data, will consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems, will drive transparency across users, and will provide guidance and alerts that enable smart decisions across the organization.

Critical Success Factor 2: Risk-based Approach
No organization gets to stand still while it is on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must continually take a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the target state is a balancing act of enhancing the process, organization and governance, and technological capabilities, with their proper integration throughout the organization. Proper planning and commitment with full cooperation and collaboration across components is critical to reaching the planned target state.

Critical Success Factor 3: Continual Organization Collaboration and Systemic Learning
Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback, learning, application and improvement. It requires the organization’s commitment to, and implementation of, continual systemic learning, application, coordination and collaboration, knowledge and data sharing, and communication. The organization also needs to continually align the enterprise counterfraud program with, and in support of, its strategic plan.

Critical Success Factor 4: Big Data Technology and Advanced Analytics
Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology is able to ingest data from any source, regardless of structure, volume or velocity, and to harness, filter and sift through the oceans of data—whether in motion or at rest—to find and relate the nuggets of information that really matter in detecting potential fraud. Big data provides the means to consolidate, normalize, detect and discover fraud, waste, abuse, financial crimes, improper payments, and more. Big data can also reduce complexity across lines of business, allow organizations to manage fraud pervasively across a claim’s life cycle, improve transparency with fraud intelligence sharing, increase productivity and create actionable intelligence to predict, detect, discover and manage fraud. However, organizations need to manage and maintain a balance between control and speed, moving quickly to explore and analyze big data, but also applying enough controls to avoid missteps with agile integration and governance. Therefore, a central information integration and governance function should be established to continually enhance data management capabilities; enforce standards and policies across the enterprise; and, most important, ensure the data completeness, veracity, integrity and availability.

Advanced predictive analytics can mine data to identify suspicious patterns that will enable timely detection and prevention. Cybercriminals are constantly changing and complicating their tactics and attack vectors. Organizations cannot be simply responsive, but must anticipate emerging trends and potential attacks before they occur. As coined by Louis Pasteur, “Chance favors the prepared mind,” so the more attuned an organization is to its environment and analytics, the better chance it has to be in front of the problem and not reacting to it. The vast amount of data available to an organization today prevents individual minds from discerning the patterns and, therefore, the need for automated processes to point out what should be of concern. Analytics must identify suspicious and potentially fraudulent activities, but it must also be clever as it sorts through prodigious amounts of data quickly to find what matters.

Conclusion

Smart organizations manage their enterprise fraud risk management with a well-planned road map that consists of proper organization and governance, adequate analysis of current state to understand where they are, and a holistic and integrated framework with standard management processes to provide guidance and a methodology for its practices. They manage fraud risk as an integral part of their risk culture. They develop an ecosystem of interconnected counterfraud capabilities and integrate across systems and processes, enabled by a technology strategy and with formal enterprise-level oversight and governance. These capabilities span across the enterprise security, business and technology controls. Smart organizations implement advanced technologies that support various data sources, regardless of structure, volume or velocity, with proper integration across systems and processes and enterprise-level oversight. They leverage intelligent and predictive analytics, consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) and exhibit smart tendencies (e.g., predict, detect, discover, manage, learn). They embrace and encourage organizational collaboration and continual systemic learning; constantly exercise governance of the enterprise fraud risk management practices; and provide guidance to improve smart decisions and actions, drive transparency across users and, ultimately, allow their capabilities to evolve continually.

References

  • Conning & Company, 2000: Insurance Fraud—Renewing the Crusade, USA, 2000
  • Edelman, 2012 Edelman Trust Barometer, USA, 2012
  • Gartner, The Five Layers of Fraud Prevention and Using Them to Beat Malware, USA, 2011
  • Harris Interactive, The Harris Interactive Surveys, USA, 2013
  • ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013, www.isaca.org/cobit
  • ISACA, COBIT 5 Assessment Programme, USA, 2013, www.isaca.org/cobit
  • ISACA, Assessor Guide: Using COBIT 5, USA, 2013, www.isaca.org/cobit
  • Kroll, 2013/2014 Global Fraud Report, USA 2013
  • Symantec, The 2013 Norton Report, USA 2013

Endnotes

1 Association of Certified Fraud Examiner (ACFE), Reports to the Nation, USA, 2013
2 LexisNexis, True Cost of Fraud Study, 2013
3 Rumsfeld, Donald; Known and Unknown: A Memoir, Penguin Group, USA, 2011

Zhiwei Fu, Ph.D., CISA, CGEIT, CRISC, CFE, PMP, is the senior principal of governance, risk and compliance (GRC) and cybersecurity at IBM Global Business Services. He can be reached at zhiwei.fu@us.ibm.com.

John W. Lainhart IV, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/US, is partner and cybersecurity and privacy service area leader at IBM Global Business Services. Lainhart has more than 30 years of experience, and is an industry recognized leader and expert in managing regulatory, security, risk and compliance matters in the commercial and public sectors. He can be reached at john.w.lainhart@us.ibm.com.

Alan Stubbs, MAS, is a cybersecurity consultant at IBM Global Business Services. He can be reached at afstubbs@us.ibm.com.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.