The enterprise-wide risk assessment (EWRA) is a comprehensive statement for financial crime risk management at an enterprise level. It also covers the enterprise’s foreign branches/subsidiaries. The risk-based approach, which is recommended by the Financial Action Task Force (FATF) 40 Recommendations, is also derived from the EWRA of the organization. Furthermore, in some jurisdictions, it is a regulatory and legal requirement for EWRAs. EWRAs are a fundamental tool to gauge risk.
Auditors should examine the EWRA to understand the risk contained in it and whether it clearly articulates inherent risk related to the risk mitigation controls and residual risk. Auditors should ensure that the EWRA is in line with the national risk assessment and accepts the applicable laws of the jurisdiction where its branches and subsidiaries operate into the account. For example, in India, the identification of the ultimate beneficial ownership (UBO) starts from 15% onwards, as per the type and nature of the relationship.1 Keeping the minimum threshold of 15% suffices and covers the know your customer (KYC) requirement for almost all countries where an Indian financial institution (FI) has branches and subsidiaries, as a majority of the countries follow the FATF’s 25% and above rule for the identification of UBO.2
What an EWRA Should Evaluate
The EWRA is generally an annual exercise. However, in some FIs where the risk is less, the frequency could be changed to a more suitable period. The EWRA primarily focuses on the inherent risk in FI offerings, the geographies where it operates and the customer types. The EWRA assesses the risk for anti-money laundering/counter-terrorist financing (AML/CTF) and sanctions, in addition to counter-proliferation financing (CPF) and anti-bribery and corruption. Thus, these are the most inclusive elements of an EWRA. For example, before preparing an EWRA for an FI headquartered in Gulf countries, the risk officer should investigate whether it stems from the national risk assessment of the country. In this example, dealers of precious metals (DPMS) will be discussed.
DPMS have been rated high-risk in the national risk assessment. Thus, an FI should look at the customers in this segment as high-risk and with a risk-based approach. The FI should note the kind of transactions the DPMS customers carry and the geographies in which they operate. The DPMS’s inherent risk will be high; furthermore, the EWRA should clearly articulate the percentage of such customers, the controls deployed by the FI and the residual risk derived from such customers. It is pertinent to mention that segments, sectors and customers should be evaluated on all parameters, like in our current example. The DPMS segment should be rated on AML, CTF, anti-bribery and corruption, CPF and sanctions risks. DPMS customers may be rated as high-risk from an AML perspective but may be medium- or low-risk from other perspectives. A comprehensive picture can be pieced together with this information.
The essential key ingredients, which should be part of EWRA, making it more robust and in tune with the current setting, are as follows:
- Products, services and geography risk assessment
- Sanctions risk assessment
- Qualitative and quantitative risk assessments
- The key performance indicators risk
- Policy and procedures inadequacy in articulating practicality
- The risk appetite statement
- Risk tolerance
- The inherent and residual risk of each unit in the enterprise
- The risk from inadequate compliance culture and business units
The EWRA should clearly articulate the quantitative and qualitative risks. The quantitative risks refer to an inherent risk and the qualitative risks are the factors in which movements or changes in its quality could impact the inherent risk. For example, if an FI offers a product like wire transfer, which is generally used by exporters and importers, digitally to its customers. Thus, digital transactions are inherently high-risk because the transaction does not occur face-to-face with the customer. Furthermore, cross-border payments make the FI more vulnerable from a trade-based money laundering perspective. Therefore, the quantitative risk is high for such a product.
Now, if the IT systems are not properly integrated with the core solutions for an FI, the resources deployed by the FI are insufficient and the caseload per resource is high, which will impede the capacity of resources deployed to fully investigate the transaction. The transactions may not be screened properly if this quality changes without the proper integration of IT systems and proper resources. Thus, the inherent risk of the product as a qualitative risk has impacted its inherent quantitative risk, which will be high. This way, the qualitative inherent risk has been increased for the product.
Likewise, sanctions/CPF and anti-bribery and corruption could be defined for products and customers. For example, these would include customers dealing in asphalt, gypsum, cement clinker, fuel oil, etc., as Iran is a major source of these products, making customers dealing with such goods more vulnerable to the sanction risk and CPF.3 Therefore, their inherent risk is high from a sanction and CPF perspective (as described in Table 1). Improperly training staff to understand the documentation around the trade is a qualitative risk that could further increase the inherent risk. Anti-bribery and corruption in certain countries are more vulnerable and awarding of government contracts are generally based on a quid pro quo basis. As such, customers operating in such territories have a high inherent risk level.
