Components of a Fit-For-Purpose Risk Assessment
A Fit-For-Purpose Risk Assessment is Key to Effective Risk Management
ABOUT EXIGER

Exiger is a global regulatory and financial crime, risk and compliance company. Exiger arms financial institutions, multinational corporations and governmental agencies with the practical advice and technology solutions they need to prevent compliance breaches, respond to risk, remediate major issues and monitor ongoing business activities. Exiger works with clients worldwide to assist them in effectively managing their critical challenges while developing and implementing the policies, procedures and programs needed to create a sustainable compliance environment. A global authority on regulatory compliance, the company also oversees some of the world's most complex court-appointed and voluntary monitorships in the private and public sectors, including the monitorship of HSBC. Exiger has four principal business units: Exiger Advisory; Exiger Analytics, including DDIQ, the groundbreaking cognitive computing and intelligent search platform; Exiger Diligence; and Exiger Insight 3PM. Exiger operates through offices in New York City, Silver Spring (DC Metro), Miami, Toronto, Vancouver, London, Hong Kong, and Singapore.
The goal of a risk assessment is to enable an organization to understand its risks thoroughly so that it can manage them effectively. Each organization must tailor its risk assessments to fit its industry, business model, customer base, products and services, distribution channels, regulatory environment, and risk appetite. A well-designed risk assessment sits at the intersection of all these elements, covering the specific areas of risk exposure the organization faces while targeting the risk management controls needed to mitigate those risks. The risk assessment process is not static or immutable; it must be updated periodically to account for changes to the organization's business model, business landscape, and regulatory environment.

Things to Consider When Designing a Fit-For-Purpose Risk Assessment

Designing a fit-for-purpose risk assessment is a cornerstone of effective risk management. The risk assessment process must be aligned to an organization's business model in order to demonstrate that its risk control framework is sufficient to manage its actual risk exposure. Regulators and auditors often include fitness-for-purpose as a core element of their periodic examinations. In the FFIEC BSA/AML (Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering) Examination Manual, for instance, the principal guidance for reviewing a bank's risk assessment states:

"Review the bank's BSA/AML risk assessment. Determine whether the bank has included all risk areas, including any new products, services, or customers, entities, and geographic locations. Determine whether the bank's process for periodically reviewing and updating its BSA/AML risk assessment is adequate."

Using a generic template (as shown in the following charts) to begin constructing a risk assessment will generally yield a generic framework.
The data captured from this type of template will not provide the level of granularity and specificity an organization needs to ensure a thorough and effective risk assessment.

Generic Risk Assessment Templates

Risk Category            Risk Weighting      Risk Score
Products
Services
Customers
Geographies
Distribution Channels

Control Category         Control Weighting   Control Score
Onboarding
Monitoring
Training
Program Governance
Systems
Business Scenarios

The following scenarios illustrate the risks and benefits an organization may experience when developing and conducting risk assessments.

Background Information

The following scenarios help to illustrate some of the disadvantages that result from ineffective risk assessment processes versus the benefits gained when a fit-for-purpose risk assessment model is implemented. These examples are drawn from the highly regulated financial services industry, an industry with significant experience developing effective risk assessments and facing the consequences when failures occur. Although organizations in other industries may face less stringent regulatory requirements and examinations than financial services companies, an effective risk assessment process is still the foundation of proper risk management. An effective risk assessment process enables organizations in all industries to protect their customers, their stakeholders, and themselves from serious regulatory, reputational, and financial harm.

Bank X is a mid-sized U.S. regional retail bank with 28 branches located in six states. It has some commercial clients with international trading relationships, so it maintains representative offices in Canada and Mexico, but these foreign offices do not execute financial transactions; they merely facilitate client business dealings that are ultimately booked in the U.S. Bank X is developing a risk assessment covering its financial crime compliance (FCC) risks and controls, including risks and controls for anti-money laundering (AML), sanctions, and anti-bribery and corruption (ABC).

