How Risk-Based Certification Supports Fraud Prevention

Have you ever reviewed a sentence with misspellings or words missing but found yourself reading the sentence clearly? It’s as though your brain isn’t taking in the gaps or mistakes: you’re anticipating outcomes, drawing conclusions based on what you expect.

Yuo cna porbalby raed tihs esaliy desptie teh msispeillgns.

Certification activities, monitoring, and compliance processes can mirror this anticipation, assumption, and conclusion approach. In fact, there’s an argument to be made for disrupting activities to achieve fresher, more correct, or novel outcomes, including identifying compliance gaps or fraud. Enter stage left, “risk-based certification.” As a person I respect once told me, if you’re looking at all the things and not catching fraud, what harm is there in making an adjustment to focus on the areas of likely or probable risk? In my 15 years of enforcement, I acknowledge discomfort at adapting the system from a comprehensive full review; it’s scary to deviate from comfort in the process. However, if you tailor and focus activities, as a certifying agent or operation, to the areas of highest risk and address compliance activities systematically to ensure a comprehensive review, you are likely to disrupt the assumption model and create greater opportunities to detect or deter fraud.

What does risk-based certification mean, and how does it accomplish fraud prevention? 

The Cressey fraud triangle reminds us that three elements need to be present for fraud to occur: 1) Pressure, 2) Opportunity, and 3) Rationalization.

Each business has unique activities that may create opportunity, pressure, and rationalization. In one hypothetical example, a business may have harsh punishment for production losses. An employee is motivated by fear of losing their job if they alert the business about an ingredient error that would result in the product not being marketable as organic. The business structure may lack internal controls and systems to outline a reporting process, and the culture may create additional pressure to protect financial interests over ethical and compliance considerations.

Next, the individual may see opportunity through their role and lack of oversight and verification of ingredient inventories. Finally, there is additional rationalization because the lack of errors is tied to year-end bonuses. Hence, a scenario that is ripe for fraud internally. Operations may think of external factors as being a major fraud risk, and these are certainly not to be discounted. However, internal fraud risk is also real, and risk-based certification prioritizes review and oversight activities to target both. 

When creating a risk-based approach to compliance, the fraud prevention process required through Strengthening Organic Enforcement (SOE) provides an excellent starting place. Each business (or certifying agent) should be analyzing where opportunity, incentive, and motivation are present, and prioritizing activities in areas of highest risk. You are sure to create new opportunities for fraud if you disregard lower-risk areas, so verification is necessary to some extent across the system. However, where an identified risk is present, additional time and verification should be applied. Reviewing information not only through systems verification but also physical confirmation or cross-checking of records can deter fraud and remove the motivation to make assumptions or draw conclusions about an activity. To quote the approach NOP has proceeded with over the years, “It’s important to trust but verify.”

If you are looking for confirmation of correctness, the human brain is hard-wired to support your conclusions. If you apply cross-verification of your assumptions, it disrupts the assumption and provides that second review, so you are challenging your approach and will potentially see key information you may have otherwise missed. Keep vigilant, friends!