Dear Trainer,

I have prepared the slides (refer to the appendix) for the RM training. I suggest that we have a face-to-face training workshop for this course, as it would be more effective and we can include interactive group discussions, case studies and Q&A sessions. I believe this method would encourage knowledge sharing among new and experienced staff as well. Below are notes on how you may present the slides, and examples to help illustrate the process better.

Regards,
Head of Compliance

Overview of RM
Refer to Appendix 1 & 2

(ISO 31000, 2009) defines risk as follows: "Organisations face internal and external factors that make it uncertain whether, when, and the extent to which they will achieve or exceed their objectives. The effect this uncertainty has on the organisation's objectives is risk."

RM is the process of systematically identifying, analysing, assessing, managing, monitoring and communicating past, present and future risks in a way that will minimise losses and maximise opportunities.

In the wake of the global financial crisis, numerous banks collapsed and were criticised for their inadequate risk management frameworks (RMF).
(Lehman, xxxx) (HBOS, 2011). Since then, RM has been placed firmly in the spotlight by both businesses and regulators.

Effective RM translates into the bank achieving its objectives by:

i) Understanding the environment we operate in and all the risks associated with it, which allows us to manage or avoid these risks. In return this improves the decision-making process, making our bank's core principle "HERE FOR LONG TERM" achievable.
ii) Protecting and enhancing the bank's assets and reputation with a robust RMF. This in return maximises shareholder wealth and provides assurance to shareholders that their investments are protected.
iii) Allowing us to identify immediately any potential serious problems that could impact meeting our objectives, and to put in place action plans to manage the likelihood of occurrence. This leads to time and cost savings in the long run.
iv) Permitting activities to take place in a consistent and controlled manner, making the achievement of objectives smooth.
v) Providing more confidence to the regulators on the dealings of our businesses, thus allowing us to concentrate on our business strategies.

Failure to properly implement an RMF can result in significant fines (RBS, 2011), reputational damage and even loss of banking licences. Recently the Monetary Authority of Singapore revoked BSI Bank's merchant banking licence for serious breaches, one of them being an "unacceptable risk culture, with blatant disregard for compliance and control requirements as well as MAS' regulations" (MAS, 2016). Refer to Appendix x & X.

Note: This part will be illustrated using the compliance risk management (CRM) in our bank, specifically the RM of money laundering and terrorist financing (MLTF).

Compliance risk (CR) is "the risk of legal or regulatory sanctions, financial loss or reputational damage which a FI may suffer as a result of its failure to comply with legal and regulatory requirements applicable to its activities".
(BNM, 2016)

As global regulations proliferate, regulators' expectations increase and businesses expand into new and complex products, we are exposed to a greater degree of compliance risk than ever before. A robust CRM framework is needed to ensure compliance risks are managed effectively.

CRM regime

One major compliance risk that we face as a bank relates to MLTF risks. FIs are required to take appropriate steps to identify, assess and understand their MLTF risks in relation to customers, products, services, transactions and delivery channels (FATF, 2012) (BNM, 2013). (BNM, 2013) states that "In the context of 'Risk-Based Approach (RBA)', the intensity and extensiveness of risk management functions shall be proportionate to the nature, scale and complexity of the reporting institution's activities and ML/TF risk profile."

The following MLTF regime in the bank is designed based on the above two statements.

(1) Policies and procedures

It is vital for any RM framework to first have a published policy that is agreed by the board. The policy should contain the risk approaches, the risk appetite, the roles of individuals within the organisation, the key activities, systems and controls, and the monitoring processes within the MLTF regime. Our bank's policy, "Compliance- AMLCFT Policy", is available via the bank's knowledge portal.

(2) Risk Identification

You can't mitigate a risk if you don't know it is there. Therefore it is vital to understand the different MLTF risks that the bank faces. Such risks are identified by:

i) understanding legal (AMLATFAPUA, 2001) and regulatory obligations (BNM, 2013);
ii) referring to published typologies and recommendations such as (Wolfsberg, 2006), (FATF, 2015), etc.;
iii) understanding the bank's objectives, products, services, customers, markets, exposures, the environment it operates in and its controls;
iv) referring to risk logs, past breaches, complaints and self-assessment findings.

This process must be performed on an ongoing basis to cater for changes in regulations, the emergence of new trends and changes in business strategy.

(3) Risk Analysis

The risks identified are then analysed to determine:

i) MLTF control weaknesses, which indicate that compliance risks exist;
ii) the probability that the risk will crystallise;
iii) the consequences if it occurs (regulatory breach, financial loss, reputational damage, etc.).

