The risk-based approach. In today's financially challenging environment, institutions are vulnerable to a variety of economic abuses, which makes preventive measures necessary to mitigate the resulting risks. Money laundering (ML), terrorist financing (TF), corruption, insider dealing, embargoes, and international sanctions are among them.
The Risk-Based Approach
Globally, there has been an emphasis on applying the Risk-Based Approach (RBA) to ensure that appropriate measures are taken to prevent or mitigate bribery and corruption risks.
In this regard, expectations are that:
- The RBA must be the foundation for the efficient allocation of resources across the organization so that risk-based measures can be implemented.
- There must be a risk assessment exercise that helps identify, assess, and understand the bribery and corruption risks.
- The bribery and corruption risks identified through the risk assessment must be adequately addressed in the anti-bribery and corruption regime implemented in the organization. In areas where such risks are identified as low, organizations must be allowed to make timely decisions regarding the application of controls.
Meeting the above expectations requires senior management to play a pivotal role in ensuring both technical compliance and the effectiveness of the RBA. In this regard, sharing the risk assessment results and embedding them in the regulatory framework, policies, procedures, and compliance programs, so as to reduce the threats and vulnerabilities identified in the risk assessment, is an essential element of effective mitigation of bribery and corruption risks.
Organizations must produce an entity-level internal risk assessment report covering the risks identified. The internal risk assessment report should help identify, assess, and understand bribery and corruption risks at the entity level across employees, customers, products, services, transactions, delivery channels, and jurisdictions. The report should also assess major international and domestic financial crime and terrorism incidents that have a probability of posing risks to the organization.
Internal Risk Assessment
The internal risk assessment report shall assess the effectiveness of existing anti-bribery and corruption controls in order to arrive at the residual bribery and corruption risks about which the organization has to make decisions. A risk assessment is generally based on perception, subjective judgment, and senior management's experience of the bribery and corruption risks posed to the organization. Senior management may adopt any approach suited to its operations, considering its risk appetite and business strategy.
The bribery and corruption risk assessment framework should provide an entity-wide assessment of the risks to which an organization is inherently exposed, without considering the effect of controls (i.e., inherent risk). It should then assess the effectiveness of the control framework designed to mitigate these risks, and finally arrive at the resulting exposure.
Inherent risk shall be measured on both external and internal ML/TF/PF risk factors without considering the effectiveness of controls. When assessing inherent risk on external factors, the organization may consider referring to various sources of information.
After the inherent risks have been assessed, the anti-bribery and corruption control framework implemented by senior management is evaluated to confirm that the internal controls are both well designed and properly implemented.
Residual risk is the outcome of assessing inherent risks together with the effectiveness of internal controls. The organization's risk assessment framework must be able to quantify residual risks so that the organization can devise an appropriate control system where weaknesses are found and where residual risks exceed the organization's approved risk appetite.
The Responsibility Of Oversight Of Bribery And Corruption Risks
Responsibility for oversight of the bribery and corruption risks posed to the organization lies with the board and senior management. The board shall delegate the oversight and monitoring functions to one of its sub-committees, preferably the Board Compliance Risk Committee or the Board Audit Committee. The internal risk assessment report must be presented to the board or its sub-committee for approval after review and recommendations by the compliance risk management committee.
The recommendations in the internal risk assessment report must be action-oriented, leading to mitigating controls for the bribery and corruption risks identified from the observed control weaknesses. It is the responsibility of the compliance risk committee to monitor the implementation of a time-bound action plan developed to mitigate those risks.
The organization must take steps to ensure that anti-bribery and corruption controls are adhered to and effective, and these controls should be monitored on an ongoing basis so that remedial measures can be taken in a timely manner. The entity's standardized risks and the effectiveness of the available controls are to be evaluated by the relevant board sub-committee on a periodic basis. Significant internal control gaps and violations must be included in the report submitted to the board. The standardized report must include the review and recommendations of the compliance risk management committee before it is submitted to the relevant board sub-committee.
The risk-based approach (RBA) is critical to implementing the FATF Recommendations adopted in 2012. Between 2007 and 2009, the FATF issued a series of guidance papers, in collaboration with the relevant sectors, to assist both public authorities and the private sector in implementing a risk-based approach. The FATF is currently reviewing its set of RBA guidance papers to align them with the requirements of the revised FATF Recommendations and to reflect the experience gained by public authorities and the private sector over the years.