The third article within this series relates delves into the risk assessments which organisations are to implement from a financial crime perspective.
Risk assessments are a valuable tool used by the board of directors in order to structure operational units in the most appropriate and efficient manner. Whilst AML-CFT business risk assessments have become mandatory since January 2018, there are other risk assessments which organisations should consider undertaking from a financial crime point of view.
What is a Risk Assessment?
A risk assessment is a process through which an organisation identifies the risks which it is exposed to (taking into account the various threats, vulnerabilities, risk areas and risk factors) and through which the appropriate risk mitigation measures are determined depending on the size, resources and systems available within the organisation.
Why have Risk Assessment?
When conducted in the appropriate manner, risk assessments can be of great benefit to the board of directors as they provide valuable information in order to, among other matters, establish the organisation's risk appetite. Risk assessments help directors understand, in a more structured and granular manner, the financial crime risks to which the organisation is exposed to and allows for the determination of the appropriate risk mitigation measures. Risk assessments also assist the board of directors in implementing and allocating the most suitable controls and resources based on the risk-based approach. This will ensure that any inefficiencies due to having excessive controls on lower risk scenarios are identified and resources can be shifted to ensure stronger controls being applied in respect of higher risk scenarios. In addition, gaps in the organisation's financial crime policies, procedures and processes might also be identified. This would trigger changes with the financial crime framework, thereby enhancing internal processes and controls to remedy shortcomings. The board may also decide to implement additional internal controls in order to lower the organisation's residual risk exposure. Risk assessments should therefore be seen as a risk management tool for enhancing an organisations controls and efficiencies based on the risk-based approach.
Type of Financial Crime Risk Assessments
A robust financial crime framework is generally built on a number of risk assessments, with each assessment catering for a specific financial crime theme. Whilst organisations are mandated to establish an AML-CFT Business Risk Assessment in terms of the Prevention of Money Laundering and Funding of Terrorism Regulations, organisations are encouraged to consider undertaking risk assessments relating to other financial crime themes, including, bribery and corruption, market abuse (including insider dealing, market manipulation, prohibited disclosures), sanctions, fraud, and tax evasion. The determination as to whether one should undertake a risk assessment and the level of detail which should go into such risk assessment will depend on the level of exposure which the organisation has in relation to the relevant financial crime. By way of example, a sanctions risk assessment would be very relevant in case where you have a bank which is heavily involved in trade finance, whilst less relevant (albeit still relevant) for an alternative investment fund manager.
Responsibility for the BRA
The responsibility lies with the directors who may delegate the task, but not the overall responsibility. The preparation of the BRA may be delegated to other individuals within the organisation or delegated to third party service providers, however the ultimate responsibility lies with the board.
A firm wide assessment
Being firm wide assessments, risk assessments needs to be drafted with the contribution of all functions which in some way or another, whether directly or indirectly, have an impact on the establishment and/or implementation of the financial crime policies, procedures and processes of the organisation. Establishing the type of governance arrangements, policies, procedures, processes and systems used by the relevant functions will help ensure that the assessment is more holistic and reflects the risk framework of the organisation. This exercise is crucial in order to ensure that the risk assessment is truly a firm wide assessment.
Documenting your Risk Assessment
The risk assessment should document in detail the scope of the risk assessment, methodology adopted in arriving to the conclusions of the risk assessment, the risk factors being assessed, the reasons for considering a risk factor/scenario as presenting a low, medium or high risk, the risk mitigation measures, the outcome of the risk assessment, as well as any information sources used. Changes to the risk assessments (and the reasons for such changes/updates) need to be duly documented. Approvals of each risk assessment and any updates/changes need to be recorded and retained on file.
Getting your methodology right
Before compiling a risk assessment, organisations should set a defined methodology. This will also ensure that any data which is to be compiled and processed for the purposes of the risk assessment is duly obtained from the relevant operating units of the organisation. Good quality data is key in ensuring that your risk assessment is reflective of the risks to which the organisation is exposed to. By far the most common methodology is the following:
- Identify all risks relating to the key risk factors and other qualitative factors and establishing the inherent risk based on the likelihood and impact of such risk;
- Obtain all relevant data relevant to the respective risk factors and risk scenarios in order to ensure that the risk assessment incorporates a quantitative element (in addition to the qualitative element);
- Establish an exhaustive list of controls (such as policies and procedures, training, governance arrangements etc) which are to be applied and establish their effectiveness. The 'effectiveness' of the controls needs to be revisited on a yearly basis to ensure that such control remains as effective as indicated in the previous risk assessment;
- Determine the residual risk by taking into account the inherent risk and the effectiveness of the controls identified in point (b) in respect of each risk. Various course of actions may be identified at this stage, including taking (i) additional measures, (ii) take strategic or tactical actions and/or (iii) revisit the organisation's risk appetite if necessary.
Review your risk assessments
The environment in which the organisation operates, changes to the business models, structures and activities, and new threats or vulnerabilities within the sector in which the organisation operates would all bring changes to the risk assessments undertaken by the organisation. Whilst the general rule is to revisit the risk assessments on a yearly basis, a more frequent revision is required in case any of the above scenarios occur throughout the year.
Risk assessment should not be seen as a data collection exercise but rather as a tool to enhance and improve the controls applied by the organisation from an anti-financial crime point of view. Such assessments will also help organisation ensure that the appropriate resources are being allocated to mitigate financial crime risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.