ECCTA Fraud Risk Assessment: Documenting Base-Fraud Scenarios in Practice
Principle 2 of the Home Office fraud prevention guidance requires a documented fraud risk assessment. This guide explains how to build one that is specific to your organisation's associated-person network and that provides a defensible foundation for the rest of the compliance programme.
Key points
- The risk assessment should map specific fraud scenarios — not generic fraud risk — to your associated-person categories and Schedule 13 offences
- Each scenario needs a likelihood and impact rating, a record of existing controls and the evidence that they operate, and a gap note with an owner and a target date
- The assessment must be dated and version-controlled so you can show what it said at the time of the relevant conduct
- Refresh triggers include material business changes, near-misses, and periodic review on a set schedule
What the fraud risk assessment must achieve
The fraud risk assessment is the foundation of the reasonable-procedures programme. It identifies which fraud scenarios are material for the organisation, given its sector, business model, and associated-person network; it documents what controls are already in place; it identifies gaps; and it provides the basis for the proportionate procedures that follow. A generic fraud risk register that lists 'fraud' as a single risk category provides none of these things.
The assessment must be specific enough that someone who has not been involved in its preparation can understand which fraud types the organisation faces, why, and what it has done about them. That standard is relevant both for internal governance — so that the board can discharge its Principle 1 oversight obligations — and for external review by advisers or, in an enforcement scenario, investigators.
Specificity does not require exhaustive detail about every conceivable fraud scenario. It requires a systematic approach: work through the Schedule 13 offence types, identify which are plausible in the context of the organisation's activities and associated-person population, assess likelihood and potential impact, document controls, and record gaps. This process is repeatable and defensible in a way that a generic fraud-risk narrative is not.
Mapping Schedule 13 offences to your business
The starting point for the fraud risk assessment is the Schedule 13 list of base fraud offences. For each offence, the question is: could an associated person of this organisation commit this offence, in the context of the organisation's activities, intending to benefit (directly or indirectly) the organisation or a person to whom the associated person provides services on its behalf? For most large organisations, several offence types will be immediately plausible; others may be implausible given the nature of the business. Where an offence is judged implausible, the assessment should record that conclusion and the reasoning behind it rather than silently omitting the offence.
Fraud by false representation (Fraud Act 2006, s.2) is relevant wherever associated persons make representations on the organisation's behalf: in sales, procurement, regulatory filings, or financial reporting. Fraud by failing to disclose information (s.3) arises where associated persons owe a legal duty to disclose, for example in regulated disclosures or to counterparties. Fraud by abuse of position (s.4) is particularly relevant for associated persons with authority over client assets, access to sensitive information, or fiduciary roles. False accounting (Theft Act 1968, s.17) is relevant wherever associated persons have responsibility for financial records; false statements by company directors (Theft Act 1968, s.19) and fraudulent trading (Companies Act 2006, s.993) are relevant for those involved in corporate reporting and the conduct of the business. Cheating the public revenue, the common-law offence in Schedule 13 that covers VAT and duty evasion, is relevant for organisations with complex supply chains or cross-border transactions.
Working through each offence type in the context of the organisation's activities forces specificity: rather than recording 'fraud risk' as a category, the assessment records 'fraud by false representation by sales agents in commercial negotiations' as a specific scenario. That specificity is what allows controls to be mapped to the scenario and gaps to be identified.
Identifying specific fraud scenarios
For each plausible offence type, the risk assessment should identify the specific scenarios in which an associated person could commit the offence. A scenario is not an abstract category; it is a description of how a specific type of associated person, in a specific role or relationship, could engage in the conduct. 'A sales agent could make false representations about the product's regulatory compliance to win a contract' is a scenario. 'False representation risk' is a category.
Scenario development is best done with input from business lines, not just the compliance function. The people closest to the relevant activities — sales leaders, procurement managers, finance controllers, supply-chain managers — have the most direct knowledge of where fraud could occur. Workshop-based risk identification, supplemented by reference to sector-specific guidance and enforcement cases, typically produces a more complete scenario set than desk-based analysis alone.
Each scenario should be assessed for likelihood (given existing controls, how probable is it that this fraud could occur?) and potential impact (if it occurred, what would the consequence be for the organisation and affected parties?). Because the likelihood rating is net of existing controls, it is only as defensible as the controls record that supports it: a scenario rated low-likelihood on the strength of a control for which there is no operating evidence should be re-rated. The two dimensions produce a risk rating that supports the prioritisation of procedures: high-likelihood, high-impact scenarios warrant the most substantive controls and the most frequent review.
Documenting controls and identifying gaps
For each identified scenario, the risk assessment should record the controls that are currently in place to prevent or detect the fraud. Controls include procedural controls (approval processes, segregation of duties, whistleblowing mechanisms) and controls enforced by systems, such as approval limits and dual authorisation in finance and procurement platforms, access restrictions on records and client assets, and exception reporting. The record should note where each control exists, what it does, and what evidence shows it is actually operating (approval logs, access reviews, exception reports, audit testing); a control that is documented but not evidenced will carry little weight under review.
Gaps are the scenarios or control areas where the assessment concludes that existing procedures are insufficient. A gap note should record what is missing, why it matters, who is responsible for addressing it, and a target date. Gaps are not failures: they are a normal feature of a developing compliance programme and the risk assessment's record of them shows that the organisation has identified its weaknesses and is addressing them.
The controls documentation is also the basis for Principle 3 (proportionate procedures) evidence. It allows the organisation to demonstrate that it has thought about how existing business-process controls relate to its fraud prevention obligations, rather than treating anti-fraud procedures as a standalone layer on top of the normal business controls.
Version control and refresh cadence
The fraud risk assessment must be version-controlled. Each time it is updated, the previous version should be retained unaltered, with its date, the identity of the person who prepared it, and a record of who approved it. Version control allows the organisation to reconstruct the state of its risk assessment at any point in time, including at the time of the relevant conduct in an enforcement scenario; an assessment that exists only as a single, continually edited document cannot show what it said on a given date.
The refresh cadence should be set out in the compliance programme documentation. A typical approach is an annual full review, supplemented by event-triggered reviews when material changes occur. Material changes include entering a new market, acquiring a new business, starting a new high-value agent relationship, or receiving intelligence of a near-miss or industry-relevant enforcement action.
Refresh documentation should record what triggered the review, what changed relative to the previous version, and what changes were made to the procedures as a result. This narrative — showing that the organisation's risk assessment was responsive to its changing risk environment — is evidence of the continuous compliance culture that the SFO's guidance looks for.
Official sources
- Home Office failure-to-prevent-fraud guidance v1.5
Updated 2025-10-10; accessed 2026-06-15.
- Economic Crime and Corporate Transparency Act 2023
Royal Assent 2023-10-26; accessed 2026-06-15.
- SFO compliance-programme evaluation guidance
Published 2025-11-26; accessed 2026-06-15.
Keep reading
- Fraud risk assessment evidence guide
- Fraud risk assessment template
- What are reasonable fraud prevention procedures?
- What are the base fraud offences?
- ECCTA Failure to Prevent Fraud: A Practical Compliance Guide for Large Organisations. What the failure-to-prevent-fraud offence requires, who is in scope, and what a defence file needs to contain. A practical guide for compliance and legal teams at large organisations.
- Reasonable Fraud Prevention Procedures: What the Six Principles Require in Practice. What each of the six Home Office fraud prevention principles requires in practice, with evidence pointers for compliance and legal teams preparing the ECCTA reasonable-procedures defence.
DefenceFile organises evidence for legal and compliance review. Posts on this blog do not constitute legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.