Unmasking Fraud: The Public Sector Fraud Authority’s Guide to Enterprise Fraud Risk Assessments

The Enterprise Fraud Risk Assessment (Practice Note) has been developed by the Government Counter Fraud Profession (GCFP) Centre of Learning, operating out of the Public Sector Fraud Authority. It was made public on the 13th of January 2025 to provide organizations with a robust framework for mitigating fraud risks and safeguarding resources.

Fraud presents a substantial challenge to organizations worldwide, with public sector fraud alone accounting for an estimated £55-£81 billion in annual losses. This magnitude of financial and reputational risk underscores the urgency for organizations to adopt a structured, comprehensive approach to identifying and mitigating fraud risks. The Enterprise Fraud Risk Assessment (EFRA) serves as a cornerstone of such efforts, providing a robust framework to navigate the complex fraud landscape.

Purpose and Scope of EFRA

The EFRA is designed to evaluate an organization’s susceptibility to fraud comprehensively. It provides a structured overview of potential fraud risks, their impacts, and the underlying drivers. The primary goal is to equip senior leaders and boards with actionable insights that guide effective resource allocation and risk mitigation strategies. This assessment is critical in aligning organizational efforts with broader functional standards, such as the Government Functional Standard GovS 013 on counter-fraud.

Fraud risk assessment is not a one-size-fits-all approach. Each EFRA must be customised to the organization’s unique objectives, structure, and operational environment. Tailoring the EFRA ensures its findings are relevant and actionable, enhancing its impact as a decision-making tool.

Defining Fraud Risks, Threats, and Drivers

Understanding fraud risks requires clarity on three key components: risks, threats, and drivers. A fraud risk is the possibility of an adverse event that compromises organizational objectives. Threats represent the specific actors, activities, or conditions that could enable such risks. Drivers are the underlying factors that increase or decrease the likelihood of fraud occurring, such as economic pressures, regulatory changes, or internal vulnerabilities.

Fraud risks should be described systematically to facilitate clear communication and prioritisation. This involves identifying the actor (e.g., an individual or group committing fraud), the action (e.g., falsifying invoices), and the outcome (e.g., financial loss or reputational damage). For example, under challenging market conditions, a corrupt supplier may falsify invoices to claim payment for services not rendered, resulting in financial losses and diminished public trust.

Building an Effective EFRA

Constructing a meaningful EFRA involves integrating insights from multiple types of fraud risk assessments:

  1. Thematic Fraud Risk Assessments (TFRAs): These group risks by function or program, such as procurement or human resources. They provide a focused view of vulnerabilities within specific operational areas.
  2. Initial Fraud Impact Assessments (IFIAs): Conducted during the planning stages of new activities, IFIAs offer preliminary insights into potential fraud risks and their impacts.
  3. Full Fraud Risk Assessments (FRAs): These are detailed analyses of individual risks within specific business units or programs, offering granular insights into vulnerabilities and mitigation measures.

Each of these assessments feeds into the EFRA, creating a comprehensive picture of the organization’s fraud risk landscape. Organizations with less mature risk management frameworks may begin with a top-down approach using IFIAs, while more established entities can leverage TFRAs for a middle-out perspective.

Presenting Assessed Impacts of Risk

The EFRA’s findings must be communicated effectively to engage senior stakeholders. This requires balancing detail with clarity to ensure that decision-makers can easily grasp the key risks and their implications. Presentation formats should be tailored to the organization’s preferences, using either a business area or cross-cutting risk approach.

In a business area-focused presentation, risks are categorised by operational segments. For example, a mobility scooter scheme may highlight contractor fraud as a high residual risk requiring immediate action. Alternatively, a cross-cutting risk approach addresses overarching risks, such as contractor false invoicing, that impact multiple programs.

To enhance engagement, visual tools like risk scoring grids are invaluable. These tools prioritise risks based on their likelihood, frequency, and potential impact, guiding resource allocation and strategic planning.

How Detailed Should the EFRA Be?

The EFRA must strike a balance between comprehensiveness and usability. While detailed assessments provide valuable insights, excessive complexity can hinder decision-making. To maintain impact, the EFRA should:

  • Provide an executive summary highlighting key risks and actions needed.
  • Include evidence-based assessments, incorporating data and examples to support findings.
  • Maintain a fraud risk register documenting all identified risks and their status.

Annual updates and periodic reviews are essential to ensure the EFRA remains relevant in the face of evolving threats and organizational changes.

Integrating EFRAs into Organizational Strategy

An EFRA is not a standalone tool; it should be embedded within the broader fraud risk management framework. This integration involves:

  • Aligning the EFRA with organizational objectives and compliance standards.
  • Using EFRA insights to inform strategic decisions on resource allocation and risk mitigation.
  • Regularly reviewing and updating the EFRA to reflect new risks and operational developments.

With a proactive and iterative approach, organizations can ensure that their EFRA remains a dynamic and effective component of their fraud risk management strategy.

The Enterprise Fraud Risk Assessment is more than a compliance exercise; it is a strategic imperative for safeguarding organizational resources and reputation. By identifying and addressing fraud risks proactively, organizations can build resilience, enhance stakeholder trust, and secure long-term success. The time to act is now: invest in a robust EFRA process to protect your organization’s future.


Francesco Fulcoli

Shaping Financial Integrity in Fintech | Compliance, AML, FinCrime, Risk, Legal | AI, Tech, Data | Chief Compliance and Risk at Flagstone