A Risk Assessment that is Too Generic

Bank X constructs a generic risk assessment framework that lacks granularity.
As a result, it is not able to effectively identify the specific aspects of its business that expose it to the most significant risk, and these are the business areas that typically need stronger controls. For example, when Bank X considers the FCC risks associated with its products and services, it selects only generic banking categories to include in its risk assessment questionnaires:

    Deposit products
    Commercial lending products
    Consumer credit products
    Consumer lending products

These broad categories do not sufficiently represent a targeted understanding of the inherent risks these products can pose. For instance, when an assessment unit selects the generic category "deposit products", Bank X is unable to differentiate between the risk posed to that unit by an individual customer's deposit activity versus that of cash-intensive businesses (which represent a much higher risk for money laundering activity).

A Risk Assessment that is Too Myopic

Bank X decides to be especially rigorous and granular in its assessment of FCC risk. It creates a model that assigns a risk score to every customer transaction processed during the past year, using a combination of risk ratings associated with the product, customer, geography and amount. The model calculates the percentage of transactions that fall into the highest risk bracket and compares this percentage to the same figure for the prior year's transactions to determine whether Bank X is increasing its risk exposure. This model's extreme focus on single transactions precludes the possibility of assessing risks posed by product categories, customer types or geographies. It also does not afford Bank X the opportunity to measure larger risk trends associated with changes in business model, product offerings, customer populations or geographical scope.

A Risk Assessment with an Incorrect Business Focus

Bank X constructs a risk assessment framework that excludes its domestic business operations. This leads the risk assessment to focus exclusively on the representative office operations in Canada and Mexico. The risk assessment therefore determines an inherently low, and inaccurate, level of risk, since these offices execute no financial transactions and operate in highly regulated environments.
This focus on its foreign operations means that the resulting risk assessment does not cover the risks associated with its domestic operations (which represent 100% of its commercial activity). Since the risks of violating AML, sanctions and ABC regulations reside almost entirely with the bank's domestic customers and their financial activity, this focus on the two representative offices results in an inaccurate assessment of Bank X's risk exposure.

A Risk Assessment that is Fit-For-Purpose (For Now)

Bank X develops a risk assessment model that includes all of its major business lines, product offerings, customer types, transactions executed, distribution channels, and geographical exposure. The control framework used to mitigate risks caused by business activity is broad enough that trends can be established. It is also sufficiently granular to help identify the root cause of control deficiencies and remedy them effectively. In this case, Bank X has passed the first test of developing an effective risk assessment process, which is to design a risk assessment framework that accounts for all of its business activities and areas of risk exposure. Bank X also needs to develop a governance mechanism for its risk assessment process so that it undergoes periodic evaluation covering all areas of the bank's operations. As the organization's business model and dynamics shift, the risk assessment framework should be adjusted to account for changes or additions to its business operations, product offerings, customer base, industry standards, or regulatory expectations.

A fit-for-purpose risk assessment is a critical component of effective risk management. Organizations should be wary of the business risks that result from risk frameworks that are too generic, too myopic, or have an incorrect business focus. When an organization develops a risk assessment process that aligns with all of its business activities and areas of risk exposure, and recognizes that the process is not static, it is much better positioned to identify, address, and minimize its regulatory and reputational risk.

How Risk 360 Can Help

Exiger Risk 360 is a web-based, content-agnostic assessment platform that enables centralized administration of enterprise-wide and targeted risk assessments. The tool is flexible and user-friendly, and it offers transparent methodologies that provide clear audit-trail documentation.
When the Risk 360 platform is used in conjunction with risk assessment subject matter experts, corporations optimize their risk assessment business model and processes in a way that enhances resource efficiency while minimizing the regulatory and reputational risk to their organization. Risk 360 is part of Exiger, a global regulatory and financial crime, risk and compliance company.
For more information, contact:

John W. Melican
Managing Director, Americas Regional Chair
Head of Financial Crime Practice
jmelican@exiger.com

Chris Andre
Managing Director, Americas
Deputy Head of Financial Crime Compliance
candre@exiger.com

Patrick Pizzichetta
Financial Crime Compliance Advisory Managing Consultant
ppizzichetta@exiger.com

New York City | Silver Spring (DC Metro) | Miami | Toronto | Vancouver | London | Hong Kong | Singapore
www.exiger.com