Business Risk Assessment (BRA)

Subject persons are required to have in place a Business Risk Assessment identifying the threats and vulnerabilities that it is exposed to and assess the likelihood and impact of the ML/FT risks.

We have the tools and know-how to assist subject persons to draw up purposeful and relevant business risk assessments. We can also assist subject persons to manage their risk exposure. Measures are broad and vary on a case-by-case basis but may range from strengthening specific parts of the AML control framework to embarking on a structured de-risking exercise.

What are the steps to draw up a meaningful Business Risk Assessment?

1. Identify risk areas

The risk categories should comprise the risks associated with the customer types, the jurisdictions to which customers are linked, the products and services, and the distribution channels. The risks should be adequately described in light of the business model and operations of the entity. In case of large entities, key personnel from various departments should also contribute to the BRA.

2. Extract required data

Subject persons should determine their exposure to risk by looking at the numbers driving those risks. For example, in order to assess customer risks, an analysis of actual customer base should be carried out to determine the number of PEPs, high net worth individuals, etc. Similarly, when assessing geographical risk and the product and service risk, subject persons should assess their exposure to such risks in terms of their actual client portfolio.

3. Rate risk based on impact and likelihood (inherent risk)

Each risk is evaluated on the basis of the probability of the risk materialising, and if it had to materialise, the effect that such risk would have on the entity. The impact is measured in terms of the damage that risk would have on the entity if it had to occur, such as reputational, commercial, regulatory, legal, and financial loss. On the other hand, the extracted data should assist in assessing the probability of a risk occurring. The assessment is carried out on the level of risk before the application of mitigating controls.

4. Identify controls in relation to each risk

The BRA should document the measures, tools policies, controls, and procedures put in place by the entity to address the ML/FT risks. There should be a clear correlation between the risks and controls and the latter should be clearly defined to explain how they serve to mitigate the associated risks. Furthermore, the controls included in the BRA should reflect the true picture of the implemented control framework. Any controls which are yet to be implemented should not be taken into consideration at this stage.

5. Calculate residual risks

This is the level of risk remaining after the application of the measures, policies, controls, and procedures. In order to arrive at the residual risk, the effectiveness of each control should be assessed. The conclusions of the internal audit function or any other independent assessment should be taken into consideration when assessing the strength of the control framework.

6. Are the residual risks in line with your risk appetite?

Zero risk does not exist! In view of this, the entity has to determine whether it will accept the remaining risk to pursue its business objectives, or whether further mitigating measures should be implemented to reduce the risk to an acceptable level. This should be clearly documented within the BRA.

The BRA methodology should be clearly documented. This should explain the method used to conduct the risk assessment, i.e the manner in which the likelihood and impact of the identified risks were assessed and how the effectiveness of the respective controls was measured. Finally, risks are dynamic and therefore the BRA should be a live document that is updated in line with changes to the business model and external environment.

Want to know more about the Business Risk Assessment? Contact us now

Send RFP