What is a risk assessment?
A well-developed BSA/OFAC risk assessment is the cornerstone of an effective BSA program. It identifies the credit union’s institutional risk profile, and is also used by auditors and examiners to scope out the review of your BSA program and understand the overall risk profile. A poorly-done risk assessment can lead to a more exhaustive third-party review or exam, and will not provide the BSA officer with winning arguments relative to the effectiveness of the program or potential requests for additional loss mitigation control investments.
A risk assessment enables your management to better manage and mitigate gaps in operational controls. It drives policies, procedures, and internal controls. The best-case scenario is that all business line leaders participate in the process. Without their participation, it is difficult at best to get a full understanding of the basics an assessment is built upon. This participation will also assist the individual performing the assessment build the culture of compliance necessary to run an effective program.
What should a good risk assessment include?
The risk assessment should include qualitative and quantitative analysis that will drive your risk classifications. Having a data analyst at the table will provide you with the information needed to help you understand the different components of your assessment. Use the mantra that if you did not have the name of the credit union in the profile, a third party reading it would easily be able to identify the credit union it belongs to. Remember, a properly completed and well-thought-out assessment will help you win arguments relative to the quality of your program or the need to invest in additional loss mitigation controls.
At least annually and prior to audit or examination, review the risk assessment to ensure that it incorporates all inherent risks and speaks to your unique credit union risk profile. Structure the assessment process to include the inherent risk of each area reviewed. Once the inherent risks are defined, include all loss mitigation controls in place and then define the residual risk remaining. Remember, the loss mitigation controls serve as the checklists that third parties will use to test the effectiveness of your program.
The primary components of a good risk assessment should follow FFIEC guidelines and include demographics that cover the field of membership, member composition, and communities served (i.e. low income). It also includes risks associated with your geography including branch locations primality relating to HIDTCA and HIFCY, national shared branching, and members not domiciled in or around branches.
Products and services must be evaluated thoughtfully—do not make the mistake of including those that pose no risk whatsoever. When evaluating products and services, it is easy to incorporate risks not associated with AML/TF. This is not the time to incorporate reputation risks; leave those to the enterprise risk management folks. Membership profiles are also evaluated, broken down by the types of accounts the credit union opens such as representative payee, custodial, business, and so on. In each one of these categories make sure you include historical evidence of any of the inherent risk factors experienced in the prior year.
What is the use of a risk assessment?
Once the risk assessment is complete, the overall rating is assigned, and the profile is summarized, now is the opportunity to disseminate it to management, business leaders, and the board of directors. A well-thought-out risk assessment should give management the information needed to understand the level of risk at each category level, allowing them to determine and justify if additional loss mitigation controls need to be invested in.
It should give business leaders the information they need to know how to run their business lines in a compliant manner, and how to structure staff training and procedures effectively. Finally, it should give the board the required information they need to determine if the program has been built on solid ground and give them the ability to participate and drive the culture of compliance. It should always be the first thing reviewed prior to them approving the BSA/OFAC policy annually.
It is important to understand that a risk assessment is dynamic in nature and not something to complete once a year. Triggering events such as mergers, field of membership expansion, new products and services, environmental variables, and emerging new fraud vectors will require you to dust it off and update it.
For a more detailed and step by step guide, visit the AuditLink website.