Rethinking Risk Assessments

Say “risk assessment” to a financial crime compliance professional, and you’re sure to evoke hesitation or even fear. Though mandatory, risk assessments can be daunting, resource-intensive exercises. With new typologies and financial crime threats emerging all the time, how can firms practically rethink risk assessments for a better and more effective approach?

In a conversation with Melissa Sutherland, VP of EverC, FINTRAIL’s CEO Robert Evans and Managing Director Maya Braine unpacked some of the essential considerations for rethinking risk assessments. As risk assessments are the bedrock of your financial crime programme, getting them right is fundamental to your overall success.

Key definitions

Upholding a risk-based approach

A risk assessment is a key component of adopting a risk-based approach. Two-pronged, the exercise involves identifying your firm’s potential risks and then critically assessing them. Which risks are more likely to occur?  What is the severity of their impact? This assessment process will help dictate how you prioritise and distribute your resources. Because compliance resources are finite, moving efforts to a higher-priority risk area will mean less attention to lower-priority areas. While many firms are reluctant to shift resources away from a threat, this triaging is intrinsic to a risk-based approach. We must recognise that low risk is not the same as no risk. However, by prioritising the mitigation measures for highly-likely and high-impact threats, you are taking a risk-based approach which is, ultimately, what regulators expect. 

As new financial crime risks continue to emerge, simply adding them to a risk assessment can make it unmanageable and unsustainable. To counter this, risks should be checked and challenged. Look at the evidence and ask: is this risk still present and relevant?  If not, should it be deprioritised or removed from the assessment? It’s vital to be proportionate with your risk assessment and consider removing extinct threats as well as adding new ones.  Otherwise, the process will balloon to unmanageable proportions and your resources and effectiveness will become diluted.

Establishing cadence

Risk assessments are typically conducted once a year; however, a strictly annual approach is outdated. Ideally, and depending on the nature of the firm, risk assessments should be updated more regularly. As new financial crime risks emerge and more data is available to the compliance function, risk assessments should be re-examined. Especially for rapidly scaling firms, setting up a dynamic approach to risk assessments, which is intrinsic to how the business grows and scales, is vital.

Six months is a long window in the life of a rapidly growing and scaling business. Things evolve very quickly, and a lot can change. What you did six months ago can become irrelevant very quickly.
— Robert Evans, CEO and co-founder of FINTRAIL

Once a risk assessment is established, cross-reference it with output indicators, such as SARs filed. Are the real risks observed in line with those in the risk assessment? By having a lookback process, you can simultaneously address any assumptions, such as one particular jurisdiction or sector being high-risk, as well as capture changes.



Data, data, data!

One common problem with risk assessments is that they are often based on assumptions rather than factual information. Both internal and external data sources can give you more factual indicators of where your risks truly lie. For instance, your internal data may show you which industry types regularly see suspicious activity and feature in more investigations or SARs; this will likely be more accurate than generic “high-risk industry lists” that are not tailored to your firm.

As firms get better at capturing and utilising multiple data points, it’s important to make sure you utilise all relevant information while avoiding being overwhelmed. Risk assessments should balance using consistent data points and incorporating newer, evolving data points. Consistent and high-quality data points are important for benchmarking so a firm can track its compliance efforts and identify trends. When deciding which data points to use, consider your most significant threats. For example, if fraud is a top concern, concentrating on device ID information or biometrics might make the most sense. Allow your top-risk concerns to guide you on where to focus your efforts and which granular data points to include.

Garner insights from business teams

Suspicious activities are typically anomalous. Understanding risk and atypical behaviour requires identifying what is typical as well. Involving other stakeholders in your firm, such as customer-facing teams like relationship managers, can give meaningful insight into what regular activity looks like. As these teams have more exposure to standard day-to-day activity, they can help the compliance department create a better picture of risk factors. Without engagement with business teams, firms may have a skewed perspective of risk. For early-stage firms, having meaningful discussions with the CEO or key founders can help determine: who is the target customer base, and how would a typical user use the product?

Document your decisions

Unsurprisingly, it’s vital to document decisions and actions when it comes to your risk assessment.  Have a clear and articulate methodology statement: what methodology are you applying, and how do the calculations work? Use data to support your decisions. For example, if there have been no SARs filed or transaction monitoring alerts raised for a particular typology, then document that as part of your justification for its removal or de-prioritisation.
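To make the three steps above concrete (scoring each risk by likelihood and impact, running a lookback against SARs filed, and recording the justification for any deprioritisation), here is a small added example. It is not FINTRAIL’s or EverC’s code; the 1–5 rating scales, the score thresholds and the register and SAR counts are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Risk:
    """One entry in the firm's risk register (constructed example structure)."""
    name: str        # typology or risk area
    likelihood: int  # assessed 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int      # assessed 1 (minor) .. 5 (severe); scale is an assumption

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def prioritise(register: list[Risk]) -> list[str]:
    """Rank risks by likelihood x impact, highest first, to guide resource allocation."""
    return [r.name for r in sorted(register, key=lambda r: r.score, reverse=True)]

def lookback(register: list[Risk], sars: dict[str, int],
             high: int = 15, low: int = 6, min_sars: int = 3) -> dict[str, tuple[str, str]]:
    """Cross-reference each assessed rating with an output indicator (SARs filed per
    typology in the review period). Returns name -> (status, documented justification).
    Thresholds are assumptions; tune them to your own register."""
    findings = {}
    for r in register:
        n = sars.get(r.name, 0)
        if r.score >= high and n == 0:
            status, why = "challenge", (f"rated high (score {r.score}) but no SARs filed in period; "
                                        "assumption challenged, consider deprioritising")
        elif r.score <= low and n >= min_sars:
            status, why = "uprate", (f"rated low (score {r.score}) but {n} SARs filed in period; "
                                     "re-examine likelihood and impact")
        else:
            status, why = "consistent", f"rating consistent with {n} SARs filed in period"
        findings[r.name] = (status, why)
    return findings

# Constructed sample register and SAR counts (not real data).
REGISTER = [
    Risk("trade-based laundering", 4, 5),
    Risk("mule accounts", 2, 3),
    Risk("sanctions evasion", 3, 5),
    Risk("high-risk jurisdiction exposure", 5, 3),
]
SARS_FILED = {"mule accounts": 7, "sanctions evasion": 2, "high-risk jurisdiction exposure": 1}

if __name__ == "__main__":
    print("Priority order:", prioritise(REGISTER))
    for name, (status, why) in lookback(REGISTER, SARS_FILED).items():
        print(f"{name}: {status} -> {why}")
```

The justification strings are what you would paste into the methodology record: they tie each rating change to the evidence that prompted it.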

Do your risk assessment. Commit to it. Document it. If you’ve overcommitted, then adjust. Document the adjustment and continue forward.
— Melissa Sutherland, VP of EverC

Best practices and tips

1. Use data to inform your risk assessment, and create a lookback system that uses that data to confirm the assessment is working as expected.

2. Be realistic with how often you can review and refresh your risk assessment, and what tools or methodologies will support it.

3. Ensure your risk assessment is proportionate to the risks your firm faces.

4. Have governance in place to make sure you use your risk assessment meaningfully.

5. Get support from expert sources - both within your business and external - to optimise your process and create practical, workable, data-driven systems.



At FINTRAIL, we combine deep financial crime risk management with industry expertise to optimise your anti-financial crime programmes. With extensive experience assisting financial services businesses with building and conducting their enterprise and product risk assessments and customer risk assessments, we’re here to support you.