We use an approach which rates the consequences and the probability as high, medium or low and presents the results in a 3 x 3 matrix. Refer to slide x for an example of the risk ranking in the event that customer due diligence (CDD) is not performed prior to onboarding a customer.
(4) Risk Evaluation

Having analysed all the risks to which we may be exposed, we then decide which risks can be accepted and which need to be avoided. We start with all the high risks and prioritise them. Sometimes it is wise to treat the lower risks first, as the solutions may be quicker or lower cost, and this will prevent the risk from escalating. The bank's risk appetite determines the level of acceptability of the risks.

(5) Risk Treatment

For each risk that has been evaluated, the bank then decides on the course of action needed to manage it effectively. Risk treatments include:

i) Risk avoidance
This means completely avoiding an activity. A clear example within the bank is the refusal to onboard customers from countries (e.g. North Korea) identified by FATF as non-cooperative in the fight against money laundering (FATF, 2017).

ii) Risk transfer
This is when the risk is transferred to another party.

iii) Risk mitigation
This is the process of applying measures and controls to reduce the likelihood or impact of the risk. Typical controls put in place during the onboarding of a customer to manage MLTF risks are (BNM, 2013):
- identify and verify customers prior to onboarding;
- perform risk profiling and risk ranking on customers based on the customer profile (PEP status, citizenship, resident or non-resident status, type of occupation);
- an approval matrix for customers based on their risk rankings;
- ongoing monitoring of high-risk customers.

(6) Compliance Monitoring

Compliance monitoring is performed on a continuous basis and follows an RBA: the monitoring focuses more on areas of the business with higher risks. This is an integral part of our regime because it:

i) is a regulatory requirement (BNM, 2016) (BNM, 2013);
ii) tests the effectiveness of the controls that have been put in place.
This provides assurance to senior management and regulators as to whether the controls are working;
iii) highlights any deficiencies in processes and controls, which would then call for remedial actions to be put in place;
iv) helps maintain an up-to-date assessment of the MLTF risks the bank faces.

Monitoring is conducted through a combination of monitoring visits and desktop reviews. Desktop reviews include the use of trigger events that act as a warning alarm that there is an increased risk of a breach occurring.

(7) Escalation & reporting

An effective framework must provide for reporting matters to the board or regulators (where necessary) on a regular basis. For the bank, reporting to the board is done monthly via the Board Risk Management and Compliance Committee. Areas covered are:

i) a summary of regulatory breaches and recommendations of corrective actions;
ii) the results of compliance risk assessments undertaken in the period, highlighting key changes in the CR profile, a summary of deficiencies and the impact of any breaches;
iii) any other observations regarding the CRM culture.

Reporting to regulators is done in instances where there is a regulatory obligation. For example, (BNM, 2013) requires compliance officers to submit suspicious transaction reports to the Financial Intelligence and Enforcement Department by the next working day from the date the Compliance Officer establishes the suspicion.

(8) Record Keeping

The maintenance of adequate records is essential in order to demonstrate adequate RM practices. All assessments and identification records should be maintained so as to be able to demonstrate the basis of the decisions taken. (BNM, 2013) requires FIs to maintain documents pertaining to the CDD process for at least six years.
Refer to Appendix x & x.

It is essential that RM is well integrated throughout the organisation through its culture and business operations, and not carried out in isolation. This is to: (amend)

a. Fulfil regulatory obligations. Compliance and its risk management is the responsibility of all officers within a financial institution. Therefore defining the roles and responsibilities of individuals throughout the firm is essential (BNM, 2016).
b. Enable employees to make business decisions that take into account risks and their impact on the bank. This can be done by promoting the awareness and understanding of RM in their business practices.
c. Assign the various risk and control functions specific roles, so that there are neither gaps in controls nor unnecessary duplication of coverage.
d. Foster interdependence between all employees of the bank, which is important for a compliance culture in the bank.
e. Avoid these groups devolving into ongoing debates about whose job it is to accomplish specific tasks.
Clarify R
f. Delegate and coordinate risk management duties with a systematic approach.

Therefore integration between all functions in FIs is needed towards the management of CR, and it should operate in the three lines of defence (LOD) model as suggested under (IIA, 2013).
- give examples & best practices

Roles & responsibilities

1) Board of Directors (BOD)

The recent global financial crisis exposed a number of risk governance weaknesses in major financial institutions, relating to the roles and responsibilities of corporate boards of directors (the "board"), the firm-wide risk management function, and the independent assessment of risk governance. Without the appropriate checks and balances provided by the board and these functions, a culture of excessive risk-taking and leverage was allowed to permeate many of these firms (Barings Bank; Nielson, p. 166).

