Know more about the risk engine
Risk Assessment Pro comes with a number of pre-defined settings to its risk engine. All settings can be changed to accommodate your specific needs. Described below are the current pre-defined settings.
Table of Contents
Pre-defined settings
Calculation of inherent risk for a threat
The probability for each threat is assessed and given a score between 1-4, where 1 is lowest and 4 is highest. The probability reflects how common the threat is in a certain region or country.
Example:
Threat: Individuals use of tax havens (avoidance, evasion and fraud) – Norway
Assessment method: Authority assessment
Motivation: It has become easier to use secrecy structures in tax havens and suspicion of tax fraud committed by Norwegian citizens is more often uncovered. The threat of tax evasion through tax havens is therefore considered to be high in Norway according to the authorities.
Probability is assessed as: High
Example:
Threat: Card-Not-Present (CNP) fraud – Norway
Assessment method: Statistics (estimated annual amounts)
Motivation: The amount for card fraud via online banking were EUR 150 million in 2018. The amount refers to the sum of transactions completed and attempted. The grand majority of card fraud were CNP fraud.
Probability is assessed as: High
Example:
Threat: Forced labour – Norway
Assessment method: Experts analysis
Motivation: The number of reports of forced labour and forced services have been rather low and stable in the past years. However, it is assumed that there are dark figures since the exploited victims do not report or cooperate with the police.
Probability is assessed as: Medium
Assessment of Impact
Impact is assessed manually using a scale of 1 – 4, where 1 is lowest and 4 highest. The impact assessment consists of three components as shown below.
Not used since very little financial crime normally result in direct financial losses (with exception of fraud). Financial losses can be a result of reputational and regulatory risks and is hence better included in the assessment of those two topics.
Level 1: No media coverage
Level 2: National negative media coverage
Level 3: International short term negative media coverage
Level 4: International long-term negative media coverage
Level 1: No FSA criticism
Level 2: FSA criticism but no fine
Level 3: FSA criticism and fine
Level 4: FSA revoke license to operate
Example
If we are misused for the threat Large-scale money laundering, this may result in international long-term negative media coverage (Level 4) and regulator criticism and fine (Level 3).
This results in (4 + 3) / 2 = 3,5 which is rounded up to Level 4 on a 1-4 scale.
Assessment of inherent risk for a risk indicator
The inherent risks are first assessed for each threat. Once done, the risk indicators stemming from the threat will inherit inherent risks from the relevant threat according to an even-distrubution model as shown below.
Risk indicators that occur in several threats will obtain a calculated inherent risk based on the inherent risks from all the relevant threats. This allows an organisation to quickly see what customer types, products/services, transaction types, channels and countries that are most risky.
Based on one threat
Based on more than one threat
Compliance (available as add-on)
Assessment of controls
One control can target one or several risks. As part of the control assessment, the user defines what risks each control mitigates. The user also assesses how effective the control is by assigning a control level (1-4, where 1 is weakest and 4 is strongest).
Several controls for one risk indicator
