Financial crime risk assessments are one of the most difficult parts of the financial crime framework to get right, but they are essential for analyzing a business's exposure to financial crime risk.
Without a good risk assessment, it’s impossible to meet regulatory expectations for an adequate compliance program. Regulators are increasingly demanding that firms’ financial crime compliance programs be effective and risk-based.
Consequences are severe for getting this wrong.
Recently, financial crime risk assessments featured prominently in the US OCC’s corrective actions for a US partner bank. In the UK, the Gambling Commission’s largest fine to date was issued to a large sports-betting and gaming group for inadequate AML risk assessment processes.
This post describes the key components of the financial crime risk assessment process and provides a downloadable example risk assessment checklist.
Yet many compliance leaders acknowledge that their current risk assessment processes need improvement. Here are a few reasons why:
- Manual and time-consuming. Risk assessments are burdensome and painful. They involve maintaining long spreadsheets and require significant effort to coordinate input across multiple sources.
- Difficult to conduct. Despite how critical risk assessments are, assigning risk ratings too often feels like simply sticking a finger in the air.
- Inflexible. If a risk rating changes, how does this affect the whole assessment? With numerous risks to consider, manually re-evaluating each part of the assessment can be complicated and frustrating.
- Not optimized for growth. Even if risk assessments are outsourced to external consultants, they aren’t updated in real-time or dynamically. This reduces their usefulness for assessing the ongoing state of business or making business growth decisions.
What is the standard financial crime risk assessment methodology?
Financial crime risk assessments have two stages:
Identification. Firms first identify broad or high-level risk areas to evaluate, then further determine specific risk categories that apply to their business, based on regulatory guidance or expectations (e.g., from the Wolfsberg Group, FATF, JMLSG Guidance, FFIEC, or national risk assessments) and industry practice.
The following risk areas are commonly considered in risk assessments:
| Risk Areas | Example Risk Categories |
| --- | --- |
| Customers | Politically exposed persons |
| Geographies | FATF blacklist countries |
| Processes and systems | New technologies |
| Operations | AML compliance employee turnover |
| Size and nature of business | Client base stability |
Assessment. For each specific risk category, firms evaluate their inherent risk, the strength of their relevant controls, and their residual risk.
- Inherent risk is a firm’s exposure to a risk without any controls mitigating the risk. It’s commonly expressed on a Low/Medium/High scale, a 1-5 rating scale, or a similar rating system.
- Residual risk is the risk remaining after mitigating controls are applied to the inherent risk, so it’s dependent on inherent risk and the overall efficacy of relevant controls.
Risk ratings for each risk category are aggregated into an overall risk score for each high-level risk area. Then, an enterprise-level risk score is determined based on the risk scores for the risk areas.
How are controls assessed for each risk?
Controls mitigating a particular risk need to be assessed for both adequacy and effectiveness.
- Control adequacy is whether controls are properly designed to fully mitigate the risk.
- Control effectiveness is whether controls, however designed, are operating effectively and as expected.
To rate overall control efficacy for a risk, firms have to accurately evaluate both of these control aspects through metrics and self-assessments.
Assessing controls is a challenging, time-consuming task for many compliance teams, and the result is only a snapshot of how controls are operating at a single point in time.
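The two-stage model above (inherent risk, control adequacy and effectiveness, residual risk, then roll-up from risk category to risk area to enterprise score) can be expressed as a small calculator, which also shows why a single changed rating forces the whole assessment to be recomputed. This is an added example, not code from the post; the 1-5 scale and the risk areas come from the post, while the residual-risk formula, the Low/Medium/High thresholds and the aggregation rules (mean within an area, worst area drives the enterprise score) are assumptions chosen for illustration.

```python
import copy
from dataclasses import dataclass
from statistics import mean

# Added example. Ratings use the post's 1-5 scale (1 = low, 5 = high risk).
# The residual formula, the band thresholds and the roll-up rules are
# illustrative assumptions, not a regulatory standard.


@dataclass
class RiskCategory:
    name: str
    inherent: int          # 1-5: exposure with no controls in place
    adequacy: float        # 0-1: are the controls designed to fully mitigate?
    effectiveness: float   # 0-1: do they actually operate as expected?

    def control_efficacy(self) -> float:
        # A well-designed control that is not operating is worth little,
        # so efficacy is the product of adequacy and effectiveness.
        return self.adequacy * self.effectiveness

    def residual(self) -> float:
        # Controls scale down the part of the rating above the scale floor;
        # residual risk stays within 1-5 and is never zero.
        return round(1 + (self.inherent - 1) * (1 - self.control_efficacy()), 2)


def band(score: float) -> str:
    """Map a 1-5 score onto Low/Medium/High (assumed thresholds)."""
    return "Low" if score < 2 else "Medium" if score < 3.5 else "High"


def assess(areas: dict[str, list[RiskCategory]]) -> dict:
    """Roll category residuals up to area scores, then to an enterprise score."""
    area_scores = {a: round(mean(c.residual() for c in cats), 2) for a, cats in areas.items()}
    enterprise = max(area_scores.values())  # assumption: worst area drives the rating
    return {"areas": area_scores, "enterprise": enterprise, "band": band(enterprise)}


def rerate(areas: dict, area: str, name: str, **changes) -> dict:
    """Change one category's ratings and re-run the whole assessment (no mutation)."""
    areas = copy.deepcopy(areas)
    for cat in areas[area]:
        if cat.name == name:
            for field_name, value in changes.items():
                setattr(cat, field_name, value)
    return assess(areas)


# Constructed sample using the post's risk areas and example categories.
SAMPLE = {
    "Customers": [RiskCategory("Politically exposed persons", 5, 0.9, 0.8)],
    "Geographies": [RiskCategory("FATF blacklist countries", 4, 1.0, 0.5)],
    "Operations": [RiskCategory("AML compliance employee turnover", 3, 0.6, 0.5)],
}
```

Calling `assess(SAMPLE)` gives a Medium enterprise rating; `rerate(SAMPLE, "Geographies", "FATF blacklist countries", effectiveness=0.1)` shows one control-effectiveness change pushing the enterprise rating to High.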
What happens after the risk assessment?
Risk assessments are foundational for firms’ compliance programs. After completing an assessment, firms should take the following steps:
- Reporting and communication. Risk assessments need to be documented and approved by senior management, and shared with relevant stakeholders (e.g., Board committees or internal audit teams).
- Follow-on actions. Gaps or weaknesses detected in risk assessments should be addressed promptly and any remedial actions taken need to be tracked.
- Updates. Risk assessments should be updated at least annually, or more frequently depending on firms’ circumstances.