Risk management - A tool for small-to-medium sized businesses

Disclaimer

The information contained in this document is intended to provide only a summary and general overview on these matters. It is not intended to be comprehensive. It does not constitute nor should it be treated as legal advice or opinions. The Commonwealth accepts no liability for any loss suffered as a result of reliance on this publication. AUSTRAC recommends that independent professional advice be sought. The information contained herein is current as at the date of this document.


Introduction

Scope and limitations

This risk management tool is designed to help small-to-medium sized businesses meet the requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Use of this resource is not mandatory; reporting entities may choose an alternative method appropriate to their business (its size, nature and complexity) and to the money laundering and/or terrorism financing (ML/TF) risk they face.

Overview of the process (step and description)

Step: Risk identification
Description: Identify the main ML/TF risks:
  • customers
  • products & services
  • business practices/delivery methods
  • countries you do business with
Identify the main regulatory risks.

Step: Risk assessment/measurement
Description: Measure the size & importance of risk:
  • likelihood - chance of the risk happening
  • impact - the amount of loss or damage if the risk happened
  • likelihood x impact = level of risk (risk score)

Step: Risk treatment
Description: Manage the business risks:
  • minimise and manage the risks
  • apply strategies, policies and procedures
Manage the regulatory risks:
  • put in place systems and controls
  • carry out the risk plan & AML/CTF program

Step: Risk monitoring and review
Description: Monitor and review the risk plan:
  • develop and carry out monitoring process
  • keep necessary records
  • review risk plan and AML/CTF program
  • do internal audit or assessment
  • do AML/CTF compliance report

What is risk?

Risk can be defined as the combination of the probability of an event and its consequences.(1) In simple terms risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.

(1) International Organisation for Standardisation. ISO/IEC Guide 73: Risk management - Vocabulary - Guidelines for use in standards. Geneva: ISO, 2002.

What is risk management?

Risk management is the process of recognising risk and developing methods to both minimise and manage the risk. This requires the development of a method to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, a process is followed where the risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) which may result if they do happen.

Which risks do you need to manage?

For the ML/TF environment, AUSTRAC generally expects a business's risk management practice to address two main risks: business risk and regulatory risk.

Business risk is the risk that your business may be used for ML/TF. Businesses must assess the following risks in particular:

  • customer risks
  • products or services risks
  • business practices and/or delivery method risks
  • country or jurisdictional risks.

Regulatory risk is associated with not meeting your obligations under the AML/CTF Act. Examples of regulatory obligations that may be breached include reporting certain transactions such as international funds transfer instructions, verifying the identity of your customers and having an AML/CTF program (showing how your business identifies and manages the ML/TF risk it may face).

Further discussion on business and regulatory risk is included in the risk identification section.

It is unrealistic that a business would operate in a completely risk-free environment in terms of ML/TF. Therefore, it is suggested that a business identifies the ML/TF risk it faces, then works out the best ways to reduce and manage that risk. In doing this, it is necessary to balance the costs to your business and customers against the risk of the business being used for ML/TF. This should be in proportion to the size of your business and the resources you have available. A business will only be expected to counter the ML/TF risk it may reasonably be expected to face while providing designated services.

The risk management framework (or method)

The approach to risk management in this document is based on AS/NZS 4360:2004, the Australian Standard for risk management. This document simplifies the steps in the Australian Standard while retaining those that AUSTRAC considers should form part of a risk management framework. These steps are a core requirement of an AML/CTF program.


The risk management process

Risk identification

Identify the main ML/TF risks:

  • customers
  • products & services
  • business practices/delivery methods
  • countries you do business with

Identify the main regulatory risks.

The first step is to identify what ML/TF risks exist for your business when providing designated services. As previously discussed, there are two risk types: business risk and regulatory risk.

Business risk

The AML/CTF Rules state that a reporting entity must consider the risk posed by:

  • customers
  • products and services
  • business practices/delivery methods (channels)
  • countries it does business in/with (jurisdictions).

Under these four groups, individual risks to your business can be determined. While not an exhaustive list, some of these individual risks may include:

Customers:

  • a new customer
  • a new customer who wants to carry out a large transaction
  • a customer or group of customers making lots of transactions to the same individual or group
  • a customer who has a business which involves large amounts of cash
  • a customer whose identification is difficult to check
  • a customer who brings in large amounts of used notes and/or small denominations.

Products and services:

  • credit card
  • branch pick-up
  • door to door delivery service
  • direct credit to a bank.

Business practice/delivery method (channels):

  • online/internet
  • phone
  • fax
  • email
  • third-party agent or broker.

Country/jurisdiction:

  • any country or particular region of a country in which you may do business
  • any country subject to trade sanctions
  • any country known to be a tax haven, source of narcotics or other significant criminal activity.

Regulatory risk

This risk is associated with not meeting the requirements of the AML/CTF Act.

Examples of some of these risks are:

  • customer verification not done properly
  • failure to train staff adequately
  • not having an AML/CTF program
  • failure to report suspicious matters
  • not submitting an AML/CTF compliance report
  • not having an AML/CTF Compliance Officer.

A table similar to Table 1 below (Risk management worksheet) could be used for each risk group in preparation for assessing and managing those risks: customers, products and services, business practices/delivery methods, country/jurisdiction, and the regulatory risks.

Table 1: Risk management worksheet - risk

Risk group: Customers (all entries are examples only)

Risk                                                                          | Likelihood | Impact | Risk score | Treatment/Action
New customer                                                                  | -          | -      | -          | -
Customer who brings in large amounts of used notes and/or small denominations | -          | -      | -          | -
Customer whose business is registered overseas with no Australian office      | -          | -      | -          | -

The use of this table will be continued in following sections.

Risk assessment

Measure the size & importance of risk:

  • likelihood - chance of the risk happening
  • impact - the amount of loss or damage if the risk happened
  • likelihood X impact = level of risk (risk score)

Having identified the risks, you need to assess or measure each one in terms of the chance (likelihood) that it will occur and the severity or amount of loss or damage (impact) that may result if it does. The risk associated with an event is therefore the combination of the likelihood of the event and the seriousness of the impact it may have.

Therefore each risk element can be rated by:

  • the chance of the risk happening - 'likelihood'
  • the amount of loss or damage if the risk happened - 'impact' (consequence).

To help assess the risks identified in the first stage of this process, we can apply the risk rating scales for likelihood (Table 2) and impact (Table 3) and from these get a level of risk or risk score using the risk matrix below.

Likelihood x Impact = Risk level/Score

Likelihood scale

A likelihood scale refers to the potential of an ML/TF risk occurring in your business for the particular risk being assessed. Three levels of risk are shown in Table 2, but you can have as many as you believe are necessary.

Table 2: Likelihood scale

Frequency   | Likelihood of an ML/TF risk
Very likely | Almost certain: it will probably occur several times a year
Likely      | High probability it will happen once a year
Unlikely    | Unlikely, but not impossible

Impact scale

An impact scale refers to the seriousness of the damage (or otherwise) which could occur should the event (risk) happen.

In assessing the possible impact or consequences, the assessment can be made from several viewpoints. Following is a list of ideas. It does not cover everything and it is not prescriptive.

Impact of an ML/TF risk could, depending on individual business circumstances, be rated or looked at from the point of view of:

  • how it may affect your business if, through not dealing with risks properly, you suffer a financial loss from either a crime or through fines from the regulator
  • the risk that a particular transaction may result in the loss of life or property through a terrorist act
  • the risk that a particular transaction may result in funds being used for any of the following: corruption, bribery, smuggling of goods/workers/immigrants, banking offences, narcotics offences, psychotropic substance offences, slavery and trade in women and children, illegal arms trading, kidnapping, terrorism, theft, embezzlement, or fraud
  • the risk that a particular transaction may cause suffering due to the financing of illegal drugs
  • reputational risk - how it may affect your business if you are found to have (unknowingly) aided an illegal act, which may mean government sanctions and/or being shunned by your own community of customers
  • how it may affect your wider community if you are found to have aided an illegal act; the community may get a bad reputation as well as your business.

Three levels of risk are shown in Table 3, but you can have as many as you believe are necessary.

Table 3: Impact scale

Consequence | Impact of an ML/TF risk
Major       | Huge consequences - major damage or effect. Serious terrorist act or large-scale money laundering.
Moderate    | Moderate level of money laundering or terrorism financing impact.
Minor       | Minor or negligible consequences or effects.

Risk matrix and risk score

Use the risk matrix to combine LIKELIHOOD and IMPACT to obtain a risk score. The risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk. How the risk score is derived can be seen from the risk matrix and risk score table (Table 4) shown below. Four levels of risk or score are shown in the matrix and Table 4, but you can have as many as you believe are necessary.

Matrix: Threat level for ML/TF risk

Likelihood (what is the chance it will happen?) | Impact - how serious is the risk?
                                                | Minor      | Moderate   | Major
Very likely                                     | Medium (2) | High (3)   | Extreme (4)
Likely                                          | Low (1)    | Medium (2) | High (3)
Unlikely                                        | Low (1)    | Low (1)    | Medium (2)

Table 4: Risk score table

Rating | Level   | Impact of an ML/TF risk                                           | Response
4      | Extreme | Risk almost sure to happen and/or to have very dire consequences. | Do not allow transaction to occur or reduce the risk to acceptable level.
3      | High    | Risk likely to happen and/or to have serious consequences.        | Do not allow transaction until risk reduced.
2      | Medium  | Possible this could happen and/or have moderate consequences.     | May go ahead but preferably reduce risk.
1      | Low     | Unlikely to happen and/or have minor or negligible consequences.  | Okay to go ahead.

Once threat levels and risk scores have been allocated they can be entered in the risk management worksheet (Table 5) next to the risk.

Table 5: Risk management worksheet - threat level and risk score

Risk group: Customers (all entries are examples only)

Risk                                                                          | Likelihood  | Impact   | Risk score | Treatment/Action
New customer                                                                  | Likely      | Moderate | 2          |
Customer who brings in large amounts of used notes and/or small denominations | Likely      | Major    | 3          |
Customer whose business is registered overseas with no Australian office      | Very likely | Major    | 5          |

Risk treatment

Manage the business risks:

  • minimise and manage the risks
  • apply strategies, policies and procedures

Manage the regulatory risks:

  • put in place systems and controls
  • carry out the risk plan & AML/CTF program

This stage is about identifying and testing methods to manage the risks you have identified and assessed in the previous process. In doing this you will need to consider putting into place strategies, policies and procedures to help reduce (or treat) the risk. Examples of a risk reduction or treatment step are:

  • setting transaction limits for high-risk products
  • having a management approval process for higher-risk products
  • process to place customers in different risk categories and apply different identification and verification methods
  • not accepting customers who wish to transact with a high-risk country.

You could record this using Table 6.

Table 6: Risk management worksheet - risk treatment or action

Risk group: Customers (all entries are examples only)

Risk                                                                          | Likelihood  | Impact   | Risk score | Treatment/Action
New customer                                                                  | Likely      | Moderate | 2          | Standard ID check; ID verification type X
Customer who brings in large amounts of used notes and/or small denominations | Likely      | Major    | 3          | Non-standard ID check; ID verification type X
Customer whose business is registered overseas with no Australian office      | Very likely | Major    | 5          | Do not accept as customer

Another way to reduce risk is to use a combination of risk groups to modify the overall risk of a transaction. You may choose to combine your customer, product/service and country risk ratings into an overall risk. For example, in the case of a remitter, for a low-risk customer you may decide to offer only a bank account-to-bank account service (assessed as low risk by you) to a certain city/province (assessed as a high-risk area by you) in a certain country (assessed as low risk by you).

It is important to remember that identifying, for example, a customer, transaction or country as high risk does not necessarily mean that money laundering or terrorism financing is involved. The opposite is also true: just because a customer or transaction is seen as low risk does not mean the customer or transaction is not involved in money laundering or terrorism financing. Experience and common sense should be applied to your risk management process.

Monitor and review

Monitor & review the risk plan:

  • develop and carry out monitoring process
  • keep necessary records
  • review risk plan and AML/CTF program
  • do internal audit or assessment
  • do AML/CTF compliance report

Keeping records and regularly evaluating your risk plan and AML/CTF program are essential. The risk management plan and AML/CTF program cannot remain static, because risks change over time; for example, through changes to your customer base, your products and services, your business practices and the law.

Once documented, your business should develop a method to regularly check on whether your AML/CTF program is working correctly and well. If not, you need to work out what needs to be improved and put changes in place. This will help keep your program effective and also meet the requirements of the AML/CTF Act.


Additional tools to help your risk assessment

The following tools or ideas can be useful in helping to manage risk. You can include them in the previous risk assessment process to better inform your decisions.

Applying risk appetite to risk assessment

Risk appetite is the amount of risk a business is prepared to accept in pursuit of its business goals. Risk appetite can be an extra guide to your risk management strategy and can also help you deal with risks. It is usually expressed as an acceptable/unacceptable level of risk.

Some questions to ask are:

  • What risks will the business accept?
  • What risks will the business not accept?
  • What risks will the business treat on a case by case basis?
  • What risks will the business send to a higher level for a decision?

The risk matrix can be used to show the risk appetite of your business.

In a risk-based approach to AML/CTF the assessment of risk appetite is a judgement that must be made by the reporting business. It will be based on its business goals and strategies, and an assessment of the ML/TF risks it faces in providing the designated services to its chosen markets.

Sample risk matrix showing risk appetite

Likelihood (what is the chance it will happen?) | Impact - how serious is the risk?
                                                | Minor                   | Moderate                | Major
Very likely                                     | Acceptable - Medium (2) | Unacceptable - High (3) | Unacceptable - Extreme (4)
Likely                                          | Acceptable - Low (1)    | Acceptable - Medium (2) | Unacceptable - High (3)
Unlikely                                        | Acceptable - Low (1)    | Acceptable - Low (1)    | Acceptable - Medium (2)
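As an added example (not part of the AUSTRAC document), the Python below encodes the threat-level matrix, the Table 4 ratings and responses, and the sample risk-appetite matrix, then scores the Table 5 example rows and recomputes any hand-entered scores against the matrix. Expressing appetite as a score threshold is an assumption that reproduces the sample matrix; the worksheet records 5 for the 'Very likely'/'Major' row while the matrix tops out at 4 (Extreme), and the check reports that mismatch.

```python
# Ordinal scales from Table 2 (likelihood) and Table 3 (impact), lowest first.
LIKELIHOOD = ("Unlikely", "Likely", "Very likely")
IMPACT = ("Minor", "Moderate", "Major")
# Threat-level matrix: rows follow LIKELIHOOD, columns follow IMPACT, cell = score.
MATRIX = (
    (1, 1, 2),  # Unlikely:    Low, Low, Medium
    (1, 2, 3),  # Likely:      Low, Medium, High
    (2, 3, 4),  # Very likely: Medium, High, Extreme
)

# Table 4: rating name and response for each score.
RATING = {1: "Low", 2: "Medium", 3: "High", 4: "Extreme"}
RESPONSE = {
    1: "Okay to go ahead.",
    2: "May go ahead but preferably reduce risk.",
    3: "Do not allow transaction until risk reduced.",
    4: "Do not allow transaction to occur or reduce the risk to acceptable level.",
}

# Sample appetite matrix: Low and Medium acceptable, High and Extreme not (threshold is an assumption).
APPETITE_MAX_ACCEPTABLE = 2

def risk_score(likelihood, impact):
    """Matrix cell for a (likelihood, impact) pair; unknown scale labels are rejected."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown scale label: {likelihood!r} / {impact!r}")
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]

def assess(risk, likelihood, impact):
    """One completed worksheet row: score, rating, appetite decision and response."""
    score = risk_score(likelihood, impact)
    return {"risk": risk, "likelihood": likelihood, "impact": impact,
            "score": score, "rating": RATING[score],
            "acceptable": score <= APPETITE_MAX_ACCEPTABLE,
            "response": RESPONSE[score]}

def check_worksheet(rows):
    """Recompute hand-entered scores; return (risk, recorded, expected) for each mismatch."""
    return [(risk, recorded, risk_score(lik, imp))
            for risk, lik, imp, recorded in rows if recorded != risk_score(lik, imp)]

# Worksheet rows constructed from the Table 5 examples: (risk, likelihood, impact, recorded score).
WORKSHEET = [
    ("New customer", "Likely", "Moderate", 2),
    ("Customer who brings in large amounts of used notes and/or small denominations", "Likely", "Major", 3),
    ("Customer whose business is registered overseas with no Australian office", "Very likely", "Major", 5),
]

if __name__ == "__main__":
    for risk, lik, imp, _ in WORKSHEET:
        row = assess(risk, lik, imp)
        print(f"{row['score']} {row['rating']:<7} {'acceptable' if row['acceptable'] else 'unacceptable'}: {risk}")
    for risk, recorded, expected in check_worksheet(WORKSHEET):
        print(f"score mismatch for {risk!r}: recorded {recorded}, matrix gives {expected}")
```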

Risk tolerance

In addition to defining your business's risk appetite, you can also define a level of variation to how you manage that risk. This is called risk tolerance, and it provides some flexibility whilst still keeping to the risk framework you have developed.

An example showing how risk appetite and risk tolerance interact follows.

A remitter business has decided that, in general, the risk of remitting money to a particular country is unacceptable. However, the remitter does have some risk tolerance. In this case the business will remit to this region provided that it is a bank-to-bank transaction only, the customer provides three verifiable customer identification documents, and the transaction is signed off by a senior manager.
