Corruption and Fraud Risk Management using ISO 31000

3. Project manager
Valentyn Sysoev
Kyiv, Ukraine
Consulting, audit
E-mail: v.sysoev@auditagency.com.ua
Valentyn has more than 8 years of experience in information security as a
consultant, auditor and advisor. He has provided services for financial,
insurance, industrial, energy and other customers as an expert in
information security and risk management.
Valentyn leads consulting and audit projects as well as projects related
to IS audit and IS assurance, crisis and business continuity management,
and international standards implementation, specifically PCI DSS, ISO 27001
ISMS, ISO 31000 Risk Management, ISO 21500 Project Management,
ISO 38500 Corporate Governance of IT, ITIL 3, COBIT 5, VISA and
MasterCard.
Education and certification:
• Master's degree in information security
• CISA - Certified Information Systems Auditor (ISACA)
• CISM - Certified Information Security Manager (ISACA)
• Certified ISO/IEC 27001 Lead Auditor (PECB)
• Certified ISO 27005 Risk Manager (PECB)
Specialization
Common information:
• Information security governance
• Crisis management and business continuity management
• Incident management
• Antifraud, fraud detection
• Physical and HR security
• Information and operational risks management
• Project Management
• Corporate Governance
Chosen experience:
• More than 30 consulting projects: ISMS according to ISO 27001,
PCI DSS, PIN Security, BCP/DR, ISO 9001, ISO 31000, information
and operational security risks, security awareness, incident and
business continuity management.
• More than 25 IT & IS audit projects: compliance with ISO 27001, COBIT
4.1 and PCI DSS, IS internal controls audit, third-party audit.
• More than 5 information system assurance projects:
information systems and network penetration tests, social
engineering, physical penetration tests, vulnerability scanning.
© Active Audit Agency 03.06.2015
4. Scope and Objectives

Summary of webinar
• In this webinar, participants develop the competence to master a model for implementing
corruption and fraud risk management processes throughout their organization, using the ISO
31000:2009 standard as a reference framework.
• During this training, I will present the ISO 31000 general risk management standard, the process
model it recommends, and how companies may use the standard for corruption and fraud risk
management.
Learning objectives
• To understand the concepts, approaches, methods and techniques that allow effective
corruption and fraud risk management according to ISO 31000
• To acquire the competence to implement, maintain and manage ongoing corruption and
fraud risk management using ISO 31000
• To acquire the competence to effectively advise organizations on best practices in corruption
and fraud risk management
5. Background
• Corruption and fraud risk assessment is required by the Law of Ukraine
«On Prevention of Corruption»:
o The head of a legal entity shall ensure corruption and fraud risk
assessment within the organization and provide adequate controls.
o Anti-corruption programs shall be developed subject to corruption
and fraud risk assessment and be inclusive of "guidelines, standards
and procedures on corruption and fraud risk management within the
organization".
• The risk assessment framework is based on the International Standard ISO/IEC
31000:2009 "Risk management — Principles and guidelines on
Implementation" as well as on the international background of corruption
risk assessment methodologies and corruption prevention planning such as
those used in Slovenia, Serbia, Montenegro, Australia and the USA.
6. Corruption and fraud risks assessment - main stages

1. Preparation and planning
   1.1 Preparatory actions
   1.2 Understanding the organization and its environment
   1.3 Assessment planning
2. Corruption and fraud risks detection
   2.1 Functions and processes description
   2.2 Detecting threats and risk factors
   2.3 Existing controls analysis
   2.4 Corruption and fraud risk description
3. Corruption and fraud risks analysis and evaluation
   3.1 Threat likelihood assessment
   3.2 Impact assessment
   3.3 Risk levels evaluation
   3.4 Risks assessment report
4. Corruption and fraud risk response
   4.1 Risk response actions
   4.2 Residual risks
   4.3 Corruption and fraud prevention plan
5. Communication and consulting (carried out alongside all stages)
6. Risks monitoring and review (carried out alongside all stages)
7. Stage 1.1 Preparatory actions
• Choose a format:
– Self-assessment, i.e. internally by the institution's personnel without
external experts' involvement, or
– Together with invited experts skilled and knowledgeable in the
methodology of corruption and fraud risk assessment, or
– Fully outsourced to external experts
• Working group creation
– Structure, privileges, training
• Communicating to the institution's personnel
• Develop the plan
8. Stage 1.1 Preparatory actions: risk assessment plan

Plan columns: # | Stage | Actions and tasks | Responsible | Terms of delivery (start date, end date).
The Responsible, start date and end date columns are blank on the slide; the rows are:

Preparation and planning of corruption risk assessment
1 | Preparatory actions | Working group training
2 | Preparatory actions | Risk assessment plan development
3 | Understanding the institution and its functional environments | Definition of external and internal parties of the institution
4 | Understanding the institution and its functional environments | Analysis and understanding of the external and internal environments of the institution
5 | Collection and analysis of information | Preparation of the necessary documentation and the list and sources of information
6 | Collection and analysis of information | Collection of required documentation and information
7 | Collection and analysis of information | Processes identification and modelling
8 | Collection and analysis of information | Justification of the processes and models by the Working group and analysis planning
9. Stage 1.2 Understanding the institution and its functional environments
• ISO 31000 expects you to consider your organization's context (pros and cons)
through the:
– External environment (external factors that cause/control corruption)
• independence, budget, appointment of the top management, strategies, control, security
issues, citizens, etc.
• to identify external strengths, weaknesses, opportunities and threats regarding corruption
– Internal environment (internal factors that cause/control corruption)
• includes organisational aspects (legislation, processes, objectives, competences etc.), human
resources (capabilities) and implementation of processes in practice (legal framework vs.
practice, sanctions, transparency), with the aim of considering its
– Objectives and strategies in place to achieve objectives
– Governance, structure, roles and accountabilities
– Capability of people, systems and processes
– Decision-making process
– Human, technological and financial resources
– Changes to processes or compliance obligations
10. Stage 1.2 Understanding the institution and its functional environments (output)
• The output of this stage in the risk management process:
– pros and cons: external and internal factors that cause / control
corruption and fraud in the institution
– details of the organisation's objectives, processes / functions, competences,
legal framework, expectations of citizens
– a set of areas which should be allocated attention
• These can then be used to prioritise the order in which you tackle the next
task.
– basically, to know your organizational pros and cons regarding
corruption and fraud.
11. Stage 1.3 Assessment planning
Define the approaches and methods for risk assessment and develop the supporting
tools:
• Common and/or anonymous surveys (questionnaires) for employees or external parties
• Brainstorming
• Focus groups
• In-depth / structured interviews
• Checklists
• Observing the daily activities
• Scenario analysis
• Delphi method
• Information systems analysis
• Legislation, regulatory and other documentation analysis
12. Stage 2 Corruption and fraud risks detection
13. Stage 2.1 Functions and processes description: why describe functions and processes
Corruption and fraud are usually connected to the decision-making process and appear because of
vulnerability to corruption/fraud from the perspective of the process and the conditions related to it. Thus we
need to analyze the main and secondary processes of the organization in detail to identify whether they are
vulnerable to corruption and fraud.

Diagram: Institution → Institution's functions 1, 2, ..., n → Processes 1.1, 1.2, ..., n.n; each process is
examined for its fraud factors and for the fraud threats that can exploit them.
14. Stage 2.1 Functions and processes description: description order
The functions and processes of the institution have to be reviewed from the
upper level to the lower levels. The description has to be performed in the
following order:
• Function description;
• Processes (high level) description for every function;
• Sub-processes description (low-level processes);
• Operations / procedures / steps description for each process.

Hierarchy: Institution's functions → Processes → Sub-processes and tasks
15. Stage 2.1 Functions and processes description: tools for business process description
In order to describe and model the functions and business
processes you may use the following software:
• MS Visio or another diagram editor;
• MS Word or other word processing software;
• MS Excel or other spreadsheet software;
• Specific software if available (ARIS, Industry Print, QPR Suite ...).

Process description workflow: Define IN and OUT for the process → Define the resources →
Produce a process model → Describe the process model in the selected format → Check the
process model → Document and approve.
16. Stage 2.2 Risk threats and factors definition: tools to define corruption/fraud action threats and factors
The definition of corruption/fraud action factors and threats is done
based on:
• information gathered by the working group during interviews,
• internal normative documentation which governs the activities of the
institution and/or business unit,
• information from business process observation and its performance;
we may also use the other methods and tools chosen earlier during the risk
assessment planning phase.
17. Stage 2.2 Risk threats and factors definition: corruption and fraud factors detection
The goal of this stage is to detect the whole list of possible corruption
and fraud factors which may exist in the functions, processes,
procedures, regulations, information systems etc., and can be used to
exploit the potential corruption action threats.
The corruption and fraud factors are:
• shortcomings of a process or group of processes,
• absence or insufficiency of corruption prevention controls,
• contradictions in the requirements or the possibility of their dual
interpretation,
• complexity or excessive bureaucracy of the process
– that is, everything that may lead to misuse of an official position to gain undue
advantage.
18. Stage 2.2 Risk threats and factors definition: corruption and fraud factors
Human factor (H) and ethical factors and conflict of interest (E):
• Realization of the institution's anti-corruption policy
• Unregulated conflict of interest
• Material and intangible gifts, donations to workers
• Donations, charity funding to the institution
• Protection of whistleblowers (informers)
• False motives
• Financial perturbations
• Pressure and intrusions
• The level of realization
Organizational and operational factors (O):
• Collisions and contradictions in regulatory acts and regulations
• Decision-making process is arbitrary
• Terms of decision making are arbitrary
• The functions, rights, responsibilities and accountability are blurred
• Abuse of contacts
• Information is closed
• Unregulated relationships with interested parties
• Excessive burdens
19. Stage 2.2 Risk threats and factors definition: corruption and fraud action threats detection
The corruption and fraud factors don't produce any impact by
themselves; corruption and fraud action threats must exist in order to
exploit them.
Corruption action threats: bribery, nepotism, stealing, conflict of interest, fraud, collusion,
extortion, exaction, abuse, resource exploitation.
20. Stage 2.3 Existing controls analysis
• As the result of this stage, all existing corruption prevention controls
which may control or compensate for possible corruption
factors must be described.

Columns: # | Corruption factors | Corruption threat | Existing control
1 | Legislated recruitment process is inefficient. | Conflict of interest, nepotism, abuse, theft | Standard provisions for recruitment process
2 | Notifications of Code of ethics and conflict of interest Policy violation are insufficient | Conflict of interest, nepotism | Standard provisions and Code of ethics
3 | The process of whistleblowers' work and protection is not established. | Abuse, imposture, theft, information misuse | No control
4 | Employees are not motivated to report corruption offences | Imposture, theft, bribery, information misuse | Hot line
21. Stage 2.4 Corruption and fraud risk description
• Risk should be described based on the corruption/fraud threats and factors,
taking into account existing control and prevention measures.

Columns: # | Corruption factors | Corruption threat | Existing control | Corruption and Fraud Risk
1 | Recruitment process is inefficient. | Conflict of interest, nepotism, abuse, theft | Standard provisions for recruitment process | Inefficiency of the recruitment process may lead to the risks of corruptive offense (conflict of interest, nepotism, collusion, patronage, bribery, abuse) in the organization
2 | Notifications of Code of ethics and conflict of interest Policy violation are insufficient | Conflict of interest, nepotism | Standard provisions and Code of ethics | Insufficiency of the process for communicating violations of the Code of ethics and conflict of interest Policy may lead to corruption (conflict of interest, nepotism, extortion, bribery, abuse) in the organization
3 | The process of whistleblowers' work and protection is not established. | Abuse, imposture, theft, information misuse | No control | The absence within the institution of a process to work with and protect whistleblowers and to protect their identity may lead to corruption (conflict of interest, nepotism, extortion, bribery, abuse) in the organization
22. Stage 3 Corruption and fraud risks analysis and evaluation
23. Stage 3.1 Threat likelihood assessment
• The likelihood level evaluation and corresponding risk prioritization are based on
the corruption/fraud threats and factors, estimated by the members of the working group
taking into account existing control and prevention measures and their effectiveness.

Likelihood level | Likelihood level description
4 - SURE | Probable or almost certain (the act may be committed in the short term and perhaps even
several times): a corruption and fraud act was committed or may be
committed in the next few months and can be repeated (monthly, weekly, ...).
3 - POSSIBLE | Perhaps (the act may be committed in the medium term): a corruption and
fraud act was committed or may be committed during the year and can be repeated
several times.
2 - SELDOM | Sometimes (in exceptional cases): the act was not committed or had been
committed only once in the last three years, and it is probable that the act will be
committed within three years.
1 - NEVER | Never: the act was not committed and the likelihood of committing the
act is almost impossible because the existing measures are sufficient to
prevent corruption.
24. Stage 3.2 Impact assessment
• The consequences of the risk can be assessed in three categories: financial loss,
reputational loss and legal impact.

Impact level | Financial impact | Legal impact | Reputational impact
4 - CRITICAL | Large financial loss (> 1M USD) | Lawsuits against the institution or employees (criminal and administrative responsibility) | Loss of reputation among the general population (negative publicity in the mainstream media of the country, etc.)
3 - HIGH | Significant financial loss (100K - 1M USD) | Lawsuits against employees (administrative and criminal responsibility) | Loss of reputation among the parties in direct contact (negative publicity among parties in direct contact)
2 - MEDIUM | Minor financial loss (< 100K USD) | Administrative and disciplinary responsibility | Loss of reputation among professionals (negative publicity within the institution)
1 - LOW | No financial loss expected | Disciplinary responsibility | Loss of reputation among the employees of the structural unit / department (negative publicity within the unit)
25. Stage 3.3 Risk levels evaluation
• The risk level evaluation and corresponding risk prioritization are based on the corruption
threat likelihood and impact.

Risk matrix (risk level = likelihood level x impact level):

Likelihood level \ Impact level | 1-LOW | 2-MEDIUM | 3-HIGH | 4-CRITICAL
4-SURE     |  4 |  8 | 12 | 16
3-POSSIBLE |  3 |  6 |  9 | 12
2-SELDOM   |  2 |  4 |  6 |  8
1-NEVER    |  1 |  2 |  3 |  4

Risk level | Risk criteria
CRITICAL (12-16) | Corruption acts are almost certain to occur and occur frequently. Their
impact is huge and controls should be implemented immediately.
HIGH (6-9) | Corruption acts are likely to occur and the impact of these acts is high.
Controls should be implemented as quickly as possible.
MEDIUM (3-4) | There is a potential likelihood of corruption acts occurring. The impact
may be medium and controls should be implemented within a reasonable
period of time.
LOW (1-2) | There is little likelihood of corruption acts occurring. The potential
impact is low. Hence, risk monitoring and corruption controls should be
implemented if necessary.
26. Stage 3.4 Risks assessment report
• As a result of the risk assessment, the Working Group should develop the Corruption and Fraud
Risk Assessment Report that includes:
o function or process
o corruption/fraud threats and factors
o existing control
o likelihood and impact of risks
o risk level

Columns: # | Corruption factors | Corruption threat | Existing control | Corruption and Fraud Risk | L | I | R
(L = likelihood level, I = impact level, R = risk level)
1 | Recruitment process is inefficient. | Conflict of interest, nepotism, abuse, theft | Standard provisions for recruitment process | Inefficiency of the recruitment process may lead to the risks of corruptive offense (conflict of interest, nepotism, collusion, patronage, bribery, abuse) in the organization | 4 | 2 | 8
2 | Notifications of Code of ethics and conflict of interest Policy violation are insufficient | Conflict of interest, nepotism | Standard provisions and Code of ethics | Insufficiency of the process for communicating violations of the Code of ethics and conflict of interest Policy may lead to corruption (conflict of interest, nepotism, extortion, bribery, abuse) in the organization | 3 | 3 | 9
27. Stage 4 Corruption and fraud risk response
28. Stage 4 Corruption and fraud risk response
• The definition of response measures, i.e. corruption response measures, is the last step
in the process of corruption risk response development.
• This stage assumes:
o the selection of response actions
o residual risks definition
o required resources identification
o the goal and indicators to measure results
o responsible persons for plan implementation
o terms compliance and monitoring
All information mentioned above should be represented in the Corruption response plan.

Response plan columns: # | Corruption risk description | Managed risk (L, I, R) | Goal | Response actions |
Performance targets | Residual risk (L, I, R) | Budget | Conditions and prospects | Responsible person |
Execution time | Monitoring period. (Budget, conditions and prospects, responsible person, execution time
and monitoring period are blank in the sample rows.)

1 | Absence of an information security management system for sensitive information protection, which may lead to corruption (misuse of information, extortion, bribery, abuse) in the organization. | 3, 3, 9 | Risk reduction | Develop, document and implement an Information Security management system based on the International Standard ISO/IEC 27001:2013 | ISMS is implemented. International certificate of compliance awarded (in perspective) | 2, 2, 4
2 | Insufficient equipment to control leakage of sensitive information and insufficient funding may lead to corruption (information misuse, extortion, bribery, abuse) in the organization. | 3, 2, 6 | Risk reduction | Conduct an information risk assessment in the scope of ISMS implementation; define and implement technical controls for data leakage prevention for sensitive information | Technical controls for data leakage prevention for sensitive information are implemented | 2, 2, 4
4 | Imperfection of the currently used software (NDU Zvit, SPED) for reporting to the Commission results in delays in information processing, which may lead to corruption (information misuse, extortion, bribery, abuse) in the organization. | 3, 2, 6 | Risk reduction | Implement new (or improve existing) software which can eliminate the delays in information processing | N/A | 2, 2, 4
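The likelihood x impact scoring of stages 3.1 to 3.3 and the managed versus residual risk columns of the response plan above, worked through as an added Python example (not code from the deck or from Active Audit Agency). The 1..4 scales, the risk bands and the sample register rows are taken from the slides; the function names, the register layout and the band-coverage check are this example's own assumptions.

```python
"""Risk scoring for the corruption/fraud method described above.

Added example, not from the original deck. The 1..4 likelihood and impact
scales, the product matrix (R = L x I) and the risk bands come from the
stage 3.1-3.3 slides; the register rows are the deck's sample entries.
Function names and the row layout are this example's own.
"""
from typing import List, Optional, Tuple

LIKELIHOOD = {1: "NEVER", 2: "SELDOM", 3: "POSSIBLE", 4: "SURE"}
IMPACT = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
# Risk criteria: (lowest score, highest score, band label).
RISK_BANDS = [(1, 2, "LOW"), (3, 4, "MEDIUM"), (6, 9, "HIGH"), (12, 16, "CRITICAL")]


def risk_score(likelihood: int, impact: int) -> int:
    """R = L x I; both inputs must be on the method's 1..4 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1..4")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a matrix score to its band (LOW, MEDIUM, HIGH or CRITICAL)."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is not covered by the risk criteria")


def matrix_fully_banded() -> bool:
    """Check that every cell of the 4x4 matrix maps to exactly one band.

    The bands skip 5, 7, 10, 11 and 13-15; that is only safe because no
    product of two numbers in 1..4 takes those values. Re-run this check
    whenever the scales or the band limits are changed.
    """
    for lik in LIKELIHOOD:
        for imp in IMPACT:
            hits = [b for b in RISK_BANDS if b[0] <= lik * imp <= b[1]]
            if len(hits) != 1:
                return False
    return True


# A register row: (factor, L, I, residual L or None, residual I or None).
Row = Tuple[str, int, int, Optional[int], Optional[int]]


def evaluate_register(rows: List[Row]) -> list:
    """Score each row and sort by descending managed risk (most urgent first).

    Output per row: (factor, R, band, residual R, residual band, reduced),
    where reduced is True only when the planned response actually lowers R.
    """
    out = []
    for factor, lik, imp, r_lik, r_imp in rows:
        score = risk_score(lik, imp)
        if r_lik is None or r_imp is None:
            out.append((factor, score, risk_band(score), None, None, None))
        else:
            residual = risk_score(r_lik, r_imp)
            out.append((factor, score, risk_band(score), residual,
                        risk_band(residual), residual < score))
    return sorted(out, key=lambda r: r[1], reverse=True)


# Constructed sample register using the deck's own example rows.
SAMPLE_REGISTER: List[Row] = [
    ("Recruitment process is inefficient", 4, 2, None, None),
    ("Code of ethics violation notifications are insufficient", 3, 3, None, None),
    ("Absence of an information security management system", 3, 3, 2, 2),
    ("Insufficient equipment to control leakage of sensitive information", 3, 2, 2, 2),
]

if __name__ == "__main__":
    assert matrix_fully_banded()
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```

The two report rows score 8 and 9 (both HIGH) and the two response-plan rows drop from 9 and 6 (HIGH) to a residual 4 (MEDIUM), matching the deck's tables; a row whose residual score is not below its managed score is flagged so the response action can be questioned.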
29. Stage 5 and 6 Communication and consulting; Risks monitoring and review
30. Stage 5 and 6 Communication and consulting; Risks monitoring and review
Communication and consulting
• The organization should provide continuous information and communication with
staff and internal stakeholders at all stages of the Corruption and Fraud Risk
assessment.
• Informing and consulting with external stakeholders or third parties must also be
carried out at all stages of the Corruption and Fraud Risk assessment and Response
Plan implementation.
Risks monitoring and review
• The risk monitoring and review process should be part of Corruption and Fraud Risk
Management. Monitoring should be done according to the Response Plan through the
performance indicators laid down when describing response actions to corruption risks
and the terms determined by the Plan.
• Risk assessment review must be conducted on a regular basis (at minimum annually). In
the case of significant changes to the functions or processes of the organization,
changes in legislation, etc., an additional unplanned risk review
may be needed.
31. Questions?
v.sysoev@auditagency.com.ua
Tel.: +380509793761
Skype: valentyn.sysoev