Improve Controls Effectiveness with a Robust Risk Assessment

The starting point for a risk-based anti-financial crime programme is a robust risk assessment. For some financial crime risk types, having a risk assessment is a regulatory requirement. For others, relevant guidance states that it would be considered as part of a suite of reasonable prevention procedures and, therefore, a potential defence to corporate criminal liability. Yet, there are many firms that still do not have robust risk assessments in place.

In recent years, the Financial Conduct Authority (FCA) has specifically highlighted¹ that amongst regulated firms:

• The quality of risk assessments in general was poor
• The risks identified were not detailed enough
• There was a lack of evidence around the assessment of controls
• The residual risk was not always formally documented or understood within firms

Common Pitfalls of Risk Assessments

From our Skilled Person and firm-side experience, Guidehouse has identified the following themes that lead to ineffective risk assessments: 

• There isn’t one — Whilst it is a regulatory requirement, there are some firms that do not even have a risk assessment. Some AML policies may include high-level articulation of risks, but nothing more. Or the risk assessment may simply state that there is a risk of money laundering, without sufficient detail around how that risk may materialise through the firms’ customers and products. Some firms still don’t have a proliferation financing risk assessment, even though the requirement came into force on 1 September 2022.²
• Reliance on third parties — Quite often, firms will commission a third party to conduct their risk assessment and will have no involvement in the process – in effect, “ticking the box.” As a result, such firms struggle to articulate their risks and/or risk assessment methodology under examination from the regulator or a Skilled Person, casting a shadow on their risk-based approach.
• Copied and not tailored — We have observed risk assessments that have been blindly copied from other firms without tailoring the risks to the needs of the business.
• Overly complex — We have seen risk assessments that include vast spreadsheets, irrelevant risks and complex algorithms to calculate risk scores. Often, firms cannot explain the methodology and key outputs of such complicated risk assessments.
• Confusion of inherent ML risks and ineffective operational controls — Often, there is confusion between inherent risks of money laundering and operational risks. This can be one of the root causes of risk assessments becoming complex, confusing, and difficult to maintain.
• Missing/over-optimistic controls assessments — Sometimes, we see controls assessments that paint a picture of a strong framework, despite the firm being under a s166. Other times, the absence of a controls assessment indicates a lack of understanding of the residual risks.
• Tick-box exercise — Many risk assessments simply “tick the box” and are re-visited on an annual basis but are not used to inform the compliance programme. Most people within the firm (aside from the person producing it) do not even know what the risk assessment says.

Using the Risk Assessment: How to Make Your Programme More Effective

Merely performing a risk assessment is unlikely to satisfy the regulatory requirements. In our experience, regulators want to see how firms actually use their risk assessment to drive their risk-based approach. Having a controls environment without a risk assessment is a bit like playing chess without considering your opponent’s moves. Here are some examples of how a risk assessment can be used:

1. Prioritise and respond — As part of the risk assessment process, you may uncover new risks and control gaps. Firms, however, should not treat all residual risks the same. It is important to remember that prioritising is not the same as ignoring. Develop an action plan and prioritise risks and controls based on severity.
2. Ensure your controls are risk-based — A meaningful risk assessment should identify high-risk areas that require the most attention. Ensure those areas are a priority for your control environment – consider what extra controls are needed where your inherent risk is high and where you could do less for lower risk areas. Ensure the risks identified in the risk assessment are flowing through to your transaction monitoring scenarios. Consider how you could evidence this – do you have a coverage assessment, for example?
3. Monitoring plan — Ensure the output of your risk assessment informs the second line monitoring plan. A risk assessment helps to identify areas for monitoring and the appropriate frequency.  The areas identified with weaker controls and higher inherent risk should be subject to more intense monitoring (more frequently) than others.  
4. Board communication —Key risks identified in the risk assessment should be communicated at different levels within the organisation and relevant risk committees. Since the Board sets the risk appetite, it is crucial that they understand the output of the risk assessment. They should use it to monitor whether the firm is within its risk appetite or whether action is required to address any risk exposure outside tolerance.
5. Training — Employees need to be alert to the risks particular to the firm and, therefore, training programmes must be tailored to reflect those risks. Off-the-shelf training should be supplemented with institutional risk-specific training.
   
   

How Robust is Your Risk Assessment?

Increased attention from the regulatory authorities, alongside the potential benefits to an organisation of a well-executed risk assessment, signals that firms should consider whether their risk assessment process is fit for purpose. For an initial self-assessment, answer the following questions honestly and, most importantly, consider how you can evidence your response:

• Was the output shared with the Board and/or other governance forums? What actions followed and was there suitable challenge from the Board?
• How do you know your risk assessment methodology is robust? Can you explain the risk assessment methodology in a clear and succinct way, e.g., data sources, scoring algorithm?
• Can employees at all levels articulate the key risks?  Do they know the difference between risks and controls?
• When was the last off-cycle risk assessment? Do you have a process to identify triggers for updating a risk assessment off-cycle?

Guidehouse can help firms design and execute, or independently review and recommend enhancements to their financial crime risk assessments.  Please contact us if you would like to discuss the effectiveness of your risk assessment.