Why Ask Why?
A few years back, as the head of a compliance department at a large money services business (MSB), I was asked why we needed to conduct an internal risk assessment again, considering over the past 10+ months the company completed an independent review and three state regulatory exams. The supervisor who asked the question said, in a half joking manner, “We’ve completed the last risk assessment 12 months ago and passed all our audits and exams this past year, how much risk could we really have?”
Assessing the Assessment
It was a good question. Over the past year, we had received very high marks on our audits and exams with only minor findings and recommendations. I decided I was going to use this as an educational opportunity and to teach my AML staff the importance of conducting a risk assessment on an annual basis, regardless if you think you need it or not.
I began the conversation, repeating the supervisor’s question and asked my staff how many of them agreed. It was about 50/50 (of a staff of 12) between agreeing that we needed an annual risk assessment and not needing one because of the recent successful exams. This was about what I expected since over half the staff had only been in the AML field for around a year or so.
In order to make this an interactive learning environment, I pulled out a dry erase marker and had the staff call out to me, as I wrote every new product or service we offered in the past 12 months; all new AML monitoring typologies and best practices we developed; any new risk categories we created for Enhanced Due Diligence (EDD) / Know Your Customer (KYC) as well any current industry trends or news they could think of that might pose a risk to the business. After half an hour of having topics yelled out to me, we have an impressive list of over 30 items.
Light Bulb Moment
Next, I had the staff pull up the previous year’s risk assessment and compare how many of the items on our list were already covered and if so, what risk rating they were assigned. It was during this next half hour period that I could see the “light bulbs” go off over their heads. Each of my staff members began to realize that 20 or so items on our list were not included in last year’s risk assessment. They understood that the MSB world is incredibly fluid and new risk arise all the time. Just because we identified the risk as part of a suspicious activity review, wrote up a methodology on how to identify the activity and a procedure on how to work the problem, the risk was still there and needed to be memorialized. This, I told the “class” was why an annual risk assessment is so important.
“In order to protect your company from risk, you must first know what the risk is and how much danger it presents. Then you can work on mitigating the risk.”
Risk, I told them, can be mitigated down to low, but the risk never leaves. An annual risk assessment that incorporates new risk as well as reviews older existing risk is important to make sure that ALL Risks, not just Current Risks are always being reviewed. The example I used was, if a building sitting on a flood plain buys flood insurance, the risk is still present. All the insurance did was give peace of mind that if damage were to happen, the company would receive funds to rebuild. You still must review and rank the risk and determine your best estimate of the amount of damage the flood would create every year to know how much insurance to keep. The same goes for any other industry like MSBs, credit unions and banks. To protect your company from risk, you must first know what the risk is and how much danger it presents. Then you can work on mitigating the risk.
As I saw nods of understanding from the staff, I felt this was a good time to address the original question from the supervisor, “We’ve completed the last risk assessment 12 months ago and passed all our audits and exams this past year; how much risk could we really have?” I repeated the question aloud once and then a third time to the team. I encouraged the supervisor that it was a fair question and in my opinion a trap that a lot of compliance people can get themselves into. I asked my staff “Why have independent audits and regulatory safety and soundness exams if they don’t identify all the risk for you?” I of course received the typical, it’s required by law answer, but for the most part, the team did not have the years of experience to answer the question. So, I asked a different question “Why are we required to have an annual independent audit and regulatory exams by the states?” The staff knew these audits were required and if we failed our MSB license could be jeopardized, but they did not understand the true reasoning behind them. It was what I expected. So, I sat down and looked each person in the eye and told them my thoughts on the matter.
I said, the states require that we take steps to protect the citizens of those states from being scammed, from allowing fraud into our system and that we do our part in helping to stop the “bad guys” by filing suspicious activity reports. Furthermore, I told them, the states require that we be financially sound and have safeguards in place to protect the integrity of the financial system. In short, the purpose of the regulatory exams and the independent audit is to make sure we are compliant with laws and regulators first and foremost. However, we have to have a strong AML program to ensure that honest people can transmit their money safely and that we do our best to stop the dishonest ones is the reason why we have regulation in the first place, and the key tool that every AML department has to achieve this task is its risk assessment. Without knowing where our risk lie, how can be put in measures to reduce the risk and safeguard our customers?
“A risk assessment is not just an annual thing you do to get it over with. It is something that must be embraced and nurtured.”
As the meeting was nearing the three-hour mark, I had one final parting bit of advice for my staff. I told them; I had been in the compliance industry for over 15 years. Some of you will get out of compliance after a few years and try a different industry, some of you will grow and become superiors and managers and possibly even BSA Officers. All of you, no matter what industry you go into or what level of management you achieve, will need to understand that regardless of the business you are in, and the department you work for, there will always be risk. Understanding that you need to identify those risk sooner rather than later and put a plan in place to mitigate the risk will ensure that you will be successful in your career. A risk assessment is not just an annual thing you do to get it over with. It is something that must be embraced and nurtured. The risk is never going to leave, and new risks are right around the corner. Reviewing and updating your risk assessment on a regular basis will ensure you stay on top of your risk. Plus it never hurts that having a strong risk assessment process will impress state regulators as well as your future manager. This is something that all of us should strive to do.
As the staff headed back to their desk, the supervisor who asked the original question came up to me. He told me that he appreciated how I answered his question and that I included the whole staff. He thought it was good that the knowledge I passed on reached every level of the staff. He appreciated that I could have just told him and him alone the answer, but that I included everyone. I thanked him for asking the question in the first place. It was a good opportunity for me to show case one of my core management beliefs, that “We all learn and adopt together”.
He looked at me with a inquisitive look, “We all learn and adopt together?” He asked. That is correct I replied, but that is a story for another time…
HDCS, Inc. / Chief Compliance Officer