Why Old-Fashioned Risk Assessments Get Rejected by Regulators and Partners


During the last months, I saw multiple examples of old-fashioned tabular, Excel, or matrix-based risk assessments being challenged by regulators and also declined as unclear or insufficient as part of due diligence reviews.

The challenges came as a series of questions (and, in some cases, remarks that looked quite biased and even rude) from the reviewers:

  • Your risk assessment process appears to be very confusing and hard to follow.
  • Your risk assessment is hard to understand.
  • It is difficult to reconcile the criteria used for your risk assessment with the regulatory requirements.
  • Why did you use weights XXX for this type of risk?
  • Your risk assessment does not differentiate clearly between product risk, AML risk, fraud risk, and other risks.
  • Your control descriptions are unclear.
  • Your risk assessment is not actionable.

You would be surprised to know, but these comments did not come from a junior intern on their 3rd day in the office; they came from reasonably mature professionals. As a result, the due diligence reviews and license reviews were delayed because of these additional questions and clarifications around the risk assessment methodology and the descriptions of risks.

So – what was the problem? Why do reviewers pay such close attention to the risk assessment documentation?

Many reviewers currently use risk assessment documents as the main document to learn about your business and the maturity of your team. If they are able to get a clear picture easily, the risk assessment is good. If your reviewers feel overwhelmed and unable to understand your business, the risk assessment is bad.


This is what makes your risk assessment confusing, overwhelming, and hard to follow:

  • When it looks like a long list with too many lines and columns.
  • When there is no executive summary.
  • When you have more than 3 high residual risks.
  • When you use internal jargon, names of your internal tools and systems, or other abbreviations to describe risks and controls.
  • When you overcomplicate calculations of weights, probabilities, and in general, use too many numbers and formulas.

In the old-fashioned world of traditional finance, the risk and compliance teams viewed their main role as information providers for the senior managers and the board. The more information they collected, processed, reorganized, and dumped on others, the better they felt about their jobs being done well. These days are over if you work in FinTech. Risk and Compliance are no longer viewed as information services; they are assessed based on their ability to implement, finish, and launch new projects and get approvals.


What's the new way of preparing and presenting your Business Wide Risk Assessment:

  • View it as the main marketing document describing your business; this is where your reviewers will start learning about what you do as a company.
  • Forget Excel and Google Sheets. Use plain language and bullet points.
  • Minimize or drop entirely your use of calculations, weights, probabilities, and other numerical elements.
  • Start with an Executive summary and an action plan. No longer than 1 page.
  • No more than 3 high residual risks. Otherwise, you should not be in business.

If these observations resonate with you, I have GREAT NEWS:

On May 24th, 2023 at 1 PM CET, I will be offering an updated version of the FinTech Risk Assessment Workshop, where I will walk you through my entire process of preparing the risk assessment in a simple and easy-to-replicate way. It will take you no longer than 60 minutes to keep it up-to-date. I will also give you the template I've used with my clients and refined over time.

Bonus: a simple risk assessment methodology matrix is added to help you describe the process of arriving from the inherent to the residual risk following just a few simple steps!

During this workshop, we will cover all required risk assessment elements any FinTech may need:

  • An executive summary with key takeaways and an action plan.
  • Product Risks for bank and card payments, wallets, BNPL, and crypto.
  • AML/CTF risks (covering FATF, EBA, and JMSG criteria)
  • InfoSec and fraud risks
  • Crypto and VASP-specific risks (covering FATF and EBA criteria)
  • Governance and regulatory risks
  • Operational and financial risks
  • Startup environment risks


If your startup is in the middle of opening bank accounts or seeking approvals from white-label partners, you definitely need this training ASAP.

Let me know if you have questions!
