Final remarks on risk appetite statements
04 December 2019
The risk appetite statement should not be considered in isolation but should be considered in the context of the broader financial crime risk management framework.
The risk appetite statement informs policies and procedures which should be designed to ensure that the controls are in place to mitigate the inherent risks to within the agreed tolerable levels.
The risk assessment, which is itself a key part of the ‘risk management framework’ should assess the inherent risks that the institution is exposed to and the suitability and comprehensiveness of the controls that mitigate the inherent risks to the defined risk tolerances (residual risk) as set out in the risk appetite statement.
Management oversight should ensure the connectivity of the financial crime risk appetite with the financial crime risk assessment and with the controls and policies & procedures. They should monitor the effectiveness of the controls and manage the risk to within risk tolerances.
When the risk and control frameworks join up effectively, financial crime risk is effectively understood and managed to within the institution’s risk tolerances and the objective of not being used in the furtherance of financial crime and in meeting regulatory requirements is achieved.