Member question 1: “Which area of your company ‘owns’ fraud risk?
- “I am interested in benchmarking ownership of fraud risk management, from policy setting to training and compliance monitoring. The scope of the fraud risk management is broad and includes data security, wire transfers, general theft, IP protection, etc.
- “Do you have one owner or is it co-owned by multiple departments (treasury, legal, auditing, etc.)?”
Peer answer: “For us, it is owned by different groups based on the source of the fraud. For example, fraud through phishing attacks is owned by infosec, fraud soliciting payment would be owned by treasury, etc.”
Member question 2: “Where does fraud awareness training responsibility fall within your organization?
- “Who owns the development and maintenance of the training content? Who owns the governance of ensuring your organization has received proper fraud training?”
Peer answer: “Fraud is broadly included in our annual global security and privacy training. The global security office rolls up under IT.
- “These types of trainings are mandatory and managed through the learning portal or an outsourced service for on-demand learning. The data and privacy and compliance teams in legal also play a role in the content and establishment of governance.”