Introduction to Compliance Risk Assessment


Before starting a Compliance Risk Assessment (CRA), it is important to understand the factors that make performing a CRA so important.

High competition, changes in business practices, complex products and operations, adoption of technology and digital payment mechanisms, rising customer expectations, and the growing number of financial crimes (including but not limited to money laundering, fraud, insider trading, human trafficking and market abuse) have led to the emergence of new risks, including compliance risks.

To control these broader risk factors, organizations and institutions are required to take appropriate and robust measures, so that the risks are managed and losses, both financial and reputational, are avoided.

Regulators are also working to further strengthen the regulatory frameworks that organizations, institutions, companies and businesses are required to comply with.

To ensure regulatory compliance, the CRA is performed regularly.


In this article, we discuss the core concepts of the Compliance Risk Assessment (CRA) process that organizations, institutions and companies follow to identify their compliance risks, assess those risks, and plan the compliance risk management strategy needed for risk avoidance and mitigation.

To understand the CRA process, we first need to know some important concepts and terminology.


The Objective of Performing Compliance Risk Assessment (CRA)

The overall objective of performing the CRA is to identify and record, in a logical manner, all the compliance risks extracted from the compliance sources; to analyze each risk to determine its significance; and to plan an appropriate compliance risk management strategy, so that all compliance risks are addressed and non-compliances do not occur.

To perform the CRA, identifying the compliance risk sources is crucial, because the compliance risks are extracted from them.

An incomplete set of risk sources leads to an inadequate CRA: compliance risks that are never identified remain off the management's radar and may result in non-compliance.


Now let us discuss the important terms and concepts used in performing the CRA.


What Is Compliance

Compliance is the effort put in by the management and employees of an organization or institution to ensure that all employees comply with applicable laws, regulations, standards, rules, directives, etc.


What Are Compliance Efforts

Compliance efforts made by the Board of Directors and management broadly include the following:


  • Setting an appropriate compliance culture and tone across the organization
  • Identification of all relevant laws, rules, regulations, standards, circulars, directives, notifications, etc.
  • Development and implementation of appropriate policies and procedures
  • Establishing regular and ongoing review and monitoring mechanisms, to ensure compliance with regulatory requirements
  • Development of regulatory training programs and awareness sessions for employees
  • Providing training on a regular basis as well as when the need arises, etc.


What Is Compliance Risk

Compliance risk is the risk of non-compliance with the provisions of applicable laws, regulations, standards, rules, directives, etc. that are issued by the relevant regulatory authorities or bodies.

Compliance risk also includes non-compliance with the internal policies and procedures developed and implemented by the management of an organization, institution or company.


What Is a Compliance Risk Statement

The compliance risk statement is a risk statement that is prepared and documented in the CRA template or model. It highlights the following key elements:


1. What the risk is
2. What the cause of the risk is
3. What the outcome of the risk will be


For example, below is a compliance risk and the compliance risk statement drafted against it:

Compliance Risk

Non-identification and verification of customers before onboarding or opening their accounts.

Compliance Risk Statement

The risk that customers may be onboarded by the organization without performing identification and verification, causing non-compliance with AML/CFT regulations, resulting in penalties by the regulator.


What Is Inherent Risk Assessment

Inherent risk is the risk that is part of a process or an activity. Inherent risk cannot be avoided or completely eliminated.

Inherent risk assessment is performed during the Compliance Risk Assessment (CRA) process to identify the overall impact and likelihood of each compliance risk.

A score is assigned to ascertain the level or significance of the risk, such as:

  • High-level risk
  • Medium-level risk
  • Low-level risk


What Is Residual Risk Assessment

Residual risk is the amount or portion of risk that remains after controls have been applied against the risk under consideration.

Residual risk assessment is performed during the Compliance Risk Assessment process to identify the overall impact and likelihood of each compliance risk after the controls have been considered and applied.

A score is assigned to ascertain the level or significance of the risk, such as:

  • High-level risk
  • Medium-level risk
  • Low-level risk

What Are Risk Score, Impact and Likelihood, and How Is a Risk Score Calculated

Risk score is the product of Impact and Likelihood.

Impact is the significance or potential consequence of the risk if it occurs or materializes.

Likelihood is the probability or chance of the risk occurring.

For both inherent and residual risk assessment in the CRA, the impact and likelihood are assessed for each compliance risk to arrive at a score, which indicates the overall significance of that compliance risk, i.e. whether it is a High, Medium or Low level risk.


✅ A complete course on Introduction to Compliance Risk Assessment is available on Udemy.
In the course, all practical concepts are discussed in detail, and how the Compliance Risk Assessment is performed in practice is also discussed using case studies.
✅ You can check the course details on Udemy by searching for Introduction to Compliance Risk Assessment by Governance Risk and Compliance (GRC).

Control Mapping

As discussed earlier, residual risk assessment is performed after considering and applying controls against a particular compliance risk. Control mapping in the CRA therefore means identifying the controls that management has developed to address the compliance risk under consideration.

Controls are usually found in the policies, procedures and SOPs of the organization; more generally, controls are the practices adopted by the organization to perform its duties and tasks.



Risk Treatment

Once the inherent and residual risk assessments have been performed, management knows which risks fall in the High, Medium and Low score ranges.

High and Medium level compliance risks are crucial. If the residual risk assessment still results in High or Medium level compliance risks, it means that the controls are either weak or incomplete.

To address the weak or incomplete controls, management prepares a risk treatment plan, in which strategies are established to strengthen the controls, so that the risk levels decrease once the more robust controls are implemented.
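To show how the scoring, control mapping and risk treatment steps above fit together, here is a small CRA register in Python. It is an added example, not the article's own template or model: the 1-to-5 rating scale, the thresholds that band a score into High/Medium/Low, the sample risks other than the customer-identification risk quoted from the article, and the controls and how much each reduces a rating are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed rating scale: impact and likelihood are each rated 1 (lowest) to 5 (highest).
SCALE = range(1, 6)

# Assumed banding of the 1..25 product into the article's High / Medium / Low levels.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


def risk_score(impact: int, likelihood: int) -> int:
    """Risk score = impact x likelihood, as the article defines it."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be rated on the 1..5 scale")
    return impact * likelihood


def risk_level(score: int) -> str:
    """Map a score to High / Medium / Low using the assumed thresholds."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


@dataclass
class Control:
    """A mapped control: where it lives (policy / SOP) and how far it lowers each rating."""
    name: str
    source: str
    impact_reduction: int = 0
    likelihood_reduction: int = 0


@dataclass
class ComplianceRisk:
    risk: str
    statement: str
    inherent_impact: int
    inherent_likelihood: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return risk_score(self.inherent_impact, self.inherent_likelihood)

    def residual_ratings(self) -> tuple:
        """Apply the mapped controls; a rating never drops below 1, since inherent risk is never eliminated."""
        impact = self.inherent_impact - sum(c.impact_reduction for c in self.controls)
        likelihood = self.inherent_likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(impact, 1), max(likelihood, 1)

    def residual_score(self) -> int:
        return risk_score(*self.residual_ratings())


def risk_treatment_plan(register: list) -> list:
    """Return treatment entries for every risk whose residual level is still High or Medium."""
    plan = []
    for r in register:
        level = risk_level(r.residual_score())
        if level in ("High", "Medium"):
            # No mapped control means the control set is incomplete; a mapped control that
            # still leaves the risk High/Medium is weak.
            reason = "no control mapped (incomplete)" if not r.controls else "mapped controls are weak"
            plan.append({"risk": r.risk, "residual_level": level, "reason": reason})
    return plan


# Constructed sample register: ratings, the second and third risks, and all controls are hypothetical.
REGISTER = [
    ComplianceRisk(
        risk="Non-identification and verification of customers before onboarding",
        statement="The risk that customers may be onboarded without identification and verification, "
                  "causing non-compliance with AML/CFT regulations, resulting in regulatory penalties.",
        inherent_impact=5, inherent_likelihood=4,  # 20 -> High
        controls=[Control("ID verification checklist", "Customer Onboarding SOP (assumed)", likelihood_reduction=3)],
    ),
    ComplianceRisk(
        risk="Late filing of suspicious transaction reports",
        statement="The risk that reports are filed after the regulatory deadline, causing non-compliance "
                  "with AML/CFT reporting rules, resulting in penalties.",
        inherent_impact=4, inherent_likelihood=3,  # 12 -> Medium, and no control is mapped
    ),
    ComplianceRisk(
        risk="Employees not trained on the updated AML policy",
        statement="The risk that staff apply outdated procedures, causing non-compliance with the "
                  "internal AML policy, resulting in audit findings.",
        inherent_impact=4, inherent_likelihood=4,  # 16 -> High
        controls=[Control("Annual AML training", "Training Policy (assumed)", likelihood_reduction=1)],
    ),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk}: inherent {r.inherent_score()} ({risk_level(r.inherent_score())}), "
              f"residual {r.residual_score()} ({risk_level(r.residual_score())})")
    for entry in risk_treatment_plan(REGISTER):
        print("TREAT:", entry)
```

The first risk drops from a High inherent score to a Low residual score once its control is mapped, so it needs no treatment; the second has no control at all, and the third keeps a Medium residual score despite its control, so both land in the treatment plan with the reason the article gives (controls incomplete or weak).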


Additional Material

This GRC video discusses the different compliance sources that are used to perform the CRA process.


Do you want to learn about the Fundamentals of Compliance and Compliance Governance?

🔔 A detailed course on Fundamentals of Compliance and the Compliance Governance Model is available on Udemy.


