Rethinking Financial Crime Risk Management
Part 1 - The behavioural bias that is Residual Active Risk

In financial crime, we spend an awful lot of time learning about the criminal act and the actors (it is the fun bit, that why some of us love it). As a financial crime specialist, it is a key part of the job to educate the front line.

As I have often told others, I can't teach you about financial crime typologies that work, only ones that don't. It's your job to make sure that they don't work.

I have asked myself the question many times over the years. What makes a risk-averse person change their attitude; and find acceptable some rather indigestible facts.

Its the money - stupid. Well, that is true. However, it doesn't really answer the question. From my perspective as a risk manager, I want to look at controls that incentivise all to sit in the middle ground, between adverse and favourable. So what stops this? Now as humans, we all have this wonderful collection of biases. Most importantly the unconscious bias.

Years ago, that question sent me down the road of behavioral economics. For those who have read 'Thinking, fast and slow', you will have dipped your toe into that world. It is a world where you have to identify your biases and rethink the whole situation; and look at it through a different lens.

Now my use of the word 'lens' is vitally important in that sentence. It is the use of language, to pull one's focus from their unconscious bias (default) position. Now if you deal with management and boards, it is key to your job to ensure that you pull all participants, into pushing their decision-making out of the default position. 

Language is the key to risk management. I realised this when I worked in risk management in the late '90s. The company I worked for was working on the  Turnbull Report on Corporate Governance. For example, I don't know to this day when the terminology changed, but 'inherent risk' was still being called 'gross risk'. It was evident that the term 'gross risk' (which came from auditors and insurers), put one's mind into thinking about the wrong type of risk. This is when I became aware of the power of language in risk management, and the effect it has on the outcome.

So the purpose of this article, is that I want you to rethink the term 'residual risk'. Over decades of writing risk assessments, I have become aware that 'residual risk' is often too high level. If you split the risk down, it then becomes far too granular and the document starts to look like a phonebook; and becomes a risk in itself.

Take the term 'residual risk' and by dividing it into 'active residual risk' and 'passive residual risk'. You then create two ways of looking at the final outcome. The terms 'active' and 'passive' is the language of the DTI guidance on the UK Bribery Act and also CRS. I'm just extending that concept into Financial Crime.

Active Risk in terms of financial crime is facilitation and/or participation.

Passive Risk in terms of financial crime is somewhat more subjective. The bribery and corruption definition was developed to describe the risk of receiving the bribe. Now evolve this definition into the source of wealth. For example, part of the subjects' wealth may have derived from a criminal act. This raises the question, what part of the subjects' wealth has been derived from the proceeds of crime? I like to use the analogy, you can't extract the glass of water once it has been poured into the bath.

 What I have learned is that we all have an unconscious bias towards 'active risk'. It is the defensive position that the risk is widely dismissed, as it 'couldn't happen here'; and that is often the end of the conversation.

'Passive risk' is the land of defensive SAR's.  The proceeds of crime laws have no time limitations or have the ability to deal with prosecuted proceeds. In one particularly difficult subject area that I have observed, is that some people only see an alleged criminal act as a risk when the subject has been convicted. Which is rather ironic as it would not be alleged. This is a perfect example of 'active risk bias'. The reality is that in many jurisdictions the rule of law isn't enforced as it is here. The 'passive risk' approach is to collate the information and evidence an informed opinion. 

So to reflect on my original question. Is that person actually talking about 'active risk' and you're talking about 'passive risk'. By using these terms, you can agree that they are correct in terms of 'active risk'. Now you can objectively discuss the 'passive risks' in a constructive way.

When you discuss risk appetite statements or undertake risk assessments, it allows you to get past the 'it couldn't happen here' obstacle and get everyone into thinking about identifying, and managing 'passive risks'. This is the art of risk management.


Hayden Morgan
Lover of risk management, not compliance dictatorship

Rethinking Financial Crime Risk Management
Hayden Morgan
6 October, 2020
Share this post
Ransomware and the double whammy
If being hit by a ransomware attack if bad enough, make the payment and you can find yourself up against the Department of Justice