Several questions can keep risk leaders at financial institutions up at night. Do we know where our organization may be at risk? Do we have controls in place to mitigate those risks? Is our risk assessment up to date? Developing an effective risk assessment strategy for Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and Office of Foreign Assets Control (OFAC) sanctions compliance goes a long way toward answering all three.
Although a documented risk assessment is not itself a legal requirement, regulators expect financial organizations to have one. The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual provides general guidance on developing and updating a BSA/AML and OFAC risk assessment. Appendix J of the online manual contains the Quantity of Risk Matrix and Appendix M contains the Quantity of Risk Matrix—OFAC Procedures; together the two appendices provide a baseline for assessing BSA/AML and OFAC risk.
By performing a risk assessment, your financial services organization gains a holistic view of where its risk lies across customers, products, services and geographic footprint. It also lets you identify control gaps that could expose the institution to regulatory findings and monetary penalties.
Because risk assessments are specific to each organization, no two will be exactly alike; the approach to conducting them, however, should be similar. Below are some best practices to keep in mind when developing or enhancing a risk assessment:
- Complete a thorough review to confirm that every customer type, product, service and geographic location is covered by the risk assessment. If a risk area does not apply to your institution, still list it as a line item and state why it is not applicable, so that an examiner can see it was considered rather than overlooked.
- Distinguish inherent risk from residual risk. Each risk area in the assessment should carry both an inherent risk rating and a residual risk rating. The standard scale for each is low, moderate or high, with the definition of each level set by your organization.
  - Inherent risk—the level of risk present before the effectiveness of existing controls is taken into account. Both qualitative and quantitative data (for example, transaction volumes, customer counts and product characteristics) feed this rating.
  - Residual risk—the level of risk that remains after the effectiveness of existing controls is taken into account.
- Most risk assessments do a good job of listing mitigating controls; what is frequently left out is an assessment of how effective those controls actually are. Rating control effectiveness is critical to understanding the residual risk in each risk area, and the rating should rest on evidence such as testing results, audit findings or monitoring metrics rather than on assertion alone. Standard ratings are strong, adequate or inadequate; again, the definition of each rating is set by your organization.
- Once the inherent risk rating and the control effectiveness rating are determined, the residual risk can be derived for each risk area. The residual risk rating should not be assigned at the discretion of the individual(s) completing the assessment; a documented methodology should produce it, limiting the subjectivity of the process and making the result repeatable from one assessment cycle to the next. Below is a residual risk rating matrix of the kind commonly used for this derivation: inherent risk and the effectiveness of the mitigating controls together drive the residual risk rating.