How to perform an effective risk assessment?
There are four key phases in performing an effective risk assessment, as follows:
“Phase 1: Identify the money laundering and terrorist financing risks faced by the different areas of the business, the clients and the markets we serve.
Phase 2: Assess each identified risk by considering the potential likelihood and resulting impact should it occur (inherent risk).
Phase 3: Apply and assess the mitigation measures for each scenario (risk control).
Phase 4: Review the mitigating measures (checks, systems and controls) we have in place or mitigating actions we could take, to bring the level of net risk to an acceptable level (residual risk).”
To identify the subject person's inherent risk, an assessment is undertaken across the following five risk categories, although other factors may also be considered in future:
- Clients
- Products and Services
- Interface Risk (or Delivery Channels)
- Geographies
- Other Qualitative Risk Factors such as employees and third parties.
Risk factors are the underlying causes or circumstances through which the subject person may be used for purposes connected to financial crime. Inadequate management of these risk factors could lead to loss of reputation, exposure to legal liability, and possible consequent financial costs.
Each risk scenario is analysed to determine the likelihood of the scenario occurring and the resulting impact. Control measures are implemented to mitigate the inherent risk, which is monitored through regular risk-based internal compliance reviews and reports, AML/CFT policies and procedures, and KYC checklists, irrespective of the type of the client.
Furthermore, each risk factor and each control measure is assigned a score (or “weighting”) which reflects, respectively, the level of risk associated with that risk factor and the effectiveness of the risk-mitigating measure. The weighting may range between 1 and 4 (or 0-100), with 4 being the highest risk weighting, and is assigned per risk factor.
Following the determination of the inherent risk and the control strength of the mitigating factors, residual risk for each scenario is determined by ‘subtracting’ the total score attributed to the levels of mitigation from the inherent risk score.
After determining the residual risk score, we verify whether this falls within the boundaries of a subject person’s risk appetite.
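As an added illustration, not part of the original text and not any firm's actual scoring model, the following Python sketch assumes one concrete form of the scoring described above: inherent score = likelihood × impact × weighting on a 1-4 scale, mitigation expressed as a control-effectiveness fraction applied to the inherent score, residual = inherent minus mitigation, and the residual compared against an assumed risk-appetite threshold. All scenario values, category labels and the appetite figure are constructed for the example.

```python
from dataclasses import dataclass

# Assumed 1-4 scales for Phase 2 (likelihood x impact); not figures from the page.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}


@dataclass
class RiskScenario:
    category: str                 # one of the five risk categories (Clients, Geographies, ...)
    description: str
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    weighting: int                # 1-4 weighting assigned to the risk factor (4 = highest)
    control_effectiveness: float  # 0.0 (no effective control) .. 1.0 (fully mitigated)

    def inherent(self) -> int:
        """Phase 2: inherent risk before any controls are considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] * self.weighting

    def mitigation(self) -> float:
        """Phase 3: score attributed to the control measures (assumed as a fraction of inherent)."""
        return self.inherent() * self.control_effectiveness

    def residual(self) -> float:
        """Phase 4: residual risk = inherent - mitigation, floored at zero."""
        return max(0.0, self.inherent() - self.mitigation())


def assess(scenarios: list[RiskScenario], appetite: float) -> list[dict]:
    """Score every scenario and flag those whose residual risk exceeds the appetite."""
    return [
        {"category": s.category, "description": s.description,
         "inherent": s.inherent(), "residual": s.residual(),
         "within_appetite": s.residual() <= appetite}
        for s in scenarios
    ]


# Constructed sample scenarios, one per selected risk category.
SAMPLE_SCENARIOS = [
    RiskScenario("Clients", "onboarding of a politically exposed person", "likely", "major", 4, 0.75),
    RiskScenario("Geographies", "client linked to a high-risk jurisdiction", "unlikely", "severe", 3, 0.5),
    RiskScenario("Interface Risk", "non-face-to-face onboarding", "almost certain", "moderate", 2, 0.25),
]
RISK_APPETITE = 10.0  # assumed residual-score threshold for the subject person

if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS, RISK_APPETITE):
        print(row)
```

Scenarios flagged `within_appetite: False` are the ones that need additional mitigating actions before the residual risk is acceptable.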