Business Risk Assessment

Maximizing Safety and Minimizing Risk | Impact of Board Risk Assessment (BRA) on Financial Crime Prevention

Sara Barclay AML/CTF, Business Risk Assessment, Compliance, Corporate Governance, Guernsey , ,

I am still wild at heart, surfing, kayaking, and diving sometimes to extremes here on the Island. Every time I go into the water there is risk but also reward. The risks I face will vary on the day and the activity. While the rewards I will gain range from deep relaxation to extreme adrenaline rushes and highs. Each journey into the great blue needs differing skills, preparation and an appreciation of circumstances within myself and outside in the environment to ensure that the risks are managed and mitigated. It is more than just turning up to the coast with cool gear, superficially ticking the box of safety, but ensuring that I have the right flow of information, the tools, and skills to stay within my risk appetite and avoid injury or more. In a fluid environment to extract the maximum I must ensure that the information provided from external and internal sources is processed, considered and acted on to ensure safety. 

The Guernsey Framework has brought in the requirement that firms must assess their business of risks related to money laundering, terrorist financing. Alongside the recent focus on assessing the proliferation financing risks posed by the products and services that they provide to their customers.  This allows the level of risk that a business may face to be ascertained and for the board to then ensure that their policies, procedures, controls and the resources required are suitable and sufficient and remain within their risk appetite. A firm’s BRA must also look at the intrinsic risks of the firm as well as the external risks of the environment, which must be reviewed regularly or at least annually. Allowing the board to  take due consideration of these changes, the level of risk that may have changed to their own risk appetite, and to ensure that risks continue to be managed and mitigated. Preventing the business from being subjected to financial crime. 

The Guernsey regulatory framework sets out the areas that the board should be considering regularly, with suggested and meaningful questions to be considered, alongside a requirement that the board should consider other factors that are present in the business but not necessarily suggested in the framework. These questions or factors will change at different rates to the socio-political environment, the risk of the customers engaged by the business, and resources at hand to manage and mitigate the risks. The board needs to have up-to-date management information on the levels of risk of customers, the resources present, and the current and immediate future requirements. Allowing them to assess the risks and consider the suitability of its policies, procedures, and controls to protect the business and Guernsey.  

The issue becomes where the BRA is treated as a document used to meet the regulatory requirements. Shown through the demonstration of ticking the box of what is believed to be expected in the regulations, an ornament to be brought out, dusted off annually before being put back into its box. The failure to ensure that the BRA remains suitable and sufficient, with up-to-date management information being presented to the board regularly on the risks posed internally and externally inclusive of resources and financial crime issues faced by the firm. Which leads to mis-informed decisions and the higher potential of the failure of policies procedures and controls to prevent financial crime and regulatory intervention.

 It has always appeared odd to me that businesses require monthly management accounts to assess and control their business to its aims and objectives, but that financial crime risk is not considered in the same way. By ensuring that the financial risks are monitored with the resources required to manage and mitigate them a board is the best place to control the businesses exposure to risk, allow resources to be placed to risk, and allow early intervention to protect and preserve their business.  

The BRA is much more than a superficial document that shows compliance with the requirements, being instead a tool to allow board consideration of risks faced and posed on a regular on-going basis to ensure appropriate management and mitigation.  Allowing the board to ensure that resources are put to risks where required and that the direction of the business can be helmed effectively, they are able to handle the financial crime and regulatory squalls, overfalls, and rip currents that undoubtedly will be faced by the business. The BRA won’t stop financial crime but with up-to-date internal and external management information will assist the Business in reacting to risks, real or posed, take effective action by having the necessary resources, experience and skills to survive a storm and ensure the safety of the business by the minimisation of those risks. 

Therefore, much like constant reviewing of conditions and potential risks and rewards when partaking in surf kayaking, firms must continually review and follow the due processes to manage and mitigate  financial crime risks, protect the business endeavours and key stakeholders. 

What doesn’t kill us only makes us stronger

Sara Barclay Business Risk Assessment , ,

drift drivingOne cylinder shut down due to a malfunctioning regulator and now my other regulator had started to malfunction, I realised that the situation was now extremely serious and the next decisions would be the most important of my life. As I drifted there at thirty eight meters, unlikely to successfully survive a dash to the surface I took a deep breath trying not to choke on the seawater as it came into my mouth, I focused on the task at hand and dismantled my switched off regulator and signalled to my buddy to put up a surface marker.

