This content is independent of any content coming from insurance brokers or insurers or law firms. There are many misconceptions around Fraud Risk, just like many topics in risk management and commercial insurance.
The above video shows a real life example of Fraud Risk and ensuing liability. In short, it is a company's CEO that was brought to court by shareholders for allegedly defrauding the company and its investors. The video also explains the relevant types of commercial insurance that could have been used by (a) the company and its investors to recoup the losses incurred due to the alleged fraud; and (b) the CEO for the expenses borne in the litigation.
It is a form of Operational Risk, specifically the risk of fraud by employees, service providers, or other third parties, faced by an organization and its stakeholders. Fraud Risk can take different forms, ranging from a traditional Ponzi scheme to modern cyber fraud.
Fraud Risk Assessment
The assessment of Fraud Risk is one of the hardest in risk management, simply because it is very difficult to measure or calculate the probability of a given fraud event occurring. This is especially true for fraud schemes involving insiders: it is very difficult to predict an insider's character and intentions in the lead-up to a fraud event. Cyber Fraud Risk, on the other hand, is easier to predict and measure, given the ability to mathematically estimate the effectiveness of the cyber controls in place.
Fraud Risk Factors
There are numerous factors that can lead to Fraud Risk. It is difficult to enumerate all of them; however, the following lists some:
- Lack of basic controls such as countersignatures on checks, double reconciliations, corporate governance, etc.
- Implementation of systems without regard to their related fraud risk (e.g., installing software that makes the organization more vulnerable to external fraud)
- Implementation of business practices without regard to their related fraud risk (e.g., adopting a new cash-based service)
Fraud Risk Management
The management of Fraud Risk entails (a) the implementation of controls to prevent the occurrence of a fraud; and (b) the procurement and management of commercial insurance to hedge against most residual risks that are not prevented by the implemented controls. Because Fraud Risk assessment is difficult, as mentioned above, we prefer strengthening the procurement and management of commercial insurance in order to hedge against Fraud Risk. We believe this to be even more true for small to mid-sized organizations, which will find it expensive to implement controls against Fraud Risk. Instead, a wiser spend would be on relevant Fraud Risk insurance, as outlined below.
Fraud Risk Insurance
D&O insurance, which stands for Directors and Officers Liability Insurance, protects management and members of the board of directors in case of liability against them, and in turn pays for any of their defence or settlement costs in the event of a lawsuit or monetary demand. The business itself as a legal entity can also be insured under such commercial insurance.
This is an example of a CEO who was allegedly embezzling money from the company he was heading up. Investors took note and decided to launch a lawsuit against the CEO. Now let's look at this objectively: if the CEO is innocent, he would still have to pay his lawyers' fees, which make up most of the defence costs he would have to incur. On the other hand, if the CEO is guilty, he would have to pay some form of settlement, as advised by his lawyers, in order not to let the case drag on in court and produce a final guilty verdict against him. In either scenario, D&O insurance would pay for the CEO's defence and/or settlement costs.
That said, if the D&O insurance policy was not structured correctly, meaning that the terms and conditions of the policy were not amended to reflect the different and relevant loss scenarios, then the probability of the insurance company denying coverage can be quite high. It is therefore important for a risk management consultant who is independent of any insurance broker or company to be involved in the process of structuring and triggering this type of commercial insurance.
Crime insurance, also known as a Fidelity Bond or Fidelity Insurance, protects a business against a fraudulent event caused by employees or third parties. Just like any type of business insurance, it should be structured according to the specific operational risk of the business, which in this case entails the business's fraud risk scenarios and measures.
If the business shown in this example had bought relevant crime insurance, it would not have needed to resort to suing its CEO; instead, it would simply have recouped the allegedly embezzled amounts from the insurance company, assuming the commercial insurance policy was triggered properly for an effective payout.
Regulators often require businesses in certain industries to purchase crime insurance. However, the terms and conditions of such commercial insurance, as accepted by regulators, are considered generic or off the shelf and mostly irrelevant to the specific fraud risk of a business. What ends up happening is that many businesses purchase crime insurance only because they are required to do so, but they do not end up using it as an effective hedge against their fraud risk.