Business Risk Assessment
A supervised person’s Business Risk Assessment (BRA) and formal Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT) and Countering Proliferation Financing (CPF) strategy are key tools to help establish a robust risk management framework to detect and prevent financial crime.
Supervised persons are required to have in place a comprehensive and up-to-date BRA, clearly supported by information and data, which assesses and records the ML/TF/PF risks relevant to their business. Based on the BRA, a supervised person must establish a formal strategy to manage and mitigate the risks identified.
Where a supervised person has not adequately assessed its ML/TF/PF risks, the strategy it sets, and the systems and controls it designs in response, are unlikely to be effective in mitigating and managing the ML/TF/PF and wider financial crime risks it faces.
A supervised person’s BRA and formal strategy are the foundation of an effective financial crime prevention and detection framework. If the BRA and strategy are ineffective, systems and controls may not operate as intended, exposing the supervised person to unacceptable levels of financial crime risk.
WHAT SHOULD A BUSINESS RISK ASSESSMENT COVER?
The key responsibilities of the Board of a supervised person are to:
- identify the supervised person’s financial crime risks and consider them in the round;
- ensure that its systems and controls (including policies and procedures) are appropriately designed and implemented to manage those risks;
- assess whether those systems and controls are operating effectively and as intended;
- consider whether residual financial crime risks are within the supervised person’s risk appetite and implement action plans where those risks may be outside of its risk appetite, on either an individual or a cumulative basis; and
- ensure that sufficient resources are devoted to fulfilling these responsibilities.

The Board is assisted in fulfilling these responsibilities by the MLCO and MLRO, but the ultimate responsibility sits firmly with the Board.
BOARD INVOLVEMENT
It is the Board that is required to conduct and record a BRA in respect of the supervised person’s operations with specific consideration given to the supervised person’s risk appetite and the extent of its exposure to ML/TF/PF risks.
RISK APPETITE
As part of conducting a BRA it is imperative that, on an on-going basis, the Board sets and monitors its risk appetite. Without a clearly defined risk appetite, it is questionable how the business can understand the level of risk it is willing or able to accept and/or when to act to reduce risk to an acceptable level.
ASSESSMENT OF RISKS
A supervised person must assess the extent of its exposure to ML/TF/PF risks holistically or as a whole by reference to the following factors:
- organisational structure;
- customers;
- the countries and territories with which those customers are connected;
- the products and services the supervised person provides; and
- how those products and services are delivered.

The assessment must consider the cumulative effect of risks identified, which may exceed the sum of each individual risk element.
Where a business has not identified the financial crime risk it faces, it consequently cannot determine whether its systems and controls are effective to manage and mitigate those risks. In the absence of adequate controls, the likelihood of risks crystallising is significantly increased.
ASSESSMENT OF CONTROLS
The Board is required to ensure that its systems and controls, including policies and procedures, are appropriately designed and implemented to manage the financial crime risks it has identified in its BRA and that they are appropriate to the circumstances of its business.
A supervised person should consider the following:
- assessing its inherent risks, i.e. the level of risk without mitigation or controls;
- assessing the effectiveness of its systems and controls in mitigating risk;
- calculating its residual risk, i.e. the level of risk that remains after considering the effectiveness of its systems and controls; and
- considering residual risk against risk appetite and reacting, if necessary, for example, where residual risk is assessed as being outside of appetite, by enhancing controls to reduce residual risk to an acceptable level.
The Board is required to consider what barriers exist to prevent the operation of effective systems and controls, including policies and procedures, in relation to ML/TF/PF risks and to take measures to address any identified barriers.
KEEPING THE BRA UP TO DATE
The Board of a supervised person must consider, on an ongoing basis, its risk appetite and exposure to ML/TF/PF risks in the round and carry out and record a business risk assessment. Its assessment must be kept up to date.
Guidance provided in the Handbook states that, in the case of a supervised person that is dynamic and growing, the Board may demonstrate that its BRA is kept up to date where it is reviewed annually. However, in other cases, for example a supervised person with stable products and services, this may be too often.
In all cases, the Board may demonstrate that its BRA is kept up to date where it is reviewed when events occur that may materially change the financial crime risk.
HOW CAN APPLEBY REGULATORY COMPLIANCE (ARC) ASSIST ORGANISATIONS?
ARC ensures that the assessment of ML/TF/PF risks can be undertaken objectively. ARC is able to draw on its experience of working with a diverse selection of firms and can recognise the needs of varying-sized firms in order to make assessments and recommendations that are proportionate to the size and complexity of the business.