Sanctions Compliance Program - Risk Assessment

The most frequent questions we receive on risk assessment:

  • How do I conduct a sanctions risk assessment?
  • What is inherent risk? 
  • Doesn’t screening assess my risk? 

What is a risk assessment?

A risk assessment is the means of identifying the areas of your organization’s operations where there is inherent risk of sanctions violations or misconduct. Effective risk assessments are conducted regularly, or as an ongoing exercise, using a defined risk-based methodology that is tailored to the nature of your operations and evolves with the changing sanctions environment.

The risk assessment identifies potential threats to your company’s sanctions compliance in every part of the business. The approach to finding the inherent risk in your business should be both “top-down” and “bottom-up.” “Top-down” means assessing the offerings that your company provides to its customers and counterparties, in the form of all products and services offered directly and indirectly. “Bottom-up” means assessing the risk that your customers and counterparties present, from their intended use of your company’s products and services to their operations, partners, locations and other criteria. Taking this dual-track approach allows your company to make a best-practice effort to identify any direct or indirect engagement with a sanctioned party, sanctionable conduct, or efforts to circumvent or evade sanctions.

Inherent risks

An inherent risk is a sanctions risk your company faces when there are no internal controls in place to mitigate it. Clients, customers, intermediaries, counterparties, products, services, supply chains, transactions, and geographical areas all pose inherent risks to your company, and the purpose of the risk assessment is to identify those risks.

When conducting a risk assessment, your company should leverage existing information about your business: from the capabilities that your products and services offer, to the information obtained through onboarding and your KYC (Know Your Customer) or due diligence processes for reviewing customers and counterparties. The information obtained through these processes should be used to assess the inherent sanctions risks related to your customers and counterparties. This will enable your company to focus its business and compliance activities to achieve the highest reward at the lowest risk.

Adapt to the changing risk environment

Adapting to the changing risk environment is critical to identifying the sanctions risk for your organization. Sanctions can change on a daily basis, so this means updating the methodology of your risk assessments as new sanctions, guidance, advisories, and enforcement actions are announced, and staying abreast of current legislation and regulatory requirements.

Even if your company only operates in the Nordics, there remains a risk of violating sanctions regimes imposed by authorities around the world, or of becoming subject to sanctions yourself as a result of your business activity. It is therefore essential that your organization understand both the sanctions requirements that are directly applicable to where and how you operate, including the regimes directly applicable to your financial transactions, and the global sanctions landscape, in particular that of the UK and US, since being designated by either country can be as devastating to a company as violating legally applicable sanctions.

This can be a daunting task and providing tailored advice on the changing global circumstances is a core offering that Sanctions Advisory provides to our clients.

The importance of risk assessment during mergers and acquisitions

Mergers and acquisitions have proven to be a challenging area for assessing sanctions risk. This area has recently been the subject of repeated enforcement cases and, as such, has been highlighted by regulatory and enforcement agencies for special focus. The target or partner company of the merger or acquisition may have existing sanctions liabilities, and it is often the case during the due diligence process that sanctions risks are overlooked, or revealed too late in the process to be adequately addressed before the transaction has closed. This means that it is particularly important for your organization to conduct thorough sanctions risk assessments and customer due diligence on target or partner companies during mergers and acquisitions, and it is best to integrate the focus on sanctions, and thus your sanctions compliance units, into the process from the beginning.

Assessing the sanctions risks associated with the merging or acquired party is essential to avoid sanctions violations after the transaction has closed. Due diligence must be conducted both before and after the acquisition to ensure that sanctions requirements are met, and that sanctions risks are assessed and appropriately controlled.

Questions to ask to evaluate your organization’s risk assessments

The following questions are useful to ask when assessing your organization’s risk assessment. The answers to these questions will give you insight into whether your risk assessments are effective.

  • Do we know the sanctions risk for every part of the business?
  • Are KYC processes, screening and risk ratings conducted for all new customers? Is it a part of routine risk assessment? 
Finally, keep in mind that the act of assessing, screening or rating a risk is not a control in itself. A risk assessment only tells you what the risks are and, as a result, where to focus your controls to mitigate them. We will explain how to control the risks you have identified in our post on internal controls, coming next Wednesday.