Your financial crime business wide risk assessment is probably broken

This article is a free excerpt from inCOMPLIANCE, ICA's bi-monthly member exclusive publication.

Holly Avent offers some advice on how to improve business wide risk assessments

From framework audits to Skilled Person reviews, our work consistently reveals that many firms’ business wide risk assessments (BWRAs) are falling short. Yet the BWRA should be the cornerstone of any financial crime framework, central to identifying and quantifying risk, setting risk appetite and informing downstream controls.

Given its critical role, we’ve spent considerable time examining how BWRAs can be made more meaningful and effective. But this is not a challenge we believe can be solved in isolation. We want to collaborate with more institutions to better understand what’s working, what isn’t, and how the BWRA process can deliver real value.

This isn’t just a firm-level issue; it’s a broader regulatory challenge. Despite guidance in the UK Financial Conduct Authority’s (FCA) Financial Crime Guide, there remains no clear consensus on what ‘good’ looks like. That needs to change.

What’s wrong?

So what’s wrong with the current approach that most firms are taking?

Backwards looking: The BWRA often looks backwards rather than forwards and therefore doesn’t tell you anything new about your risks or controls framework. If the BWRA is an exercise in writing down what you already know, it is, to put it bluntly, broadly pointless and might as well just be your MLRO report.

Not highlighting the critical controls: Historically there has been a temptation for organisations to use the controls assessment within the BWRA as an exercise in demonstrating to stakeholders (internal or external) the entire control framework has been covered, rather than highlighting the most critical controls and, more importantly, which aspect of the control is most relevant.

Confusing risks and risk factors: Firms often confuse risks and risk factors. Here are some real-life examples we’ve seen in clients’ BWRAs recently: 

  • ‘Politically exposed person (PEP) screening is not adequate’: This is not a risk. Rather, it’s a control that’s in place to prevent a risk from crystallising. The real risk is not that you don’t undertake adequate screening, but that your organisation becomes involved in the handling of the proceeds of corruption as a result of PEP customers not being correctly identified and classified. On the other hand, the number of PEPs within the organisation is likely to be a relevant risk characteristic of the customer risk factor, as the greater the number of PEPs, the higher the inherent vulnerability of the firm handling the proceeds of bribery or corruption. It’s worth remembering that managing PEP risk is a particularly hot topic and there’s a regulatory obligation to identify those customers that might be classified as PEPs and to apply a risk-based approach to them.
  • ‘Non-face-to-face delivery channel is higher risk’: This is not a risk either. It’s a risk factor. We can convert this risk factor into a real risk by identifying a risk event and the impact of the risk. For example, a criminal uses a fabricated identity to get onboarded in order to use the institution’s products and services to launder the proceeds of crime, exposing the institution to regulatory censure.
  • ‘Current accounts’: This isn’t a risk as it only states what product the firm offers and doesn’t actually tell us anything about the risk the firm is exposed to and is trying to manage.
  • ‘Failure to train staff’: This is listed on almost all BWRAs we review, but this isn’t a risk; it’s a control failing.

What should a purpose-led risk assessment look like?

A BWRA should articulate the actual risks. As highlighted above, firms often confuse risks and risk factors. We think this is partly due to the prominence of the five risk factors (customer, jurisdiction etc.) in the Money Laundering Regulations and Joint Money Laundering Steering Group (JMLSG) Guidance. Due to the way the regulations are written, people try to force risks into one of the five risk factors. In reality, real risks rarely sit neatly within a single risk factor and are significantly more complex than this.

  • What is a risk? A risk is the possibility of a certain event occurring, with an underlying cause, that has a negative impact. Remember it’s OK to include risks that aren’t applicable to you in your BWRA. Assessing these risks shows that you’ve thought about them and concluded that they aren’t relevant, rather than that you’ve just forgotten about them.
  • What is a risk factor? A risk factor is a characteristic that may make the organisation more vulnerable to a given risk. Risk factors should help you understand the risk profile of the business, identifying where the underlying risks are more likely to crystallise.

Next, a BWRA should isolate the relevant control(s). Once you’ve identified the risks your business faces you can develop and implement mitigation strategies or controls. But not all controls are created equal. Controls can be split into three main categories:

  • Directive (e.g. policy or procedures)
  • Preventative (e.g. screening customers at onboarding/having a four-eyes check)
  • Detective (e.g. management information).

In our view, controls that are preventative should ‘score’ more highly than directive or detective controls. You should also score controls more highly when you can demonstrate assurance over a control’s effectiveness. If a control has had external assurance, you can demonstrate control effectiveness much better than simply through your gut professional instinct. Really challenge yourselves on this. Too often we just see ‘highly effective’ ratings which aren’t credible, explained or backed by any evidence.


What are the benefits of a purpose-led risk assessment?

Ultimately, a purpose-led risk assessment will provide a strong evidence-based foundation for any re-prioritisation or reallocation of resources, allowing you to tell a better story to the regulator and other internal/external stakeholders and should help produce a tailored and informed action plan to reduce residual risk.

Final Thoughts

Having read this far, you may have some questions. For example, do these considerations align with FCA expectations?

  • Yes, we’re confident these meet FCA expectations. The FCA is never going to back a particular methodology or tool – it sets the expectations only.
  • When we started to think how we could do risk assessments differently, we drew on FCA publications. Firms being able to clearly articulate their risks is a repeat issue in Dear CEO letters.
  • We also looked at what key and respected bodies, including the Financial Action Task Force (FATF), are saying.

And would this approach work for a firm that isn’t headquartered in the UK?

  • Yes. This is not just a UK issue, but something that firms are grappling with across all jurisdictions.
  • We used our purpose-led approach with a major European bank recently as it had concluded that its approach was too costly, time consuming and not utilised.

Finally, what about the risk of controls not working? Well, control weaknesses are a reason why a risk crystallises – not a risk in themselves.

About the author

Holly Avent

Holly Avent is a Consultant at Avyse Partners. Visit the ICA Learning Hub for regulatory gap analysis templates produced by Avyse in collaboration with ICA.