Operational Risk Management – Common Operational Risk Area 1 – Fraud/Theft


In the last column, we discussed what operational risk management is and why it is important. In that column we mentioned that there were six common operational risk areas that affect businesses, medical/dental practices, and nonprofits’ operations.  We will discuss fraud/theft which is one of the six common operational risk areas that may adversely affect your operations.



The newspaper articles shown above give you an idea of some of the fraud/theft that may occur if proper operational risk management is not in place.  Fraud and theft are the most common operational risk areas that cost owners millions of dollars each year.

There are many types of fraud and theft that should be considered when conducting an operational risk assessment and preparing a risk management plan.  Examples of Internal fraud/theft committed by trusted employees/volunteers are skimming money from the cash register/drawer, over-ordering supplies and selling the overage, using a company credit card for personal purchases, taking inventory items or medical/dental samples, altering deposits or copays to take money, selling patients’ medical information, or trusted friends, and family members taking out personal loans from cash drawers. Examples of external fraud/theft are shoplifting, stealing cash, credit card fraud, vendor overcharging or double billing, vendors shorting on order deliveries.

The National Retail Security Survey for 2015 reported $44 billion in losses as the result of external retail crime.  A Forbes.com October 7, 2015 article states US Retailers lose $60 billion a year, with employee theft as a top concern. The Statistic Brain reported $50 trillion stolen annually for U.S. businesses by employees.  These are amazing statistics and while you may not have a large company, practice, or nonprofit this should still concern you, especially if you do not know how your operations are working or better still, not working.  If you have not had an operational risk assessment done to identify the risks and potential risks or to identify where fraud or theft is draining your bottom line, you are at serious financial risk.

There are things you can do yourself to identify operational risks and potential risks.  Conducting a self-risk assessment is like conducting a home inspection.  Look for things that seem broken or in need of repair.  Take the time to examine operations, such as cash operations, policies/procedures, internal controls, inventory monitoring, employee checks, camera surveillance, and all the areas of your operations.  Below are a few examples of simple checks of some operational areas:

Cash operations –

  • Are opening and closing cash counts completed?
  • Does each person who handles cash use a separate cash drawer?


  • Do you have policies and procedures that direct how operations are to be conducted?
  • Do you have opening and closing procedures?
  • Do you have written employee/staff/volunteer job duties?

Internal controls

  • Do you have a two person rule on use of credit cards?
  • Do you have lockers or a separate place for employees to secure their personal property

Inventory monitoring

  • Do you conduct regular inventories of your company’s property?
  • Do you have camera surveillance of your products and/or supplies?


  • Do you contact references listed by the employee?
  • Do you contact the last supervisor of the employee?
  • Are employees/volunteers allowed afterhours access?

Camera surveillance

  • Do you have surveillance cameras that cover all exits/entrances?
  • Do you have surveillance cameras that cover cash handling activities?
  • Do you have surveillance cameras that cover areas where workman’s compensation or civil liability issues could occur?

It is important to objectively look at your complete operations to make sure you correctly identify as many risks or potential risks as you are able.  Don’t be the one that can’t see the forest for the trees and thinks everything is fine.  And remember, WSDBA is always available to help our membership, so feel free to contact us. In next month’s column, we will discuss the second most common operational risk, “Internal Controls.”