Create a business-wide risk assessment
STEP 1: UNITS
Risk Assessment Pro enables you to assess risks across your organisation by using assessment units.
You can create assessment units to reflect your business. This is done in the Admin panel. Once the assessment units are in place, create a new risk assessment for each assessment unit by clicking “New risk assessment” in the respective assessment unit.
In enterprise settings, it is possible to conduct risk assessments in each assessment unit and then aggregate the results into a group-wide risk assessment report.
There is an assessment unit with your name on it. That is your personal space where you can try things out without risk of interfering with other processes.
STEP 2: SETTINGS
1. Define what you want to assess
To understand how an organisation can be misused by criminals, you first need to know what that organisation does – the nature of its business. In Risk Assessment Pro, you must therefore start by defining the following for each risk assessment:
- Your country of operation
- Your industry (bank & finance, gambling etc.)
- Your customer types (natural persons, legal persons or both)
- Your products and services
The selection creates a filter of the threat and risk content in Acuminor’s database (Atlas) – only showing the threats and risk indicators that are relevant to the selections made.
2. Select Data Model: Acuminor continuously updates its database with new information, and a new data model is released regularly. Select the latest named data model, e.g. 2021:15, to ensure that you are using an up-to-date version. It is recommended that you keep the selected data model for the duration of a risk assessment process.
If you select the data model called “Latest” you will automatically update to the latest data model deployed by Acuminor. Normally we recommend not using this data model setting when performing business-wide risk assessments since it could mean that you repeatedly receive new risks mid-project.
STEP 3: DATA IMPORT
Your internal data can provide further insights into risks and controls. The data requested consists only of counts and volumes. No names or other personal information is required.
The risk exposure of an organisation can be further highlighted by how many of the relevant risk indicators can be found in the organisation. The Solution allows manual and .CSV upload of risk indicator data related to the following:
- Products and services
- Distribution channels
- Data related to existing controls (upcoming feature)
The Solution also features API connections to simplify data collection. It is, however, possible to proceed with the risk assessment even if no data, or only limited data, is available (see more below).
Using CSV import
- Press “CSV import” and select “Download Template”. Repeat for each risk area (customer, products etc).
- Populate the templates with Excel or any other tool that can save .csv files. Make sure to type numerics only, without any “,” “.” or blank spaces.
- Press “CSV import” and select “Upload template”.
Your data is now uploaded to Risk Assessment Pro.
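The template rule above (whole numbers only, no commas, decimal points or blank spaces) is easy to break when a spreadsheet applies thousands separators or number formatting on export. The following is an added example, not part of the original guide and not Acuminor’s code, of a pre-upload check that scans a populated template and reports every offending cell. The template layout it assumes (one text label column followed by count/volume columns) is an assumption; the real template columns are not shown here, and the sample contents are constructed.

```python
import csv
import io

# Constructed sample template contents. The layout (one text label column
# followed by count/volume columns) is an assumption made for this example;
# the real Risk Assessment Pro template columns are not documented on this page.
GOOD_CSV = """risk_indicator,customers,transactions
Private banking,120,4500
Cash-intensive businesses,35,980
"""

BAD_CSV = """risk_indicator,customers,transactions
Private banking,1 200,4500
Cash-intensive businesses,35,9.80
Trusts,1,234,50
"""


def cell_problem(value):
    """Return None for a plain run of ASCII digits, otherwise a short reason."""
    if value == "":
        return "empty cell"
    if " " in value:
        return "contains a blank space"
    if "." in value:
        return "contains a decimal point"
    if not (value.isascii() and value.isdigit()):
        return "not a plain integer"
    return None


def find_invalid_cells(text, label_columns=1):
    """Scan CSV text and return (row, column, value, reason) tuples, 1-based,
    counting the header as row 1. A stray thousands separator ',' cannot be
    told apart from a field separator, so it surfaces as a row with more
    fields than the header has."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    problems = []
    for row_no, row in enumerate(reader, start=2):
        if len(row) != len(header):
            problems.append((row_no, None, ",".join(row),
                             f"expected {len(header)} fields, got {len(row)} (stray ','?)"))
            continue
        for col_no, value in enumerate(row, start=1):
            if col_no <= label_columns:
                continue  # label columns may contain text
            reason = cell_problem(value)
            if reason:
                problems.append((row_no, col_no, value, reason))
    return problems


def is_valid_template(text, label_columns=1):
    """True when every data cell passes the numerics-only rule."""
    return not find_invalid_cells(text, label_columns)


if __name__ == "__main__":
    for row, col, value, reason in find_invalid_cells(BAD_CSV):
        where = f"row {row}" + (f", column {col}" if col else "")
        print(f"{where}: {value!r} -> {reason}")
```

Run it against each populated template before pressing “Upload template”; an empty result means the file only contains plain integers in its data columns.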
Risk Assessment Pro also provides a RESTful API that allows automatic data extraction from your existing KYC or transaction monitoring tools. Contact us for more information.
STEP 4: INHERENT RISK ASSESSMENT
The inherent risks are the risks that the organisation can be misused for financial crime purposes, given that no mitigating actions are in place to prevent it from happening.
Know which threats and risks are most dangerous for you
The risk engine has now generated a number of inherent risks.
The inherent risk is assessed both for threats and risk indicators.
A threat is a criminal method identified through Acuminor’s analyses of trusted vetted sources. Examples of threats are human trafficking, trafficking of drugs, black labour and terrorism recruitment.
1. What threats are most relevant for you?
Your settings have generated a customised set of financial crime threats relevant for your business.
Each relevant threat is assigned an inherent risk, which allows an organisation to focus on certain crime types. The inherent risk assessment of a threat consists of two parts: probability and impact.
2. Assess probability
Probability is the assessment of the likelihood that a threat materialises in the organisation. The probability can be assessed by:
- Using uploaded internal data (number of relevant customers, products, transactions, channels and geographies)
- Manual assessment of the probability based on the available information (data, risks etc.)
- Using the Threat probability as determined by Acuminor’s analyses
The pre-set probability configuration uses a scale of 1-4. As a guiding principle, and for clarification, the probability levels can be translated into the following:
- Level 1 (low): Probably occurs
- Level 2 (medium): Occurs to a limited extent
- Level 3 (high): Commonly occurring
- Level 4 (very high): Very common
3. Assess impact (optional)
Impact is defined differently in different organisations. Three components commonly used when assessing impact are:
- Regulatory impact
- Reputational impact
- Financial loss
Acuminor’s Solution allows each organisation to use other definitions of its choosing.
It is also possible to refrain from using impact when assessing the inherent risks. The use of impact can be disabled in the risk engine configuration. If impact is not used the inherent risk will be determined by the probability only.
The pre-set impact configuration uses a scale of 1-4. As a guiding principle, and for clarification, the impact levels can be translated into the following:
- Level 1 (low): Very little impact
- Level 2 (medium): Limited impact
- Level 3 (high): Noticeable impact
- Level 4 (very high): Significant impact
4. Approve and lock
Once you are done with a threat, click “Approve and lock” and proceed to the next.
A risk indicator is a specific customer type, product/service, transaction type, distribution channel or geography that is found in one or several threats.
1. What risk indicators are most relevant for you?
Once all threats have been assigned an inherent risk, the inherent risk for each risk indicator (customer type, product/service, transactions, channels and geography) related to the threats is generated automatically.
The inherent risk for each risk indicator is accessed by clicking on any of the risk categories in the dashboard.
2. What should I do with the inherent risks for the risk indicators?
You don’t have to do anything unless you disagree with the inherent risks. The risk indicators are important when assessing controls in the next step, and are also an important part of using the results of the risk assessment to improve the control environment.
STEP 5: CONTROL ASSESSMENT
1. Define controls
In this step you will define which controls (mitigating actions) are in place in the organisation today (KYC, policies, transaction monitoring etc.). The effectiveness of these controls will be assessed once the control environment has been set.
When you click Control Assessment for the first time, the control editor opens. Here you can select and edit controls from a list of built-in controls, as well as create new controls. Define your controls and select those that will be assessed.
Close the editor when you want to start assessing your controls. If you want to return to the control editor just click “Manage Controls” at any time.
General vs. specific controls
There are two types of controls: General and specific.
- A general control is a control that mitigates all risks in one or more risk categories
- A specific control is a control that mitigates one or more risk indicators
2. Assess controls
Assigning a control to a risk category or specific risk indicator makes it possible to assess how effective the control in question is in relation to the linked risk category/indicator(s).
Specific controls must be linked to one or more risks before they can be assessed. Select the control and click the “Add…” button at the bottom. Find the relevant risk(s) by searching or by using the “risk labels”. Then set the control score.
Risks without any controls are shown without any control strength. Controls are assessed on a scale of 1-4, where 1 is weakest and 4 is strongest. The control levels used can be configured.
As a guiding principle, and for clarification, the control levels can be translated into the following:
- Level 1 (weak): Very little effect on the risk
- Level 2 (moderate): Limited effect on the risk
- Level 3 (strong): Noticeable effect on the risk
- Level 4 (very strong): Significant effect on the risk
You can see an overview of the high-level effectiveness of all controls in the dashboard. You can also see the control effectiveness for each risk indicator by clicking on a risk category.
STEP 6: VERIFY RESIDUAL RISKS
1. Residual risks
Once the inherent risks and controls are assessed, Risk Assessment Pro calculates the residual risks automatically.
The residual risks are the risks that the organisation can be misused for financial crime purposes, given the controls that are in place by the time of the assessment.
You can see the high-level residual risk for each area included in the risk assessment (money laundering, terrorist financing, sanctions, compliance) in the dashboard.
You can also see the residual risk for each risk indicator. You should look through each category of risk indicators to validate that you agree with the residual risks.
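To make the relationship between threats, risk indicators, general and specific controls and residual risk concrete, here is an added example that is not part of the original guide and not Acuminor’s risk engine. It uses the 1-4 scales described in steps 4 and 5, but the three combination rules in it are placeholders chosen for illustration, since the page does not state the engine’s formulas: inherent risk of a threat is the rounded-up mean of probability and impact (or the probability alone when impact is disabled), a risk indicator inherits the highest inherent risk of any threat that contains it, and each control level above 1 lowers the residual risk by one step. The threats, indicators, categories and controls are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Scales used on the page: 1 (low / weak) .. 4 (very high / very strong).


@dataclass
class Threat:
    name: str
    probability: int             # 1-4
    impact: Optional[int]        # 1-4, or None when the assessment does not use impact
    indicators: List[str]        # risk indicators found in this threat


@dataclass
class Control:
    name: str
    strength: int                # 1 (weak) .. 4 (very strong)
    categories: FrozenSet[str] = frozenset()   # general control: whole risk categories
    indicators: FrozenSet[str] = frozenset()   # specific control: linked risk indicators


def inherent_threat_risk(t: Threat, use_impact: bool = True) -> int:
    # ASSUMPTION (placeholder rule): rounded-up mean of probability and impact.
    # With impact disabled, the page says probability alone decides.
    if not use_impact or t.impact is None:
        return t.probability
    return math.ceil((t.probability + t.impact) / 2)


def inherent_indicator_risks(threats: List[Threat], use_impact: bool = True) -> Dict[str, int]:
    # ASSUMPTION (placeholder rule): an indicator inherits the highest inherent
    # risk of any threat it appears in.
    risks: Dict[str, int] = {}
    for t in threats:
        r = inherent_threat_risk(t, use_impact)
        for ind in t.indicators:
            risks[ind] = max(r, risks.get(ind, 0))
    return risks


def control_strength(indicator: str, category: str, controls: List[Control]) -> Optional[int]:
    # A general control covers every indicator in its categories; a specific control
    # covers only the indicators linked to it. None means "no control" and the risk
    # is shown without a control strength, as the page describes.
    strengths = [c.strength for c in controls
                 if category in c.categories or indicator in c.indicators]
    return max(strengths) if strengths else None


def residual_risk(inherent: int, strength: Optional[int]) -> int:
    # ASSUMPTION (placeholder rule): each control level above 1 lowers the risk one step.
    if strength is None:
        return inherent
    return max(1, inherent - (strength - 1))


def assess(threats, categories: Dict[str, str], controls, use_impact: bool = True):
    """Per-indicator view: inherent risk, strongest covering control, residual risk."""
    result = {}
    for ind, inh in inherent_indicator_risks(threats, use_impact).items():
        s = control_strength(ind, categories[ind], controls)
        result[ind] = {"inherent": inh, "control": s, "residual": residual_risk(inh, s)}
    return result


def category_summary(assessment, categories: Dict[str, str]) -> Dict[str, int]:
    """High-level residual risk per category: the highest residual among its indicators."""
    summary: Dict[str, int] = {}
    for ind, row in assessment.items():
        cat = categories[ind]
        summary[cat] = max(row["residual"], summary.get(cat, 0))
    return summary


# Constructed sample data (hypothetical names, not from Acuminor's database).
SAMPLE_THREATS = [
    Threat("Trade-based money laundering", 3, 4,
           ["Import/export companies", "International wire transfers"]),
    Threat("Human trafficking", 2, 4, ["Cash deposits", "Prepaid cards"]),
]
SAMPLE_CATEGORIES = {
    "Import/export companies": "Customers",
    "International wire transfers": "Transactions",
    "Cash deposits": "Transactions",
    "Prepaid cards": "Products",
}
SAMPLE_CONTROLS = [
    Control("Transaction monitoring", 3, categories=frozenset({"Transactions"})),   # general
    Control("Enhanced due diligence", 4, indicators=frozenset({"Import/export companies"})),  # specific
]

if __name__ == "__main__":
    rows = assess(SAMPLE_THREATS, SAMPLE_CATEGORIES, SAMPLE_CONTROLS)
    for ind, row in rows.items():
        print(f"{ind:30} inherent={row['inherent']} control={row['control']} residual={row['residual']}")
    print(category_summary(rows, SAMPLE_CATEGORIES))
```

In the sample, “Prepaid cards” has no general or specific control covering it, so it is carried through unchanged and is the indicator a reviewer would stop on when validating the residual risks in step 6; toggling `use_impact=False` shows how the inherent and residual figures shift when impact is disabled in the risk engine configuration.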
2. Comment on your results
Write your analysis and findings next to where you find the results. Click on the quotation marks next to the results on the dashboard or within each risk category. Your text will automatically populate the corresponding section in the report, where you can continue writing.
STEP 7: REPORTS
1. Create the report
When you are satisfied with the results, you are ready to create your risk assessment report. Also see “Start writing your results” above.
To create your report you first need to select a template. Go to “Reports” and click on the “Create new report” button. Name your report, click on the “template” button and select the template of your choosing. You will now be able to write and edit the executive summary and background sections of your report. Click “Save” when you are done or when you want to proceed to the report.
3. Custom templates
There is a possibility to create custom templates for your organisation. Let us know if you need a report template and we will help you with that.
Once ready, you can export the report to Microsoft Word by clicking “Export” in the report view.
Risk Assessment Pro comes with pre-defined settings of its risk engine. You can always adjust and optimise the risk engine to suit your specific needs. Read more about the pre-defined settings.