AML/CFT Business Risk Assessment
This assessment is unusual in the world of risk assessments, mainly because the final document has to articulate many inherent risks that would not feature highly enough in other risk assessments. It is all too easy to let this document grow far too big, and commonly it encapsulates too much live data.
Often the AML/CFT Risk Appetite is addressed within this document; however, this can encapsulate too much live data. You need to consider other reporting mechanisms to cover live data and how the risks are managed by key oversight functions.
Risk appetite relates to the capacity to manage risk; it has to capture control capacity and the thresholds within these controls. Counting the number of PEPs, for instance, says nothing about your capacity to safely service them.
ERM, ORM and Prudential Risks
A good framework is the best approach; accountability and ownership are also key to developing a good framework. These can create large assessments. They should behave more like testing benchmarks, as you need to be able to apply changes in regulation, litigation, and internal (incidents and breaches) and external events, and to evidence that the controls are proportionately robust enough to manage the risk.
Data Privacy and Data Integrity
These are very much part of the regulatory purview. They should be scoped in both of the above risk assessments. These can be undertaken as separate exercises.
Technology Risk Assessments
This is a very broad area; we specialise in having the knowledge to interpret these risks in a manner that the Board and business can understand. With this, we have the ability to engage with specialist consultants and ask the challenging questions that need to be asked. This is an area that businesses are highly dependent on, and few challenge the service providers in the same way that they would if it were a regulatory outsourcing.