As mentioned in the previous article series, we are going to look at the practical example of the risk assessment through the application of Microsoft Power BI. We have also made a video tutorial for this that can be found at the end of this article. However, we suggest you go to this article first and then refer to the video tutorial.

Go to the previous article in this series

For this article,  we have taken a Bank as an example organization. However, please keep in mind that this risk assessment concept can be applied to any organization.

Risk Identification:

The first component of Risk management is risk identification where we need to identify different risk factors that are present within the bank along with its respective components. Further these components should be given appropriate risk grading along with their risk weights to perform quantitative risk analysis.

Let us first look at our data:

Power BI Risk Assessmen
Fig 1: Overall Data

In this table,  we have assumed that customer opts for only one product and services. The country to which customer belongs is mentioned here. Customer nature is also given. Finally, there are 3 types of transactions that each customer usually performs in his/her account. In this data, we have successfully incorporated 4 risk factors for the AML/CFT risk assessment purposes: Customer Nature, Geographical Location, Product and Services, and Delivery Channel/Transaction Delivery.

Following are tables representing each risk factors:

PowerBI 2 Risk Analysis
Fig 2: Identification of Risk Factors along with its components

You can see from the above figure, we have identified all the components included in each risk factor along with their risk grading and risk weight. The detailed theory of the risk assessment is given in my previous article.

The following figure shows the risk weight of each risk category: High, Medium and Low

Risk Assessment:

Power BI Risk Analysis
Fig 3: Graphical Presentation of Risk Factors

This is called the power view window in Microsoft Power BI. You can see that in the above figure, we have used Customer Number as metric for each risk factor and its individual components, “Count of Customer ID” column include the number of customers for each risk factor’s components. For e.g., there are 3 Casinos customers(Customer Nature), 192 customers are from India(Geography), 422 customer use Bank Guarantee product(Product and Services and 531 customer uses Internet Banking(Transaction Channel).

The main advantage of Power BI is that it shows the interlink between various components. In the pie chart at the lower corner of the figure, you can see that customer who are risk graded as “Medium” is substantial than others.

Power BI Risk Analysis
Fig 4: Position of Power View after clicking Medium Segment

If we click at the medium segment, the whole view of Power BI is altered. You compare this figure with the above to see the difference, for instance, you can see the number of medium customers is 3126 for all risk factors, as seen in the Total field. In the world map chart, you can see the location of medium risk customers


You may be thinking that’s good, but maybe wondering, can all these risk factors can be combined into one so that I can see my overall risk of this organization. Yes, this can be done, please look at the below picture:

Power Bi Risk Analysis
Fig 5: Overall Risk Assessment

This is the next power view window where we have clicked on the high-risk segments (blue part in the chart). This will give you information about the high-risk profile in your organization. For e.g., In the highlighted section, it can be seen that bank is giving services to customers like Jewelry dealers, large taxpayers, money transfer agencies who are from IRAN which is the high-risk country to whom it is providing various high-risk products and services like bank guarantees, swift and these customers are carrying different types of transactions like issuing drafts, wire transfer which is the high-risk medium of doing transaction. All these components are high-risk components.

Now, it is time to perform risk calculations:

Power BI Risk Analysis
Fig 6: Risk Value of All Risk Factors

In the above figure, we can see each risk factor including its components with the number of customers by each component along with appropriate risk weight. Now, we need to perform Risk Calculation using various variables, so, we will leave Power BI, say hello to our old friend, Excel.

Risk Calculation

Risk Factors No of Customer Risk Score Total Risk Value
Customer Nature 4240 47           199,280
Geography 4240 50           212,000
Product and Services 4240 18             76,320
Transaction Delivery Channels 4240 13             55,120

In the above table, the number of customers for each risk factor is the same which is when multiplied by their respective risk score gives the total risk value. As can be seen from the table, the risk value from the transaction delivery channel is low while the geography is high.

Risk Mitigation

In order for the risk mitigation we need to look at different control measures that are available in our organization to cope with risk.

Control Measures Implementation Status Mentioned in Policy Risk Factors Control Strength
New Products Review from the Compliance Department Not  done Yes Product 20%
Customer Screening Done Yes Geography/Customer Nature 90%
Wire Transfer Monitoring Not done Yes Geography 20%
Transaction Monitoring/STR Reporting Done Yes Transaction Delivery 80%
 KYC/CDD 40% still remains Yes Customer Nature 60%

Let us say, we have 5 types of controls in our organization, lets check their implementation status and their inclusion in our AML/CFT policy to determine their relative strength. For eg, for “New Products Review from Compliance” meaning that before all new products are launched by the organization, they need to be reviewed by the AML/CFT department for AML/CFT risk. However, even though this provision is mentioned in the policy, it is not actually implemented. But, there is still a possibility that it will be implemented in the future since, it is mentioned in the policy. Hence, control strength is 20%. Further, this control is directly applicable to mitigate product risk.

Similarly, the implementation status of KYC/CDD is 40% which means that KYC of 60% of customer accounts is only updated and it is directly applicable to mitigate risk from customer nature. In addition, customer nature risk also mitigated by customer screening, so we take the average of control strength of these two controls which brings to the value of 75%.

Residual Risk

Risk Factors No of Customer Risk Score Total Risk Value Control Strength Residual risk %=Residual risk/ Total risk
Customer Nature 4240 47           199,280 75%                49,820.00 9.18%
Geography 4240 50           212,000 55%                95,400.00 17.58%
Product and Services 4240 18             76,320 20%                61,056.00 11.25%
Transaction Delivery Channels 4240 13             55,120 80%                11,024.00 2.03%

The residual risk is derived after deducting control strength from total risk. From the above table, the risk from customer nature was 199,280, since the control strength is 75%, the residual risk will be 25%, hence, it is 49,820. Now, we can determine the residual risk rating based on the total risk of the organization. Please note that the residual risk rating is given by the following:

Residual Risk Rating(%) = Residual Risk/Total Risk

We have assumed the following  3 tier rating scale of Residual Risk  as follows:

Inherent Risks Controls Strength Residual Risks Residual Risk Rating
High 80%-100% Low 0%-20%
20%-80% Medium 20%-80%
0%-20 High 80%-100%
Medium 80%-100% Low 0%-20%
20%-80% Medium 20%-80%
0%-20 High 80%-100%
Low 80%-100% Low 0%-20%
20%-80% Medium 20%-80%
0%-20 High 80%-100%

Now, we can safely assume that after applying all the necessary controls, we have successfully brought down the AML/CFT risk to a low level.  However, there are still areas of improvement in the control measures. You still need to implement those controls which are merely mentioned in the policy  and new controls may need to be sought out with the changes in AML/CFT environment.

Final words,

Risk Assessment is not an exact science but both science and art. As you can see that we have made a lot of assumptions here. These assumptions are based on current and past trends, organization nature, size, and other factors.

Thank you for your time.

Further, if you have found this article useful, please do share and subscribe.


Next: Guidenline to Develop Anti-Bribery Corruption Policy and AML/CFT Policy