Throughout my years of work in compliance, there is really nothing I enjoy more, and nothing more challenging, than constructing a new risk assessment. Part art and part science, risk assessments challenge us to look at a business through a static lens and then give it a grade that provides a quantifiable measure of the effectiveness of its efforts to curb risks. And, although the process allows for some flexibility in approach, I have rarely met anyone involved that feels like they have gotten it exactly right.
While having a risk assessment may not be a strict legal requirement in every case, there is an expectation by regulators and bank partners, alike, that Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and The Office of Foreign Assets Control (OFAC) compliance programs and controls be "risk-based," and that riskbased decisions should be formalized and documented. In this sense, the term risk-based implies a recognition 1) that risk will never be eliminated completely – that is not the goal of a risk assessment, and 2) that resources within the company are finite, and so the best approach is to focus those resources thoughtfully where they will have the most meaningful effect. To that end, risk assessments have become a cornerstone of effective compliance programs, a vehicle for concise communication of risks to senior management, and an effective tool for tracking controls identification, design, and implementation.
But what does it actually look like? How does it work? There are numerous types of risk assessments that can be conducted by a financial institution based on the need and scope targeted AML risk assessments, product risk assessments, vendor and third-party risk assessments, and in some cases broad, enterprise-wide risk assessments. All generally contain some common elements and share similar purposes, but often achieve the goal in a variety of ways unique to each entity.
First, identify and categorize the risks faced by the company – for an AML risk assessment, reviewers will expect that this results in the identification of some specific risk categories (e.g., products, services, customers, and geographic locations), and then further examining risks within those categories. For example, within the "geographic locations" category a company may recognize that they operate in a jurisdiction known to be relaxed in government oversight or likely to attract fraudsters.
Next, assess the likelihood and impact of the realization of each risk. First, in an environment where no controls are applied (inherent risk), and then, for comparative purposes, in an environment in which the company's controls exist and have been tested and applied effectively (residual risk). Typically, these attributes are scored or otherwise labeled to produce a resulting confidence level (e.g., high, moderate, or low) relative to the risk following the application of controls. Using the previous example, operating in a high-risk jurisdiction, and applying no controls will likely result in a negative outcome (high inherent risk). However, if the company requires additional information for customers using the service in that jurisdiction, it will thereby reduce that likelihood by some degree ("low residual risk"). Scoring methodologies to reach these outcomes – how the level of risk is defined, scored, and labeled - will often differ and can range from simple and straightforward to very intricate.
Ultimately, there are right ways to do this, yet some examples I have found over the years left something to be desired in their design. The keys to this, particularly for startups, will be to approach the process in earnest, evaluate your company honestly, involve all the members of the senior leadership team for their input, start as simply as reasonably possible with scale and audience in mind, and do not expect the results of the risk scoring to look pretty (low risk) on day one. Remember that the purpose of the exercise is to understand your risks and strategically apply measures to control them, not eliminate them. Mostly, the only recurring audience will be the individuals from within your organization; external third parties are typically limited to bank partners, auditors, or examiners.
The next steps will include approval of the risk assessment by the Board of Directors, recurring (typically annual) reviews of these risks, making decisions about how to report on risk trends, regularly consulting your assessments prior to making significant changes to your platforms or services, and perhaps even growing your company's maturity and scale to include a Risk Committee for program governance. Over time, transaction data, user data, supporting third-party platform data and leadership team input will come to further inform your risk assessment and the overall understanding of the effectiveness of the controls environment. Having this data will allow the risk assessment to become more objective and quantitative as opposed to being purely qualitative. As your familiarity with risk management grows, so will your comfort level in understanding how to put it all together.
If it all sounds like a big deal, that is because it is. However, you do not have to go through this process by yourself. You do not have to wade through the search results for "AML Risk Assessment," read the published guidance for bank examiners, or watch replays of Association of Certified Anti-Money Laundering Specialists (ACAMS) seminars and sessions online to try to figure it all out. While that is all helpful, it can also be overwhelming. The good news is that there is an experienced team at Ankura who has gone through this process for many years, many times for many types of clients and many types of risk assessments, and can assist in a variety of ways, from building it for you to simply providing a helpful eye to guide you along the way. We are here to help you and we look forward to hearing from you about these and any other compliance-related needs you may have.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.