You’ve just completed your organization’s Compliance or Financial Crimes Risk Assessment. The box is checked, academic exercise complete. Now, USE IT!
Use it to educate, communicate, inform, request, decide, plan, forge ownership, establish accountability, execute, and mitigate risk.
A fundamental objective of an effective risk assessment is to identify and rank an institution’s applicable compliance risks on a residual-risk basis, following due consideration of relevant controls. This is the Risk-Based Approach!
Communicating the results of a risk assessment is where the process of exploiting its utility takes shape. It is imperative that the key takeaways from the construct, categories, criteria, data, ratings, and rankings of the content be translated and condensed into a cogent narration of top risks, replete with rationale, supporting quantitative data, directional indicators and drivers, emerging risks, and changes in the internal and external environments that influence the evaluation and conclusions.
Then, and I cannot emphasize this enough, it is essential that any presentation and discussion of top-rated enterprise risks be accompanied by a recommended plan for managing and mitigating such risks over the ensuing year, perhaps longer.
The case for action must be conveyed to senior business leadership to ascertain their understanding, solicit their input, weigh any challenges, and align on the outcomes –the risk ratings and the proposed mitigation plan.
In communicating, debating and aligning on the top risks and the action plan, it is compulsory to reach alignment and formal approval with management for requests of compliance resources, in the form of operating and capital expenditures, needed to succeed.
WHERE THE RUBBER MEETS THE ROAD, or where the academic exercise leads to ownership, execution, and accountability.
None of the above steps, as integral to success as they may be, will mean anything if the following action is not incorporated into the process and pursued with full vigor and priority. The preceding outcomes must now be funneled into the development of a formal, usually annual, compliance plan that will describe what is to be accomplished, what success looks like, when it will occur by, and who is responsible for delivering the result –executive and operational business owners.
Most action items in a compliance plan are commonly owned in the First Line of Defense. It is common and strongly recommended that the First Line memorialize these commitments in compliance goals for management and employees, create detailed actions plans and milestones, and for the Second Line to track progress and assess results for inclusion in performance evaluations and compensation decisions for business units and individuals.
WHAT MAKES FOR AN EFFECTIVE RISK ASSESSMENT?
From the Big Picture perspective, risk assessment results should be assessed by senior management in context of their formal Risk Appetite Statement, to identify business segments where the amount and type of risk assumed from business activities may run outside management’s comfort level.
For example, whereas banking international money services businesses may be highly profitable, will unchecked growth in such activity place an institution in a position of taking risks that regulators or the public may perceive to be too great for the stated charter and market segment within which the institution is positioned?
In addition, a wise and well-coordinated business will provide a chair for Compliance at the business planning table so that the costs of planned risk mitigation at both the First and Second Line levels can be adequately and accurately assessed for inclusion in business operating budgets and capital investment decisions. And, Risk and Impact (likelihood of occurrence) assessments are carried out during the new product development lifecycle, including all new delivery mechanisms and technology utilization.
Risk assessments that provide optimal utility to an institution are updated on a pre-defined cycle or as a result of defined trigger events that suggest the assumption of significant added risk, for example, mergers and acquisitions, or entry into new geographic markets, market segments, or new product and service offerings.
Risk assessments that pass the glare of regulatory inspection evidence formal design and approach. They are not a letter drafted by an executive based on episodic knowledge, conversations, interpretations of selective readings or research, or personal assessments of perceived risk. While some such narratives are artfully crafted, they are ultimately picked apart and cannot withstand the rigor of audit and inspection.
They are developed in accordance with a defined methodology, fully documented to support conclusions, and stand up to challenge. They include business-specific and industry level risks for consideration and reporting to management. Management overrides to risk assessment ratings and conclusions, while not impermissible, are adequately substantiated, explained, and documented, and substantially limited in frequency.
Through years as a practitioner in compliance and AML/FCC programs at a handful of global financial institutions, and five years as a consultant at boutique and Big Four firms, I’ve noted several common pitfalls that adversely impact the effectiveness of a risk assessment, or even call its veracity into question.
Chief among them are deficiencies around an institution’s risk appetite statement, monitoring of known and emerging risks, and practices that undermine the deployment of a formal, objective, and consistent methodology.
Regulators frequently criticize institutions for lacking a formal and clearly articulated Regulatory Risk Appetite Statement, or for lacking robust monitoring of business activities against risk appetite thresholds, if such thresholds exist at all. They also expect to see evidence of connection between the official risk assessment and conveyance of top risks and changing risk profiles to senior management and the Board, for input to business, risk, and resource decisions.
A risk-based approach can be opened to challenge if there is an absence of metrics or dashboard reporting on Key Risk Indicators that present senior management with a birds-eye pictorial of Inherent and Residual Risk levels, emerging or directional risk, and risks warranting escalation for actioning or monitoring.
Over-reliance on subjective inputs not governed by prescriptive criteria or clear rationale, and unsupported management overrides to risk ratings can also undermine the veracity of the risk assessment and business decisions and action plans predicated upon its conclusions.
Insufficient documentation of a risk assessment, its framework and methodology, and the rationale for risk scoring weights and aggregation approaches, along with a lack of robustness in risk and control assessments, are also common failings that will open up an institution’s risk assessment and related downstream efforts to question, challenge and criticism from constituencies within and from outside the organization.
Remember, risk assessments are like running marathons — so much work goes into arriving at the risk assessment, but when that happens, you have only reached the starting line!
Thought Leadership Series
An Article by Mr. Gary Ferrari, CAMS
Executive Advisor for Strategic Markets
Mr. Ferrari has been an Executive Advisor for Strategic Markets at THE DATA INITIATIVE since June of 2019. He is also a consultant on financial crimes risk and compliance matters. Mr. Ferrari has had an extensive and distinguished career in financial services and consulting; having held executive roles at Ernst & Young, American Express, Standard Chartered Bank, Citi, and GE.