By Derek Smith Jr
Every organization, whether for-profit or nonprofit, public or private, should protect itself by fully assessing its inherent risks, deploying mitigating controls and understanding the residual risks that remain.
Unfortunately, many organizations, from big corporations to small and mid-sized enterprises (SMEs), do not see the need to invest in robust risk management systems; it is my position that this is a fundamental mistake. Moreover, disruptive volatility in markets, supply chains, human capital, information security and other facets of business has become the norm. It is against this backdrop, and in light of the Financial Transactions Reporting Act, 2018, Section 5, that risk assessment and risk management are key to a company’s growth and even its survival.
Reid Hoffman, LinkedIn co-founder, said: “Everything in life has some risk, and what you have to actually learn to do is how to navigate it.”
Firstly, it is important to note that a risk assessment should not be completed in silos. There must be engagement by all stakeholders at the board, C-suite and management levels. Furthermore, I would submit that support staff and vendors must be engaged as well. This engagement aligns strategy with policies and procedures while building a shared understanding of the risks. It also enables companies to understand how, and to what extent, they are vulnerable to money laundering and terrorist financing risks; supply chain breaks; cybersecurity and information security incidents and breaches; emotional threats; and much more.
PWC East Caribbean noted: “It is important that business leaders understand that if risk is anything that can impede objectives, better risk management means better performance.”
The Group of Financial Services Regulators (GFSR) has done an excellent job of providing guidance on the design and implementation of risk assessments over the years. Section 2 of the AML/CFT Guidelines 2018 clarifies the process while allowing flexibility in how it is deployed. The guidelines note that supervised financial institutions (SFIs) should consider using the following steps to assess the level of identified risk that the business may face:
- Identify and assess inherent risks by adopting a comprehensive risk-based approach.
- Establish risk tolerance levels from an entity-specific, sectoral and relationship-level perspective.
- Establish risk mitigation measures by employing proper controls.
- Evaluate residual risks by employing a three-lines-of-defense regime.
- Monitor and review risks by utilizing a proper governance regime.
Risks can be categorized in a variety of ways, and the categories should be derived from the particulars of your institution. Some categories may include clients, business operations, transactions, products and services, delivery channels, politics and geographical reach. Each category should be linked, through analysis, to the achievement of the institution’s objectives and monitored continuously. A periodic evaluation of your institution’s internal processes, people, technology and data helps identify both inherent and residual risk. The risks should be inventoried with a view to determining the risk tolerance of your institution.
In short, COVID-19 has highlighted that many entities were not properly prepared, which suggests that their risk management efforts were not accurately assessed, aligned, monitored and revised. Disruptors are inevitable. How institutions prepare for them, and how they move away from substandard risk management approaches, will determine whether they survive.
Derek Smith Jr is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.