Why is a financial crime risk appetite statement needed?
11 November 2019
Having a robust financial crime risk appetite statement together with its associated financial crime risk assessment is fundamental to an organisation properly understanding, managing and mitigating its financial crime risks - and therefore limiting the opportunities for criminals to access and use the financial services industry for illegal activities.
The Financial Conduct Authority (FCA) and other regulators have put increasing focus on financial institutions’ financial crime risk appetite statements and broader financial crime risk management frameworks. Specifically:- how risk appetite is understood and defined; how the risk assessment is undertaken; and how risk is managed through policies and procedures and other aspects of the financial crime risk management framework.
There is limited clear guidance or consensus from global regulators stating their expectations regarding the form a financial crime risk appetite statement or financial crime risk assessment should take. As a result it is difficult for organisations to achieve good practice.
As my colleagues set out in their boxing analogy blog about operational resilience, while you may not have an appetite for financial crime risk, by undertaking business you are being exposed to financial crime risk and therefore you are tolerating that risk.
As an organisation you need to define the extent to which you are prepared to tolerate being used by criminals for criminal activities or to be exposed to a regulatory breach (i.e. how many times you are prepared to tolerate being punched in the face) and put in place the appropriate controls to mitigate the risks to what you are prepared to tolerate. This is the ‘tolerable’ or ‘residual’ risk.
Often people misunderstand the term ‘risk appetite’. I frequently hear very senior members of financial services organisations stating that they have ‘zero appetite’ and/or ‘zero tolerance’ for financial crime as it is ‘illegal’. While organisations have no appetite for financial crime risk by carrying on business activities they are exposing themselves to risk and therefore must tolerate the fact that at times they will be ‘punched’!
A Risk Appetite Statement therefore articulates the appetite for risk that an organisation has, the extent of the risks that an organisation is prepared to tolerate (‘residual’ or ‘tolerable’ risks) and the risks it is not prepared to tolerate (‘intolerable’ risks) (see Blog #3) as well as the extent it is prepared to tolerate the failure of its controls (see Blog # 4). It should also include a recognition of its potential exposure to regulatory breaches.