Best Practices in Enterprise-Wide Risk Assessment and Key Missteps to Avoid

ML/FT Enterprise-wide risk assessment (EWRA), also known as business-wide risk assessment, is a key pillar of the AML framework at the enterprise level. It plays a pivotal role in combating Money Laundering (ML), Terrorist Financing (FT), and Proliferation Financing (PF) risks. It is essential that an enterprise adopts certain best practices while conducting EWRA to counter ML/TF and PF effectively.

EWRA is a process of identifying all external and internal risk factors (related to products, services, transactions, delivery channels, customers, geographies, technological, etc.), assessing their impact, exploring ways to mitigate, and controlling and monitoring such risks. It involves people at all levels of an enterprise to develop the best strategy for combating ML/FT and PF risks.

Here is the list of best practices while conducting EWRA:

• One of the major best practices while conducting EWRA is adoption of a risk-based approach in line with the entity’s nature, size, and complexity of business and identification and assessment of ML, TF, and PF risks.
• Well-documented risk assessment methodology that considers qualitative and quantitative measures.
• New and emerging risks are immediately identified and assessed.
• Compliance responsibilities are clearly defined and communicated.
• Residual risks are managed and kept in check.
• ML, FT, and PF risks are considered while developing new products or entering new geographies.
• National Risk Assessment and Sectoral Risk Assessment are given due consideration while identifying and assessing risks.
• Regular testing of risk prevention and mitigation controls.
• Integration of AML Software and Solutions to strengthen risk identification, monitoring, reporting, and the overall quality of the EWRA process

Adopting a comprehensive approach and following all the above mentioned best practices while conducting EWRA helps the entity to stay vigilant against evolving ML/FT and PF risks, comply with the regulatory framework, and safeguard its financial integrity.

Here is the list of worst practices while conducting EWRA:

• Identification and assessment of ML, TF, and PF risks without taking a risk-based approach. No consideration of the nature, size, and complexity of the business.
• Lack of documented risk assessment methodology. No evidence of having considered qualitative and quantitative measures.
• New and emerging risks are unknown, and risk assessment isn’t undertaken.
• Compliance responsibilities are unclear, and there’s no uniform way of working.
• Risk appetite isn’t defined and documented. There is no risk management.
• ML, FT, and PF risks are given no consideration while developing new products or entering new geographies.
• National Risk Assessment and Sectoral Risk Assessment are not considered while identifying and assessing risks.
• Risk prevention and mitigation controls are deployed but not tested.