20 May 2026

Who owns fraud risk? A governance question hiding in plain sight

Fraud has traditionally been treated as a legal or compliance issue – something to be dealt with when it arises. Increasingly, that approach is no longer sufficient. 

For general counsel, the more pressing question is: Who in the organisation actually owns fraud risk? In many cases, there is no clear answer. That lack of ownership is fast becoming one of the most significant (and underappreciated) sources of exposure. 

A fragmented risk

Fraud does not sit neatly within one function:

  • Legal advises on disputes and investigations.
  • Compliance develops policies.
  • Internal audit assesses controls.
  • Finance oversees transactions.
  • Operations run the processes.

Each plays a role, but none typically “own” the risk end to end.

This fragmentation matters. Where responsibility is diffuse, accountability can be equally unclear (particularly when something goes wrong).

Why this is changing

There are three developments driving a shift in how fraud risk is viewed:

1. Increasing regulatory focus on prevention: There is a clear move towards holding organisations accountable not just for fraud losses, but for failing to prevent them.

2. The complexity of modern fraud: Fraud now involves technology, third parties and cross-border activity. It sits within systems, data and processes, not just isolated misconduct.

3. Board-level scrutiny: Fraud is increasingly viewed alongside cyber and financial risk as a strategic organisational issue, not just a legal one.

Taken together, these developments mean that organisations are expected to demonstrate active ownership of fraud risk, not just reactive management. 

The risks of unclear ownership

Where responsibility is not clearly defined, a number of issues tend to arise:

  • Gaps in control design – assumptions that “someone else is covering it”.
  • Inconsistent responses – particularly in early-stage incidents.
  • Poor escalation – issues raised but not acted on decisively.
  • Difficulty demonstrating accountability – when challenged internally or externally.

For general counsel (GCs), this creates both legal and reputational exposure. The question is no longer just what happened, but whether the organisation can show it had clear, effective oversight of fraud risk.

A practical approach to ownership

Strong organisations tend to take a more structured approach. This does not necessarily mean creating a new function. It means ensuring:

  • Clear senior ownership – typically at executive or board level.
  • Defined roles across functions – legal, compliance, audit and finance each with specific responsibilities.
  • Alignment between policy and practice – not just documented controls, but how they operate in reality.
  • Regular review and challenge – including at audit committee level.

For GCs, a key role is often acting as the connecting point between these functions, ensuring that legal risk is understood in the context of operational reality.

The GC’s role

General counsel are increasingly expected to operate as more than advisers on discrete issues. In the context of fraud, that includes:

  • Challenging whether ownership is properly defined.
  • Stress-testing whether controls are effective in practice.
  • Ensuring that contractual and operational risk align.
  • Advising the board on where exposure may arise.

This is not about taking on operational responsibility, but about ensuring the organisation can defend its approach if called into question.

Summary

Fraud is no longer just an event to be investigated. It's a risk to be owned.

For GCs, the question to ask internally is a simple one: If a significant fraud occurred tomorrow, could we clearly explain who was responsible for preventing it and what they actually did? 

If the answer is unclear, that's where the real risk lies.
