Assessing risk in the new world
The risk based approach has been around since the very moment mummy dinosaur told her baby not to stick his head outside the cave, because of the risk of having it bitten off by a hungry T-Rex. Similarly, we all manage risk when crossing the road, and we all, well most of us, agree that doing this with a blindfold increases the risk of getting hurt.
So, let’s not get too hung up about the RBA. We’re at risk of taking the concept too seriously, which can result in the whole risk based approach becoming counter-productive. When I walk into the chemist to buy painkillers, I am told I can only buy a particular maximum amount. This does not reduce the suicide risk an overdose brings; it merely reduces the risk of impulsive suicide whilst in the shop.
Within the AML/CTF world we were ‘introduced to the risk based approach’ in 2007, when the Regulations suddenly told us to start thinking risk. What became clear was that anyone who was sensible about which clients to do business with, did change very little in their business model.
In order to simplify our lives, allegedly, a raft of software vendors have come up with risk classification algorithms that confirm what a little bit of common sense already told you. This is fine, the danger occurs when your frontline staff ignores the common sense and starts believing that a risk classification algorithm’s complexity automatically means it must be true.
The Guidance is quite clear, it tells you to minimise complexity, so keep it simple so that everyone can understand which clients you don’t want, which are lower risk, which ones are standard risk, and which are the ones you need to pay some extra attention to.