Enterprise-Wide Risk Assessment (EWRA) Essentials: Key Benefits, Common Hurdles, and a Plan for Implementation

Author: Mažvydas Miliauskas, CAMS
Published: September 10, 2024
EWRA

During a regulatory inspection, one of the key documents examined is the Enterprise-Wide Risk Assessment (EWRA).

Although it is an important compliance document, there is no single template that fits all organisations. Why is that?

In this blog article we will look at the basics, the importance of this process and the complexities involved.

At the end we will also go deeper down this rabbit hole to understand how the EWRA is made.

The basics: what is EWRA?

EWRA is a comprehensive process used by financial institutions. Its purpose is to identify, assess and mitigate money laundering (ML) and terrorist financing (TF) risks throughout the organisation.

It is a strategic process that periodically assesses the potential risks that an organisation may face. The assessment takes into account risks across its various businesses, products, services, customer types, geographic locations and other factors.

Why is EWRA important?

Done correctly, this assessment helps the organisation understand where its vulnerabilities lie, and allows it to compare risks across jurisdictions and licences (e.g. how customer activity and patterns differ between jurisdictions). The exercise is therefore critical for organisations that passport their activities to other countries (e.g. within the EU/EEA) or hold licences on several continents.

Some other benefits of this process (which may not always be visible at first):

  • Enhanced risk identification and understanding

The EWRA provides a holistic understanding (and in some cases a visual heat map) of the ML/TF risks the organisation faces across all of its operations, products, services, customer segments, delivery channels and geographies. By identifying and categorising risks, the organisation can prioritise the areas and gaps that require more attention and resources, and implement more effective, targeted controls to mitigate those risks.

  • Meeting regulatory expectations

Regulators often require financial institutions to conduct risk assessments. This is necessary to ensure compliance with applicable legislation and to show that the organisation applies a risk-based approach. If the exercise is done properly, it demonstrates the institution's understanding of its exposure to ML/TF risks and prepares it for regulatory audits and inspections, reducing the risk of penalties for non-compliance.

  • Enhanced decision-making

The insights gained from an EWRA enable senior management, the board and action owners to make informed decisions about risk management strategies, customer relationships and product offerings.

  • Strategic planning

EWRA helps align the organisation’s risk appetite with its strategic objectives. It ensures that the business model or product(s) offered do not expose the institution to unacceptable levels of risk.

  • Qualitative and quantitative analysis

EWRA typically relies on both qualitative and quantitative analyses to assess ML/TF risk exposures. Qualitative assessments focus on descriptive, subjective insights that help understand the context and complexity of risks, while quantitative assessments rely on numerical data and objective analysis to measure and compare risks.

  • Reputation & customer trust

By proactively managing compliance risks, organisations protect themselves from the reputational damage that can result from being associated with financial crime and increase customer confidence.

  • Ongoing monitoring

The EWRA is not a one-off activity, but a continuous process. It evolves, allowing for regular monitoring and updating of risk assessments in response to new threats, regulatory changes, and business developments that other compliance programs may miss.

  • Empowering employees

The EWRA can also empower employees (e.g. department heads) by giving them the knowledge and recommendations they need to secure additional resources (e.g. funding) that are critical to managing the identified risks effectively.

Challenges for the EWRA

Conducting an EWRA is a complex process. It presents several challenges to the compliance team and requires careful planning, coordination and ongoing effort. These challenges can affect the accuracy, effectiveness and overall results of the risk assessment, and they can create unnecessary internal tension between teams.

Some of the key challenges that can arise from this process:

  • Lack of resources & expertise

Implementing an EWRA requires significant resources in terms of time, money and skilled personnel, which can put a strain on the organisation, especially when there are competing priorities.

  • Risk methodology and framework

Deciding on a risk assessment methodology that accurately reflects the organisation's unique risk profile can be challenging. Scoring and categorising risks and controls is partly subjective, which can introduce bias or inconsistency into the assessment and, if left unchecked, suggests that the organisation is treating the EWRA as a tick-the-box exercise.

  • Complexity of the organisation

Multinational organizations with different business lines and product portfolios may face different regulatory requirements in various jurisdictions and regions, depending on where they hold licenses. This is usually the main reason why there is no one-size-fits-all template for the EWRA.

  • Evolving regulatory landscape

Compliance regulations are constantly evolving, with new guidelines, requirements and expectations from regulators, so the EWRA methodology must take a proactive approach. For example, the guidelines often mention the ML/TF typologies, but some jurisdictions are already expanding the scope so that the EWRA includes other risk areas such as sanctions and proliferation financing and fraud.

  • Data quality and availability

Organisations often struggle with inconsistent, incomplete or inaccurate data across different departments, products or dashboards/systems, which makes it difficult to conduct a reliable risk assessment.

  • Integration with existing risk management frameworks

The EWRA may use a methodology that differs from the standard set by the Chief Risk Officer or the Enterprise Risk Management team.

  • Technology and tools

Older technology systems may not support the sophisticated analytics and reporting required for an effective EWRA, leading to data integration and risk analysis challenges or additional time spent on customisation.

  • Lack of coordination

An effective EWRA requires cross-departmental coordination, often followed by meetings, interviews and deadlines with other teams such as risk management, data analytics, IT, legal, etc.

  • Continuous improvement & monitoring

Identifying and assessing emerging risks and best practices is an important part of this process, as risks evolve rapidly with changes in technology and criminal behaviour. The EWRA can also help define key risk indicators (KRIs) that keep senior management aware of specific metrics (e.g. the share of high-risk customers) and ensure they are informed when the organisation's risk profile begins to change (e.g. a large increase in newly onboarded customers from a single country).

  • Risk awareness

Creating and maintaining a culture of risk awareness throughout the organisation is challenging, particularly in large organisations where employees may not fully engage in AML/CFT efforts. The involvement of senior management in this process is therefore crucial; without it, the exercise can be almost impossible.

  • Clear documentation

There is a saying that "if it is not documented, it did not really happen", and this applies to the EWRA as well: the methodology, the data sources, the scoring decisions and the sign-off should all be recorded so that an inspector can retrace them.

  • Balancing business objectives with compliance

It is common for business objectives not to be fully aligned with compliance objectives. The EWRA should reflect the actual situation, including such tensions, together with the organisation's commitment to resolving the identified risks.
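The "Continuous improvement & monitoring" item above mentions two key risk indicators: the share of high-risk customers and a sudden concentration of new customers from one country. The following is an added example for this article (not a metric set prescribed by any regulator or by the author) showing how both could be computed over onboarding data. The onboarding records are constructed, and the thresholds (25% high-risk limit, threefold month-on-month growth, minimum of five new customers) are assumptions that an institution would set in its own risk criteria.

```python
"""Two key risk indicators (KRIs): share of high-risk customers, and a sudden
concentration of newly onboarded customers from one country.

Added example for this article; not a metric set prescribed by any regulator.
Thresholds are assumptions and the onboarding records are constructed.
"""
from collections import defaultdict

# Constructed onboarding records: (month, country, AML risk rating).
ONBOARDED = [
    ("2024-01", "LT", "medium"), ("2024-01", "LT", "low"),
    ("2024-01", "DE", "low"),    ("2024-01", "EE", "high"),
    ("2024-02", "LT", "low"),    ("2024-02", "DE", "medium"),
    ("2024-02", "EE", "low"),    ("2024-02", "EE", "high"),
    ("2024-03", "LT", "low"),    ("2024-03", "DE", "low"),
    ("2024-03", "EE", "high"),   ("2024-03", "EE", "high"),
    ("2024-03", "EE", "medium"), ("2024-03", "EE", "high"),
    ("2024-03", "EE", "low"),    ("2024-03", "EE", "high"),
]


def high_risk_share(records) -> float:
    """Fraction of records rated 'high'. Returns 0.0 for an empty book rather
    than raising a division error, so a newly licensed entity with no
    customers yet does not crash the report."""
    if not records:
        return 0.0
    return sum(1 for _, _, rating in records if rating == "high") / len(records)


def onboarding_counts(records) -> dict:
    """country -> {month: number of customers onboarded in that month}."""
    counts = defaultdict(dict)
    for month, country, _ in records:
        counts[country][month] = counts[country].get(month, 0) + 1
    return dict(counts)


def concentration_alerts(records, growth_factor=3.0, min_new=5) -> list:
    """Flag (month, country, previous, current) where onboarding from one
    country is at least `growth_factor` times the previous month AND at least
    `min_new` customers. The absolute floor stops 1 -> 3 noise from alerting;
    a previous month with zero onboardings is treated as 1 so that a brand-new
    corridor can still trip the ratio."""
    months = sorted({month for month, _, _ in records})
    alerts = []
    for country, per_month in onboarding_counts(records).items():
        for prev, cur in zip(months, months[1:]):
            n_prev = per_month.get(prev, 0)
            n_cur = per_month.get(cur, 0)
            if n_cur >= min_new and n_cur >= growth_factor * max(n_prev, 1):
                alerts.append((cur, country, n_prev, n_cur))
    return sorted(alerts)


def kri_report(records, high_risk_limit=0.25) -> dict:
    """What a board-pack line might carry: the metric, whether it breached the
    (assumed) appetite limit, and any country concentration alerts."""
    share = high_risk_share(records)
    return {
        "high_risk_share": round(share, 3),
        "high_risk_limit_breached": share > high_risk_limit,
        "concentration_alerts": concentration_alerts(records),
    }


if __name__ == "__main__":
    print(kri_report(ONBOARDED))
```

On the constructed data, Estonia goes from 2 to 6 new customers in March, which meets both the ratio and the absolute floor, while the high-risk share of 37.5% breaches the assumed 25% limit. The two thresholds together are the point: a ratio alone fires on tiny numbers, an absolute count alone misses a small corridor that triples.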

There may be more examples, but let’s move on to the more interesting part – how to create an EWRA.

How to create EWRA for your organisation?

First, an important disclaimer. There is no agreement on which methodology works best, and different industries face compliance risk at different levels. The example used in this article is not the only resource you should rely on, so we would like to mention several others worth considering. Read as many sources as you can and only then decide what can be used for your organisation. Some of the resources include:

  1. The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption;
  2. EBA’s ML/TF Risk Factor Guidelines
  3. Other local regulatory publications (e.g., BoL Overview of EWRA by Market Participants ; MAS – Enhancing Robustness of EWRA on ML/TF; AUSTRAC Guidance)

For this example to create the EWRA, we’ll use the risk management model from the official ISO 31000 standard (see below), which is divided into 3 main stages. We won’t cover the other elements in this article, but they also play an important role in the process.

Risk Management Process. Source: ISO 31000:2018 Risk Management – Guidelines

Stage 1 – Identify the scope, context and criteria that are relevant to your organisation

Scope

The organisation should be clear about the scope of the EWRA exercise, as this determines how the risk assessment has to be tailored. Will it also cover areas such as sanctions or fraud? What time period will be used? Will it cover private customers, business customers or both? What about existing branches? Are partnership models within or out of scope? The list of questions can go on and on.

Context

Context is the internal and external environment in which the organisation operates.

The internal context covers the risks the organisation inherits from the activity specific to its business model. For example, a bank and a pension fund may be exposed to different ML/TF risks even though they operate in the same jurisdiction. Likewise, a partnership with a company located in a jurisdiction on FATF's list of Jurisdictions under Increased Monitoring presents different compliance risks compared to a partner located in the same country.

The external context refers to the environment in which the organisation operates (regulatory environment, level of corruption, etc.). For example, a regulator in one country may accept a certain type of customer, while in another country the same customer base would fall outside the regulator's risk appetite.

When considering the level of criminality and the relevant typologies, it is good practice to consult external reports. A good example is the National Risk Assessment (NRA), published by the public sector, which provides a comprehensive overview of threats, vulnerabilities and crime trends, as well as a review and rating of ML/TF-related issues affecting the country as a whole and individual sectors (e.g. the banking industry, electronic money institutions, etc.). Combine these findings with the local AML laws and you will have a good understanding of what the EWRA document needs to cover.

Organization's EWRA

(Risk) criteria

Defining risk criteria for an EWRA requires a thorough understanding of the organisation's risk environment, and the criteria must be clear and measurable so that they can be tested against the organisation's risk appetite and strategic objectives. They should be flexible enough to adapt to changes in the risk landscape, yet robust enough to provide a consistent framework (methodology, risk scores, thresholds, weights, etc.) for assessing ML/TF risks across the organisation.

Stage 2 – The risk assessment process

As the picture above shows, the risk assessment process is divided into 3 steps. In practice they are iterative and overlap rather than being strictly sequential: analysis often reveals risks that were not identified, and evaluation often sends the team back to refine the analysis.

Risk identification

Finding, recognising and describing risks that could expose the organisation to financial crime. These risks should be relevant, appropriate and current. Some examples of factors that might be considered:

Customer base

Number and percentage of high risk customers (e.g. AML risk score, industry, occupation), PEP customers, customers with adverse media findings, etc.

Geographical locations

Different regions present different levels of risk due to factors such as regulatory frameworks, political stability, economic conditions and prevalence of financial crime. Assessing geographic risk helps organisations understand where they may face higher ML/TF risks based on where they operate and have customers.

Products and services

The nature, complexity and diversity of the products offered (e.g. are they cash-intensive, do they allow cross-border movement of funds, etc.); the proportion of transactions for each product.

Delivery channels

Volume of transactions for each type of delivery channel (e.g. transactions conducted in cash vs. digital channels); volume conducted through non-face-to-face channels, etc.

Risk analysis

Critical stage in which the organisation systematically examines and interprets the data collected on potential ML/TF-related risks. The primary objective of risk analysis is to gain a deeper understanding of the nature, sources and potential impact of these risks. It enables the organisation to determine the significance of each risk.

Risk evaluation

The purpose of risk evaluation is to compare the results of the analysis (impact, likelihood and the organisation's ability to manage or mitigate each risk) against the risk criteria defined in Stage 1. It determines whether each residual risk is acceptable and what priority it should receive, and provides the input for risk treatment, enabling decision-makers to decide whether the risk needs to be addressed.

Vulnerability & Controls

While EWRA methodologies vary, there are several elements that every risk assessment needs to take into consideration:

Inherent Vulnerability (also referred to as Inherent Risk) – the level of risk that your organisation faces from its business model before any controls are applied.

Controls – the measures that reduce the identified risks (e.g. KYC programme, transaction monitoring, policies, training, etc.), rated for their design and operating effectiveness.

Residual Vulnerability (also referred to as Residual Risk) – the level of risk that your organisation faces from its business model after the controls have been applied.

There are many different risk matrices available online that you can use for inspiration which have different risk scores, but it is important to choose the one that best suits your organisation. Below are some examples that follow the 5×5 and 4×4 approaches. 

Residual Risk Matrix – Example 1. Source: Amberly Hazembuller / Sure Assessments
Residual Risk Matrix – Example 2. Source: CRS Certus
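To make the inherent-vulnerability, controls and residual-vulnerability chain concrete, here is an added example for this article (not the author's methodology, nor one prescribed by ISO 31000 or any regulator) that scores one risk factor on a 1 to 5 scale, rates its controls, and reads the residual level off a 5×5 matrix like the ones pictured above. The indicator weights, the aggregation rule, the matrix values and the sample factors are all assumptions chosen for illustration; each institution has to calibrate its own as part of the Stage 1 risk criteria.

```python
"""Inherent -> controls -> residual scoring for one EWRA risk factor.

Added illustration for this article; not a methodology prescribed by a
regulator or by ISO 31000. The weights, the 1..5 scales and the 5x5 matrix
are assumptions chosen for the example and must be calibrated by each
institution as part of its own risk criteria (Stage 1).
"""
import math
from dataclasses import dataclass

LEVELS = {1: "Low", 2: "Medium-Low", 3: "Medium", 4: "Medium-High", 5: "High"}

# Rows: inherent level 1..5. Columns: control effectiveness 1 (weak)..5 (strong).
# Deliberately conservative: even the strongest controls leave a "High"
# inherent exposure at "Medium" residual risk (controls reduce, never erase).
RESIDUAL_MATRIX = [
    [1, 1, 1, 1, 1],
    [2, 2, 1, 1, 1],
    [3, 3, 2, 2, 1],
    [4, 4, 3, 2, 2],
    [5, 5, 4, 3, 3],
]


@dataclass
class RiskFactor:
    name: str
    indicators: dict  # indicator -> (score 1..5, weight > 0)
    controls: dict    # control   -> effectiveness 1 (weak)..5 (strong)


def _to_level(x: float) -> int:
    """Round half up (not Python's banker's rounding) and clamp to 1..5, so a
    borderline 4.5 becomes 5 rather than being silently rounded down."""
    return max(1, min(5, math.floor(x + 0.5)))


def inherent_score(rf: RiskFactor) -> float:
    """Weighted average of the indicator scores (assumed aggregation rule)."""
    total_weight = 0.0
    weighted = 0.0
    for name, (score, weight) in rf.indicators.items():
        if not 1 <= score <= 5 or weight <= 0:
            raise ValueError(f"{rf.name}/{name}: score must be 1..5 and weight > 0")
        weighted += score * weight
        total_weight += weight
    if total_weight == 0:
        raise ValueError(f"{rf.name}: no indicators defined")
    return weighted / total_weight


def control_effectiveness(rf: RiskFactor) -> float:
    """Mean effectiveness of the listed controls; no controls = weakest (1)."""
    if not rf.controls:
        return 1.0
    for name, eff in rf.controls.items():
        if not 1 <= eff <= 5:
            raise ValueError(f"{rf.name}/{name}: effectiveness must be 1..5")
    return sum(rf.controls.values()) / len(rf.controls)


def residual_level(inherent: float, effectiveness: float) -> int:
    """Look the residual level up in the 5x5 matrix."""
    return RESIDUAL_MATRIX[_to_level(inherent) - 1][_to_level(effectiveness) - 1]


def assess(rf: RiskFactor, appetite: int) -> dict:
    """Full chain for one factor plus a comparison against the stated appetite."""
    inh = inherent_score(rf)
    eff = control_effectiveness(rf)
    res = residual_level(inh, eff)
    return {
        "factor": rf.name,
        "inherent": round(inh, 2),
        "control_effectiveness": round(eff, 2),
        "residual": res,
        "residual_label": LEVELS[res],
        "within_appetite": res <= appetite,
    }


# Constructed sample factors (illustrative scores, not real data).
CUSTOMER_BASE = RiskFactor(
    "Customer base",
    indicators={"share_high_risk_customers": (4, 0.4),
                "share_pep_customers": (3, 0.3),
                "adverse_media_hits": (2, 0.3)},
    controls={"kyc_programme": 4, "transaction_monitoring": 3, "training": 2},
)
GEOGRAPHY = RiskFactor(
    "Geography",
    indicators={"share_customers_in_fatf_increased_monitoring": (5, 0.5),
                "share_cross_border_volume": (4, 0.5)},
    controls={"country_risk_screening": 2, "sanctions_screening": 3},
)

if __name__ == "__main__":
    for factor in (CUSTOMER_BASE, GEOGRAPHY):
        print(assess(factor, appetite=3))
```

Two design choices are worth noting. The matrix is asymmetric on purpose: a "High" inherent score never drops below "Medium" residual, which mirrors the point made above that controls mitigate risk but do not remove the underlying exposure. Rounding is half-up rather than Python's default banker's rounding, so a borderline 4.5 inherent score lands in the higher band; an assessment that rounds down at the boundary is exactly the kind of subtle bias inspectors look for.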

Stage 3 – Risk treatment

The purpose of risk treatment is to document the identified risks and for the Board of Directors to decide how each of them should be addressed. It is important to emphasise that a risk assessment is different from an audit: not every finding has to be remediated, and there are several options to consider:

Accept the risk

The ideal situation is to keep risks within the organisation's predefined appetite. Risks outside the appetite can still be accepted, but such decisions should be taken with careful consideration, appropriate governance and enhanced risk management practices in place to protect the organisation.

Monitor the risk

The identified risk is kept under observation until a further decision is taken (e.g. continuing to monitor whether its likelihood is increasing).

Mitigate the risk

The residual risk is unacceptable, so further mitigating actions are required to reduce the likelihood or impact of the organisation being exposed to the identified risk (e.g. implementing a new rule, conducting additional analysis, providing training, etc.).

Avoid the risk

The identified risk is outside the organisation's risk appetite, so the activity must be discontinued or curtailed (e.g. limiting product thresholds, discontinuing the product, exiting the market, etc.).

Conclusions

In summary, the EWRA is a critical process for financial institutions. It enables them to manage and reduce the risk of being exploited for money laundering and terrorist financing. Conducting the exercise properly on an annual basis requires significant resources from the organisation.

The framework should be developed first. The organisation should then look at ways of automating the EWRA process in order to save time and increase the efficiency of the exercise.

AMLYZE itself does not offer help with the implementation of the EWRA, but it has a long list of reliable partners who can help your company.

About the author

Mažvydas Miliauskas, CAMS

Mažvydas is an AMLYZE contributing author. A CAMS-certified high achiever who is passionate about financial crime compliance, ML/TF typologies and enterprise risk management.
