Implement a risk management process

This guidance is designed to help your business meet your risk management obligations. You may choose a different way to manage risk which is more suited to your business and the risks it faces.

What is risk and risk management?

In simple terms, risk is a combination of the:

  • chance that something may happen, and
  • the degree of damage or loss that may result if it does occur.

Risk management is the process of recognising risks and developing methods to both reduce and manage those risks. This requires the development of a method to identify, prioritise, and control risks, and then monitor how effectively risks are being managed.

In a risk management process, risks are assessed against the chance of them occurring (likelihood) and the amount of loss or damage (impact) that may result if they do happen.

Which risks do you need to manage?

You need to manage the risk that your business may be exploited for money laundering, terrorism financing and other serious crimes. This is known as money laundering and terrorism financing (ML/TF) risk.

Managing risk does not mean operating in a completely risk-free environment – this is not realistic. Instead, you must identify the risks your business faces and then find the best ways to reduce and manage those risks. This should be in proportion to the size of your business, the risks you face, and the resources you have available.

The four-step risk management process

On this page, you will find a summary of a four-step process to help you to manage ML/TF and regulatory risks.

The steps are:

  1. Identify risks
  2. Assess and measure risks
  3. Apply controls
  4. Monitor and review effectiveness.

1. Identify risks

Identify the ML/TF risks that exist for your business when providing designated services. You must consider the risks posed by:

  • your customers
  • your products and services
  • your business practices/delivery methods (channels)
  • the countries you do business in or with (jurisdictions).

The following are some examples of the types of risk that you may find for each of these categories.

Customers

  • the type of customer – for example, an individual, sole trader or company
  • new customers
  • customers who want to carry out large transactions
  • a customer or group of customers making lots of payments to the same recipient
  • customers who have a business which involves large amounts of cash
  • a customer whose identification is difficult to check
  • customers who use large amounts of bank notes and/or small denominations.

Products and services

  • remittance service
  • gambling/wagering account
  • superannuation fund account
  • digital currency exchange
  • banking products.

Business practices/delivery channels

  • face to face
  • online/internet
  • phone
  • email
  • third-party agent or broker.

Countries (jurisdictions)

  • any country or particular region of a country in which you may do business
  • any country subject to trade sanctions
  • any country known to be a tax haven, source of narcotics or other significant criminal activity.

2. Assess and measure risks

Once you have identified the risks your business faces, each risk needs to be assessed and measured in terms of the chance (likelihood) it will occur and the severity or amount of loss or damage (impact) which may result if it does occur.

The risk level associated with each event is a combination of the likelihood that the event will occur and the impact it could have.

Likelihood x Impact = Risk level

Likelihood

Likelihood refers to the potential of a particular risk occurring in your business.

Three levels of likelihood are provided as examples, but you can have as many as you need for your business.

  • Very likely: Almost certain – it will probably occur several times a year
  • Likely: High probability it will happen once a year
  • Unlikely: Unlikely but not impossible.

Impact

Impact refers to the seriousness of the damage which could occur if the risk happens.

You know your business, and are in the best position to know what impacts may affect it and how those impacts would affect it. Some examples of impacts to think about could include:

  • How your business would be affected by a financial loss from a crime.
  • The risk that a particular transaction may result in a terrorist act and loss of life.
  • The risk that a particular transaction may result in funds being used for any of the following: corruption, bribery, tax evasion, drug trafficking, human trafficking, illegal arms trading, terrorism, theft, or fraud.

Note that these do not cover every scenario and are not prescriptive.

Three levels of impact are shown here, but you can have as many as necessary for your business:

  • Major: Severe damage
  • Moderate: Moderate level of damage
  • Minor: Minimal damage.

Once you have assessed the likelihood and impact of each risk, you can determine the risk level from these two factors. The following is an example of how you could use a risk matrix and risk score to determine the risk level posed by customers.

Risk matrix and risk score

You can use a risk matrix to combine the likelihood and impact to obtain a risk score. The risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk.

How the risk score is derived can be seen from the risk matrix and risk score table shown below. Four levels of risk are shown, but you can have as many as you believe are necessary.

Likelihood/Impact   Minor   Moderate   Major
Very likely

Risk score/level and response table

Risk score / Risk level / Description and response

  • 4 / Extreme: Risk almost certain to happen and to have very serious consequences. Do not allow the transaction to occur unless the risk is reduced to an acceptable level.
  • 3 / High: Risk likely to happen and/or to have serious consequences. Do not allow the transaction until the risk is reduced.
  • 2 / Medium: Possible this could happen and/or have moderate consequences. May go ahead, but take steps to reduce the risk.
  • 1 / Low: Unlikely to happen and/or have minor or negligible consequences. Okay to go ahead.

3. Apply controls to manage risks

This step is about determining how to manage the risks you have identified and assessed. Managing ML/TF risks involves applying your systems and controls. Examples of risk reduction or controls could be:

  • setting transaction limits for high-risk products (for example limiting the amounts or frequency of transactions)
  • having a management approval process for higher-risk products or customers
  • a process to place customers in different risk categories and apply different identification and verification methods
  • not accepting customers who wish to transact with a high-risk country.

The following table provides an example of how you could record this information.

Example: Customers

Risk / Likelihood / Impact / Risk score / Control/action

  • New customer / Likely / Moderate / 2 / Standard ID check (ID verification type)
  • Customer who brings in large amounts of used notes or small denominations / Likely / Major / 3 / Non-standard ID check (ID verification type)
  • Customer whose business is registered overseas with no Australian office / Very likely / Major / 4 / Do not accept as a customer

It is important to keep in mind that if a customer, transaction or country is identified as high risk it does not necessarily mean that criminal activity is occurring or will occur.

The opposite is also true. Just because a customer or transaction is seen as low risk, this does not mean the customer or transaction is not involved in criminal activity. Your knowledge of your business and common sense should be applied to your risk management process.

4. Monitor and review

Once documented, your business should develop a method to regularly evaluate whether your AML/CTF program is working correctly. If not, you need to work out what needs to be improved and put changes in place. This will help keep your program effective and also meet the requirements of the AML/CTF Act.

For more information about AUSTRAC’s expectations for businesses to continuously review their risk assessment, download Insights: Assessing ML/TF Risk (PDF, 439KB).

Keeping records and regularly doing an evaluation of your risk and AML/CTF program is essential. Risks change over time, for example, changes to your customer base, your products and services, your business practices and the law. Whenever you update your AML/CTF program, you must keep a record of the previous version/s for seven years from the date it is replaced.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 14 Dec 2022