Risk Assessment


1. What is a risk universe?


• A risk universe is a listing of the risks that an entity faces and is included in the initial risk
identification process.
2. How are risks typically organized?
• Risks are typically organized by standard risk categories such as strategic, financial, operational, and
compliance, but may also be divided into sub-categories based on function, division, sections, etc.
3. What are the steps involved in the assessment of residual risk?
• The steps involved in the assessment of residual risk typically include risk response, establishment of
controls, testing and assessment of internal controls, and corrective action.
4. What is the purpose of risk response?
• The purpose of risk response is to design risk responses at various levels based on the analysis of the
risk (impact and likelihood) and on the defined level of risk tolerance.
5. What are the categories of risk response?
• The categories of risk response typically include acceptance, avoidance, reduction, and sharing.
6. What are controls?
• Controls are any activities that mitigate or reduce risk, and typically involve an additional activity to
ensure that a process occurs as it should.
7. Where are controls typically established?
• Controls are typically established in those operations areas that are essential, where acceptance is too
risky and avoidance and sharing are not possible or practical.
8. What is the purpose of testing and assessment of internal controls?
• The purpose of testing and assessment of internal controls is to ensure that controls are operating
efficiently, particularly in automated processes, and to provide confidence that controls have reduced
risk to a tolerable level.
9. When is corrective action warranted?
• Corrective action is warranted when a control is weak, not in place, or not functioning properly.
10. What is the purpose of a final executive level report?
• The purpose of a final executive level report is to present and categorize residual risks and to identify
key obstacles to the achievement of objectives from an entity-wide perspective.

tell me about high-risk customers in banking


High-risk customers in banking refer to individuals or entities that present a higher risk of
involvement in financial crimes or non-compliance with regulations. These could include individuals
or entities that operate in high-risk industries, such as money service businesses, or those with a
history of non-compliance or suspicious activity.

To manage the risks associated with high-risk customers, banks are required to implement enhanced
due diligence measures, which may include obtaining additional information about the customer,
performing more frequent monitoring, and obtaining senior management approval for the business
relationship.

High-risk customers may also be subject to additional screening and monitoring, such as screening
against sanctions lists, politically exposed persons lists, and adverse media. Banks may also use
advanced analytical tools, such as artificial intelligence and machine learning, to identify and manage
risks associated with high-risk customers.

The failure to properly identify and manage risks associated with high-risk customers can result in
significant financial, regulatory, and reputational harm for banks. Therefore, it is critical for banks to
have effective risk management systems and controls in place to mitigate the risks associated with
high-risk customers.

tell me about the scale of risky bank clients


The scale of risky bank clients can vary widely depending on a number of factors, including the size
and scope of the bank's operations, the types of products and services offered, and the geographic
regions in which the bank operates.

Some banks may have a relatively small number of high-risk clients, while others may have a
significant proportion of their client base deemed to be high-risk. For example, banks that specialize
in international trade finance or correspondent banking may have a higher concentration of high-risk
clients due to the nature of these businesses.

In addition, the level of risk associated with a particular client can also vary over time, depending on
changes in their business operations or other factors that may impact their risk profile. As such,
banks must constantly monitor their client base to ensure that they are appropriately assessing and
managing the risks associated with each individual client.

what is the usual scale in european union


The European Union (EU) has set guidelines for its member states to identify and assess high-risk
customers. These guidelines are in line with international standards, such as those set by the
Financial Action Task Force (FATF), and aim to ensure a consistent and effective approach to
managing money laundering and terrorism financing risks across the EU.

The EU defines high-risk customers as those who are more likely to pose a higher risk of money
laundering or terrorism financing. Examples of high-risk customers may include politically exposed
persons (PEPs), customers from high-risk countries, or customers with complex ownership structures.

Banks in the EU are required to conduct enhanced due diligence (EDD) measures for high-risk
customers. This may include obtaining additional information on the customer, the source of their
funds, and the purpose of their transactions. Banks may also be required to conduct ongoing
monitoring of high-risk customers to ensure that their transactions are consistent with their expected
activity and to detect any suspicious activity.

The scale of high-risk clients can vary depending on the size and type of bank. Some banks may have
a relatively small number of high-risk customers, while others may have a larger number. Regardless
of the scale, managing the risks associated with high-risk customers is an important part of a bank's
overall risk management framework.

explain the part about acceptance, avoidance, reduction and sharing in risk assessment

Acceptance, avoidance, reduction, and sharing are categories of risk response that are part of the risk
assessment process.

Acceptance means that the bank is willing to accept the risk and continue with the operation or
transaction. This approach may be taken if the risk is small, or if the cost of implementing controls to
mitigate the risk is greater than the potential loss.

Avoidance means that the bank decides not to undertake the operation or transaction that presents
the risk. This approach may be taken if the risk is high and the potential loss is significant.

Reduction means that the bank implements controls to mitigate the risk to an acceptable level. This
approach may be taken if the potential loss is high and the cost of controls is lower than the
potential loss.

Sharing means that the bank shares the risk with another party, such as an insurance company. This
approach may be taken if the potential loss is high and the cost of controls is also high.

The choice of risk response depends on the level of risk tolerance of the bank, as well as the specific
circumstances of the operation or transaction. The goal is to find a balance between risk and reward
that is consistent with the bank's overall risk appetite and business objectives.

explain this part further and give examples: Sharing means that the bank shares the risk with another
party, such as an insurance company. This approach may be taken if the potential loss is high and the
cost of controls is also high.

Sharing is a risk response strategy where the bank transfers some or all of the risk to another party,
usually an insurance company, by purchasing an insurance policy. This can help the bank reduce its
exposure to a particular risk while still retaining some level of control.

For example, if a bank wants to reduce the risk of losses due to cyber attacks, it can purchase a
cybersecurity insurance policy from an insurance company. The insurance company will then bear the
financial losses incurred by the bank if it suffers a cyber attack, up to a certain limit. The bank will pay
a premium to the insurance company for this coverage.

Another example is in the case of a construction loan where the bank shares the risk with the
developer. In this case, the bank may agree to finance a portion of the construction loan, while the
developer covers the remaining portion. If there are any losses during the construction process, the
developer would bear a portion of the loss along with the bank.

Sharing is an effective strategy for managing risks that are too costly or difficult to control using
other methods. However, it is important for the bank to carefully consider the terms of the insurance
policy or other sharing arrangement to ensure that it provides sufficient protection and is a cost-
effective solution.

how about in assessing high risk customers?


When assessing high-risk customers in banking, sharing the risk can also refer to sharing information
with other financial institutions and regulators. This helps to create a more complete picture of the
customer's financial activity and potential risks. For example, if a customer is flagged as high-risk due
to their involvement in suspicious transactions, a bank may share this information with other banks
and regulatory authorities to prevent money laundering and terrorist financing. By sharing
information, the risk is spread across multiple parties who can work together to mitigate it.

explain likelihood in risk assessment


Likelihood refers to the probability or chance of a particular risk event occurring. In risk assessment,
likelihood is often assessed in terms of high, medium, or low probabilities of occurrence. This
assessment is based on a combination of factors such as historical data, expert judgment, and other
relevant information.

For example, if a bank is assessing the likelihood of a customer defaulting on a loan, they might look
at factors such as the customer's credit history, current financial situation, and economic indicators to
determine the probability of default. If the likelihood is deemed high, the bank may take additional
measures to mitigate the risk such as requiring collateral or higher interest rates.
