Module 1 introduced the concepts of regulatory risk and business risk and explained the differences between them. Regulatory risk is associated with compliance, where a business's actions to comply may not meet the standards of regulatory practice. However, it is important to note that compliance and regulatory risk management are not identical. Planning the AML/CTF program involves an understanding of both compliance and risk management; these two concepts are contrasted in the table below.
| Compliance | Risk management |
|---|---|
| Compliance is about meeting obligations, which in this case are mandated by the AML/CTF Act. | Risk management involves: the identification of different types of risk; assessing the impact of these risks; determining the risk appetite of the organisation; and putting in place risk management procedures and controls. |
| Compliance is about meeting obligations that may have a mandatory component. | Risk management does not have a mandatory component, as the organisation determines how to deal with the various risks it faces. However, risk management may have to deal with both mandatory and non-mandatory elements. |
| All compliance risks must be dealt with. | Risk management is used to prioritise the compliance risks. |
| Compliance identifies all the obligations an organisation has. | Risk management techniques are used to prioritise the response to the obligations in terms of control procedures and processes, levels of monitoring and reporting requirements. |