What is risk?
The International Organization for Standardization defines risk as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). In simple terms, risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.
What is risk management?
Risk management is the process of recognising risk and developing methods to mitigate and manage it. This requires the development of methods to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) that may result if they do happen.

Which risks do you need to manage?
In Unit 1 Fundamentals of AML/CTF programs, the Risk Principles Framework identified two categories of risk that need to be managed in implementing an AML/CTF program.
- Business risk is the risk that your business may be used for money laundering or terrorism financing. Businesses must assess the following risks in particular: customer risks, products or services risks, business practices and/or delivery method risks and country or jurisdictional risks.
- Regulatory risk is associated with not meeting your obligations under the AML/CTF Act. Failing to meet regulatory obligations includes such things as not reporting suspicious matters, not conducting customer identification, not fulfilling customer identity verification requirements, or not having an AML/CTF program.
Within these categories, the first step in managing the risks is to identify both the business and regulatory risks that your business may face for ML/TF, and then work out the best ways to reduce and manage those risks. This is the process of following a risk management method.