Skip to main content

Advancing a risk-based approach

The essential role of intelligence-led risk management

This is the second article in our Future of Financial Crime series, emphasising the critical role of intelligence-led risk management as a foundation of financial crime frameworks.

Risk assessment is an essential instrument at the core of a Subject Person’s (SP) financial crime control framework. However, it's often perceived as a regulatory-driven task, leading to broad evaluations of the financial crime vulnerabilities an institution faces. The results often provide limited actionable insights, hindering the ability to make appropriate adjustments to financial crime control measures. Given the ever-changing and increasingly complex nature of financial crime threats, this approach needs to evolve.

Risk assessments are often limited by:

  • Outdated intelligence about threats that lack necessary detail, accuracy, and relevance, leading to a lack of specificity in identifying, assessing, and prioritising the exact financial crime risks that the SP faces.
  • An unclear and delayed connection between identified risks and threats, and the corresponding preventative and detective measures designed to mitigate these risks.
  • Static documentation updated annually or bi-annually, leading to significant time lags between changes in the risk assessment and relevant adjustments to the control framework.
  • Manual processes that do not provide a continuous view, resulting in inconsistent quantification and dynamic measurement of risks against relative likelihood and impact.

Expectations about the role of risk assessment are changing, driven by increased regulatory focus on how well the risk assessment recognises specific threats and evaluates the effectiveness of mitigating controls. Regulatory enforcement may result where these aspects are unsatisfactory.

Adopting a more dynamic and integrated approach to risk assessment and control modulation is key to addressing these limitations and meeting changing regulatory expectations. While change can be incremental and specific solutions will vary across SPs, we believe the following changes are necessary:

  • A proactive risk assessment approach, combining intelligence from internal and open-source sources, and active engagement in public-private information sharing platforms.
  • Implementation of an improved methodology to address the ever-changing landscapes of threats, involving the assessment and quantification of inherent risk and the effectiveness of the current control environment.
  • Greater integration of the risk assessment, where possible, through dynamic values directly linked to the control framework.
  • Implementation of a suitable platform for the risk assessment and control library, providing a clear overview of risks and controls, preferably through real-time visualisations.

By adopting these changes, we believe it is possible to achieve three key benefits:

1. A demonstrable risk-based approach

By identifying and assessing financial crime risks and implementing mitigating controls, it will be possible to better demonstrate to regulators and other stakeholders that a risk-based approach has been effectively implemented.

2. Improved control design and management

By explicitly linking controls to the risks and providing a greater level of specificity in the risks and threats faced, the mitigating controls can be customised to focus on preventing and detecting the crystallisation of risks. This documented linkage also reduces the possibility that key controls may be removed or inadvertently updated, without appropriate governance.

3. Competitive advantage

Organisations can gain a competitive advantage by rapidly focusing their financial crime investments towards the mitigation of their most critical risks. By focusing controls on the prioritised areas, there is an opportunity to enhance efficiency, by dialling down other controls as appropriate, and lowering the cost of compliance.

The adoption of enhanced and refined risk assessment and control approach, enables a SP to deal with emergent risks as 'business as usual' and avoids the requirement for 'fire drills' which disrupt normal operations.

 

In summary, the proposed changes aim to deliver a sophisticated and proactive intelligence-led approach to risk management which takes into account the changing nature of financial crime threats, and dynamically adjusts the mitigating controls on a risk-based approach.

We believe the evolution of the risk assessment and control framework as set out in this article is fundamental to enabling further changes needed in future financial crime capabilities. Specifically, by changing the approach to due diligence to create a more dynamic customer lifecycle management, and the integration of monitoring allows, for the simplification and streamlining of financial crime operations. Overall, this will drive a move to a more efficient and effective approach to fighting financial crime and reduce cost of compliance.

Please get in touch if you would like to discuss this topic further. Also look out for future articles in our Future of Financial Crime series – up next, Revolutionising Due Diligence in Customer Lifecycle Management.

Financial crime blog

Through our blog series, we discuss all aspects of financial crime – from the challenges in tackling the threat, how the public and private sectors can work together to forge a system wide response, as well as exploring some of the specific financial crime threats organisations are facing and how to address these.