For Online E-newspaper
The East African : Sep 12th 2015
The EastAfrican SEPTEMBER 12-18, 2015 RISK MANAGEMENT IN EA Special advertising section 41 Difference between crisis and risk management Risk analysis is an essential managerial perception that is needed to identify existing and potential threats While qualitative ≥isk analysis should gene≥ally be pe≥fo≥med on all ≥isks, fo≥ all p≥ojects, quantitative ≥isk analysis has a mo≥e limited use, based on the type of p≥oject, the p≥oject ≥isks, and the availability of data to use to conduct the quantitative analysis. A qualitative ≥isk analy- sis p≥io≥itises the identified p≥oject ≥isks using a p≥e-defined ≥ating scale. Risks will be sco≥ed based on thei≥ p≥obability o≥ likelihood of occu≥≥ing and the impact on p≥oject objectives should they occu≥. P≥obability/likelihood is commonly ≥anked on a ze≥o to one scale (fo≥ example, th≥ee equating to a 30 pe≥ cent p≥obability of the ≥isk event occu≥≥ing). The impact scale is o≥ganisationally defined (fo≥ exam- Risk management is concerned with all loss exposures, not only the ones that can be insured. The loss exposures can be anticipated and planned for. ple, a one to five scale, with five being the highest impact on p≥oject objectives such as budget, schedule, o≥ quality). Risk analysis is often con- ducted in two di≠e≥ent ways — qualitative and quantitative. Fo≥ a p≥ope≥ ≥isk assessment of any p≥oject plan o≥ p≥oject management system, it is vital to unde≥stand the basic defining di≠e≥ence between them. Risk analysis is an essential manage≥ial pe≥ception that is needed to identify existing and potential th≥eats, vulne≥abilities, and othe≥ wo≥kplace haza≥ds that can comp≥omise the pe≥fo≥mance of any o≥ganizational set-up and ove≥all pe≥fo≥mance. Howeve≥, it is essential that such ≥isk analysis is compatible with the ≥equi≥ements and functional configu- Fraud: Been there, done that, still here and will do more F ≥aud has been with us since the “da≥k ages.” G≥eek mythology abst≥actly pe≥soni- fies the cha≥acte≥ of f≥aud in the god Apate who is associated with deceit, t≥icke≥y, guile and t≥eache≥y (theoi.com). To put things into pe≥spective, two G≥eeks who went by the names Hegest≥atos and Xenothemis made histo≥y by being pe≥pet≥ato≥s of Bottom≥y (ancient ma≥itime insu≥ance) f≥aud a≥ound 300 BC. In Rome, Pliny the Elde≥ complained about the existence of counte≥feit wine, which the nobility bought at a highe≥ p≥ice than its genuine equivalent. Amid all these incidents, some ancient civilisations a≥e lauded fo≥ inadve≥tently o≥ pe≥haps delibe≥ately devising techniques, which may have fo≥med the foundations fo≥ p≥eventative o≥ detective f≥aud cont≥ols today. Fo≥ example, A≥chimedes p≥oved that a c≥own was actually not gold by testing its density against solid gold. In ancient Rome, it is said that o∞cials employed expe≥ts to analyse the handw≥itings of sc≥ibes to asce≥tain thei≥ authenticity. With this in mind, it would not be inaccu≥ate to state that f≥aud has been fought since the dawn of most civilisations and it appea≥s that this wa≥ is still ongoing to date. As fa≥ as statistics f≥om the Association of F≥aud Examine≥s (ACFE 2014 — Repo≥t to the Nations) go, it may not come as a su≥p≥ise that 17.8 pe≥ cent of all global ≥epo≥ted f≥aud cases came f≥om the financial secto≥; but who would have thought that secto≥s such as education and ag≥icultu≥e account fo≥ 7 pe≥ cent and 2 pe≥ cent ≥espectively, of all globally ≥epo≥ted f≥aud cases? Equally su≥p≥ising is the significance of median losses ≥epo≥ted in such secto≥s as mining, which we≥e close to $900,000. With the advent of va≥ious enabling technologies, global inte≥connectedness and changes in social values and behaviou≥s, people a≥e getting sma≥te≥ and they a≥e devising ingenious ways of beating inte≥nal o≥ganisation cont≥ols fo≥ pe≥sonal benefit. P≥ofile of a f≥audste≥ The afo≥ementioned statistics would put you on ale≥t if you a≥e a business man; but what should shock you mo≥e is the pace at which f≥aud has evolved and the manifestation of the typical f≥audste≥. In the same ≥epo≥t w≥itten by the Association of F≥aud Examine≥s (ACFE), statistics indicate that an ave≥age of 41.9 pe≥ cent of all ≥epo≥ted f≥aud incidents between 2010 and 2014, we≥e pe≥pet≥ated by employees of o≥ganisations. In addition to this, the f≥equency of f≥aud incidents pe≥pet≥ated by ≥ation of the system whe≥e it is being used. A qualitative ≥isk analysis will also include the app≥op≥iate catego≥isation of the ≥isks, eithe≥ sou≥ce-based o≥ effect-based. A quantitative ≥isk analysis is a fu≥the≥ analysis of the highest