The starting point of effective risk management (and fraud is of course a risk) for any organisation is to have a clear awareness throughout the organisation of responsibility at three levels: the board of directors and senior managers; line managers and departmental heads; and every individual member of staff. An overview of responsibility at each of the three levels is as follows:
- The board and the senior management team. The people at the top establish the values of an organisation and set policy. The collective body (we are calling it here for simplicity “the board”) has ultimate responsibility for managing risk and for putting in place an appropriate system of internal controls to achieve this.
- Line managers. The board delegates to line managers. It is the role of managers to implement board policies on risk and control. So, managers should identify and evaluate the risks faced and design, operate and monitor a suitable system of internal control which implements the policies of the board.
- Everyone. All employees have some responsibility for risk management and internal control as part of their accountability for achieving their objectives. The participation of everyone underpins the framework.
I have coined the term “Responsibility Framework” for these roles and responsibilities. The framework can be represented diagrammatically as a triangle as shown in Diagram 1.1.
I always emphasise the importance ...