Risk assessments – The eight most common errors firms make

Posted: 2nd May 2018

First published by Thomson Reuters in April 2018

Financial crime is a daily challenge that that can impact organisations in multiple ways.

Without the right assessment and controls, the results can damage organisations and their stakeholders, including customers, employees, suppliers, and owners/investors. How we perceive risk is entirely subjective, and this can lead to various competing methods to manage the risk being employed within a business.

We have recently seen the effects of de-risking in the banking world as a response to the challenges of managing financial crime risk, with the withdrawal of banking facilities and services to whole sub-groups of customers. The regulatory risk of money laundering and terrorist financing continues to be a common concern among many boards. Understanding how to manage the risk with cost-effective controls and responsible (not wholesale) de-risking are critical commercial decisions, as it’s vital the industry mitigates risk while ensuring customers retain access to vital financial services.

There have been some recent updates to remind firms of the importance of risk assessments and the need to establish and / or maintain them. A factor widely used in financial crime risk assessments is country risk. Last month, Transparency International released its latest Corruption Perception Index (CPI). The CPI provides countries with a score on how corrupt countries are perceived to be. The index ranks 180 countries by perceived levels of corruption from experts and business people. Historically, New Zealand and the Scandinavian countries tend to be viewed with the lowest levels of corruption. More recently, the Wolfsberg Group published its FAQs on how to manage country risk in the context of financial crime compliance, with an aim to improve firms’ understanding of the risk management process.

Nonetheless, country risk is only a single consideration within the risk management process. Designing an effective risk assessment can be a challenge, as a firm must consider its size, nature, complexity and global reach before adopting an appropriate set of metrics and methodology by which to measure the risk. With all these moving parts, it is common for mistakes to happen, or for processes to become less-than-optimal. Here, we have highlighted the eight most common errors firms make when assessing financial crime risk

EIGHT COMMON ERRORS

1. Buried or incomplete risk assessments

How often does your firm update risk assessments, and are they completed and signed off at board level? Some firms view a risk assessment as a static document. A risk assessment is a living document that can be sensitive to geopolitics, new products and services and many more factors. The evaluation needs to be continuously reviewed and tested to ensure that it remains effective.

2. Firms only performing desktop reviews of risk

A risk assessment only remains useful if the data is accurate and the risk is understood. Assessing the risks onsite to understand where controls are needed provides a more comprehensive view of the risk. Information that is passed third hand can be misinterpreted and even lost. Ensuring that risk assessment is performed onsite provides a more accurate perspective of the risks, as it allows risk to be examined first-hand (for example, through interviews or workshops).

3. Limited, or zero, senior management challenge

The Senior Management and Certification Regime (SM&CR) provides a regulatory responsibility to adopt risk management policies and procedures that satisfy the rules within the FCA Handbook. Who challenges the risk assessments in your firm? Senior management should set the right tone and challenge the risk assessment findings and methodology to ensure it stands up to scrutiny.

4. No business-wide risk assessment

Individual risk assessments of business areas do not consider broader implications of risk on the wider organisation, and often provide only a limited picture. Firms should be able to gain a holistic view in conjunction of the whole business as well as the individual business areas. Therefore, all individual risk assessments should roll up into one enterprise-level assessment that covers the whole business.

5. Missing the inherent risks

Identifying and capturing the inherent risk level is essential for effectiveness. Often risks are not considered across all customer groups, business operations, channels, products, new technology and geography. Third party risk is often missed and leaves firms partnering with unknown entities, resulting in potential risk to the business.  

6. Not evaluating the residual risk

The effectiveness of your controls will only become apparent when the residual risk is robustly evaluated. Are your controls effective in reducing or removing the risk? Is the residual risk commensurate with your risk appetite? Do you need further control measures to reduce it? Assessing and testing your controls to ensure they are doing the job will strengthen your defences. However, poorly designed and assessed controls are often as effective as having no controls.

7. Risk appetite not defined

An assessment needs to be within the risk appetite of the firm. Risk appetite varies from firm to firm in terms of acceptable levels and types of risk. How much risk is the firm prepared to take to achieve its strategic goals? Businesses need to define and communicate their risk appetite within a written statement to provide clear guidance on the levels of risk the firm is willing to tolerate.

8. Misjudging the value and consequences

The Money Laundering Regulations 2017 require firms to implement a written risk assessment formed on a risk-based approach. However, the importance of a risk assessment goes beyond a regulatory obligation. A carefully considered risk assessment will improve business sustainability and promote commercial advantage. 

NEXT STEPS FOR FIRMS

Have you reviewed your current risk assessment and updated where necessary? Is your risk assessment fit for purpose and capable of standing up to scrutiny? Consulting with internal and external stakeholders can provide different points of view to highlight the gaps in the assessment.

How compliant are you with the Money Laundering, Regulations 2017? The regulations oblige firms to “take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject to”. Firms must keep an up-to-date record in writing of the steps taken.

Are you scanning the horizon for new and emerging risks to stay ahead of the threat? New and emerging trends are always on the horizon, and firms need to be prepared for a range of emerging geopolitical, economic, technological and regulatory risks. Firms are recommended to align their external assessments with external sources such as the UK national risk assessment of money laundering and terrorist financing (released November 2017).

Gaining an independent view of both risk and the risk assessment displays to the regulator and other stakeholders a firm’s commitment to drive high standards in this area. Firms that have a willingness to self-assess and evaluate their policies and procedures will build on their experience to enhance their controls.

A move towards a more collaborative approach to tackle financial crime and fraud will improve how we assess the risks as an industry. Information sharing – both within the business and externally – can increase the effectiveness of risk assessments across the industry. The government has sparked some initiatives to assist the industry with better data sharing, but much more collaboration is needed. The Joint Money Laundering Intelligence Task Force (JMLIT) and Joint Fraud Taskforce bring together banks, law enforcement and regulators with a partnership approach to tackle financial crime and fraud.

Staying ahead of financial crime challenges and risks will continue to help firms build traction. Therefore, firms that assess, adapt and act now will be able to thrive in a market with continually evolving risks.