The purpose of the risk assessment is to figure out how vulnerable systems are to fraud. Begin by determining a baseline relative to current activities, so that new processes and procedures can be put in place to more effectively deal with fraud.
Training employees in the middle of the assessment runs the risk of compromising the data gathered during the risk assessment. There will be plenty of time for training later, but during the assessment is the time to uncover and categorize those risks, so the organization can determine what needs to be done most urgently.
To be clear, fraud training is absolutely critical to fraud reduction efforts, but after the assessment is complete. When that time comes, focus on helping employees understand both what is considered private data and intellectual property (presumably the data that needs protection), as well as recognize typical attacks (mostly social engineering and other fraud attacks).
A helpful site to look at when starting a training program is PhishMe.com. This site automates the sending of phishing emails to employees and tracks whether they fall for the ruse. It can also test employees over time to see if educational and training efforts had a positive effect on their ability to deal with the fraud.
This was first published in May 2008