We all have to make decisions, the regulations force us to make decisions for the protection of our customers ourselves and our jurisdictions. We demonstrate this by risk assessments, an exercise that can be seen as pointless and only for the sake of the regulations. By engaging with the assessment process and thoroughly reviewing and demonstrating the potential areas of risk that we face we are able to understand, minimise and hopefully withstand potential events that may and will occur. It goes without saying that any risk assessment needs to be monitored and assessed regularly as environments and situations change, it also allows us to be more alert and able to detect and deal with new or unknown risks and risk areas as and when they arise.

I knew my focus was narrowing and it had become darker, my fingers replaced the membrane in the regulator and I screwed it together, I moved to the valve of my cylinder and slowly turned on the air, nothing happened and no air escaped. Slowly pressing down I purged the regulator it worked, thank God, and I put it in my mouth and tasted the sweet air. By no means was this a fix, more a patch as within seconds it started to leak again. I looked up to be greeted by two huge eyes of my dive buddy who had just released the surface marker, with a smile I signalled it was time to depart to the surface and I put my fingers round the line attached to the surface marker as we began our leisurely ascent.

At eighteen meters the patch was failing, at seventeen meters the regulator was finished and I put in to my mouth the other semi working regulator and felt air and cool salt water, at sixteen meters I could see the sun shimmering and new that the odds of them both working to a lifesaving capacity to the surface was not in my favour, it was time to change the plan to meet the situation and I signalled to my buddy. At fifteen meters with my buddy’s emergency octopus and air filling my lungs we gently continued our ascent to the surface. At the surface we were both smiling and greeted by our safety boat.

We had addressed the known risks by our planning and checks pre dive, during the dive we had calmly and successfully dealt with a worst case scenario, assessing the situation and assigning tasks to create a better situation. The ascent had been undertaken in a control manner avoiding the potential of the bends and though it had required a change to meet the situation we had accomplished the task successfully. The risk had morphed but we had successfully dealt with the new and unknown risk due to good training, assessment and management.

Risk assessments are not pointless or just for regulators or governing bodies to review and assess but are vital. Life and business is about risk, just make sure that you have realised and assessed them initially and then periodically, fate has a nasty habit of striking when you least expect it as history and the present time shows us, make sure you can survive.

When things go wrong review, understand, remediate and enhance, I know that is what I will be doing, it wont be pointless and will make me stronger.

Diving in to Compliance

Sara Barclay AML/CTF, Business Risk Assessment, Compliance Monitoring, Corporate Governance , , , , , ,

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Briefing note 002- Trust Company Business On-Site Examination Findings from Jersey

Sara Barclay AML/CTF, Business Risk Assessment, Compliance Monitoring, Corporate Governance , , , , , ,

Image

The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Report’s (“SAR’s”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Term’s of reference for delegated functions of the Board not being in place.

Business Risk Assessment (”BRA”) and Strategy:

  • Lacking details of the consideration of the following areas;
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties and;
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licenses.
  • Consideration and documentation of wider Conflicts of Interests, such as the investment in to customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers the anti-money laundering function where the individuals also held a primary customer facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following;
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers, and;
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Back logs in periodic review cycle.
  • Delays in compliance monitoring
  • Not undertaking action in respect of regulatory updates.
  • Out of date policies and procedures
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SAR’s.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programme’s (“CMP’s”) task orientated rather than a schedule of testing of the operational procedures.
  • CMP’s not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensee’s did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEP’s being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEP’s

In conclusion Licensees and the Boards must ensure that they have up to date compliance procedures, their functions are staffed and resourced appropriately and ensuring that they have suitable and sufficient management information for their compliance status being provided in a timely manner to them.  The role of the MLRO is coming more into focus with Regulators especially its assessment by the Board.  The MLRO function needs to be adequately resourced with a suitable and autonomous person, it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will required to be documented.  I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board.  Conflicts of interest must be recorded and the risks assessed appropriately.   The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is, ensuring customer risk assessments and profiles are detailed and maintained ensuring that all risks are covered in the BRA.  I would advise that you assess your business to these findings and if any matters are found a remedial programme is put in place and signed off by the Board ensuring appropriate timescales and reporting is in place.

