Risk management - A tool for small-to-medium sized businesses
Scope and limitations
This risk management tool is designed to help small-to-medium sized businesses meet the requirements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Use of this resource is not mandatory and reporting entities may choose an alternative method which is appropriate to their business (size, nature and complexity) and the money laundering and/or terrorism financing (ML/T)
Risk monitoring and review
What is risk?
Risk can be defined as the combination of the probability of an event and its consequences.(1) In simple terms risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result if it does occur.
What is risk management?
Risk management is the process of recognising risk and developing methods to both minimise and manage the risk. This requires the development of a method to identify, prioritise, treat (deal with), control and monitor risk exposures. In risk management, a process is followed where the risks are assessed against the likelihood (chance) of them occurring and the severity or amount of loss or damage (impact) which may result if they do happen.
Which risks do you need to manage?
For the ML/TF environment, AUSTRAC generally expects a business's risk management practice to address two main risks: business risk and regulatory risk.
Business risk is the risk that your business may be used for ML/TF. Businesses must assess the following risks in particular:
Regulatory risk is associated with not meeting your obligations under the AML/CTF Act. Examples of regulatory obligations that may be breached include reporting certain transactions such as international funds transfer instructions, verifying the identity of your customers and having an AML/CTF program (showing how your business identifies and manages the ML/TF risk it may face).
Further discussion on business and regulatory risk is included in the risk identification section.
It is unrealistic that a business would operate in a completely risk-free environment in terms of ML/TF. Therefore, it is suggested that a business identifies the ML/TF risk it faces, then works out the best ways to reduce and manage that risk. In doing this, it is necessary to balance the costs to your business and customers against the risk of the business being used for ML/TF. This should be in proportion to the size of your business and the resources you have available. A business will only be expected to counter the ML/TF risk it may reasonably be expected to face while providing designated services.
The risk management framework (or method)
The approach to risk management in this document is based on the AS/NZS 4360:2004: Standard for risk management (Australian Standard) and the AUSTRAC guidance note Risk management and AML/CTF programs. This document tries to simplify the steps in the Australian Standard and yet include those that AUSTRAC considers should be included in a risk management framework. These steps are a core requirement of an AML/CTF program.
The risk management process
The first step is to identify what ML/TF risks exist for your business when providing designated services. As previously discussed, there are two risk types: business risk and regulatory risk.
The AML/CTF Rules state that a reporting entity must consider the risk posed by:
Under these four groups, individual risks to your business can be determined. While not an exhaustive list, some of these individual risks may include:
Products and services:
Business practice/delivery method (channels):
This risk is associated with not meeting the requirements of the AML/CTF Act.
Examples of some of these risks are:
Further information to help identify risks is included in the AUSTRAC guidance note Risk management and AML/CTF programs.
A table similar to Table 1 shown below - Risk management worksheet - could be used for each risk group in preparation for assessing and managing those risks: customers, products and services, business practices/delivery methods, country/jurisdiction and the regulatory risks.
Table 1: Risk management worksheet - risk
The use of this table will be continued in following sections.
Measure the size & importance of risk:
Having identified the risks involved, they need to be assessed or measured in terms of the chance (likelihood) they will occur and the severity or amount of loss or damage (impact) which may result if they do occur. The risk associated with an event is a combination of the chance (likelihood) that the event will occur and the seriousness of the damage (impact) it may do.
Therefore each risk element can be rated by:
To help assess the risks identified in the first stage of this process, we can apply the risk rating scales for likelihood (Table 2) and impact (Table 3) and from these get a level of risk or risk score using the risk matrix (Figure 2).
A likelihood scale refers to the potential of an ML/TF risk occurring in your business for the particular risk being assessed. Three levels of risk are shown in Table 2, but you can have as many as you believe are necessary.
Table 2: Likelihood scale
An impact scale refers to the seriousness of the damage (or otherwise) which could occur should the event (risk) happen.
In assessing the possible impact or consequences, the assessment can be made from several viewpoints. Following is a list of ideas. It does not cover everything and it is not prescriptive.
Impact of an ML/TF risk could, depending on individual business circumstances, be rated or looked at from the point of view of:
Three levels of risk are shown in Table 3, but you can have as many as you believe are necessary.
Table 3: Impact scale
Risk matrix and risk score
Use the risk matrix to combine LIKELIHOOD and IMPACT to obtain a risk score. The risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk. How the risk score is derived can be seen from the risk matrix (Figure 2) and risk score table (Table 4) shown below. Four levels of risk or score are shown in Figure 2 and Table 4, but you can have as many as you believe are necessary.
Figure 2: Risk matrix
Threat level for ML/TF risk
Once threat levels and risk scores have been allocated they can be entered in the risk management worksheet (Table 5) next to the risk.
Table 5: Risk management worksheet - threat level and risk score
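The following is an added worked example of the likelihood and impact method described above, written for this page; it is not AUSTRAC's own tool and the tables it fills in are not Tables 2 to 5. The level names, the 3x3 risk matrix, the four score bands and the sample worksheet rows are all assumed values constructed for illustration; a business would substitute the scales it has settled on.

```python
"""Likelihood x impact scoring for a risk management worksheet.

Added illustration of the method described in the text, not AUSTRAC's tool.
The level names, the 3x3 matrix and the four score bands are ASSUMED
(constructed) values; substitute the scales your business settles on.
"""
from dataclasses import dataclass

# Assumed three-level likelihood scale, ordered from least to most likely.
LIKELIHOOD_LEVELS = ["unlikely", "possible", "likely"]
# Assumed three-level impact scale, ordered from least to most severe.
IMPACT_LEVELS = ["minor", "moderate", "major"]
# Assumed risk matrix: rows follow LIKELIHOOD_LEVELS, columns follow IMPACT_LEVELS.
RISK_MATRIX = [
    # minor     moderate   major
    ["low",    "low",     "medium"],   # unlikely
    ["low",    "medium",  "high"],     # possible
    ["medium", "high",    "extreme"],  # likely
]
# Four score bands, least to most serious; the index doubles as a sort key.
SCORE_BANDS = ["low", "medium", "high", "extreme"]


@dataclass
class RiskEntry:
    """One row of the worksheet: the risk group, the risk, and its ratings."""
    group: str          # customers, products/services, delivery method, country, regulatory
    risk: str
    likelihood: str
    impact: str
    score: str = ""     # filled in by score_worksheet()


def risk_score(likelihood: str, impact: str) -> str:
    """Look up the band for a (likelihood, impact) pair; reject unknown levels."""
    if likelihood not in LIKELIHOOD_LEVELS:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_MATRIX[LIKELIHOOD_LEVELS.index(likelihood)][IMPACT_LEVELS.index(impact)]


def score_worksheet(entries: list) -> list:
    """Score every row and return the rows ordered most serious first."""
    for entry in entries:
        entry.score = risk_score(entry.likelihood, entry.impact)
    # sorted() is stable, so rows with equal scores keep their worksheet order.
    return sorted(entries, key=lambda e: SCORE_BANDS.index(e.score), reverse=True)


# Constructed sample rows, one per risk group named in the text.
SAMPLE_WORKSHEET = [
    RiskEntry("customers", "customer whose source of funds is unclear", "possible", "major"),
    RiskEntry("products/services", "bank account-to-bank account remittance", "unlikely", "moderate"),
    RiskEntry("delivery method", "non-face-to-face customer onboarding", "likely", "moderate"),
    RiskEntry("country/jurisdiction", "transfers to a region the business rates as high risk", "possible", "moderate"),
    RiskEntry("regulatory", "late reporting of an international funds transfer instruction", "unlikely", "major"),
]


if __name__ == "__main__":
    for row in score_worksheet(SAMPLE_WORKSHEET):
        print(f"{row.score:8} {row.group:22} {row.likelihood}/{row.impact}  {row.risk}")
```

Running the script prints the worksheet with the highest-scoring rows first, which is the order in which treatment decisions (the next stage) would normally be considered. Rejecting unknown scale values matters in practice: a silently mis-keyed level would otherwise produce a wrong score without anyone noticing.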
Manage the business risks:
Manage the regulatory risks:
This stage is about identifying and testing methods to manage the risks you have identified and assessed in the previous process. In doing this you will need to consider putting into place strategies, policies and procedures to help reduce (or treat) the risk. Examples of a risk reduction or treatment step are:
You could record this using Table 6.
Table 6: Risk management worksheet - risk treatment or action
Another way you can reduce the risk is to use a combination of risk groups to modify the overall risk of a transaction. You may choose to use a combination of your customer, product/service and country risk to modify an overall risk. For example, in the case of a remitter, for a low-risk customer you may decide to only use a bank account-to-bank account service (assessed as low risk by you) to a certain city/province (assessed as a high risk area by you) in a certain country (assessed as low risk by you).
It is important to remember that identifying, for example, a customer, transaction or country as high risk does not necessarily mean that money laundering or terrorism financing is involved. The opposite is also true: just because a customer or transaction is seen as low risk does not mean the customer or transaction is not involved in money laundering or terrorism financing. Experience and common sense should be applied to your risk management process.
Monitor and review
Monitor & review the risk plan:
Keeping records and regular evaluation of your risk plan and AML/CTF program is essential. The risk management plan and AML/CTF program cannot remain static as risks change over time; for example, changes to your customer base, your products and services, your business practices and the law.
Once documented, your business should develop a method to regularly check on whether your AML/CTF program is working correctly and well. If not, you need to work out what needs to be improved and put changes in place. This will help keep your program effective and also meet the requirements of the AML/CTF Act.
Additional tools to help your risk assessment
The following tools or ideas can be useful in helping to manage risk. You can include them in the previous risk assessment process to better inform your decisions.
Applying risk appetite to risk assessment
Risk appetite is the amount of risk a business is prepared to accept in pursuit of its business goals. Risk appetite can be an extra guide to your risk management strategy and can also help you deal with risks. It is usually expressed as an acceptable/unacceptable level of risk.
Some questions to ask are:
The risk matrix can be used to show the risk appetite of your business.
In a risk-based approach to AML/CTF the assessment of risk appetite is a judgement that must be made by the reporting business. It will be based on its business goals and strategies, and an assessment of the ML/TF risks it faces in providing the designated services to its chosen markets.
Figure 3: Sample risk matrix showing risk appetite
In addition to defining your business's risk appetite, you can also define a level of variation to how you manage that risk. This is called risk tolerance, and it provides some flexibility whilst still keeping to the risk framework you have developed.
An example showing how risk appetite and risk tolerance interact follows.
A remitter business has decided that generally the risk is unacceptable to remit money to a particular country. However, the remitter does have some risk tolerance. In this case the business will remit to this region provided that it is a bank to bank transaction only, the customer provides three verifiable customer identification documents and the transaction is signed off by a senior manager.
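As an added example, written for this page and not AUSTRAC's code, the following script encodes the remitter scenario just described together with the earlier idea of combining customer, product/service and country risk into an overall rating. The risk level names, the appetite threshold (low and medium acceptable) and the combination rule (the highest component rating dominates) are assumptions; the three tolerance conditions are the ones the example lists.

```python
"""Risk appetite and risk tolerance applied to a remittance decision.

Added illustration of the remitter example and of combining customer,
product/service and country risk (not AUSTRAC's code). The ratings, the
appetite threshold and the combination rule are ASSUMED; the three
tolerance conditions are the ones given in the text.
"""
from dataclasses import dataclass

# Ordered risk levels; the position is used to compare ratings.
RISK_LEVELS = ["low", "medium", "high", "extreme"]
# Assumed risk appetite: levels the business accepts without extra controls.
ACCEPTABLE_LEVELS = {"low", "medium"}


@dataclass
class RemittanceRequest:
    customer_risk: str           # rating the business assigned to this customer
    product_risk: str            # rating of the service used (e.g. bank-to-bank)
    country_risk: str            # rating of the destination country/region
    bank_to_bank: bool
    verified_id_documents: int
    senior_manager_signoff: bool


def overall_risk(req: RemittanceRequest) -> str:
    """Combine the three group ratings; assumed rule: the highest rating dominates."""
    ratings = (req.customer_risk, req.product_risk, req.country_risk)
    for level in ratings:
        if level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {level!r}")
    return max(ratings, key=RISK_LEVELS.index)


def tolerance_checks(req: RemittanceRequest) -> list:
    """The three conditions from the remitter example, as (name, satisfied) pairs."""
    return [
        ("bank-to-bank transaction only", req.bank_to_bank),
        ("three verifiable identification documents", req.verified_id_documents >= 3),
        ("senior manager sign-off", req.senior_manager_signoff),
    ]


def decide(req: RemittanceRequest) -> tuple:
    """Return (decision, reason) for the request.

    accept                within the stated risk appetite
    accept-with-controls  outside appetite, but every tolerance condition holds
    decline               outside appetite and at least one condition is missing
    """
    level = overall_risk(req)
    if level in ACCEPTABLE_LEVELS:
        return "accept", f"overall risk {level} is within appetite"
    missing = [name for name, ok in tolerance_checks(req) if not ok]
    if not missing:
        return "accept-with-controls", f"overall risk {level} exceeds appetite; all tolerance conditions met"
    return "decline", f"overall risk {level} exceeds appetite; missing: {', '.join(missing)}"


if __name__ == "__main__":
    # Constructed sample requests, all to a country the business rates high risk.
    samples = {
        "routine": RemittanceRequest("low", "low", "low", True, 1, False),
        "tolerated": RemittanceRequest("low", "low", "high", True, 3, True),
        "cash_out": RemittanceRequest("low", "low", "high", False, 3, True),
        "two_ids": RemittanceRequest("low", "low", "high", True, 2, True),
    }
    for name, req in samples.items():
        decision, reason = decide(req)
        print(f"{name:10} {decision:22} {reason}")
```

The reason string is kept alongside the decision so that each outcome can be recorded, which supports the record-keeping and review stage described under "Monitor and review". The decision logic is deliberately separate from the ratings themselves: when the business revises its appetite or its country ratings, only the data changes and the rule stays the same.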
1 International Organisation for Standardisation. ISO/IEC Guide 73 Risk management - Vocabulary - Guidelines for use in standards. Geneva: ISO, 2002.