Risks abound in the conduct of financial transactions requiring various and costly resources. It is important for businesses to be able to effectively balance managing their risks with managing the costs of managing risks. The risk based approach is designed to help businesses with this balance by directing the greatest and most costly resources to the areas of highest risk. It is an approach considered by the Financial Action Task Force and by Regulators as central to the management of risks as it determines the actions which businesses must take to mitigate risks effectively.

Fully understanding the risks

Money laundering risks are analysed and measured under four main risk categories, namely:

1. Customer/Client Risk
2. Product, Services/Transaction Risk
3. Geographic Risk
4. Delivery Channel Risk

Analysis of risks
Analysing the risks under each of the four categories entails firstly determining – what are the risks which can arise in my business under each risk category? You will need to read your local AML-CFT Guidance Notes from your Regulator which should point to certain risk factors as well consider risk factors arising from reported typologies of money laundering. Those risk factors will provide the considerations for the risk assessment. Secondly, you will also need to determine – how severe and likely to occur are those identified risks? Again, guidance from your local Regulator as well as from reported cases on money laundering will assist in this analysis.

Example:
Under the customer/client risk the following are some of the considerations for risk assessment:

	Answer	Risk Rating
Is the client a politically exposed person?	Yes	High
Has the customer been positively identified as having a criminal history?	Yes	High
Is the customer from a jurisdiction or conducting business within a jurisdiction listed on the Financial Action Task Force for weak AML-CFT regimes?	No	Low

Risk Variables
Risk variables are used when there are considerations other than the main considerations for risk assessment. They are necessary so that one can develop a true picture of the risks. Risk variables increase or decrease the perceived severity and likelihood of risks.

However, it is important to note that more than one risk variable can operate concurrently and so, it is important that businesses understand all the risk variables which could impact the initial risk rating before making a final decision.

Overall risk ratings

Composition of risk ratings

On completion of the analysis under each risk category an overall risk assessment rating is determined by an aggregation of the risk ratings for each risk category.

Example:

	Numerical Rating	Risk Rating/Risk Level
Customer/Client Risk	5.0	medium
Delivery Channel Risk	5.0	medium
Geographic Risk	8.0	High
Product, Services Risk	8.0	High
Overall Rating	6.5	High

Note:

[The full working for calculation of overall risk rating is not shown here.]

Overall risk ratings
The client is assigned an overall risk rating of high, medium, low or combinations thereof to denote the risk level which that client poses to the business.

Actions per risk rating
A set of measures and controls commensurate with the risks is assigned per risk level.

Example

Risk Level	Degree of Due Diligence	Measures and Controls
High Risk	Enhanced
Medium Risk	Medium
Low Risk	Simplified

Example for a high-risk rating one may find a combination of the following measures and controls to combat and control money laundering:

• Increased levels of know your customer KYC documentation or enhanced due diligence documentation
• Escalation for approval of established account or relationship
• Increased monitoring of transactions
• Increased levels of ongoing controls and reviews of relationships

It is important that the actions for each risk level are taken comprehensively so that, should the money laundering risk actually materialise, the business is in a position to demonstrate to Regulators and to the law courts as the case may be, that it took the right actions to combat and control money laundering. The right actions are effective measures and controls commensurate with the risks.