When it comes to managing CR in the bank, the board has the following key functions:

a. Has a primary role in fostering a strong compliance culture within an FI by ensuring that officers understand their responsibilities in respect of compliance and its RM.
b. Must ensure that the FI's corporate objectives are supported by a sound risk strategy and an effective risk management framework that is appropriate to the nature, scale and complexity of the institution. The BOD must approve the FI's overall risk strategy, including the risk appetite, and ensure its implementation.
c. Must ensure that a sound control environment exists within the institution, with clear identification of the responsibilities of personnel within the organisation. Must ensure that the CCO has proper authority and enough staff and resources to carry out their responsibilities.
d. Set the tone from the top. This can be done through reward systems, socialisation and training, and resources.
e. Provide active support and guidance to the three LOD.
f. One of the fundamental obligations of senior management is to create a robust internal control system to effectively manage compliance risk. The SOE Guidelines recommend that "when necessary" SOE boards should "set up specialised committees to support the full board in performing its functions, particularly with respect to ... risk management" (Guideline VI.E).

The 3 LOD model provides a simple and effective way to enhance communication of RM and control by clarifying essential roles and responsibilities (R&R). The 3 LOD model distinguishes between three groups involved in effective RM:

2) 1st LOD (IIA, 2013): functions that own and manage risks

These are mainly business units (BU). Compliance staff may not be fully aware of the work processes and controls that are in place in the businesses. Therefore the 1st line's involvement in the CRM process is vital, as they understand their products' vulnerabilities, client risk factors, legislation and regulations, and industry best practices.
Their main functions in the CRM regime are:

a) Primarily accountable for the development and implementation of internal controls.
b) Analyse and identify risks affecting their BUs.
c) Perform self-assessments on the effectiveness of controls.
d) Identify remedial action plans for control deficiencies and ensure they are completed in an effective and timely manner.

In addition to BUs, the 1st LOD is also made up of support units (SU). Some of the SUs involved in the CRM are:

a) Human Resources (HR)
Work with the compliance function (CF) to arrange CRM training for new joiners as well as refresher training, and explore methods of training that could be implemented to ensure that adequate training is provided to officers within the bank on the implementation of internal controls to manage compliance risks.

b) Information Technology (IT)
The CF needs to work closely with IT for various reasons, such as to maintain the CRM system, perform or advise on enhancements needed, and give ad hoc advice whenever there are "hiccups" experienced in the system.

3) 2nd LOD (IIA, 2013): functions that oversee risk

The 2nd LOD consists of independent functions that are created mainly to ensure the 1st line's controls are properly designed, in place and operating as intended; in other words, to monitor the work of the 1st line. Some of the functions that fit in the 2nd LOD, and their roles in the CRM framework, are as below:

a) Compliance Function (CF)
Xxxxxxx
1) Must identify and assess the CR associated with the FI's activities. This requires the CF to possess adequate knowledge of, and exposure to, key business processes and regulations (BNM, 2016).
2) Should monitor the level of compliance risk by using a range of indicators to identify trends and
3) Needs to quantify and evaluate the likelihood and impact of losses should the risk materialise.
4) Helps the BOD to draw up the CRM policy.
5) Maintains a compliance monitoring programme that covers regulatory requirements and performs tests to evaluate the adequacy of the controls in place to manage CR. This is done to provide assurance to the BOD and regulators that the controls are functioning correctly.
6) Ensures that remedial action plans are adequate and monitors them for any recurrence.
7) Analyses trends that emerge from compliance monitoring. It is essential to identify risk areas.
8) Maintains a log of breaches and internal controls to help identify trends and root causes.
9) Establishes escalation and reporting of compliance issues. The BOD needs to be assured that breaches are being managed and that arrangements are adequate.
10) Provides advice to the BOD and BUs on an ongoing basis, including on regulatory changes and their impact on the FI's CRM. Example: product development ... xxxxx
11) Ensures that adequate training is provided to all levels of staff on CRM and its implementation.

b) Legal
Legal also fits in the 2nd LOD, providing legal advice and interpreting Act(s) for BUs and the CF. For example xxxxxxxxxx TnC.. etc.

c) Risk Management
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

4) 3rd LOD

(BNM, 2016) says a financial institution must ensure that there is a clear separation of the internal audit function and other functions carrying out compliance function responsibilities. Compliance risk must be included in the risk assessment methodology of the internal audit function, and an audit programme that covers the adequacy and effectiveness of the other functions carrying out compliance function responsibilities should be established, including testing of controls commensurate with the perceived level of risk.