.

Getting the right fit for the BRA

Sara Barclay Business Risk Assessment, Compliance Monitoring , , , , , ,

Being the holiday season its time to sit back relax and take stock of all that has happened in 2013. Time for any Compliance professional to take stock of the year and to review the key business documents of a licensee and assess if they remain fit for purpose or need to be enhanced.

One such document that requires to be reviewed at least annually is the Business Risk Assessment (BRA) to ensure it is fit for the regulatory framework and the Licensee.  The BRA though is a document  that licensees struggle with and the Guernsey Financial Services Commission (Commission) constantly find as deficient. What lessons can we learn that will allow our 2014 BRA’s to be fit for the licensee and for the rules and regulations?

Essentially the BRA is a high level overarching document that the Board of a licensee must have in place. It evidences what the business is about, identifies the risks associated with its products and services, clients and the jurisdictions that it undertakes business in or through. The Commission have commented on how these documents tend to fall short of the mark, being generic, over simplified and not representative of the licensee.

Whenever I re-draft or assist a licensee with a BRA I take the approach of creating a document that tells the story of the licensee ensuring that it flows into the policies, procedures and forms. I use the BRA to create the framework from which the licensee’s policies and the procedures enlarge upon and stipulate the full requirements of the licensee requirements and the regulatory framework.

My BRA’s look at what the licensee business plan is, the Money Laundering, Bribery and Corruption and Terrorist Financing (ML/BC/TF) risks that the business is exposed to from following its business plan. I then look at how the licensee will mitigate the risks by the implementation of its policies, periodic reviews and training. How it will differentiate its high risk’s from its low risk’s to ensure that a risk based approach can be applied successfully and cost effectively. My BRA’s look at how the Board will be kept informed of the ML/BC/TF risks and what their responsibilities are, from ensuring policies and staff are sufficient to  how they will review the existing and new business.

Licensees often complain that I am stating the obvious in my BRA’s, that the BRA will not stop a criminal or terrorist and so add little to no value to a business. The BRA is not about stopping criminals but assisting in their identification and prevention of a licensee being an unwitting conduit for them, criminals will always seek to abuse the financial system to their own ends. Unfortunately though licensees will be unknowingly utilised by criminals and they, their clients and insurers may suffer reputation loss and in the worst cases material loss. A licensee can never negate these risks in all cases, though the BRA does allow a business to protect itself, and so adds value.

We live in a contentious and litigious society, it is now not the case that a crime has to have been committed, but has a licensee done enough to reduce the possibility of a crime occurring or to protect against being a conduit in a crime as required by the regulatory framework.  The Commission whether on a regulatory visit or dare I say it, when things have gone wrong and Lawyers and Advocates are involved they will review the BRA intently to assess if a licensee has acted recklessly by not assessing or identifying the risks posed by their business. It goes without saying that a licensee who has considered in-depth the risks posed by the business activities and the preventative measures that they have employed (stating the obvious) is going to be treated more sympathetically than a business who did not evidence their consideration of the risks that they faced.

There have been numerous regulatory cases over the last few years that were not about ML/BC/TF having occurred but that licensee’s did not have suitable and sufficient policies or information at hand for the Board or the MLRO to consider and mitigate the risks posed and inherent in their business.  If you need help in assessing or redrafting your BRA the Commission has guidance on what they deem are the minimum requirements. You can ask Consultants to review your BRA and provide suggestions if required. You can simply ask around your fellow peers to see if they can assist or provide guidance.

It must be remembered that the Board of a licensee must take full responsibility and can’t contract out of their responsibility for having a suitable BRA. The Board and the MLRO must ensure that the BRA is fit for purpose and identifies and mitigates the risks while evidencing the preventative measures, and most importantly meets the regulatory requirements. The Compliance professional is only there to suggest what they believe is suitable in how the Licensee has evidence the consideration of the risks that it faces.

Over the course of 2013 a licensee’s business, the risks posed by clients,  products and services it offers inclusive of the jurisdiction that they are associated with or their clients are associated with will have changed.  Now is the perfect time to take stock of the current status of the licensee, its future intentions and go forward in to 2014 with the risk duly considered and mitigated.

Merry Christmas one and all.