Today, corporations and government agencies are facing an unprecedented wave of regulatory obligations and increased penalties for non-compliance. The financial services sector, as an example, needs to comply with a myriad of prudential regulations, federal privacy, AML/CTF, consumer credit and protection laws to name a few. Obligation registers now contain over 1,000 entries for compliance teams to deal with. In smaller organisations, these teams are often under-resourced due to compliance being a cost centre.

In this blog, we will discuss issues around some of the complexities of effective compliance risk management.

At Protecht, we believe a risk-based approach to compliance obligation management is crucial to avoid becoming too bogged down in the volume of obligations. However, organisations can run into immediate difficulty here, in trying to determine what is the risk event associated with the obligations even before an assessment of the obligation and its associated risk occurs. Let’s work with a subset of core AML/CTF obligations, courtesy of LexisNexis, as a practical example to explain:

  • Organisations must conduct identification procedures on new customers/members.
  • Organisations must report suspicious transactions, and cash transactions above or equal to 10,000.

We must first make a decision as to what we want inserted in our risk event library in relation to these obligations.

We often see the following examples:

  • Failure to conduct due diligence on new customers
  • Failure to report suspicious transactions

For those of you that read my recent blog (Risk Event Libraries – Sanity Check), you will recognise a potential problem here, in that these are failed controls. If we take a step back and think about what the legislation is doing, it is imposing a control framework on organisations to mitigate the key underlying risk event:

  • Money laundering and counter terrorism financing

Therefore, that is the starting point for your risk event library. David Tattam and I have had numerous robust discussions about whether we need to go more granular in the risk event library. For example another risk could be “AML/CTF regulatory reporting requirements breach”, arising when we fail to report suspicious transactions. Maybe… what do you think? I personally do not want my risk event library being cluttered with sub components of the true underlying risk event, as typically, these will either be failed controls or impacts.

05.pngProtecht.ERM Screenshot

Keeping the underlying risk event at a high level reduces the complexity of the risk event library, allowing you to quickly do an inherent risk assessment of this core risk. We would expect most financial services and betting companies to have a high to extreme risk for money laundering and CTF due to the inherent likelihood of it occurring, and extreme potential impacts – reputation and extremely punitive regulatory fines. Once the high risk rating has been determined we can direct our initial energies to this obligation set. You might also like the article What is the definition of Compliance? 


Continuing with our AML/CTF example we are now faced with the following tasks for each core obligation:

  • Assigning an owner – pretty straightforward, someone should have overall responsibility for the obligation.
  • Documenting and assessing what controls are currently in place – time consuming, but perhaps not so bad if we focus on core obligations.
  • Determining our compliance status with the core obligations – achievable after controls documented.
  • Documenting any treatment plans required if our control framework is weak.

Other issues to consider are:

  • Do we need to risk rate each individual obligation, or should we simply default to the risk rating of the underlying risk event? What do you think? I have no strong view here, albeit some obligations may be more important than others.
  • Attaching either metrics or attestation questions to each obligation. Higher risk obligations should have some form of continual monitoring attached to them. So working with one of our AML/CTF obligations, suspicious transaction reporting, we can either attach a metric such as “Suspicious transactions reported during the month” or create an attestation/s around key controls attached to this obligation. Values and response rates can then be aggregated and mapped to the key risk event “Money laundering and counter-terrorism financing” to support a more fluid picture of how this risk is being managed across the organisation #RiskInMotion.

There is no escaping the hard yards to do compliance risk management properly; It takes time, dedication and the appropriate resources. Our recent collaboration with LexisNexis to deliver plain English content through the ERM platform is helping organisations to get better at compliance risk management.

If you are interested in learning more, please send an email to info@protechtgroup.com.
ASIC Report Whitepaper: A Regulatory Spotlight on Non-Financial Risk
Whitepaper

A Regulatory Spotlight on Non-Financial Risk

Download Now

Related Articles

feature image
Enterprise Risk Management Risk Management Case Study

How the Sydney Opera House Improved Transparency and Accountability

Interview to Saira Buksh, Sydney Opera House ERPG Operations Administrator My name is Saira Buksh. I work for the Sydney Opera House and I have been...
Read more
feature image
Compliance Management Protecht News & Events Risk Management Risk Reporting Videos Compliance Professionals

Modern Slavery - Being Prepared

Do you know what the Modern Slavery Act is and how it will impact your business? We had the opportunity to have Associate Professor Justine Nolan...
Read more
feature image
Enterprise Risk Management Risk Analytics ERM Risk Management Software Videos

Webinar Recording - Understanding RiskInMotion

How to bring all your risk information into one dashboard Have you ever been told that your risk reporting is static, backward-looking or too...
Read more
blog-cta-footer-bg

Subscribe to the Knowledge Centre

Get the latest thought leadership on risk, compliance, health and safety and internal audit industry trends, challenges, methodologies, and insights. You will receive notifications directly in your inbox once a month.

Subscribe Now
© The Protecht Group
PROTECHT.ERM
Request a Demo
Resources
ABOUT
CONTACT US

Australia & Pacific

Level 8, 299 Elizabeth Street
Sydney NSW 2000
Australia
+61 2 8005 1265
info@protecht.com.au

United Kingdom & Europe

1st Floor, 60 Gresham Street
London EC2V 7BB
United Kingdom
+44 (0) 203 978 1360
info@protechtgroup.com
Meet the New Protecht

Redefining Risk

If you want to be better as a company, you need to get better at taking risks. Find out how and why we are redefining risk.

Learn More