Financial institutions have stepped up investment in risk assessment over the past decade in response to the regulators’ repeated call for a risk-based approach to management activities. The regulatory intention is to enable financial institutions to identify and understand risk exposures and focus resources in a proportional and efficient manner.
This is particularly pertinent in the area of financial crime (FinCrime) where the threat landscape is constantly evolving, and regulatory scrutiny is heightening. But as financial institutions dedicate more time and money to risk assessment, the result is often longer and more complex reports, rather than a clearer and more nuanced understanding of FinCrime risks across the organisation.
There are many reasons for this poor return on investment. Data quality is a perennial challenge to the effectiveness of the risk assessment, impacting the breadth of analysis that can be done, and conclusions drawn from the responses.
But while improving data quality is a complex, long-term challenge, producing a more effective risk assessment report doesn’t need to be. Here we offer six ‘easy fixes’ financial institutions can adopt to improve a risk assessment report.
1. Don’t lose the big picture
The risk assessment findings should be framed in the context of the current regulatory and geopolitical landscape, as opposed to being presented in isolation. What is the organisation’s exposure to the emerging money laundering revelations? Is the organisation in a position to respond quickly and effectively to sanctions regime changes driven by the volatile political landscape? The report should evidence a clear understanding of the organisation’s exposure to current and emerging risks informed by the global macroeconomic and geopolitical context.
2. Keep it short
No one will read a 200-page report, least of all busy management board executives. Writing, reviewing and approving a report this long is time-consuming and costly, and does not add proportionate value. The executive summary should contain the big headlines but also allude to the additional detail in the report and entice the audience to read on. The length of the report will likely be relative to the scope of the assessment and the size of the organisation – but remember, less is often more.
3. Use interactivity for engagement
Risk assessments should be informative, accessible and easily digestible for all intended audiences. Traditionally produced as long Word documents or PowerPoint presentations, there are now alternative formats available that could enhance the user experience and value of the risk assessment. For example, a data visualisation programme could be used to provide an interactive user interface and significantly increase the analytical capability of the report, enabling and encouraging readers to explore areas of interest in more detail. Combining a short, written report with an interactive dashboard can strike the perfect balance of form and function.
4. Don’t focus on limitations
Data limitations, by definition, undermine a risk assessment report. A lengthy data limitations section at the start of a risk assessment report signals to the reader that there is little value in reading on. While data limitations are, often, inevitable and should be explained in the report, they should not undermine the findings. Any data that has severe limitations should not be used for analysis in the first instance and has no place in the report. A short data limitations section should focus on how the limitations were successfully mitigated, rather than all the shortcomings of the data – and consequently, the report itself.
5. Emphasise trends over data points
Trend analysis is a crucial component in evidencing a comprehensive understanding of the risks an organisation is exposed to, and its development over time. The problem for organisations is that risk assessment methodologies and scoring logic will inevitably have to evolve as they adapt to the changing risk profile of the organisation. This makes like-for-like comparisons and trend analysis at the data point level very challenging. Organisations should therefore focus on the broader risk and control trends across successive risk assessments rather than attempt to analyse changes at the individual data point level.
6. Clearly outline actions
The ultimate focus of the report should be on proposing actionable recommendations for tangible change, based on a comprehensive analysis of residual risk. The goal of any risk assessment should be to get the actions approved by the management board and tracked to completion. This then mitigates any exposure not aligned to the organisation’s risk appetite and/or remediates any gaps in the organisation’s control framework. The proposed actions should therefore be front-and-centre of any risk assessment report and supported by compelling evidence and robust rationale. Agreeing and assigning team/individual responsibilities and action due dates in the report is an effective way of encouraging proactive tracking and resolution.