Risk assessment processes and controls in firms: our findings

Risk assessments that: 

• Are quantitative and qualitative.
• Consider a range of internal and external factors.
• Are weighted.

Risks are assessed by business areas, and the results are combined in the BWRA.

BWRAs consider: 

• Inherent risks.
• Control effectiveness.
• Residual risks.

Firms formally assess BWRAs yearly, rather than simply refresh.

Risk assessments are tailored to the firm, products and customers. Also, the firm documents how it is managing these risks.

Some BWRAs focus mainly on fraud or generic risks, often ignoring specific money laundering, sanctions, anti-bribery and corruption, proliferation financing, and terrorist financing risks. 

We saw firms: 

• Oversimplify the risks they are exposed to.
• Fail to explain how each risk affects the firm.

Some firms’ risk assessments are solely qualitative.

Some BWRAs lack clarity on how the firm identifies and assesses inherent risks.

We saw firms conclude their business is low risk, or that controls are effective/mature without appropriate evidence to support this.

Firms consider capacity of their compliance and financial crime functions to support the current and future growth strategy.

BWRA feeds into risk appetite, controls testing and the firm’s overall risk-based approach. 

CRAs which directly impact firms’:  

• Customer due diligence.
• Transaction monitoring.
• Other processes and controls used to mitigate identified risks.

Firms formally track BWRA actions and note recommendations on how the firm plans to mitigate or reduce the overall risk.

Firms consider financial crime risks in product development, business strategy, growth and sales discussions. 

The MLRO is represented in the associated committees to articulate the risks and financial crime framework enhancements needed to support the business.

Some firms have not developed their CRAs in line with business growth to ensure scalability, consistency and accuracy.

Some firms do not record BWRA actions or assign them owners.

We saw some firms rapidly expand product, service and customer type without considering and ensuring controls remain appropriate and effective beforehand.

Firms share BWRA document and summary with senior management and committees for review and approval – highlighting trends, conclusions, recommendations and actions. 

CRA management information is provided to senior management committees for discussion. 

Evidence of MLRO and committee challenge on risk assessments.

Firms consider CRA processes in business continuity plans.

Firms document risk assessment methodologies in detail and formally log, discuss and approve changes.

Firms review their risk assessment models and processes.

Quarterly or triggered updates to risk assessments to make sure they are responsive to emerging risks and changes in regulatory requirements.

Firms reflect the risks identified and assessed within the BWRA in the CRA through weightings or sub-factors.

Some firms do not document senior management discussion, challenge and approval of BWRAs.

Senior management understanding of financial crime risk mainly focuses on fraud.

Some firms carry out limited or no testing and reviews of risk assessment processes when they make enhancements, upgrades or automation.

Risk assessments are not sufficiently dynamic – this could lead to outdated risk profiles adversely informing business strategy and decisions on control design.