The understanding and management of risk by financial institutions, banks and other entities has improved over the years. Today, stakeholders are more involved, and they demand greater transparency about a company's risks, how the company reacts to them and how it plans for the future in order to seize further opportunities.

Enterprise-Wide Risk Assessment (EWRA), Enterprise Risk Assessment (ERA), Overall Risk Assessment and Enterprise Risk Management (ERM) are all terms that describe the same process: the identification, appraisal and supervision of the risks of an entity. An assessment helps businesses adapt their approach to managing risk to meet the demands of evolving financial corporate standards.


💰 Why do Financial Institutions conduct overall risk assessments?

Using ERM programs is a way for companies to gain a competitive advantage, not solely a response to a regulatory obligation. Understanding which areas of a business are the most exposed to risk allows entities to take preventive measures, prioritise actions and protect their business from unforeseen hazards.
Insight into how risks are spotted, addressed and managed is often decisive for aligning the risk acceptance of upper management with the oversight function of the board members.


ERM plays a fundamental role in prioritising risks (e.g. governance, operational, reputational, strategic, financial and regulatory risks) and can therefore be considered an essential step in the overall business strategy and company performance. Risk assessment helps companies grasp business opportunities in changing environments.


👩‍💼 EWRA and the Risk-Based Approach (RBA)

The risk-based approach (RBA) is an essential part of risk management. The RBA was highlighted especially for money laundering and terrorist financing risks (AML/CTF) in the 2012 FATF Recommendations:
“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”
It was also a major concern implemented in the fourth European AML Directive.
An appropriate risk-based approach begins with acquiring an in-depth and up-to-date awareness of the institution's risk exposure and an understanding of those risks.

The RBA is a methodology for prioritising the company's activities based on a prior analysis of data. Under the RBA, the actions taken are proportionate to the level of risk: in low-risk situations fewer actions are required, while the emphasis is placed on high risks, where enhanced measures are mandatory. This allows the allocation of available resources to be optimised.


🔑 How to efficiently conduct Enterprise-Wide Risk Assessments?

A successful EWRA methodology is consistent across domains and is commonly built through the following main stages: risk identification, gap analysis/risk prioritisation and adjustment (corrections and mitigation).

EWRA compliance methodology

Risk identification
The firm identifies and classifies the risks, and the inherent risk score must be calculated. The professionals conducting the risk assessment should have a clear understanding of the entity's operations, its working environment and the problems that may arise. A risk can originate in one part of the entity but have an impact on many business units, which is why we speak of Enterprise "Wide" Risks.

Risk types
The entity will have to classify the different types of risks. The risks cover business domains such as Compliance, Governance, Strategy, Planning and Infrastructure. These general categories are split into sub-categories, and the risks are identified for each one. For example, compliance risks are analysed further into compliance culture, reporting and management risks. Infrastructure includes sub-categories such as human resources, training, communication, IT systems and marketing risks.
Gap analysis and risk prioritisation
This stage is the analysis and assessment of the adequacy of the existing relevant risk management measures, and it exposes the residual risk.
When the business examines its risks taking into account the existing applicable controls, the result is the “residual risk”. By comparing these two calculated levels of risk, inherent and residual, a business can assess its existing controls and evaluate whether they are sufficient.

A deep understanding of the company and the risks it faces is key to determining whether the company can achieve its overall goal or whether extra measures are needed. An EWRA is more efficient for an entity if the risks are prioritised as more or less urgent according to their importance for the entity.
Adjustment (corrections and mitigation)
If it is deemed necessary, this phase takes place and introduces new or additional risk management measures to control the risks that are not adequately covered. In this phase, a corrective action plan is provided. A due date and an estimate of the time required to complete the plan are usually considered, together with the appropriate means for completing the task.





🧐 What is Risk Appetite and Risk Tolerance?

Risk appetite is the amount of risk an entity is willing to take. It shapes the goals an entity has and determines the profile of a business as more risk-aggressive or more conservative. An entity has to develop a risk appetite and communicate it to its different units in order to set the goals for every department. The risk appetite will have to be monitored and updated when needed. To develop a risk appetite, the business takes into account several factors: its current risk level, the risk it is capable of handling, its risk tolerance and the entity's attitude regarding growth, returns and risks.

Risk tolerance is more specific in an operational sense and represents the application of risk appetite to particular objectives. It is the level of risk that an entity can handle per individual risk. A company sets its risk appetite, but the risk tolerance is the acceptable action that will be taken based on that appetite.


📁 The necessity to document and continuously update the EWRA

In general, the EWRA shall be documented, updated and kept at the disposal of the supervisory authorities (in Belgium, the National Bank of Belgium, "NBB"). The EWRA will be updated every time an event occurs that can have a significant impact on the risk profile of the entity.

It is not a process that takes place once per year, but an ongoing process that is triggered every time a major situation arises. The entity should have, at any time, a clear understanding of how the risks associated with its business relationships are evolving.

In addition to the core EWRA document, a framework describing the process for completing the assessment is required. This document mentions the applicable legal framework. Moreover, it should state the methodology used and how it has been integrated into the assessment, describe the procedures for monitoring and timely updating the risk assessment process, and indicate the extent to which the responsible staff, senior management and any other parties have been involved in all phases of the process.

In conclusion, risk professionals should not forget that risk management is not a "tick-the-box" exercise. It is a whole system for improving the performance of a business. It is a continuous process that requires a deep understanding of the entity's business model and its functioning in its specific business and legal environment.

Michel Cliquet, Senior Consultant, Pideeco Network Partner