Out-Law Analysis | 09 Oct 2015 | 11:28 am | 3 min. read
The guidance can help organisations of all kinds comply with the UK's Bribery Act, although it concerns risk assessments for other types of financial crime too.
A risk assessment is a must for organisations and forms the bedrock of an effective compliance programme.
The Wolfsberg Group guidance
The Wolfsberg Group, whose members include Barclays, Citigroup, HSBC and JP Morgan Chase, aims to develop frameworks and guidance for the management of financial risks. Its most recent guidance (28-page / 806KB PDF), issued in the form of FAQs, addresses risk assessments for money laundering, sanctions and bribery and corruption.
Describing risk assessments as one element of a 'financial crime compliance toolkit' for financial institutions, the FAQs address issues such as the purpose of a risk assessment, how often one should be carried out, how it should be organised, who is responsible for carrying it out and what methodology should be adopted.
The FAQs reiterate and expand upon many of the principles included in existing guidance, including the British standard on anti-bribery management systems, the Ministry of Justice's adequate procedures guidance and the FCA's guidance on the management of financial risks.
What are the main principles contained in the guidance?
The first main point to take from the Wolfsberg Group guidance relates to how often risk assessments need to be carried out.
According to the guidance, the periodicity of a risk assessment will depend on a number of factors including the methodology adopted, the results of the previous risk assessment carried out and any relevant internal or external risk events.
Typically, risk assessments will be refreshed annually. However, events such as regulatory intervention, annual reporting, an increase in suspicious activity reports or enforcement action against a peer or competitor could prompt companies to carry out an interim validation of an existing risk assessment or a further risk assessment exercise.
The guidance also makes clear that senior management within organisations are the overall owners of the risk environment. Whilst they may delegate the risk assessment process or the carrying out of actions to, for example, a compliance unit or a particular part of the business, those senior staff should retain ownership of the issue.
The Wolfsberg Group said the decision on who manages the risk assessment process may be determined by country, region or business practice. They said the scope and methodology of the risk assessment process must be communicated to relevant stakeholders, including the matters to be assessed, criteria to be benchmarked against, any weighting or scoring to be adopted, the form to be adopted and the contribution expected from the stakeholders within the business.
How should risk assessments be conducted?
Acknowledging that there are numerous ways to conduct a risk assessment, the Wolfsberg Group guidance envisages a three-phase process, the outcome of which should be communicated to relevant stakeholders.
First, it said businesses should consider all relevant risk factors, in the absence of any controls, to determine their risk profile. The guidance proposes an assessment across five risk categories: clients, products and services, delivery channels or servicing methods, geographies and any other risk factors that may be derived from regulatory publications and expectations.
Secondly, the guidance recommends that businesses evaluate the mitigating internal controls, whether programmes, policies, procedures or activities, to determine how effectively they protect against a risk materialising or ensure that a risk which does materialise is promptly identified.
If controls are found not to be designed or operating effectively, or do not exist, a remedial action should be raised. The guidance said, for example, that "a revised training programme for staff, or the establishment of an enhanced due diligence procedure" should be considered. It said any such actions should not affect the residual risk recorded in the current assessment; a corrective action will only seek to improve the residual risk in the next assessment conducted.
The third phase of a risk assessment should involve companies assessing the risk that remains after controls are applied to the inherent risks that have been identified, the Wolfsberg Group said.
Its guidance proposes allocating a rating scale of high, moderate and low to any residual risk and provides details of what may constitute each rating. Whether or not the residual risk level is tolerable will depend on the particular entity's risk appetite and whether or not any steps can be taken to reduce the inherent risk or to strengthen the internal controls.
Potential criminal or civil liability, regulatory intervention and reputational damage will be factors to consider in determining risk appetite.
Risk assessments – the bedrock of an effective compliance programme
Various guidance documents issued since the Bribery Act 2010 came into force have advocated the importance of conducting a proportionate risk assessment.
The Wolfsberg Group FAQs emphasise the need for the risk assessment process to be a senior-management-led, root-and-branch review of the crime-related risks, however small, faced by the business, and to involve a critical assessment of the effectiveness of its compliance control measures.
It is only once this exercise has been carried out that an organisation can understand the residual risks it faces and identify any steps that can be taken to strengthen its compliance programme.
Stacy Keen is an expert in criminal and regulatory risk at Pinsent Masons, the law firm behind Out-Law.com.