How to ensure effective risk assessments
It’s crucial that roles and responsibilities are enshrined within financial crime risk assessments.

And this is how you do it.

Best practice

Ownership of financial crime risk – formerly viewed as compliance’s job alone – should be embedded across the business.

The potential risks posed by the business should be considered, their probability assessed and the mitigating controls decided. The first line of defence (1LOD), supported by compliance, should conduct as a minimum an annual business-wide risk assessment (BWRA).

The board or senior management should actively consider the risks identified and accept or reject them against their preferred risk tolerance, resulting in a risk appetite statement (RAS).

This RAS should then be translated into the firm’s policies. The 1LOD takes responsibility for this, with guidance from compliance; department heads and the board should do the sign-off.

Business units should document procedures and/or update them to align with the firm’s RAS and policies and must ensure regular monitoring and testing of risk controls (with compliance undertaking quality assurance) to assess effectiveness.

Training, both mandatory and tailored, must be in place to ensure staff understand the identified risks and how to mitigate them. They should also be aware of the BWRA, RAS, policies, procedures and controls, etc.

Finally, monthly reporting by business units to the board or relevant committee(s) on how controls are performing is vital; the board and senior management should actively challenge here.

Reality bites

In reality, many organisations fail to allocate enough time/resources to this process. Why? Usually because of compliance culture shortcomings.

Operations staff might be under-resourced, viewing a BWRA as ‘too time-consuming’ or an ‘add on’, which ‘gets in the way’ of their day-to-day responsibilities.

Instead, the 1LOD should regard risk identification as intrinsic to their role and be afforded the time to complete a thorough assessment.

Compliance culture deficiencies can also make it difficult to consistently apply and document the outputs of risk assessments within daily operations and decision making:

- Do the board, senior managers and committees consistently refer to their RAS, policies and procedures before signing off on a project or transaction? Can they evidence their decision making to their regulator?

- Can the board and/or senior management evidence that revenue generated is in line with the firm’s RAS?

Commercial pressures can make meeting these regulatory requirements harder, especially if targets have not been met. Revenue generators will always strive for further profit, potentially taking on additional risk – but can your firm evidence that those risks are in line with the RAS?

Training and education

Robust training can help overcome these challenges. Staff have historically thought training exercises a chore, encouraging a ‘tick-box’ approach. Instead, training should be:

- Tailored – Mandatory training will be delivered to all staff, with additional tailored training delivered to those in key risk areas to:

  - Engage individuals by highlighting how risks relate to their specific roles, thereby reinforcing the relationship between roles and responsibilities and the relevant red flags and controls

  - Reduce the ‘fatigue’ associated with generic training, by being relatable.

- Timely, to ensure that staff are brought up to speed when the RAS, policies, procedures and controls are updated, or when new legislation, regulations or typologies emerge

- Monitored for effectiveness – Training can deliver tangible outputs, providing an indicator that compliance culture is improving and that risk ownership is being embedded. For example, after training was delivered, was there an increase in transaction monitoring alerts or suspicious activity reports (SARs) filed?

Criminal ingenuity is constantly evolving. The risk assessment must therefore be understood as an ongoing, dynamic process, intrinsic to all of the business's daily operations, rather than as a fixed, annual inconvenience to be ticked off. Good quality training is fundamental to embedding this sense of risk ownership and ensuring cultural change.


As an external consultant for the International Compliance Association, I deliver briefings on this very topic to organisations on a regular basis. Please message ICA or me if you would like us to help you develop technical competence in this area for you or your team. If you are interested in finding out more about ICA’s learning solutions, please visit www.int-comp.org/corporate/ica-enterprise. To learn more about FinCrime Protection, visit www.fincrimeprotection.com.
