by John Hanson
Assessing compliance risks is a fundamental and foundational part of an effective corporate compliance and ethics program. Once the risks are identified, they are prioritized and addressed, often in accordance with a board and/or management-approved compliance plan, during the year. This may include revising or drafting policies, conducting training sessions, and auditing or testing, among other things.
While there are many ways to go about assessing compliance risks, compliance professionals might consider incorporating into their assessment methodologies the Fraud Triangle, which may assist them in not only assessing risks, but also with prioritizing and addressing those risks.
“The Fraud Triangle” is a concept developed by Dr. Donald R. Cressey, a renowned sociologist and criminologist, and it identifies three causal factors for occupational fraud. When the risks rise within all three factors, the risk of occupational fraud increases.
To better understand this, lets distinguish “occupational fraud” from “predatory fraud”:
Occupational Fraud: “Internal” fraud that is committed by an executive, employee or other agent of an organization who takes advantage of their employment or occupational position for their personal benefit by intentionally misusing, misapplying or misappropriating an organization’s assets or resources.
Predatory Fraud: “External” fraud, commonly associated with con artists and other organizational “outsiders” who devise schemes to deceive people or entities in order to enrich themselves or for other personal gain.
Though Dr. Cressey was concerned with criminal acts (i.e. fraud), my experience has shown that his theory also applies to less than criminal acts, such as violating a compliance policy.
While organizations may certainly fall victim to predatory fraud, their greater risks may relate to their post-internal fraud incident exposure, in large part due to the vicarious liability that attaches to the organization for the acts of their employees, agents, etc. While predatory/external fraud can lead to significant organizational exposure, particularly if the company failed to adequately safeguard information, technology or assets held in a fiduciary manner, this series of articles will focus on occupational/internal fraud and/or non-compliance risks and the Fraud Triangle.
Factors of the Fraud Triangle
The three factors of the Fraud Triangle are: opportunity, rationalization and motivation.
Opportunity concerns a person’s ability to commit fraud and is affected by such things as, among others: internal controls, knowledge, authority and experience. Though internal controls are an effective means of reducing opportunity, those with more knowledge, authority and experience may be better able to devise schemes to circumvent internal controls and/or conceal fraudulent acts.
Rationalization concerns a person’s ability to internally justify their wrongful actions. This is often affected not only by a person’s individual moral compass, but also by the ethical tone within an organization and the person’s perception about the fairness and equality of rewards and punishments for actions and behavior.
Motivation, in the context of the Fraud Triangle, generally relates to an “unshareable need” within a person’s life. This need can arise from a broad range of things, from common and ordinary life issues to those that are more nefarious.
Though not technically part of the Fraud Triangle, there is another factor that is important as it relates to whether a person might commit fraud – the perception regarding whether they will get caught. In my experience, this can be an overriding factor, such that even if the risks are high within the three Fraud Triangle factors, a person who perceives they will get caught will be less likely to violate a company policy, act unethically or commit a fraud.
Having spent more than 20 years in the anti-fraud and fraud investigation fields, 10 of those as a FBI agent who specialized in fraud investigations, I have seen the Fraud Triangle proven out over and over. As an independent corporate monitor, I have used it in assessing risks within the compliance and ethics programs of the companies I have monitored.
Because it is effective in improving compliance risk assessments and programs in general, I will share through a series of articles some brief but practical thoughts about how compliance professionals can incorporate each factor of the Fraud Triangle into their own compliance risk assessments and programs.