Before implementing or revamping controls and procedures, an institution must first thoroughly examine the nature (manifestations and scenarios of financial crime) and the scale of the risks.
This is done in two phases:
- Identify the possible risks
- Analyse and determine the nature and scale of the risks
Then follows the tailoring of the control framework: fleshing out policies, controls and procedures. The integrity risk analysis forms the basis for selecting adequate risk mitigation controls and states the extent to which those controls are effective in mitigating the risks identified. The outcome of the process is net risk – the magnitude of risk that remains if all procedures and controls are effective. The question then is to what extent the remaining net risk is acceptable and matches the firm's risk appetite.
The analysis also encompasses risks identified within the framework of sound and ethical operational management, such as risks inherent in outsourcing certain corporate functions. Institutions must also use their integrity risk analysis to consider whether independent compliance and audit functions are in place, as referred to in Section 2d of the Wwft.
At regular intervals, firms must revisit their risks, analysis and controls, and test the effectiveness of those controls. This is because risks are not static. Risks to which a firm is exposed may change as a result of both internal and external factors. Similarly, unplanned events may necessitate an update of the analysis. Accordingly, we will check whether it is up to date as part of our supervision.
Institutions governed by the Wft are subject to a similar obligation to prepare a systematic integrity risk analysis. This is the subject of a good practices document we issued in 2015.