What is a risk assessment?
A risk assessment is a written analysis that aims to identify all possible risk factors for whatever is being assessed, measure the inherent risks, identify actions to mitigate those risks, measure the residual risks and determine the risk treatment. It includes analysing each risk factor's likelihood and effects to ascertain where the greatest risks lie.
Why do a risk assessment?
A company might do a risk assessment for various reasons, such as to:
- Ensure the safety of employees
- Ensure business continuity
- Ensure the security of data
- Ensure compliance with regulatory requirements
- Prevent money laundering
What most people don’t realise, though, is that we all do risk assessments on a daily basis. When we’re parking the car, we assess the size of the available parking spot to make sure our car fits and evaluate the likelihood of the car getting dinged by the next car's doors. When we’re doing the laundry, we assess whether that "hand wash" label means the garment will actually get ruined if we save ourselves the hassle of hand washing by simply putting it in the washing machine with the other clothes.
The 6 steps to risk assessment
When doing a risk assessment there are 6 general steps to follow. Sometimes these are done in this order and sometimes they’re done at the same time. The difference between a corporate risk assessment and a personal one is mainly 1) the formality of the procedure and 2) record keeping. When risk assessing in a corporate setting, a written and thought-out methodology and procedures, along with logging all decisions, is crucial. Like we say in the compliance world: “proof or it didn’t happen”.
The 6 steps to risk assessments are:
- Risk identification
- Measuring inherent risk
- Identifying mitigation opportunities
- Measuring residual risk
- Risk treatment
- Repeat
Risk identification
Let’s go through the steps of risk assessment using my favourite example: say you’re thinking about getting a cat (because who wouldn’t want a cat?). You’ve thought about this for a while and your kids have been begging for one for months now. So you’ve already identified why you want the cat:
- They’re cute
- They’re fluffy
- They (sometimes) like to cuddle
- They’re less work than a dog
In order to make a good decision you also have to think about the negative things that come with getting a cat:
- Your clothes will be lined with cat hairs
- They can scratch your furniture
- They might bring you small (sometimes dead) animals as gifts
- You have to clean the kitty litter
To ensure you’re thorough in your decision you also search the internet and find a couple more negatives:
- Their veterinary bills can be expensive
- Some friends with allergies might stop visiting
Congratulations, you’ve just finished the first part of risk assessment, the risk identification.
Measuring inherent risk
Now let's go about measuring the risk associated with these. We’ll look at each risk from two sides: how often it might happen (likelihood) and how bad that would be (effects).
The gold standard for measuring effects and likelihood is to create a few levels for each (3 to 5 levels is most common) and make them quantifiable. That way it shouldn’t matter who performs the measurements or what mood you’re in at the time; your measurements will remain comparable. For likelihood, think once a decade, once a year, once a quarter, once a month, or x% likely to happen in the next year. For effects it’s good to have a few categories, such as monetary value, disruption of service to customers, disruption to internal operations, reputation and legal compliance. When calculating the risk score you then use the category with the most severe effects for any given risk.
Clothes being lined with cat hair is probably going to happen on a daily basis, but my work doesn’t require me to wear formal clothing, so I think that’s acceptable. I’m gonna say the likelihood of that happening is almost certain with a 5 out of 5 points and the effects aren’t so bad with a 2 out of 5 points. If I multiply those points I’ll get a risk score of 10, which I think is acceptable, so I’m not gonna try and mitigate this.
Not all cats scratch furniture, so this might happen or it might not. I don’t have any scratching posts though so the cat won’t have anywhere else to scratch. I do have a very nice and expensive leather couch, so a single scratch is pretty much going to ruin the aesthetics of that couch. I’m gonna say this is quite likely to happen on an annual basis and give it 4 out of 5 points. For effects I’m giving it 4 out of 5 points based on the price of replacing the couch and the hassle of having to find a new one. If I multiply those points I get a risk score of 16, which I don’t think is acceptable. If I can’t find a way to make this risk score less, I don’t think I’ll get that cat, even if he is super cute.
I go through the rest of the risks the same way. I called a friend to find out how much veterinary costs typically are, to make sure I had a good understanding of the effects and likelihood of that risk.
Mitigation and measuring residual risk
Now it’s time to see if I can minimise the likelihood or effects of some of those risks.
If I get several scratch posts and buy some cat repellent spray for my couch I can reduce the likelihood from quite likely to somewhat likely, with 3 out of 5, so the risk score will be 12. Since I didn’t change the effects at all (it’s still a very expensive couch that will get ruined by a single scratch), the effects are still at 4 points.
Come to think of it, I think 12 is still too high a number, so I think for the first few weeks of having a cat I’m gonna work from home and spray the cat with water every time he comes near the couch. That’ll surely make it quite unlikely that the cat will scratch the couch with a 2 out of 5 points. That brings the risk score down to 10, which I can live with.
Risk treatment
Now that I know all the risks and what I can do to control them, it’s time to make a decision. Is getting a cat worth it and, if so, how will I minimise my risks? Well, in order to be methodical about it I’ve decided that I’m ok with risks that measure 10 or lower; if they measure between 11 and 19 I should try and mitigate them to bring them down to 10 or lower; but if the risk measures 20 or more then it’s not worth the risk. I even made a pretty table to help me show that:
I’ve measured all my risks and I’ve decided the following:
- Clothes lined with cat hairs - Inherent risk: 10.
  - I’m not going to try and mitigate this risk, I’ll just accept it.
- Scratched couch - Inherent risk: 16, residual risk after mitigation: 10.
  - I’ll treat this risk with mitigation controls.
- They might bring you small (sometimes dead) animals as gifts - Inherent risk: 15.
  - I’ll avoid this risk by having my cat be an indoor cat.
- You have to clean the kitty litter - Inherent risk: 10.
  - Although that’s not going to be pleasant, I’ll accept it.
- Their veterinary bills can be expensive - Inherent risk: 15.
  - I’ll transfer this risk to an insurance company by buying cat insurance.
- Some friends with allergies might stop visiting - Inherent risk: 9.
  - The only one I know with cat allergies is my weird uncle and I don’t want him in my house anyway, so I’ll accept the risk.
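The scoring scheme and the decisions above, worked through as an added example (this code is not part of the original post): each risk carries a 1 to 5 likelihood and 1 to 5 effects per category, the most severe category sets the effect score as described under Measuring inherent risk, the score is likelihood times effects, and the 10 / 11 to 19 / 20 or more bands decide whether a risk can be accepted, must be treated, or is not worth taking; the `check` function flags any recorded decision that breaks those rules, which is the kind of record a corporate assessment needs. The scores are the post's, while the split of each risk into effect categories and the short risk names are assumptions made here; note that on this scale a likelihood of 2 against effects of 4 comes to 8, which is what the code reports for the mitigated couch.

```python
# Scored register on the post's 5x5 scheme, with a check that each treatment decision respects the thresholds (added example).
from __future__ import annotations
from dataclasses import dataclass
ACCEPT_MAX = 10   # 10 or lower: acceptable as is
AVOID_MIN = 20    # 20 or more: not worth the risk; 11 to 19 must be treated

@dataclass
class Risk:
    name: str
    likelihood: int             # 1 (once a decade) .. 5 (almost certain)
    effects: dict[str, int]     # category -> 1..5; the most severe category counts
    treatment: str              # accept | mitigate | avoid | transfer
    residual_likelihood: int | None = None   # after controls; the post's controls lower likelihood only

    def inherent(self) -> int:
        return self.likelihood * max(self.effects.values())

    def residual(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return lik * max(self.effects.values())

def band(score: int) -> str:
    if score <= ACCEPT_MAX:
        return "accept"
    return "too high" if score >= AVOID_MIN else "treat"

def matrix() -> list[list[str]]:
    # The 5x5 table of bands: rows are likelihood 5 down to 1, columns are effects 1 to 5.
    return [[band(lik * eff) for eff in range(1, 6)] for lik in range(5, 0, -1)]

def check(risk: Risk) -> list[str]:
    # Findings where a recorded decision contradicts the methodology.
    findings, score = [], risk.inherent()
    if band(score) == "too high":
        findings.append(f"{risk.name}: inherent {score} is {AVOID_MIN} or more, not worth taking")
    if risk.treatment == "accept" and score > ACCEPT_MAX:
        findings.append(f"{risk.name}: accepted at {score}, above {ACCEPT_MAX}")
    if risk.treatment == "mitigate" and risk.residual() > ACCEPT_MAX:
        findings.append(f"{risk.name}: residual {risk.residual()} still above {ACCEPT_MAX}")
    return findings

# Constructed register using the post's scores; the split into effect categories is assumed.
CAT_REGISTER = [
    Risk("Clothes lined with cat hairs", 5, {"reputation": 2}, "accept"),
    Risk("Scratched couch", 4, {"monetary": 4, "disruption": 2}, "mitigate", residual_likelihood=2),
    Risk("Brings small animals as gifts", 3, {"reputation": 5}, "avoid"),
    Risk("Cleaning the kitty litter", 5, {"disruption": 2}, "accept"),
    Risk("Veterinary bills", 3, {"monetary": 5}, "transfer"),
    Risk("Allergic friends stop visiting", 3, {"reputation": 3}, "accept"),
]
```

Running `check` over every entry of the register returns no findings, and `matrix()` reproduces the 5x5 table of bands the post refers to.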
Final result: I’m getting a cat!
Repeat?
The final step of a risk assessment is to trigger a repeat assessment. It’s important to reassess the risks periodically to see if some of the risks have changed. It’s also important to reassess when you know something has changed, like if you get a new couch, or start dating someone who’s allergic. Sometimes this leads to you doing some additional mitigation, but in the most severe cases it might mean that it’s in your and the cat's best interest for the cat to find a new home.
How does all this translate into AML risk assessments?
When doing an AML risk assessment you can follow all these steps with some slight modifications.
When identifying the risks of money laundering occurring through your company, you should use your country's national risk assessment as a starting point, along with any industry-specific guidance it offers.
A good rule of thumb for identifying risks is to think about people, process and technology. What could your customers or your staff do, intentionally or unintentionally, that could lead to money laundering? Are your processes built to stop money laundering, or are there gaps that could be exploited? And lastly, is your technology set up to identify and stop money laundering, are there ways to get around it, or does it in fact facilitate money laundering?
When all is said and done, an AML risk assessment should help the company reach its goals, be it to safeguard its employees or to prevent money laundering, or, in your personal life, to make a life-changing decision.