As mentioned in the previous article series, we are going to look at the practical example of the risk assessment through the application of Microsoft Power BI. We have also made a video tutorial for this that can be found at the end of this article. However, we suggest you go to this article first and then refer to the video tutorial.
Go to the previous article in this series
For this article, we have taken a Bank as an example organization. However, please keep in mind that this risk assessment concept can be applied to any organization.
Risk Identification:
The first component of Risk management is risk identification where we need to identify different risk factors that are present within the bank along with its respective components. Further these components should be given appropriate risk grading along with their risk weights to perform quantitative risk analysis.
Let us first look at our data:
In this table, we have assumed that customer opts for only one product and services. The country to which customer belongs is mentioned here. Customer nature is also given. Finally, there are 3 types of transactions that each customer usually performs in his/her account. In this data, we have successfully incorporated 4 risk factors for the AML/CFT risk assessment purposes: Customer Nature, Geographical Location, Product and Services, and Delivery Channel/Transaction Delivery.
Following are tables representing each risk factors:
You can see from the above figure, we have identified all the components included in each risk factor along with their risk grading and risk weight. The detailed theory of the risk assessment is given in my previous article.
The following figure shows the risk weight of each risk category: High, Medium and Low
Risk Assessment:
This is called the power view window in Microsoft Power BI. You can see that in the above figure, we have used Customer Number as metric for each risk factor and its individual components, “Count of Customer ID” column include the number of customers for each risk factor’s components. For e.g., there are 3 Casinos customers(Customer Nature), 192 customers are from India(Geography), 422 customer use Bank Guarantee product(Product and Services and 531 customer uses Internet Banking(Transaction Channel).
The main advantage of Power BI is that it shows the interlink between various components. In the pie chart at the lower corner of the figure, you can see that customer who are risk graded as “Medium” is substantial than others.
If we click at the medium segment, the whole view of Power BI is altered. You compare this figure with the above to see the difference, for instance, you can see the number of medium customers is 3126 for all risk factors, as seen in the Total field. In the world map chart, you can see the location of medium risk customers
You may be thinking that’s good, but maybe wondering, can all these risk factors can be combined into one so that I can see my overall risk of this organization. Yes, this can be done, please look at the below picture:
This is the next power view window where we have clicked on the high-risk segments (blue part in the chart). This will give you information about the high-risk profile in your organization. For e.g., In the highlighted section, it can be seen that bank is giving services to customers like Jewelry dealers, large taxpayers, money transfer agencies who are from IRAN which is the high-risk country to whom it is providing various high-risk products and services like bank guarantees, swift and these customers are carrying different types of transactions like issuing drafts, wire transfer which is the high-risk medium of doing transaction. All these components are high-risk components.
Now, it is time to perform risk calculations:
In the above figure, we can see each risk factor including its components with the number of customers by each component along with appropriate risk weight. Now, we need to perform Risk Calculation using various variables, so, we will leave Power BI, say hello to our old friend, Excel.
Risk Calculation
| Risk Factors | No of Customer | Risk Score | Total Risk Value |
| Customer Nature | 4240 | 47 | 199,280 |
| Geography | 4240 | 50 | 212,000 |
| Product and Services | 4240 | 18 | 76,320 |
| Transaction Delivery Channels | 4240 | 13 | 55,120 |
| 542,720 |
In the above table, the number of customers for each risk factor is the same which is when multiplied by their respective risk score gives the total risk value. As can be seen from the table, the risk value from the transaction delivery channel is low while the geography is high.
Risk Mitigation
In order for the risk mitigation we need to look at different control measures that are available in our organization to cope with risk.
| Control Measures | Implementation Status | Mentioned in Policy | Risk Factors | Control Strength |
| New Products Review from the Compliance Department | Not done | Yes | Product | 20% |
| Customer Screening | Done | Yes | Geography/Customer Nature | 90% |
| Wire Transfer Monitoring | Not done | Yes | Geography | 20% |
| Transaction Monitoring/STR Reporting | Done | Yes | Transaction Delivery | 80% |
| KYC/CDD | 40% still remains | Yes | Customer Nature | 60% |
Let us say, we have 5 types of controls in our organization, lets check their implementation status and their inclusion in our AML/CFT policy to determine their relative strength. For eg, for “New Products Review from Compliance” meaning that before all new products are launched by the organization, they need to be reviewed by the AML/CFT department for AML/CFT risk. However, even though this provision is mentioned in the policy, it is not actually implemented. But, there is still a possibility that it will be implemented in the future since, it is mentioned in the policy. Hence, control strength is 20%. Further, this control is directly applicable to mitigate product risk.
Similarly, the implementation status of KYC/CDD is 40% which means that KYC of 60% of customer accounts is only updated and it is directly applicable to mitigate risk from customer nature. In addition, customer nature risk also mitigated by customer screening, so we take the average of control strength of these two controls which brings to the value of 75%.
Residual Risk
| Risk Factors | No of Customer | Risk Score | Total Risk Value | Control Strength | Residual risk | %=Residual risk/ Total risk |
| Customer Nature | 4240 | 47 | 199,280 | 75% | 49,820.00 | 9.18% |
| Geography | 4240 | 50 | 212,000 | 55% | 95,400.00 | 17.58% |
| Product and Services | 4240 | 18 | 76,320 | 20% | 61,056.00 | 11.25% |
| Transaction Delivery Channels | 4240 | 13 | 55,120 | 80% | 11,024.00 | 2.03% |
| 542,720 |
The residual risk is derived after deducting control strength from total risk. From the above table, the risk from customer nature was 199,280, since the control strength is 75%, the residual risk will be 25%, hence, it is 49,820. Now, we can determine the residual risk rating based on the total risk of the organization. Please note that the residual risk rating is given by the following:
Residual Risk Rating(%) = Residual Risk/Total Risk
We have assumed the following 3 tier rating scale of Residual Risk as follows:
| Inherent Risks | Controls Strength | Residual Risks | Residual Risk Rating |
| High | 80%-100% | Low | 0%-20% |
| 20%-80% | Medium | 20%-80% | |
| 0%-20 | High | 80%-100% | |
| Medium | 80%-100% | Low | 0%-20% |
| 20%-80% | Medium | 20%-80% | |
| 0%-20 | High | 80%-100% | |
| Low | 80%-100% | Low | 0%-20% |
| 20%-80% | Medium | 20%-80% | |
| 0%-20 | High | 80%-100% |
Now, we can safely assume that after applying all the necessary controls, we have successfully brought down the AML/CFT risk to a low level. However, there are still areas of improvement in the control measures. You still need to implement those controls which are merely mentioned in the policy and new controls may need to be sought out with the changes in AML/CFT environment.
Final words,
Risk Assessment is not an exact science but both science and art. As you can see that we have made a lot of assumptions here. These assumptions are based on current and past trends, organization nature, size, and other factors.
Thank you for your time.
Further, if you have found this article useful, please do share and subscribe.
Next: Guidenline to Develop Anti-Bribery Corruption Policy and AML/CFT Policy
