Look before you leap.      

John Heywood (c.1497-1580)

We have been hearing this quote time and again, but we keep forgetting it and suffering the consequences. The following two examples illustrate this:

  1. An organization drafting policies before carrying out an AML/CFT risk assessment. This is the same as driving in the dark while blindfolded.
  2. An organization preparing a different AML/CFT Risk Assessment Report and policies only after being asked by regulatory bodies. Organizations should carry out the risk assessment process and the creation/revision of policies at the beginning of every fiscal year, just like budgeting.

In this and the following article series, we will explore how to carry out an AML/CFT risk assessment in any organization. Focus on the word “HOW”. If you go through any articles or journals on risk assessment, they will provide you with only guidelines. The main problem with guidelines is that they are just ideas in a general sense. These guidelines will tell you that you need to calculate the inherent risk of various risk factors, calculate the strength of internal controls, and determine the residual risk for risk assessment purposes. But again, how is the question: how can you assign a value to the inherent risk or, for that matter, to the strength of a control? Above all, if I do a risk assessment on the basis of these guidelines, how do I know whether the risk assessment is accurate? Similarly, if I make policies on the basis of these guidelines, will they be far from reality and never get implemented?

Well, to be frank, Risk Assessment is not an exact science, because if you look at the definition of Risk in the Oxford Dictionary, it is explained as below:

“Risk” is a chance or possibility of danger, loss, injury or other adverse consequences. – Oxford Dictionary

Again, look at the words chance or possibility. Risk is an uncertain event that may or may not happen in the future. So how can anyone put a value on the risk if it is uncertain? One can only make an estimate. Therefore, how to do a proper risk assessment is a million-dollar question.

Here are some examples to drive the point home:

  1. Bad Risk Assessment: In a bank, a customer who is a salaried private employee earning less than $5000 a year, and who only uses the account for salary deposits and withdrawals, is rated as a High-Risk Customer.
  2. Good Risk Assessment: In a bank, a customer who is a Politically Exposed Person is profiled as a High-Risk Customer because there is a chance that he may use the bank account to siphon money received from corruption.

Here comes the fun part: the things we are going to share about risk assessment in the sections below are based on my personal experience and on the guidelines from Wolfsberg, FATF, and other related journals, whitepapers, articles, and so on. If you have a different opinion than ours or would like to share/add something, please do so in the comment section below.

Now, we will take you through the concept of Risk, Risk Identification, Risk assessment, and Risk Mitigation in the AML/CFT area. In the next article, we will explain how to use Microsoft BI for Risk Analysis.


By now, you should know that risk is the chance of suffering a loss in the event of any kind of threat occurring. Let’s say you are in the trade finance department; there may be a threat of someone conducting trade transactions to launder drug trafficking money. The risk is that a law enforcement authority will carry out an investigation into this transaction, and you and your bank may be penalized for it.

The universal definition of risk is this:

Risk level/Score = Likelihood × Impact

Risk is a combination of likelihood and impact.


Likelihood Scale:

A likelihood scale refers to the possibility or potential of an ML/TF risk occurring in the business for the particular risk being assessed. Three levels of risk likelihood are shown in the sample table below. A corresponding score in the range of 0-100% has been assumed in this article for the severity of risk that the organization expects to encounter. A score of 0-30% signifies that the chances of the risk occurring are minimal, and a score of 70-100% is indicative of very high chances of risk occurrence.

Rating (Score): Description/Likelihood of ML/TF Risk

  • Very Likely (70%-100%): Almost certain; will probably occur several times a year.
  • Likely (30%-70%): High probability; will happen once a year.
  • Unlikely (0%-30%): Unlikely, but not impossible.

Impact Scale:

Impact scale refers to the consequences of loss or the severity of damage that may result if the risk eventually occurs. The impact of an ML/TF risk can be looked at from the point of view of:

  • Risk of Actual Losses to the Business,
  • The risk to Reputation,
  • Risk of furthering a criminal enterprise,
  • Risk of causing harm

A corresponding score in the range of 0-100% has been assigned for the severity of impact. A score of 0-30% signifies that the consequences of the impact would be minimal, and a score of 70-100% is indicative of disastrous or severe consequences.

Rating (Score): Description/Impact of ML/TF Risk

  • Major (70%-100%): Huge consequences, major damage or effect; a serious terrorist act or money laundering.
  • Moderate (30%-70%): Moderate level of ML/TF impact.
  • Minor (0%-30%): Minor or negligible consequences or effect.

Risk matrix and Risk score

The Risk matrix can be used to combine LIKELIHOOD and IMPACT ratings and values to obtain a Risk score. The Risk score may be used to aid decision making and help in deciding what action to take in view of the overall risk. How the Risk score is derived can be seen from the sample Risk matrix and Risk score table shown below.

[Figure: Risk Matrix / Score (Risk Score Matrix)]

Composite Score:

Rating (Score): Composite Impact of an ML/TF Risk

  • High/Extreme (70%-100%): Risk likely to happen and/or having serious or extreme consequences. Do not allow transactions to occur unless the risk is reduced to an acceptable level. Extreme risk is unacceptable.
  • Medium (30%-70%): Possible this might happen and/or has moderate risk. May go ahead, but preferably reduce the risk.
  • Low (0%-30%): Unlikely to happen and/or has minor or negligible consequences or effect.

Now that we have determined how to calculate risk, let’s determine our risk factors for AML/CFT. They are as follows:

(1) Inherent customer risk

Different customers may carry different levels of risk. The Bank may face ML/FT risks if they are not properly identified and their transactions are not monitored effectively and continuously.

(2) Inherent product and services risk

The products and services of the Bank itself carry ML/TF risks. For example, deposit products, Remittance, Electronic Banking, Wire Transfers, etc.

(3) Inherent transaction and delivery channel risk

The delivery channel also exposes the Bank to money laundering risks. For example, the Bank usually appoints Remittance Agents. These agents may push the Bank into ML risks.

(4) Inherent geographic risk

Different geographical locations have different levels of ML/FT risk. For example, districts located near a border area, or sanctioned countries, could have a higher level of risk; hence, customers belonging to these areas are automatically high risk.

Every component of these risk factors is given a risk score based on its impact and likelihood. For example, if the organization has 5 products and services, then the risk score of each of the 5 products and services is calculated. After that, the composite score of each risk factor, including its components, is calculated.



Risk Appetite/Risk Tolerance:

Once the impact/threat levels and scores have been allocated, we need to determine the amount of risk that the organization is prepared to accept in pursuit of its business goals. This is termed the Risk appetite. Risk appetite serves as a guide to the Risk management strategy and also informs how the organization deals with risks. It is usually expressed as an acceptable/unacceptable level of risk. The Risk matrix above has been used to show the Risk appetite of the business. Some organizations may accept low and medium risk but not high risk, so they try to mitigate those risks by implementing different control measures.

Controls Assessment

Once the inherent risks have been identified and assessed, internal controls must be evaluated to determine how effectively they offset the overall risks. Controls are programs, policies, or activities put in place by the organization to protect against the materialization of an ML/TF risk, or to ensure that potential risks are promptly identified. The controls in place are evaluated for their effectiveness in mitigating the inherent money laundering risk and to determine the residual risk rating. As with the inherent risk factors above, each control below is assigned a score to show its relative strength, which is assigned on the basis of the importance the institution places on that control. For example, it may be expected that Client Due Diligence carries a larger weighting than Record Keeping and Retention within the risk assessment.

Controls (Controls Rating, Control Strength):

  1. AML Policies and Procedures (High, 80%-100%)
  2. Know Your Client, Client Due Diligence, Enhanced Due Diligence (Medium, 30%-80%)
  3. Designated AML Compliance Officer/Unit (Low, 0%-30%)
  4. Other controls…..

Residual Risk Assessment

Once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk can be determined. Residual risk is the risk that remains after controls are applied to the inherent risk. The residual risk rating is used to indicate whether the ML/TF risks within the organization are adequately managed.

The 3 tier rating scale of Residual Risk is as follows:

Inherent Risk   Control Strength   Residual Risk   Residual Risk Rating
High            80%-100%           Low             0%-30%
High            20%-80%            Medium          30%-70%
High            0%-20%             High            70%-100%
Medium          80%-100%           Low             0%-30%
Medium          20%-80%            Medium          30%-70%
Medium          0%-20%             High            70%-100%
Low             80%-100%           Low             0%-30%
Low             20%-80%            Medium          30%-70%
Low             0%-20%             High            70%-100%

(Note: Residual Risk Rating = Residual Risks/Total Risk)

  1. Low Residual Risk: The overall inherent risk of the organization, based on the clients, products/services, channels, geographies, and other qualitative factors, is low and the mitigating controls are sufficient to manage this inherent risk.
  2. Medium Residual Risk: The overall inherent risk of the organization, based on the four risk factors, is moderate and the mitigating controls are not adequate to manage this level of risk, OR the overall inherent risk is high and the mitigating controls are adequate to manage this inherent risk.
  3. High Residual Risk: The overall inherent risk of the organization, based on the four risk factors, is high and the mitigating controls are not sufficient to manage this inherent risk.

Overall Risk Assessment

The main objective here is to determine the total inherent risk faced by the organization, how much of it has been mitigated by the control strength, and how much residual risk is left. The following format may be used as a guideline for the risk assessment.

The format has the following columns: Risk Factors, Risk Value, Risk Weight, Total Risk, Control Strength, and Residual Risk (Total Risk - Control Strength). The Risk Factors column lists each factor with its components; the remaining columns are filled in for every component during the assessment.

Customer

  1. PEP
  2. Cash Intensive
  3. c…

Product and Services

  1. Deposit and Withdraw
  2. Remittance

Geographic

  1. High Risk Jurisdiction
  2. Foreign Nationals
  3. …..

Delivery Channel

  1. Debit/Credit Cards
  2. Wire Transfer
  3. ….

Risk Management

The main objective of risk management is to reduce the risk to the organization’s risk appetite level. The residual risk should be equal to the risk appetite of the organization. The balance between residual risk and risk appetite determines the degree of the controls implemented by the organization. This may result in the following situations:

Residual Risk > Risk Appetite: The organization needs to spend more on strengthening controls or implementing new controls.

Residual Risk < Risk Appetite: The organization is spending unnecessarily more on control measures and may therefore divert some expenditure to other fruitful areas.
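As an added worked example (not code from the article), the scoring chain described above in Python: risk value = likelihood × impact, residual risk = total risk - control strength, the residual rating as residual/total, the three 0-30/30-70/70-100% bands, and the comparison of residual risk against risk appetite. The component figures, the relative weights and the clamping of a negative residual at zero are constructed assumptions.

```python
from dataclasses import dataclass
def band(score: float) -> str:
    """Three-tier rating used throughout the article: 0-30% Low, 30-70% Medium, 70-100% High."""
    if score >= 0.70:
        return "High"
    return "Medium" if score >= 0.30 else "Low"

@dataclass
class Component:  # one row of the risk-assessment format table, e.g. the PEP customer segment
    factor: str              # risk factor group: Customer, Product and Services, ...
    name: str                # component within the group, e.g. "PEP"
    likelihood: float        # 0-1, from the likelihood scale
    impact: float            # 0-1, from the impact scale
    weight: float            # relative weight of the component (assumption; normalised in overall())
    control_strength: float  # 0-1, from the controls assessment

    @property
    def risk_value(self) -> float:
        return self.likelihood * self.impact  # Risk score = Likelihood x Impact
    @property
    def residual_risk(self) -> float:
        # Residual Risk = Total Risk - Control Strength (format table); clamped at 0 (assumption)
        return max(0.0, self.risk_value - self.control_strength)
    @property
    def residual_rating(self) -> str:
        # Residual Risk Rating = Residual Risks / Total Risk (the article's note), then banded
        ratio = self.residual_risk / self.risk_value if self.risk_value else 0.0
        return band(ratio)

def overall(components: list) -> dict:
    """Weight each component's inherent and residual score and rate the two totals."""
    total_w = sum(c.weight for c in components)
    inherent = sum(c.risk_value * c.weight for c in components) / total_w
    residual = sum(c.residual_risk * c.weight for c in components) / total_w
    return {"inherent": round(inherent, 3), "inherent_rating": band(inherent), "residual": round(residual, 3), "residual_rating": band(residual)}

def appetite_decision(residual: float, appetite: float) -> str:
    # Residual > appetite: strengthen controls; residual < appetite: control spend may be cut
    if residual > appetite:
        return "strengthen controls"
    return "control spend may be reduced" if residual < appetite else "at appetite"

# Constructed sample figures (not the author's data).
SAMPLE = [
    Component("Customer", "PEP", 0.80, 0.90, 3, 0.10),
    Component("Customer", "Cash Intensive", 0.60, 0.50, 2, 0.50),
    Component("Product and Services", "Remittance", 0.50, 0.60, 2, 0.60),
    Component("Geographic", "High Risk Jurisdiction", 0.70, 0.80, 2, 0.20),
    Component("Delivery Channel", "Wire Transfer", 0.40, 0.70, 1, 0.50),
]
```

With these figures the PEP segment rates High residual (weak control against a high inherent score), the overall inherent risk is Medium, and the weighted residual of about 26% sits above a 20% appetite, so the decision is to strengthen controls.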

Final Risk Assessment

What is now left is to analyze the overall risk assessment. If your organization is able to reduce the overall inherent risk to a low residual risk, it means you have adequate controls and they are operating effectively. If not, you need to improve or implement new controls.

Final Words:

This is a basic idea of how your organization’s risk framework should look. Now the one major question that may be clouding your mind is: how can I apply this practically?

In the next article series, I am going to use actual data to show you the practical application of this concept. We are going to use Microsoft Power BI for this purpose.

Please click on the following link to go to the next lecture in this next article series.

Ready for Risk Assessment with Microsoft Power BI !



Kiran Kumar Shah