Among the many threats to shareholder value that bank directors must address, the risk of internal fraud is among the most challenging. Virtually all bank directors recognize their obligation to actively oversee the way the bank monitors its employees to mitigate the risk of fraud, but most directors also understand the need to avoid micromanaging day-to-day operations.
Treading the fine line between oversight and overstepping can be difficult. Often it means learning to ask the right questions of the right people, particularly of the bank’s senior management team.
Because every bank’s risk profile is unique, no single list of questions can fit every institution. Nevertheless, it is possible to outline some broad principles and useful questions within three general areas of strategic, board-level concern.
Corporate Governance
The major corporate governance elements related to internal fraud are the components of the organization's management and oversight structure, including the bank's published code of conduct, written ethics policy, fraud policies and procedures, and loss reporting practices. Board members should exercise direct and active oversight of these components and be prepared to ask management a broad range of questions, including:
- How frequently are our code of conduct and ethics policies reviewed and updated?
- In addition to introducing our ethics policies during new employee training, how else—and how often—are these policies communicated and reinforced?
- How are fraud losses identified, tracked and reported to the board? Are board members and executives regularly briefed on current fraud issues and trends by the appropriate managers?
- Are employees able to report suspicious behavior outside the day-to-day management structure, or are they able to report it only through their immediate superiors?
- Has the bank established a whistleblower hotline that allows employees to report suspected fraud anonymously?
- How is hotline activity measured and tracked? How is the program’s effectiveness measured and evaluated?
- How often is the whistleblower hotline publicized and reinforced in regular employee communications?
The Control Environment
The next broad area of board concern, the control environment, addresses the various tools, processes, and other components that implement the fraud policies prescribed by corporate governance. Issues of strategic-level concern in this area tend to revolve around training, accountability, and equitable treatment, as well as the effectiveness, efficiency and reliability of fraud reporting practices. Useful control environment questions for board members to ask include:
- How is fraud awareness training being provided throughout the organization? Is awareness training tailored to each line of business?
- Beyond awareness, do employees receive training on ethics, fair service and honest dealing?
- Are employees being trained on specific anti-fraud practices and controls? Once trained, are they held accountable?
- Are fraud policies implemented and enforced consistently and fairly? Are senior-level or revenue-producing personnel subject to the same enforcement as junior or administrative staff members?
- Are anti-fraud controls consistently monitored and tested as part of the internal audit function?
- Do employees know how to report fraud?
Incident Management and Response
The board of directors has primary responsibility for seeing that there is a defined structure and process for responding to fraud-related incidents and issues, including clearly defined roles and responsibilities. It is important that incident response protocols are applied consistently across the institution, rather than allowing each line of business to pursue its own course. To carry out this responsibility, directors should be prepared to ask questions such as:
- Is there a high-level, organization-wide policy regarding incident management? Does it set forth adequate protocols including all relevant legal, reporting and regulatory requirements? Is the policy regularly reviewed and updated?
- Who is the designated management-level employee with the authority to manage and administer fraud investigations and responses?
- Has management taken adequate steps to support this employee with an appropriate team involving legal, human resources, internal audit, information technology and other departments?
- Is there adequate oversight to allow fraud inquiries to proceed without interference from the affected lines of business?
- Does the board receive regular briefings on material issues of fraud or fraud management?
- How does the organization learn and evolve based on industry events and previous large incidents of fraud?
The scope of a director’s responsibility extends far beyond these three general areas alone, but starting with these broad topics can help board members maintain their focus at the strategic level while still posing challenging questions. In addition to establishing the appropriate “tone from the top,” such questions can help guide the management team toward more active and effective management of internal fraud risk.