Financial Crime Risk Assessment

Risk Assessment Questionnaire

It is a regulatory requirement to produce a financial crime risk assessment, so our aim is to make it as painless for you as possible while maximizing your visibility into your risks in real time.

This is done by guiding you and your team through a series of questions to assess the risk across 10 areas that include:

  • Regulatory Risk
  • Geographic Risk
  • Size and Nature of Business Risk
  • Operational Risk
  • Delivery Channel Risk
  • Processes and Systems Risk
  • Typology Risk
  • Product/Services Risk
  • Customer Risk
  • Transaction Risk

As you answer the questions, additional conditional questions may appear based on your answers to prior questions. You can also add notes to provide additional context to your answers. The notes can also be edited or deleted.

Risks & Controls

Once you’ve completed the questionnaire portion of the Risk Assessment, your next step is to fill in details about your risks and the controls you’ve put in place to mitigate each risk.

Based on your questionnaire responses, we generate a list of risks across 10 areas and suggest an Inherent Risk score for each. We also suggest potential controls for each risk. Once you input your control details, we automatically calculate Control Adequacy, Control Effectiveness, and Residual Risk values for each risk.

While you’ll get lots of suggestions from us along the way, you should always make manual adjustments if you need to. And if you change your questionnaire responses, your Risks & Controls page will update to reflect your latest answers!

Let’s take a look at how you should complete this section below.

Risks

Each of your Risks is displayed in a row with key details about the Risk:

Definitions

First, let’s explain what some key terms mean in each Risk row:

  • Inherent Risk is a measure of your exposure to a risk, without any controls mitigating that risk. It’s scored on a scale of 1-5 (from lowest to highest risk).
  • Control Adequacy is a measure of whether your controls for a risk are properly designed to fully mitigate the risk. In other words, do you have the right controls?
  • Control Effectiveness is a measure of whether your controls, however they’re designed, are operating effectively and as expected. In other words, how well are your controls working?
  • Residual Risk is a measure of the risk remaining after your mitigating controls are applied, depending on the Inherent Risk score and the adequacy and effectiveness of your controls.

What can you change for each Risk?

  • Manual Values
    • We suggest an Inherent Risk score based on your questionnaire responses. Additionally, based on your Controls input (see more on this below), we calculate Control Adequacy, Control Effectiveness, and Residual Risk values.
    • You can manually adjust any of these values, as well as switch between your manually input values or our auto-calculated values.
      • To manually edit values, click on the +/- buttons or on the numbers themselves to enter a value.
      • To switch between manual or auto values, toggle the “Auto Value” button under each score.
  • Risk Owner
    • You can assign a team member as an owner of each Risk — simply click the blue button on the right of the Risk panel and select an owner (or add a new user as an owner to send them an invitation to your Risk Assessment).
  • Risk Appetite
    • You can indicate whether the values for a Risk are within your risk appetite — just select “Yes” or “No” from the dropdown menu on the right of the Risk row.
  • Disable Risk
    • You can disable a Risk from being incorporated into your Risk Assessment by de-selecting the tick box at the top left of each Risk row.
  • Add Risk
    • If you’re exposed to a Risk which is not already listed, you should manually add a new Risk.
    • To do so, click the “Add Risk” button at the bottom of the page to generate a new Risk row which you can edit.
  • Add notes
    • You can add notes by expanding the Controls section. You may wish to use notes to document context about a Risk, such as why you’ve changed the rating.

Controls

Access your Controls for each Risk by clicking on the “Active Controls” button in the top right of each Risk row:

Definitions

Let’s cover a few definitions again!

  • We explained Control Adequacy and Control Effectiveness above — these are measured by percentage scores, with certain thresholds to indicate how weak or strong a Control is.
  • See these Controls strength thresholds (Very Weak, Weak, Moderate, Strong, and Very Strong) by clicking on any of the Control Adequacy or Control Effectiveness values.

The thresholds start at 80%, in line with regulatory guidance and industry practice — or, if we put it in more real world terms, this means a control that doesn’t do what it’s supposed to do 1 out of 5 times isn’t really working effectively at all!

What should you input for your Controls?

  • Select Your Controls
    • For each Risk, we’ll suggest potential Controls that are common for that Risk — you should indicate which Controls you have in place for the Risk by ticking the box next to each Control to move it to the “Active” Controls list.
  • Add Controls
    • If one of your Controls isn’t included in our suggested list, you can manually add a new Control.
    • To do so, click the “Add Control” button at the top of the Controls panel, enter the new Control’s name or select from the dropdown list, and then select whether you want to add this new Control to all Risks in the Risk Area.
  • Set Control Scores
    • For each Control, set both Control Adequacy and Control Effectiveness scores using the methods below:
      • You can manually input the percentage score, and also adjust using the +/- toggle; or
      • You can click on the Control strength thresholds to assign a percentage score at the top of that range, then manually adjust the score as needed.

If your business is not at the stage where you have exact calculations for control adequacy and effectiveness, don’t worry! Fill in your best estimate and provide your interpretation of these, based on your judgment.

  • For each Control that you’ve set up Automated Assurance for in Cable, we will populate the effectiveness score for you! Controls that have an effectiveness score calculated by Cable are identified by the plug icon. When you add a control with a blue plug icon, the effectiveness score will be auto-populated, with the option for you to manually adjust it.
    • A blue plug icon indicates that data is available to be immediately pulled into Risk Assessment.
    • A grey plug icon indicates that we can calculate the effectiveness score but we don’t have sufficient data from the Automated Assurance to do so yet.

Please note that the effectiveness score is likely not yet available for your first risk assessment while you’re onboarding onto Cable, until the Automated Assurance module is configured.

  • Add Control Notes
    • For each Risk, you can provide additional context or information about your controls by adding notes under the Notes section below all the controls. The notes can also be edited or deleted.

Summary Checklist

Here’s a checklist to follow to complete this section.

  • For each Risk:
    • Select your Controls to add to the “Active” Controls list, and add any custom Controls as needed, making sure each Risk has at least one Active Control.
    • For each control, set the Control Adequacy and Control Effectiveness scores.
    • Review the overall scores for Inherent Risk, Control Adequacy, Control Effectiveness, and Residual Risk and make any manual adjustments as appropriate.
    • Assign a Risk Owner if appropriate.
    • Mark whether the risk scores are within your risk appetite as appropriate.
  • After you complete these steps for each Risk in a Risk Area, check if you should add any custom Risks to the Risk Area beyond those already provided.
  • Complete these steps for each risk area.

Next steps

Once you’ve entered all Risks and Controls values and provided all the necessary context for each Risk, you’ve completed this step! 🎉

Go on to the next Assessment stage to finish up your Risk Assessment.

Assessment

Here is your completed Risk Assessment. You can:

  • Add Actions tied to specific risks, which will be tracked in the Actions tab on the left sidebar. Expand the risk you want to add an action for and click “show notes, controls & actions” and “create action”.

  • Finalize this version by
    • Requesting internal approval / approving the assessment

Please note that the Risk Assessment will be locked down and become non-editable once you request approval and/or approve the assessment. A new copy of the risk assessment will also be created after approval.

  • Export your Risk Assessment as a downloadable report and select whether you’d like to include:
    • The assessment only
    • The methodology
    • The controls
    • Actions