Imagine that you are in a vast forest. It’s getting darker and you have no idea how to find your way back home. Without a map you’ll probably end up even more lost. Best case, you’ll find your way home after a month, stone cold and wet. Worst case, you’ll be stuck in the forest forever.
So what does forests have to do with anything and how do you reach the next generation of risk assessments? Stay with me and find out below.
The forest is big. Really big.
Business-wide risk assessment. Financial crime risk assessment. AML risk assessment. Many names, same thing. For the sake of saving space, I’ll simply call it a risk assessment.
So why on earth do you need a risk assessment? It’s not to have a 150-page report that nobody ever reads. Instead, it should be the outset of everything you do. Let’s take one step back and look at the point of the anti-financial crime regulations to start with. Financial crime – that is money laundering, terrorist financing and sanction violations – pose a massive threat towards global safety and security. Huge amounts of money ending up in criminal pockets. Millions of lives destroyed forever by human traffickers, terrorists, drug lords and fraudsters. Society doesn’t stand a chance unless every company that could encounter these illicit funds do their part to find, stop and report the bad guys. That’s the reason we have anti-financial crime regulations, that throughout the world forces hundreds of thousands of companies to take effective actions against this massive and constantly evolving problem.
It’s obvious that you can’t stop Al Qaida simply by ticking a box in a spreadsheet. To make a real difference and comply with the regulations, you must instead ensure a risk-based approach. And to do that you really, really need that map.
The risk-based approach
A key word here is effective actions against financial crime. Effective is here measured as its ability to fulfil the purpose of the regulations – to find, stop and report criminals.
To have a fighting chance in accomplishing this, you must first know two things:
- How you could be misused by criminals. This of course depends on who you are, where you are and what you do as a company.
- Where your highest risks are
Based on the insights into those two questions, you should then take the bag of money that you have to spend on mitigating actions and spend them where they are most effective. This is the risk-based approach in a nutshell.
The map
This is where the risk assessment comes into play. The risk assessment is your guiding document that should not only give you detailed insights in the two questions above, but also actively be used when prioritizing and designing effective mitigating actions. In other words, it’s your map in the vast forest that is financial crime. With that map, you’ll decrease your risk of getting lost or walking in the wrong direction.
The above of course requires the map to be accurate (detailed enough so you can differentiate a small rock from a mountain), relevant (show the forest you’re in and not a desert somewhere else) and updated (have the new trails marked out). And this is where it can become really difficult.
The as-is
If you’ve ever been involved in performing a risk assessment, you probably know it’s a daunting task that leaves no room for joy and a lot of room for hair-pulling workshops using huge Excel sheets, Word documents (did I mention track changes?) and endless Sharepoint folders, Google Docs etc (IT support, please hold).
I’ve met many banks, financial institutions and gambling companies and they all say the same thing about their current risk assessment process: It’s horrible and takes on average 6-8 months to complete. Every year. And once you’re done you often have a hard time using the results to create any meaningful mitigating actions, rendering the whole exercise virtually useless.
There are two key reasons for this challenge to draw a proper map: The first is that you require massive amounts of information on financial crime methods (threats) and risk indicators to make it detailed enough and ensure that it’s relevant for you. The second is that spreadsheets per default makes it static, which makes it virtually impossible to keep it updated. This is where the dynamic approach comes in.
The dynamic approach to risk assessments
Imagine that you are in a vast forest. It’s getting darker and you have no idea how to find your way back home. Without a map you’ll probably end up even more lost. Luckily you have your new GPS. It’s detailed, always updated and always relevant.
Dynamic risk assessments are what GPS is for navigation –highly effective digital tools with high accuracy. A knowledge-based and data-driven approach gives you automatic updates on changes in the landscape and help you take the safest, shortest route back home. In other words, it gives you a risk assessment that serves the purpose it should: To effectively help you identify your highest risks and to be the outset of every action you take against financial crime. In other words: To enable a true risk-based approach.
How to create a dynamic risk assessment
Dynamic risk assessments require two fundamental things:
1. Updated, relevant, and reliable financial crime intelligence (threats and risk indicators)
2. An easy-to-use workflow tool that allows you to always be on top of your risks
It might sound like a handful to build yourself. Even though not impossible, it requires some strong technical skills combined with a team of senior financial crime experts. The good news is that we’ve already built it for you.