We continue our review of the Economic Crime and Corporate Transparency Act 2023, which has elevated the expectations for senior leadership and boards across large organizations. Fortunately, the UK government has put out a document entitled “Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud.” (The Guidance) Section 3.2 of the official guidance, titled “Top Level Commitment,” should be required reading for every compliance professional seeking to build a credible, defensible, and sustainable anti-fraud culture. Today, we take a deep dive into the requirement for a fraud risk assessment.

As compliance professionals eagerly anticipate the impending go-live of the UK’s Failure to Prevent Fraud Offense, it is paramount to revisit the foundational pillar of any anti-fraud strategy—the fraud risk assessment. The act of assessing fraud risk has always been critical, but in this new legislative context, its significance cannot be overstated. The comprehensive risk assessment outlined by guidance in section 3.2 provides a blueprint that can prepare your organization not only to meet compliance standards but also to strengthen your corporate defenses against fraud.

Risk assessments must be both dynamic and regularly updated. Static, outdated assessments leave your organization exposed, failing to capture evolving fraud techniques and risks introduced by changes in personnel, procedures, technology, or external environments. Organizations are now explicitly encouraged to leverage their existing risk assessment frameworks, extending them to encapsulate the broader scope of the Failure to Prevent Fraud Offense. This approach not only maximizes efficiency but also ensures thoroughness and cohesion within your risk management strategies.

Identifying Associated Persons

The term “associated persons” casts a wide net, and it is essential to thoroughly understand who within and outside your organization could potentially expose you to risk. This includes agents, contractors, and personnel in sensitive roles such as finance or procurement. Each category presents unique fraud risks, ranging from false representation and failure to disclose to false accounting and abuse of position. Properly categorizing and assessing these typologies enables targeted, efficient mitigation measures and preventive strategies tailored to specific vulnerabilities.

Leveraging the Fraud Triangle

Compliance professionals must use the Fraud Triangle. Opportunity, motive, and rationalization are foundational tools to structure their risk assessments. Each element provides a lens through which potential fraud scenarios can be systematically evaluated:

1. Opportunity: Does your organization inadvertently offer avenues for fraudulent activity due to weak controls, insufficient oversight, or technological vulnerabilities? For instance, departments such as finance, procurement, and marketing often harbor increased opportunities for fraud due to their access to funds or sensitive information. It’s also crucial to consider external agents or contractors operating with minimal oversight.
2. Motive: Financial incentives and operational pressures can drive individuals towards fraudulent activities. Compliance teams must critically assess whether reward systems such as bonuses or commissions could unintentionally incentivize fraud. Additionally, organizational pressures related to achieving financial targets, impending mergers, acquisitions, or regulatory deadlines must be closely monitored.
3. Rationalization: The justification of fraudulent acts often stems from organizational culture and industry norms. A company that subtly tolerates fraud, perhaps viewing it as a necessary evil for winning business or reaching targets, sets the stage for rationalization. Ensuring a robust speak-up culture and providing effective whistleblowing channels can significantly mitigate this risk.

Using Diverse Sources and Preparing for Emergency Scenarios

Risk assessment is enriched by diverse sources, including data analytics, past audit findings, industry-specific information, regulatory enforcement actions, and publicly available prosecutions or DPAs. These resources not only help identify potential fraud scenarios but also benchmark your organization’s prevention measures against industry standards and practices.

Unexpected emergencies, from natural disasters to economic crises, inherently increase fraud risks. Organizations must proactively incorporate emergency scenarios into their risk assessments. Doing so not only complies with the statutory obligation to demonstrate reasonable fraud prevention measures but also practically prepares your organization to adapt and maintain integrity during challenging times swiftly.

Classification and Regular Review of Risks

A thorough risk assessment involves classifying inherent risks by their likelihood and impact. This classification is vital in prioritizing resources effectively, focusing efforts on mitigating high-impact, high-probability risks. Regular reviews of your risk assessment, typically every two years, or sooner if triggered by significant internal or external changes, ensure its continued relevance and effectiveness.

Failing to update and refine your risk assessment regularly can expose your organization to severe consequences. Courts may interpret outdated assessments as indicators of inadequate preventive measures, leaving your organization vulnerable to penalties and reputational harm.

Five Key Takeaways for the Compliance Professional

Here are five key takeaways for the compliance professional:

1. Dynamic and Regular Updates Are Essential:

Risk assessments must not be viewed as one-off or static exercises. Continuous monitoring, regular updating, and adaptation to emerging fraud threats are essential to maintain relevance and ensure comprehensive fraud prevention capabilities.

2. Comprehensive Identification of Associated Persons:

Given the expansive definition of “associated persons,” compliance professionals must carefully identify and categorize all internal and external parties capable of exposing the organization to fraud risks. Tailored fraud risk mitigation strategies should then be developed based on these typologies.

3. Utilize the Fraud Triangle Effectively:

Applying the fraud triangle’s elements, opportunity, motive, and rationalization, can provide structure and depth to fraud risk assessments. This systematic approach helps to uncover specific vulnerabilities and inform targeted preventive measures.

4. Broaden Your Sources of Risk Intelligence:

Compliance professionals must leverage multiple sources, including past audit reports, data analytics, regulatory enforcement actions, and publicly available case studies. Integrating this diverse intelligence enhances the effectiveness and breadth of fraud risk assessments.

5. Incorporate Emergency Scenario Planning:

Fraud risks escalate during emergencies. Preparing and integrating emergency scenarios into your fraud risk assessment framework helps ensure that robust fraud prevention measures remain effective during crises, aligning your risk management practices with statutory obligations and best practices.

The Time to Act is Now

The clock is ticking towards the implementation of the Failure to Prevent Fraud Offense, and complacency is not an option. Conducting and maintaining a dynamic, comprehensive fraud risk assessment is no longer just best practice. It is a statutory necessity. By rigorously identifying associated persons, leveraging the Fraud Triangle, drawing insights from diverse sources, preparing for emergency scenarios, and regularly reviewing your assessment, your organization can confidently demonstrate its commitment to fraud prevention. Proactive engagement in these activities not only fortifies your compliance posture but also significantly enhances your organization’s resilience against fraud. Compliance professionals must seize this opportunity to reinforce their strategic value, embedding effective anti-fraud measures into their organizational culture and operations as we move closer to this critical regulatory milestone.

Join us tomorrow as we consider the procedures to implement your fraud risk assessment.