About once a year I will say in a dreamy voice, “Perhaps I should do a PhD in criminology…”. I love the idea of spending months in the library as I craft my thesis, and then becoming the first-ever Dr Grossey. But reality always kicks in when I remember that PhDs, and particularly those in subjects like criminology, have to be underpinned by numerical research. And it’s not just that I’m a bit scared of maths – although I am. It’s more that I know what a minefield it is to try to numericise (what? it’s a word… maybe) AML.
This was brought home to me recently as I worked with a client on their financial crime risk appetite statement. All was going swimmingly: we knew which financial crimes we were concerned about (with me banging the drum loudest for money laundering – nothing changes); we knew what could be tolerated (some financial crime, reluctantly but realistically, but no sanctions breaches at all); we knew who would be responsible for reviewing the risk appetite; we had even chosen a lovely font for the finished statement. And then we came to the dreaded metrics. That’s consultant-speak for measurements. How could we show in cold, hard numbers that we were keeping to our stated risk appetite? Take a moment and think about it. How do you measure that the amount of financial crime risk that you have taken on is within your tolerance? We came up with a couple of ideas of things that could be measured – number of internal SARs received and converted, number of staff doing AML training – but it’s definitely the trickiest part of the whole process. Any ideas, AML-ers so wise?
(And yes, I did a ton of Googling looking for suggestions. There are dozens of papers out there explaining what a risk appetite is, and what the statement should include – marvellous. But when it comes to metrics, they all say, in essence, “make sure that you include metrics”. Thanks a bundle.)
I hate money laundering 
% PEP clients, % high risk clients, exposure to high risk countries (or no exposure), position regarding 3rd party directors, registered office business etc
Welcome to the blog, Cathy, and thank you for your suggestions – they’ve all gone on the list! What do you mean by “registered office business”?
I am not sure what type of business the risk appetite is for but say for example it is a trust and company service provider their appetite may only be to do registered office business for certain clients or may have no appetite
Ah, I see – that could certainly be a useful risk discussion to have. Many thanks, Cathy.
Susan,
Having identified your risks can you not attempt to “numericise” them from the point of view were that to happen what would it do to the business (Impact/consequences) then how likely is it to happen (Likelihood) before you detail the actions taken to manage the risks (perceived) then you could do the metrics again. The impact probably wouldn’t change but the likelihood should reduce. You could then do a colour chart to show the numbers in colour before and after (Boards love traffic lights – means you don’t have to read anything -) You could amalgamate the Impact and Likelihood into a single number before and after your ‘mitigating actions’. (Getting all the terminology in !!)
This sounds like a plan, CDWOS – and with lots of business bingo potential too! So it’s assessing impact and likelihood both before and after the mitigation is put in place – and comparing the two. Sounds good to me.