The data in Table 1 could assist an FI in deciding on the controls the particular segment requires. In fact, it could help to fine-tune the risk-based approach for such customers and could be a tool for specific training around the customer types, the list of checkpoints and documents to be collected from such customers, etc.
Likewise, the FI could have charts based on geographies and products.
The new areas to be covered in the EWRA include looking at more current practicalities and ensuring the EWRA is comprehensive.
Now, digital compliance is shaping up and coming into the front seat as more and more FIs digitalize, incorporate cryptocurrency and more. Digital compliance has also seeped into the financial transaction arena. Moreover, green compliance or environmental terrorism has taken a higher focus in the compliance fraternity. So, the EWRA should clearly articulate the risk emanating from the FI; the percentage of customers in the FI’s database, such as virtual assets service providers, dealers of wood, manufacturers with heavy carbon footprints like those in the petrochemical industry (resulting in waste in the water, which is hazardous to the environment and does not follow the rules set by concerned industry regulators), etc.; and whether they are licensed or regulated. Including such risk types of customers from these industries and having proper KYC procedures will keep the FI abreast with the latest developments in the financial crime compliance world and would improve the FI’s fight against financial crime.
The EWRA should also evaluate the control mechanism in place by the FI for both qualitative and quantitative risks and whether the control mechanism rates the residual risk rating high, medium or low. If the strength of the controls is good enough, it could bring the high inherent risk to medium or low and vice versa. Therefore, below are some controls that could be helpful in lowering residual risk within the risk appetite of the FI.
- Tone from the top (corporate governance)
- The data quality/the data being fed to transaction monitoring systems
- The scalability of the system
- The automation
- Policy and procedures
- The competence of the compliance officers
- Training appropriate to the roles and responsibilities of the staff and business units
- The culture of compliance being instilled by FI and engagement of its resources by the human resources (HR) department for it and further the reward and recognition program for reporting lapses. The culture plays a very pivotal role in managing the entire compliance program. Most lapses and financial crimes that slip through the FI have human interventions. Therefore, the thriving culture of compliance should be emphasized more, especially from the first line of defense. Therefore, the chief compliance officer and HR should work in tandem to inculcate such habits among its resources
- The whistleblowing programs
- The hotline
Thus, the equation in an EWRA would be as follows: Inherent risk – controls = residual risk.
After arriving at the residual risk, the risk appetite statement should be clearly articulated, which could also be incorporated into the EWRA to make it more comprehensive; the risk appetite and the risk tolerance can be used interchangeably. The FI is ready to accept the residual risk calculated by the ERWA during a business transaction, as no business in this realm is without risk and has some risk, which is calculative and can enhance profitability. Therefore, if the residual risk is within the risk tolerance of the FI, the risk can be accepted.
Generally, residual risk is accepted by the FI; however, the residual risk can further be diluted by transferring risk through other means mentioned below.
Managing Residual Risk
- Active Ways
- Risk avoidance, de-risking the products or jurisdiction
- Bringing in new and more effective internal controls to reduce residual risk to an acceptable risk level
- Risk diversification to lower areas and maintaining balance
- Passive Ways
- Transferring risk (i.e., covering through insurance, etc.)
- Provisions in the balance sheet for the risk taken in case it materializes its cost
- Risk acceptance—this will lead to a risk appetite statement
In a nutshell, the structure of an EWRA is very vital to articulate the exact risk the institution is exposed to, the institutional risk taking place and the mitigating factors. This article should serve as comprehensive advice for an FI’s board of directors to understand the level of risk their enterprise is exposed to and the controls and the risk tolerance the institution has. Further, it should help the board to contemplate de-risking and transferring the risk and help to properly deploy a risk-based approach for an FI. In the fight against financial crime, an EWRA is crucial and should be drafted in a clear and concise manner.
- “Master Direction - Know Your Customer (KYC) Direction, 2016,” Reserve Bank of India, February 25, 2016, https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11566&Mode=0
- "Transparency and Beneficial Ownership,“ Financial Action Task Force, October 2014, https://www.fatf-gafi.org/content/dam/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf