4 April 2020

Following the coronavirus outbreak, businesses are adapting rapidly to a new operating rhythm and new ways of working. Unfortunately, this uncertain climate can leave businesses vulnerable and exposed to fraud.

However, there are actions you can take to remain vigilant and protect yourself and your business from scammers. So, if you're looking to minimise risk but don't know where to begin, here's how to conduct an effective fraud risk assessment in seven steps.

1. Plan

Start by building your risk assessment team, making sure you include some senior people. Then, work together to set some goals, using SMART criteria (Specific, Measurable, Achievable, Relevant, Timely). Write down what your definition of success looks like and then communicate your intentions across the business. In uncertain times, it’s even more important to ensure your employees are alert to potential risks early, even if your risk strategy hasn’t been formalised.

When you're going through this initial process, make sure you consider:

  • the nature of your business
  • the environment and jurisdictions you operate in
  • your business culture and staff, and
  • the effectiveness of existing internal controls. [1]

2. Identify

Next, outline the risks your organisation currently faces, making sure to cover three main areas:

  • entity level: including bribery, gift policies and government relations
  • process level: covering accounts and procurement
  • transaction level: including such things as commissions, disbursements and entertainment allowances. [2]

Make sure you include your staff in the process: those on the front line may be more familiar with the risks inherent in the systems and processes they use on a day-to-day basis. Many businesses find they achieve more thorough risk identification when they allow staff to report concerns anonymously via a hotline or online tool. Even small businesses should consider setting up an anonymous online form for reporting.

During this phase, be sure to consider:

  • any incentives, pressures and opportunities employees and contractors face
  • the risk of management overriding any controls
  • fraudulent financial reporting
  • asset misappropriation
  • corruption
  • regulatory and legal misconduct
  • reputational risk, and
  • risk to information technology.

3. Assess

Once you’ve established the risks, it’s time to evaluate the potential damage they could cause. When you do, consider the likelihood of the risk happening (using a simple high, medium, low classification) as well as the potential loss.

To get an accurate picture, it's vital that you take multiple outcomes into account and analyse reputational and commercial risk, not just financial risk. You should also perform a cost/benefit analysis on each risk. In other words, consider the likely loss if you do nothing, when compared to the cost of implementing procedures and their likelihood of preventing fraud. [3]

Once you’ve done this, you can determine what procedures need to change and identify gaps in your current procedures and protocols. Compile your findings into a risk matrix.

4. Prioritise

Now that you know what to do, it's time to come up with a plan of attack for getting it done. Prioritise changes to systems and processes based on the likelihood of the risk, as well as its impact on your business. [1] Work out where there are 'easy wins', versus the changes that will take more time. Plotting the changes on a value-versus-effort matrix may also help when prioritising.

You should also immediately address any concerns that have a high probability of occurring, especially if they could lead to significant financial, reputational and/or commercial losses.

5. Communicate

Once you have a plan in place to minimise risk, it’s time to compile a report on your findings and share it across the business. Let your people know what your key focuses are and communicate any deficiencies you’ve uncovered in current processes. Include an action plan and ask your staff for their input.

Now is also the time to develop a formal fraud policy and communicate it to all employees, contractors and other relevant stakeholders.

6. Implement

Put in place your procedures and controls, making sure to include preventative, detective and response procedures.

Preventative procedures: These stop fraud from occurring in the first place, through audits, codes of conduct, training and other procedures.

Detective procedures: These uncover fraud when it occurs, such as hotlines and reporting mechanisms.

Response procedures: These reduce harm and take corrective action through investigations, accountability and remedial action protocols. [4]

7. Monitor

To give your risk assessment the best chance of success, it's important that you track the measures you've implemented and analyse their effectiveness. [5]

Adopt a mindset of continuous improvement by holding quarterly meetings where you communicate your findings and report on your progress. You should also randomly but regularly analyse transactions to make sure that people understand your procedures and follow them in their day-to-day activities.

Finally, provide ongoing training to staff so that everyone’s skills and knowledge are kept up-to-date.

Additional information

  • Fraud Risk Management: A Guide to Good Practice. Chartered Institute of Management Accountants. http://www.cimaglobal.com/Documents/ImportedDocuments/cid_techguide_fraud_risk_management_feb09.pdf.pdf
  • Fraud Risk Management: Developing a Strategy for Prevention, Detection and Response. KPMG.
  • Conducting Fraud Risk Assessments Successfully. Information Systems Audit and Control Association. http://www.isaca.org/chapters2/Western-Michigan/events/Documents/Developing%20a%20Fraud%20Risk%20Assessment_CPE_Printable%20PDF_Part1.pdf.pdf
  • Fraud Risk Management: Providing Insight into Fraud Prevention, Detection and Response. Deloitte. http://www2.deloitte.com/content/dam/Deloitte/in/Documents/finance/Forensic-Proactive-services/in-fa-frm-noexp.pdf