Over the last year, Acuminor have spoken to hundreds of regulated institutions about their financial crime risk assessments.
During these conversations our team have documented ‘pain points’ and then we have conducted an analysis to look for commonality across the industry. This article aims to shine a light on the top 5 pains organisations are having when it comes to conducting their financial crime threat and risk assessment.
If you are struggling with any one of these pains, you are not alone. Please reach out to me if you’d like to discuss how we can help you solve any of these challenges.
Pain Point Analysis
#1 – Threat and Risk Analysis
Regulated organisations are under pressure to be threat-led. The FCA’s new financial crime guide mentions that organisations should have “…identified good sources of information such as National Risk Assessments, ESA Guidelines, FATF mutual evaluations and typology reports…” when completing their risk assessments.
However, there are huge challenges when it comes to horizon scanning for threats and risks. First and foremost, there was consensus acknowledgement amongst the organisations we spoke to, that crucial information about threats and risks is too static, disparate and isn’t shared consistently.
Today, horizon scanning often means the financial crime team must dig through – for example – the National Risk Assessments in their countries of operation. Some of these reports are 10s of pages, some are 100s, they are structured differently, may be repetitive and crucially – it is difficult to extract which parts of the report are applicable to their customers and products.
During this market research, it has also emerged that there is very limited sharing of threat and risk information within organisations. Investigations teams are often sitting on lots of useful threat and risk insights that never gets structured in such a way that it can be shared internally and used in the risk assessment.
#2 – Governance & Buy In
When speaking to the market, a clear theme emerged here and at the crux of this pain sits an inconsistent methodology to risk management across an organisation.
While the ultimate responsibility for the financial crime risk assessment sits with the financial crime team, buy in from the individual business units is essential and is often lacking. The financial crime team waste huge amounts of time asking for information from areas of the business that don’t understand the impact of financial crime and often aren’t bought into why it’s important.
On top of this, due to the inconsistent nature of managing risks, the results of the risk assessments for each product or business area become incomparable, which means it’s hard to diagnose where actions should be prioritised. Without that information, FinCrime teams cannot make the business case for investing in specific risk mitigations and before they can, it’s time to start the risk assessment all over again. Organisations are becoming stuck in a perpetual cycle of doing risk assessments, with an output that isn’t actionable.
#3 – Actionable Outcomes
The overriding challenge spoken about here was that organisations struggle with translating the risk assessment from a paper document into something that drives actions and improvements across the financial crime framework.
Right now, once the risk assessment document is created, it often gets put into a draw and not looked at again until it’s time to update the risk assessment.
We found a consistent appetite to change this, not only to make use of the time put into the risk assessment but more importantly to take actions that prevent real world threats.
#4 – Risk & Control Calculations
Spreadsheet hell was a resounding and common theme when it comes to putting calculations alongside your threats, risks and controls.
Whether you are using numbers to calculate risk or a high-medium-low rating, and even in the simpler organisations, there are multiple tabs and the potential for complex functions and formula – often this can cause the spreadsheet to crash.
Bullying spreadsheets to give a result that can be used takes members of the financial crime time hundreds of hours per risk assessment.
#5 – Manual Nature of Risk Assessments
This pain point is interwoven and is part of all the other pain points. None of the organisations we have spoken to had implemented a satisfactory level of automation into their risk assessments
Everything, from the horizon scanning to the documentation of relevant threats, risks, and controls, to working with risk calculations and presenting relevant results is being done manually
When considered along-side #3 – lack of actionable outcomes – the hundreds of hours spend on risk assessments seems pointless.
Conclusion
The reason we are collecting these pain points is so that we can continue to feedback back and improve Risk Assessment Pro – our fincrime risk assessment platform .
We are working with customers to directly address these pains and pave the way to re-instate the fincrime risk assessment as a dynamic and useful tool at the heart of every financial crime programme
If you recognise these pains, please get in touch to understand how Acuminor can help you solve them.
