The FFIEC’s 2010 Bank Secrecy Act/Anti-Money Laundering Examination Manual, Risk Assessment — Overview, page 22
residual risk. Traditionally, risk assessments involve making a control design effectiveness decision that does not include a more detailed operating test effectiveness. Nevertheless, understanding your control environment should involve the use of multiple data points to ensure the most accurate design effectiveness assessment possible. Control data points should include control type (automated versus manual) and control focus (preventative versus detective). These classifications, while useful, are not sufficient when used in isolation, and should thus be leveraged holistically. For example, the robust preventative and automated transaction platform is certainly a must, but what if installation occurred last week? This introduces the concept of control maturity. Control use and control review are among a dozen or more additional factors that can assist with making a more educated control design effectiveness decision and serve as the roadmap upon which to develop a control testing plan.

Last, but certainly not least, we arrive at residual risk. Residual risk is the remaining risk after management has taken action to alter inherent risk through the implementation of controls. However, identifying residual risk must be viewed as the end of the beginning rather than the beginning of the end, as much work is left to be done once the heat map is in hand. Regardless of whether a residual risk score is automatically derived based on control design effectiveness or manually calculated through a thorough management review practice, the residual risk profile should become the playbook for integrating risk assessment results into the organization’s business practices.

Before we dive into part two, it is important to note that in the time it has taken you to arrive at this paragraph your organization’s AML risk profile has changed. Customers have been onboarded, correspondent banks have processed transactions, cash has changed hands and changes to staffing may have occurred. Organizations are well advised to proactively assess their risk through the use of the aforementioned KRIs as well as a robust interim risk assessment process.

An interim risk assessment process should touch major lines of business and include an evaluation of potential red flags such as violations or non-compliance with regulations and policies, department or business line metrics including vacancies and turnover, and changes to product offerings, risk models, third party relationships and department systems. This process is easily implemented through a formal checklist. The result of this evaluation provides management with a tool for identifying the need for more robust interim assessments and demonstrates a robust and proactive risk management culture.

So you have diligently defined your scope, developed your scoring engine, evaluated your controls, derived residual risk and even taken the time to develop a snazzy gradient shaded matrix depicting your organization’s risk in vibrant red, green and yellow. Congratulations…now what?

Recent surveys suggest that organizations struggle to derive value from their risk assessment. When you consider the fact that a risk assessment has the potential to shape almost every aspect of an organization’s AML program, it is disheartening to see the exercise conducted and the results left in the ether to await an annual update. At a minimum, an organization’s risk assessment can effectuate change to a dozen or more elements of a comprehensive AML program. Three such opportunities are described below.

Enhanced Due Diligence: As we have learned, “customers” are a primary risk assessment category. Let us pretend that through the risk assessment process your organization has determined that MSBs represent the highest risk customer type, based on the extensive use of supporting data of course. Why then does the enhanced due diligence (EDD) process use a one-size-fits-all approach? Ideally, an MSB-specific EDD form would be developed to address the additional risk presented by this customer type.

Transaction Monitoring Scenario Coverage: With customized EDD addressed, let us say that your risk assessment has also determined that correspondent banking reflects a high risk activity. Does your transaction monitoring system have a rule or scenario to monitor this high risk activity? Organizations should perform an annual assessment to map the results of the risk assessment to production scenarios to ensure appropriate coverage exists for those transaction types presenting increased risk.

Targeted Training: Recent enforcement actions have highlighted the failure of a one-size-fits-all training approach. One of the easiest opportunities to embed risk assessment results is in an organization’s training curriculum. Rather than look for providers with the latest tablet training capabilities, focus on your organization’s highest inherent risk categories and develop modules specific to these risks. For example, if the NRA population presents elevated risk to your organization, ensure that employees who work with this population have received additional education focusing on the unique risks presented by this customer type.

In summary, I suspect few will question the importance of the risk assessment process. However, I would encourage readers to question the risk their risk assessment creates. As money laundering schemes grow increasingly complex, organizations must develop and evolve their process to go beyond the mechanics of updating three dozen risk factors and instead fully embrace a risk identification and mitigation strategy commensurate with the level of sophistication of those who are intent on exploiting it. To close, please indulge me in one last visualization exercise. When you read the following words, what comes to mind? Ready?

Risk Assessment.

Michael Florence, CAMS, anti-money laundering practice leader, Treliant Risk Advisors, Washington, DC, USA, mflorence@treliant.com