Last month we were invited to speak at an event organised by the Center of Excellence in Anti-Money Laundering, the recently established public private partnership in Lithuania. Alongside speakers from the public and private sectors, Max Heywood, our Head of Public Sector Partnerships, addressed the topic of Enterprise Wide Risk Assessments (EWRA).
As a regulatory requirement EWRAs are often seen as a “tick the box” compliance task
International standards present risk assessments as the basis for an institution’s risk-based approach (e.g. FATF 2014). The lessons drawn from the yearly (or event driven) exercise of assessing a company’s financial crime risks should “inform their AML/CFT policies, controls and procedures” (EBA 2020).
At the same time, detailed guidance on how to implement an EWRA is currently lacking. References to EWRA in international guidance are broad and typically include:
- Factors to be considered: e.g. geographic exposure, customer base,
products and channels
- Information sources: both external and internal
- High-level principles: for example, EWRAs should be holistic, timely, and tailored
National legislation often covers specific issues which should be addressed by EWRAs, but these remain high level descriptions as well.
While this leaves financial institutions with a lot of freedom in developing their EWRA, it also fails to clarify what an effective EWRA looks like. This uncertainty results in EWRAs often being run as a prescriptive “tick the box” compliance exercise, rather than an essential part of an institution’s FinCrime risk management. As a result, despite being resource-intensive, EWRAs can fail to generate the actionable intelligence needed to inform a risk-based approach.
Integrating EWRA as a Zero Line of Defence reframes it as an active and core component of an organisation’s Financial Crime Risk Framework.
Data from Elucidate’s recently published research paper shows that 97.5% of the banks sampled already conducted EWRAs on a yearly basis. However, a “tick the box” approach can keep financial institutions from realising the potential of what is often seen as a disruptive aspect of their business processes.
How could financial institutions integrate their EWRA into their overall risk management? The most widespread model for risk management is Three Lines of Defence, which outlines the roles to be played by different functional areas of an organisation, with a primary focus on the customer relationship, compliance, and audit functions.
A data-driven EWRA that generates quantitative risk metrics can provide a wealth of useful intelligence to help each of the key functions in the Three Lines of Defence model better allocate their resources and focus.
This is why our presentation at the Lithuanian AML Center event proposed reframing EWRA as a Zero Line of Defence, to make this link conceptually clear.
The table shows examples of the indicators a data driven EWRA can produce and how they relate to each line of defence:
Providing a data-driven common language will help to integrate EWRA into FinCrime risk management systems. By aligning around a shared set of quantitative FinCrime risk metrics during the EWRA, different roles within a bank can better communicate about and address the strengths and weaknesses of the entity's risk framework.
Last but not least, congratulations to the team at the AML Centre for a very well-organised event, and thanks also to our co-panellists and all participants for joining.