The latest draft of the Handbook on Countering Financial Crime & Terrorist Financing (AML Handbook) has been released and here we take a summary look. As a management consultancy that assists organisations with all aspects of organisational architecture in a bid to help them grow, improve and protect what’s important, we were particularly interested in the GFSC’s approach to not just the specific risks of money laundering and terrorist financing, but the wider impact of risk on an organisation.
For some time East Harbour has been extolling the virtues of a tighter integration between strategy and risk (in the context of business architecture it is very difficult to define one without the other), and over the last few years we have seen a growing focus by the GFSC on the importance of clearly defining strategy, risk, business models and so on within an organisation. Best practice recommends not only that these cornerstones of any organisation are clearly defined, but also that they are effectively communicated throughout the organisation, and that activity, in the form of strategic initiatives, is resourced and aligned accordingly.
Let’s start at the beginning, lifting directly from the document. The stated purpose of the handbook is to assist prescribed businesses to comply with the requirements of the legislation, due at the end of March 2019, and to indicate good industry practice through the application of a risk-based approach. It is also intended to assist with the design and implementation of the systems and controls organisations may find necessary to mitigate any identified risks. The handbook adopts a technology-neutral stance and allows organisations to adopt whichever solution they deem appropriate.
The underlying premise of the legislation is that organisations must acknowledge, at the very highest level, a duty to understand enterprise risk, and must ensure that the systems and processes they use to develop policies, procedures and controls for identifying, assessing, mitigating, managing, reviewing and monitoring risk are both effective and robust.
The first thing the Board needs to have clarity about is its risk appetite: in effect, what level of risk the organisation is prepared to carry in order to achieve its stated strategic objectives. To define its risk appetite an organisation necessarily needs clarity about exactly what its strategic priorities are. The GFSC also stresses at this stage the importance of visibility: the Board needs to be seen to be taking the lead on enterprise risk and its management. The Board must also take ultimate responsibility for compliance; understanding of risk and risk appetite starts at the top and must filter down through all levels of the organisation. In addition, it is important to link risk appetite to the business model, since an appetite that is not commensurate with the model will fail, and this is why we talk to organisations in terms of an integrated framework (see below):
Assuming that the strategic objectives are clearly defined, understood and communicated, and that the risk appetite has been established, the focus is then able to shift to the specific risks that the organisation needs to manage, whilst maintaining an awareness that the sum effect of individual risks may be greater than the individual elements (some risks may compound others). It can also be a good idea at this stage to consider and incorporate the wider risk environment, blending elements of common PESTLE and SWOT exercises into the broader thinking.
We often talk to clients about the six main stages in the risk management cycle, starting with Risk Governance and Culture – in effect the risk appetite and general approach to risk, as set out by the Board.
Then follows the need to carry out specific business risk assessments (BRAs) within the confines of this risk appetite, in which the specific risks affecting the organisation are clearly defined, analysed and evaluated (steps 2-5 below).
Nor is this a one-off process: regular reviews (at minimum annually) are necessary to ensure that the organisation is cognisant, at all times, of potential changes to the risk landscape and their potential impact on the business. It is critical to understand that risk is dynamic by nature, and therefore a dynamic and responsive process for managing risk is vital. Policies, procedures and controls must be approved by the Board and regularly reviewed (effective governance and ongoing oversight) to ensure they are properly maintained and implemented.
Another interesting point stressed within the handbook is the need for clear communication throughout: awareness of BRAs; record-keeping and documentation that demonstrates the compliance activity that has taken, or is taking, place at Board and Senior Management Team level; and a reliance on record-keeping to demonstrate the process of managing risk and to generate accountability at a more operational level.
But equally important is the understanding that this handbook, and other similar guidance relating to risk, is not about limiting opportunities or innovation, but simply about creating an environment that ensures an awareness and control of any associated risk. Additionally, if managed effectively and with the right tools, robust risk monitoring and management should enable an organisation to more effectively align its activity and allocate its resources, thereby creating a more efficient business.
In our opinion, therefore, the AML Handbook update goes significantly beyond simply raising awareness of AML and TF risks; it is further insight into the holistic approach the GFSC is adopting towards risk, strategy, business models and so on. It is vital for organisations to have a clear understanding of these critical elements of business architecture and the interplay between them.
At East Harbour we have built a reputation on helping businesses achieve strategic goals, improve results and manage risk. We use carefully chosen technology solutions to enable the clear visualisation and communication of strategy, risk frameworks and performance management, and of how they combine within your organisation. The solutions we have selected provide a dynamism and responsiveness that are simply not possible with spreadsheet-based risk processes, and combine high-level enterprise governance with monitoring of specific risk indicators at an operational level.