How to conduct a risk assessment of your business


You may have your own methods of assessing risk. The following is merely a suggestion.

The management of risk is engrained in today’s business culture, and most large organisations carry out regular risk assessments with the aid of a risk register. Some of us may not be comfortable with these methods at first but they are simple. All businesses, from the smallest to the largest, can easily develop a risk register to reflect their own particular risk profiles. It is important to strive to reflect your own business’s risks.

The size and detail of risk registers will differ between businesses to reflect their different risks. Our practices are of different sizes; we have different clients, ranging from the sole trader to the high net worth individual; and we may offer a full range of services or limit ourselves to just a few.

The advantage of the risk register is that policies and procedures for your firm emerge from it organically. It is also a physical record that you have taken a rational and considered approach to your legal obligations. Record keeping is more important than ever, now that your business will be supervised and monitored for compliance with the Regulations.

To carry out an effective assessment of your risks, you should assess your business in context. You should be careful to assess the three elements of risk (opportunity, likelihood and impact) even in relation to customers that you know and trust. There is no magic formula for devising a risk register – it is more art than science. It is simply a matter of:

• listing the realistic risks that you can think of
• categorising the various elements of the risk as H (high), M (medium) or L (low), taking account of any current management policies
• finding the aggregate of the various elements
• using your imagination to devise a way of managing that risk (if necessary)
• assessing the level of risk (H, M, L) after the management strategy has been implemented.

To set your level of risk, you should apply your experience and common sense – your best guess. One person’s assessment may well be different from another’s but there is nothing wrong with that.

It is important to review your risk register periodically, so that you can re-evaluate the risks and the effectiveness of your management policies.

Areas of risk do not necessarily fall into neat categories but overlap, and any particular risk should be seen as an accumulation of all elements together. There are no absolute rights or wrongs when identifying risks or rating them as High/Normal in the formulation of a proportionate response. All you can do is to make estimates based upon your experience and common sense. This lack of absolute certainty may cause discomfort to some but this is the nature of professional judgment. As long as your estimates are honest and within the wide band of reasonableness, your judgment will be valid, even if your estimates differ from those of others.

Risk register definitions explained
Opportunity: The purpose of this is to identify the various opportunity risks that exist in relation to your particular practice. It is important to be realistic, and not include fanciful risks.
Characteristics: The purpose of this is to record details of the opportunity to enable you to maintain consistency of decision-making by identifying consistencies or distinguishing between the risk register examples and any case in hand.
How likely: This is your estimate of how likely it is that a particular risk will materialise. If you have identified a risk, there is always a possibility that it will materialise. How likely that is depends upon how well you know the particular client.
Impact: This is the estimate of the negative impact to society if the risk were to materialise. This is, perhaps, the most difficult assessment, as it may relate to the crime underlying the money laundering, as well as the value of the property. Some transactions lend themselves more readily to organised crime and terrorism than others, including those involving overseas dealings, particularly with countries where corruption is rife and terrorism sponsored or tolerated, or from areas of high instances of drug dealing; complex transactions and corporate structures, which could obscure ownership; and high value transactions. It is suggested that the negative impact on society corresponds to the potential negative impact upon your practice. Clearly, the more serious the negative impact, the more likely you are to become involved in a money laundering investigation.
Aggregate risk: An aggregate of the values in the ‘how likely’ and ‘impact’ columns will provide you with a workable value for determining the rigour of your (proportionate) response to the particular risk.
Management policy: This records the proportionate response to the identified risks – the policies and procedures for forestalling and detecting money laundering, as required by the Regulations. Whether you implement or change a policy will depend upon your assessment of the magnitude of the aggregate risk.
Resultant risk: This is your assessment of the risk should the Management policy be implemented. It is a useful marker for future review of your risk assessment, in light of experience of its implementation.