Introduction
Version 1.0 - January 2025
Financial crime risk assessments are essential for evaluating a firm’s exposure to financial crime and for meeting regulatory requirements for an effective, risk-based compliance program.
Cable’s Risk Assessment is based on regulatory guidance, industry experience, and user feedback. It is designed to be responsive to information provided by users about their firm’s exposure to risks, and it automatically calculates suggested inherent and residual risk ratings (based on a firm’s controls) on a Risk, Risk Area, and business-wide level.
Cable’s Risk Assessment can be completely configured to a firm’s understanding of their own risk exposure and to incorporate their risk appetite. All automatically suggested Risks or risk ratings can be edited, with rationale and notes documented within the risk assessment, to ensure that a firm can communicate their assessment of risk to all relevant stakeholders.
This document provides an overview of the structure of Cable’s Risk Assessment. The full detailed methodology can be found here.
Questionnaire
Cable’s Risk Assessment guides firms through a series of questions designed to identify applicable Risks and their inherent risk levels. Cable’s questionnaire ensures all areas flagged by regulatory guidance are considered and allows a firm to prioritize its time for considering the nuanced risks posed by its business.
Risks
Cable’s Risk Assessment is organised into 10 high-level Risk Areas that firms should consider according to regulatory guidance or expectations from the Wolfsberg Group, FATF, FFIEC, JMLSG Guidance, and national risk assessments, as well as from industry best practice. The 10 Risk Areas are Regulatory Risk, Operational Risk, Geographic Risk, Size and Nature of Business Risk, Processes and Systems Risk, Product/Services Risk, Delivery Channel Risk, Customer Risk, Transaction Risk, and Typology Risk.
Each high-level Risk Area is then divided into Risks, which are identified based on the answers to the questionnaire. The answers to the questionnaire also enable Cable to suggest an inherent risk score between 1 and 5.
Users are able to add their own Risks or disable any Risks Cable has identified, as well as manually adjust any automatically calculated risk ratings as needed to reflect their own assessment of risk.
As a result, the Risks and risk ratings generated by answering the Cable questionnaire are only the starting point for a firm’s risk assessment. Ultimately, Cable’s Risk Assessment is a tool; it does not replace the firm’s requirement to fully assess and understand its own risks.
Controls
Against each Risk, firms can assign controls that they have in place to mitigate the particular Risk. Once a control is mapped to a Risk, users provide their own assessment of control adequacy and effectiveness on a scale of 0-100%. Users can either input an exact percentage or select a more qualitative rating as explained below.
Based on the control adequacy and effectiveness, an overall control efficacy score for each Risk is calculated. A residual risk rating is also calculated. These scores can be manually adjusted at any time and users have the ability to leave detailed notes against each Risk.
Approvals
Cable’s Risk Assessment has an approval flow with audit tracking of who was involved in completing the Risk Assessment, and who approved it. Once approved, the Risk Assessment is locked and cannot be changed, although it can be viewed and downloaded.
Automatically Updating Risk Assessments
When a risk assessment is approved, a new copy of the approved risk assessment is created, which is labelled as a “live” assessment. This live assessment can be updated on an ongoing basis, either manually by firms, or automatically, if the firm is also using Cable’s Automated Testing product. An overview of Automated Testing can be found here.
If the firm is using Cable’s Risk Assessment for managing the risks of third parties, then the third party risk assessments can also be automatically included in the firm’s own risk assessment. The methodology for how third party risk assessments are incorporated into a firm’s risk assessment is here.