Risk Based Approach (RBA) and Business Risk Assessment (BRA)

All regulations state that a risk-based approach (RBA) is central to an effective implementation of the AML/CFT legislation. It means that organizations should identify, assess, and understand the ML/TF risks to which they are exposed, and implement the most appropriate mitigation measures. A Business Risk Assessment (BRA) improves the effectiveness of ML/TF risk management by identifying the inherent risks faced by an entity as a whole, determining how to effectively mitigate those risks through internal policies and procedures, and establishing the residual risk.

The statutory obligation requires entities to apply the following risk factors in their risk assessment. They are:

Additionally, based on the size, nature and complexity of the businesses, transaction risks are also considered.

The basic idea behind these risk factors is that the firm should assess the ML/TF risks it is exposed to and develop policies and procedures to mitigate those risks. In doing so, if the residual risks are not within the entity's risk appetite, then efforts should be made to address those control gaps.

AML/CFT Business Risk Assessment Methodology

A risk assessment should be robust, with inputs from the UAE National Risk Assessment (NRA) issued by the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations (NAMLCFTC), the Sectoral Risk Assessment (SRA), Recommendations by FATF / MENAFATF, and thematic review reports issued by supervisory authorities. Feedback and inputs from Compliance Officers are also a key consideration.

The first step is to identify AML/CFT related potential failures (PFs) against each of the risk factors and gauge the impact of those PFs should they materialize into an event, together with the likelihood of materialization. The impact-likelihood assessment at this stage is referred to as the inherent risk rating (IRR). Potential failures related to Proliferation Financing (PF) should also be considered during the risk assessment.

After the IRR has been completed, the next step is to define the controls that reduce the likelihood of the risk materializing and limit the impact should the event occur. This is also termed risk treatment, or simply a treatment plan. Controls defined as part of the treatment plan should be assessed for their effectiveness, on two dimensions: design effectiveness and operating effectiveness. The combination of the two indicates whether a control is ineffective, partially effective, or effective. A well-designed control can still fail to mitigate the inherent risk if the person operating the control fails to operate it diligently, or if the system designed to implement the control fails. A treatment plan may not completely arrest the risk, leaving a residual part of it unaddressed. It is therefore important for entities to periodically review their controls using health checks, control self-assessments, or control indicators to identify weaknesses in them. Data generated by such self-assessment exercises give valuable insight into the operating effectiveness of the controls put in place to address the risks.

The risk that remains after the risk treatment is referred to as residual risk. Residual risk is also measured in terms of impact and likelihood, and it should remain within the entity's risk appetite. If the data indicate that the residual risk is above the risk appetite, additional risk treatment is warranted.

The steps required to build an effective Business Risk Assessment are depicted in the diagram below.

To obtain an objective view of the likelihood and impact assessment, a standard risk assessment template should be developed with likelihood on one axis and impact on the other.
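The following is an added worked example of the methodology described above (inherent rating from impact and likelihood, control effectiveness from design and operating effectiveness, residual rating compared against risk appetite). It is illustrative code written for this page, not Adventant's template and not any regulator's scoring scheme. The 5-point scales, the band thresholds, the rule that a control's combined effectiveness is the weaker of its design and operating effectiveness, the reduction steps applied to likelihood and impact, and the sample register entries (including the risk factor names) are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed 5-point scales for impact and likelihood (1 = lowest, 5 = highest).
SCALE = range(1, 6)


class Effectiveness(Enum):
    """Combined control rating; the integer is the number of scale steps it removes."""
    INEFFECTIVE = 0
    PARTIALLY_EFFECTIVE = 1
    EFFECTIVE = 2


def rating_band(score: int) -> str:
    """Map an impact x likelihood score (1..25) to a band. Thresholds are assumed."""
    if score >= 16:
        return "Very High"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def inherent_risk(impact: int, likelihood: int) -> int:
    """Inherent risk rating (IRR): impact x likelihood before any controls."""
    for value in (impact, likelihood):
        if value not in SCALE:
            raise ValueError(f"rating {value} is outside the 1..5 scale")
    return impact * likelihood


def control_effectiveness(design: int, operating: int) -> Effectiveness:
    """Combine design and operating effectiveness (each 0, 1 or 2).

    The weaker dimension wins: a well-designed control that is operated
    poorly, or whose system fails, provides no more mitigation than its operation does.
    """
    for value in (design, operating):
        if value not in (0, 1, 2):
            raise ValueError(f"effectiveness {value} must be 0, 1 or 2")
    return Effectiveness(min(design, operating))


def residual_risk(impact: int, likelihood: int,
                  controls: list[Effectiveness]) -> tuple[int, int, int]:
    """Apply the treatment plan and return (residual_impact, residual_likelihood, score).

    Assumed rule: the strongest control reduces likelihood by its effectiveness
    value; only an EFFECTIVE control also reduces impact, by one step. Both floor at 1.
    """
    best = max((c.value for c in controls), default=0)
    res_likelihood = max(1, likelihood - best)
    res_impact = max(1, impact - (1 if best == Effectiveness.EFFECTIVE.value else 0))
    return res_impact, res_likelihood, res_impact * res_likelihood


@dataclass
class PotentialFailure:
    risk_factor: str
    description: str
    impact: int
    likelihood: int
    controls: list[tuple[int, int]]  # (design, operating) per control


@dataclass
class Assessment:
    inherent_score: int
    inherent_band: str
    residual_score: int
    residual_band: str
    within_appetite: bool  # False means additional risk treatment is warranted


def assess(pf: PotentialFailure, appetite: int) -> Assessment:
    inherent = inherent_risk(pf.impact, pf.likelihood)
    effs = [control_effectiveness(d, o) for d, o in pf.controls]
    _, _, residual = residual_risk(pf.impact, pf.likelihood, effs)
    return Assessment(inherent, rating_band(inherent),
                      residual, rating_band(residual), residual <= appetite)


def run_register(register: list[PotentialFailure], appetite: int) -> dict[str, Assessment]:
    return {pf.description: assess(pf, appetite) for pf in register}


# Constructed sample register; risk factor names and ratings are illustrative only.
SAMPLE_REGISTER = [
    PotentialFailure("customer", "onboarding without adequate verification", 5, 4, [(2, 2)]),
    PotentialFailure("geography", "exposure to higher-risk jurisdictions", 4, 4, [(2, 0)]),
    PotentialFailure("delivery channel", "non-face-to-face relationships", 3, 3, [(2, 1), (1, 2)]),
]
APPETITE = 9  # assumed: residual scores above this band require further treatment

if __name__ == "__main__":
    for name, a in run_register(SAMPLE_REGISTER, APPETITE).items():
        flag = "within appetite" if a.within_appetite else "ADDITIONAL TREATMENT REQUIRED"
        print(f"{name}: inherent {a.inherent_score} ({a.inherent_band}), "
              f"residual {a.residual_score} ({a.residual_band}) -> {flag}")
```

The second register entry illustrates the point made above about operating effectiveness: its control is well designed (2) but not operated (0), so the combined rating is ineffective and the residual score stays at the inherent level, above appetite.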

How can we help?

We at Adventant work with our clients in designing the entire BRA, taking into account the size and complexity of their business. We assess their inherent risks based on the statutory risk factors, design and document controls to mitigate those risks, and determine their residual risks. We ensure that the residual risk remains within your risk appetite. Whenever the risks become elevated, we recommend the additional steps required to enhance the controls.

We ensure that your BRA remains fit for purpose and work closely with you in keeping it up to date.

A template of a Business Risk Assessment (BRA) can be found here
