Reasonably designed. Risk-based. Mitigating controls. Adopted and approved. Fully implemented. Effectively managed. Inherent and residual. Appropriate.
We all know these terms and hear them day-in and day-out in the world of AML. But how many of us truly understand how they relate to AML risk assessment? When I first came to the land of AML following the events of 9-11, I asked myself, “How do we know what the risks are without taking a careful inventory of who we are, what we offer, where and to whom we offer it, and how we deliver it?” Seems simple enough on the face of it.
Every day, as individuals and consumers, we navigate risk and make decisions, and some of those decisions carry more risk than others.
Remember when you were applying for that pre-approved mortgage and you were told what amount you qualified for? Many thought, “Oh, I must be able to afford that.” Not so fast! How many mortgage owners are feeling the brunt of this now? Did you cross against the red light this morning with hot coffee in your hands and maybe your cell phone too? Was that a risk with oncoming buses and traffic or slippery conditions? The point is, we make decisions that are risk-based all the time, and we do so without considering the consequences because we accept the risk associated with that activity.
In the world of pervasive fraud, it is incumbent upon financial institutions of all types and sizes to assess risk, if only to know what risks exist for them. For many, it takes only one or two incidents to sit up and take notice. But why react when you can simply proact?
According to the Federal Financial Institutions Examination Council (FFIEC) guidance on risk assessment, understanding both the quantity and quality of risk is an important first step in AML risk assessment. Companies often begin by developing a risk questionnaire and asking business unit managers to assess the risks associated with the company’s products and services and the types of clients who buy them. It’s important to identify how many customers of each type you serve, so that you have a good idea of the risks associated with each group and fully understand the level and type of activity you can expect.
The purpose of conducting a proactive AML risk assessment is to determine what risks exist and how you will mitigate those risks. Whether you use questionnaires, interviews or other means to identify and collect information on risk in certain areas of the company, performing the assessment not only sets the stage to identify risk factors – it lays the foundation for more fully understanding the risks those factors impose. Demonstrating that a judgment was made based on analysis and diligence goes a long way toward defending an action taken.
One of the variables in conducting a risk assessment is whether to limit the assessment to customers, products and services, and geographies. Some companies will go a step further and explore additional risk factors and design mitigating controls to be implemented. What is left is the remaining, or residual, risk: that which the company accepts in operating its day-to-day business.
Examiners look for a risk assessment to be “reasonable.” A subjective standard perhaps, but to a consultant like myself who conducts independent reviews, “reasonable” means the company considered its risks following a comprehensive analysis of the risk factors.
An evaluation of compliance risk exposure takes into account the financial crime risks, the strengths and effectiveness of established controls designed to mitigate risk, and the identification of residual risk. The risk assessment is designed by the company for the company, to identify potential events that, if they occur, can be managed within the company’s risk appetite.
Preparing a thoughtful AML risk assessment, no matter how limited in scope, will help the company as well as key personnel to better understand its risk appetite and its risk exposures based on geographies, customers and products/services. As the foundation for your compliance program, the risk assessment can begin with a thoughtful review of operations, and that is a great starting point. Understanding the risks faced in managing day-to-day compliance operations is key to protecting your assets. Remember that demonstrating knowledge of the company’s appetite for risk will go a long way toward defending your program and keeping you out of the headlines.