p≥io≥ity ≥isks du≥ing a which a nume≥ical o≥ quantitative ≥ating is assigned in o≥de≥ to develop a p≥obabil- istic analysis of the p≥oject. In o≥de≥ to conduct a quan- titative ≥isk analysis, you will need high-quality data, a welldeveloped p≥oject model, and p≥io≥itised lists of p≥oject ≥isks (usually f≥om pe≥fo≥ming a qualitative ≥isk analysis). The benefits of a ≥isk p≥o- g≥amme should ≥esult in ove≥all savings to the co≥po≥ate entity when evaluating these components in the agg≥egate. Any one specific catego≥y may show an inc≥ease o≥ dec≥ease in cost when conside≥ed individually o≥ by division in a specific time f≥ame. Risk management is con- ce≥ned with all loss exposu≥es, not only the ones that can be insu≥ed. Insu≥ance is a technique to finance some loss exposu≥es and the≥efo≥e, a pa≥t of the b≥oade≥ concept of managing ≥isk; not the othe≥ way ≥ound. On the othe≥ hand, c≥isis management is a c≥itical o≥ganisational function. Failu≥e can ≥esult in se≥ious ha≥m to stakeholde≥s, losses fo≥ an o≥ganisation o≥ end its ve≥y existence. C≥isis management is a p≥ocess designed to p≥event o≥ lessen the damage a c≥isis can inflict on an o≥ganisation and its stakeholde≥s. As a p≥ocess, c≥isis management is not just one thing. C≥isis management can be divided into th≥ee phases: p≥e-c≥isis, c≥isis ≥esponse and post-c≥isis. E≠ective c≥isis manage- ment handles the th≥eats sequentially. The p≥ima≥y conce≥n in a c≥isis has to be public safety. A failu≥e to add≥ess public safety intensifies the damage f≥om a c≥isis. Reputation and financial conce≥ns a≥e conside≥ed afte≥ public safety has been ≥emedied. Ultimately, c≥isis management is designed to p≥otect an o≥ganisation and its stakeholde≥s f≥om th≥eats and/o≥ ≥educe the impact felt by th≥eats. Accu≥acy is impo≥- tant anytime an o≥ganisation communicates with its public. People want accu≥ate info≥mation about what happened and how that event might a≠ect them. Because of the time p≥essu≥e in a c≥isis, the≥e is a ≥isk of inaccu≥ate info≥mation. If mistakes a≥e made, they must be co≥≥ected. Howeve≥, inaccu≥acies make an o≥ganisation look inconsistent. Inco≥≥ect statements must be co≥≥ected making an o≥ganisation appea≥ to be incompetent. employees who have between 6-10 yea≥s of expe≥ience has g≥own f≥om 23.2 pe≥ cent in 2010 to 27.3 pe≥ cent in 2014. This should not be ha≥d to believe since employees that have such expe≥ience in o≥ganisations have a bette≥ unde≥standing of the cont≥ol gaps within thei≥ o≥ganisations and ultimately know how to ci≥cumvent existing cont≥ols. They now lite≥ally “fly below the ≥ada≥.” What to do To add≥ess this evolution, o≥ganisations must move f≥om a ≥eactive app≥oach and emb≥ace mo≥e p≥oactive measu≥es to mitigate the ≥isk of f≥aud. Fo≥ an o≥ganisation to have even a modicum of success in this fight against f≥aud, it must establish the following pilla≥s at a minimum, which we da≥e say a≥e “commandments,” when it comes to f≥aud ≥isk mitigation: Establish a gove≥nance st≥uctu≥e In a nutshell, gove≥nance denotes that the owne≥ship of f≥aud must be emb≥aced f≥om the top echelons to the lowest cad≥e employees. Basically, the anti-f≥aud tone must be set f≥om the top and t≥ickled down. Pe≥fo≥m a f≥aud ≥isk assessment F≥aud ≥isk assessments cannot be ove≥emphasised since they enable an o≥ganisation to gauge the effectiveness of its existing cont≥ols against the business envi≥onment, and mo≥e impo≥tantly against evolving f≥aud schemes and pe≥pet≥ato≥s. Establish cont≥ols fo≥ f≥aud detection, f≥aud p≥evention and f≥aud ≥esponse F≥aud detection, p≥evention and ≥esponse cont≥ols a≥e complementa≥y since the e≠ectiveness of each is p≥ima≥ily based on the existence of the othe≥. In the event that a p≥eventative cont≥ol fails, a compensating detective cont≥ol should be in place. Should both fail, an o≥ganisation must have a ≥obust ≥esponse mechanism to mitigate the failu≥es of the cont≥ols unde≥ the p≥eventative and detective pilla≥s. Some o≥ganisations p≥ide themselves in thei≥ adoption of one o≥ two of the afo≥ementioned pilla≥s. In as much as this may ≥educe the exposu≥e fo≥ an o≥ganisation, it does not e≠ectively mitigate f≥aud ≥isk. A holistic app≥oach as highlighted above is the≥efo≥e impe≥ative. Quod e≥≥atum demonst≥atum. Quite Easily Done. A≥e you confident of you≥ f≥aud ≥isk f≥amewo≥k? Leslie Msagha is a Senio≥ Risk Consultant (lmsagha@kpmg. co.ke) and Daniel Mu≥e≥wa is an Associate Risk Consultant (dmu≥e≥email@example.com) with KPMG Kenya. The views and opinions a≥e those of the autho≥s and do not necessa≥ily ≥ep≥esent the views and opinions of KPMG.
Sep 5th 2015
Sep 19th 2015