The Enterprise Wide Risk Assessment (EWRA): From ticking the box to an effective Zero Line of Defence

Last month we were invited to speak at an event organised by the Center of Excellence in Anti-Money Laundering, the recently established public-private partnership in Lithuania. Alongside speakers from the public and private sectors, Max Heywood, our Head of Public Sector Partnerships, addressed the topic of Enterprise Wide Risk Assessments (EWRA).

As a regulatory requirement, EWRAs are often seen as a “tick the box” compliance task

International standards present risk assessments as the basis for an institution’s risk-based approach (e.g. FATF 2014). The lessons drawn from the yearly (or event-driven) exercise of assessing a company’s financial crime risks should “inform their AML/CFT policies, controls and procedures” (EBA 2020).

At the same time, detailed guidance on how to implement an EWRA is currently lacking. References to EWRA in international guidance are broad and typically include: 

  • Factors to be considered: e.g. geographic exposure, customer base, products and channels
  • Information sources: both external and internal 
  • High-level principles: for example, EWRAs should be holistic, timely, and tailored 

National legislation often covers specific issues which should be addressed by EWRAs, but these remain high-level descriptions as well.

While this leaves financial institutions with a lot of freedom in developing their EWRA, it also fails to clarify what an effective EWRA looks like. This uncertainty results in EWRAs often being run as a prescriptive “tick the box” compliance exercise, rather than an essential part of an institution’s FinCrime risk management. As a result, despite being resource-intensive, EWRAs can fail to generate the actionable intelligence needed to inform a risk-based approach. 

Integrating EWRA as a Zero Line of Defence reframes it as an active and core component of an organisation’s Financial Crime Risk Framework.

Data from Elucidate’s recently published research paper shows that 97.5% of the banks sampled already conducted EWRAs on a yearly basis. However, a “tick the box” approach can keep financial institutions from realising the potential of what is often seen as a disruptive aspect of their business processes. 

How could financial institutions integrate their EWRA into their overall risk management? The most widespread model for risk management is Three Lines of Defence, which outlines the roles to be played by different functional areas of an organisation, with a primary focus on the customer relationship, compliance, and audit functions. 

A data-driven EWRA that generates quantitative risk metrics can provide a wealth of useful intelligence to help each of the key functions in the Three Lines of Defence model better allocate their resources and focus. 

This is why our presentation at the Lithuanian AML Center event proposed reframing EWRA as a Zero Line of Defence, to make this link conceptually clear. 

The table shows examples of the indicators a data-driven EWRA can produce and how they relate to each line of defence:

Functional area / Sample FinCrime Risk indicators - Zero Line of Defence

1st line of defence, e.g. sales team, customer relationship

  • What % of customers are rated as high risk?
  • How frequently are high risk customers reviewed?

2nd line of defence: compliance

  • Does the entity have a process to review and update customer information based on Trigger events?
  • Does the entity have Policies and Procedures that define escalation processes for financial crime risk issues?

3rd line of defence: Audit function

  • % of cases in which Source of Funds is documented
  • % of cases in which Source of Wealth is documented
  • % of cases where date of account opening precedes customer due diligence completion date

Providing a data-driven common language will help to integrate EWRA into FinCrime risk management systems. By aligning around a shared set of quantitative FinCrime risk metrics during the EWRA, different roles within a bank can better communicate about and address the strengths and weaknesses of the entity's risk framework.

Last but not least, congratulations to the team at the AML Centre for a very well-organised event, and thanks also to our co-panellists and all participants for joining.

Elucidate team