ECCTA failure to prevent fraud: a guide for chief risk officers
The fraud risk assessment is the spine of a reasonable-procedures defence, and it is usually the CRO's to own. DefenceFile organises the assessment, the controls that follow from it, and the monitoring that keeps it live — as a living, audit-ready file rather than a static document.
What you are accountable for
You own the fraud risk assessment, the proportionate procedures that follow from it, and the monitoring and review that keep both current as the business changes.
The worries
- The fraud risk assessment exists but is not linked to the controls or evidence behind it
- Monitoring and review happen but leave no discoverable trail
- Showing the assessment was live and revisited, not a one-off document
How the defence file helps
- Hold the fraud risk assessment and its supporting evidence in one register
- Map associated persons and their risks to the controls that address them
- Keep monitoring, review, and update records discoverable and dated
- Surface gaps and unresolved blockers for human decision rather than hiding them
Evidence to prioritise
Chief Risk Officer questions
- Where does the fraud risk assessment fit in the offence?
  Risk assessment is one of the six principles in the Home Office guidance and underpins what counts as proportionate procedures. DefenceFile organises the assessment and its evidence; the reasonableness judgement remains with the courts and your advisers.
- How do we show monitoring actually happened?
  Keep dated monitoring and review records linked to the assessment and controls. The platform keeps these discoverable so a reviewer can see the assessment was revisited, without asserting the programme was adequate.
- Does the platform assess risk for us?
  No. DefenceFile structures the inputs and evidence; the risk judgements are made by your team and advisers. It does not score, certify, or decide your risk position.
For other roles
- Head of Internal Audit
  How internal audit provides independent assurance over ECCTA fraud-prevention procedures using a reviewable evidence trail.
- Company Secretary
  How company secretaries evidence board commitment and governance for the ECCTA failure-to-prevent-fraud offence — a reviewable defence file.
- Chief Financial Officer
  How CFOs evidence the finance and procurement controls that matter for the ECCTA failure-to-prevent-fraud offence.
Keep going
- Failure to prevent fraud: the offence explained
  The statutory offence, the size test, and what a defence file is for.
- Reasonable procedures
  How the six principles map to evidence you can organise.
- Straight answers
  Sourced answers on scope, penalties, and the defence.
- Pricing and pilots
  How a structured pilot review of your evidence works.
DefenceFile organises evidence for legal and compliance review. It does not provide legal advice, create privilege, certify scope, certify reasonable procedures, or guarantee that a statutory defence will succeed.