Over the past year, the RegTech company has spoken with hundreds of regulated institutions about their risk assessments. Through these discussions, it has highlighted the five most common challenges that companies face.
Threat and risk analysis
It stated that regulated organisations are under pressure to be threat-led. The Financial Conduct Authority’s financial crime guide states that organisations should have identified good sources of information, such as National Risk Assessments, ESA Guidelines, FATF mutual evaluations and typology reports.
However, there are challenges when scanning for threats and risks. Acuminor said that the organisations it spoke to agreed that crucial information about threats and risks is too static and disparate, and is not shared consistently.
It said, “Today, horizon scanning often means the financial crime team must dig through – for example – the National Risk Assessments in their countries of operation. Some of these reports are 10s of pages, some are 100s, they are structured differently, may be repetitive and crucially – it is difficult to extract which parts of the report are applicable to their customers and products.”
The market research found that there was also little sharing of threat and risk information within the organisation. This leaves teams sitting on useful information that never gets used.
Governance & buy-in
Another clear theme from the firms was inconsistency in the methods of risk management.
Acuminor stated that while the ultimate responsibility of financial crime risk assessment is with the fincrime team, buy-in from the individual business units is essential, but often lacking. The financial crime team are forced to waste time asking for information.
Furthermore, the inconsistency of risk management means the assessments become incomparable, making it tough for teams to build cases for investing in specific risk mitigations.
The firms also struggled with translating the risk assessment from a paper document into something that drives actions and improvements across the financial crime framework.
It said that when the risk assessment document is created it is often forgotten about until the time comes to update it. Firms seemed eager to change this and make more use of the assessments.
Risk & control calculations
The next pain point was “spreadsheet hell” for putting calculations alongside threats, risks and controls.
It said, “Whether you are using numbers to calculate risk or a high-medium-low rating, and even in the simpler organisations, there are multiple tabs and the potential for complex functions and formula – often this can cause the spreadsheet to crash.”
Manual risk assessments
Finally, the report states that none of the organisations Acuminor spoke to had implemented a satisfactory level of automation in their risk assessments.
Read the full report here.
Copyright © 2022 RegTech Analyst