
Lesson 20 of 39

Enterprise-Wide Risk Assessment *(OUTLINE + BULLET BODY)*

4 min read · CAMS

Explain the purpose of an enterprise-wide risk assessment (EWRA) and how it drives the program. Rate risk across the four standard categories: customer, product/service, geography, and channel. Distinguish **inherent risk** from **residual risk**, factoring in control effectiveness, and explain documenting and refreshing the assessment.

Cold open / hook *(0:00–0:30)* — [scripted]

Here's a question examiners love: "Why does your bank monitor this product more closely than that one?" If your answer is "because we always have," you fail. The right answer points to a document — the enterprise-wide risk assessment. It's the brain of the whole compliance program. Every control, every monitoring rule, every EDD trigger should trace back to a risk the institution identified and rated. Get the risk assessment right and the rest of the program has a rationale. Get it wrong — or skip it — and you're applying the same controls to a cash-intensive money transmitter and a retiree's savings account. Let's build one properly.

Body — [bullet teaching outline; expand to ~150 wpm prose when recording]

Purpose of the EWRA

- The **risk-based approach** (FATF Recommendation 1; FFIEC manual) requires institutions to **identify, assess, and understand** their ML/TF risks and **allocate resources** proportionately — more controls where risk is higher.
- The **enterprise-wide risk assessment** is the documented analysis that supports this: it justifies the program's design and is the **first thing examiners ask for**.
- It is **institution-specific** (your products, customers, geographies, delivery channels) — not a generic template — and it **drives** CDD/EDD thresholds, monitoring scenarios, and resourcing.
- It should be **approved by senior management/board** and **kept current**.

The four risk categories

- **Customer risk:** types of customers and their profiles — e.g., **PEPs**, cash-intensive businesses, MSBs, non-resident customers, complex legal-entity/trust structures, charities/NPOs. Higher-risk customers warrant EDD.
- **Product/service risk:** features that enable anonymity, rapid movement, or cross-border transfer — e.g., **wire transfers, correspondent banking, private banking, trade finance, prepaid/stored value, virtual-asset services**. Some products are inherently higher risk.
- **Geographic risk:** locations with elevated risk — the **FATF "black list"** (High-Risk Jurisdictions subject to a Call for Action) and **"grey list"** (Jurisdictions under Increased Monitoring), countries with weak AML controls, high corruption, sanctions exposure, or known drug/terror financing — both where customers are located and where transactions flow.
- **Channel (delivery/distribution) risk:** how the relationship is established and serviced — **non-face-to-face/online onboarding, third-party intermediaries, agents, correspondent relationships** raise risk versus in-person.
- Exam cue: memorize the four — **Customer, Product, Geography, Channel** — and be able to slot a scenario factor into the right one.

Inherent vs. residual risk (the key distinction)

- **Inherent risk:** the level of risk **before** applying any controls — the raw exposure from the customer/product/geography/channel mix.
- **Control effectiveness:** the **mitigating effect** of the program's controls (CDD/EDD, monitoring, screening, training, independent testing).
- **Residual risk:** the risk that **remains after** controls are applied. The shorthand: **Inherent risk − control effectiveness = residual risk.** In practice residual is usually read from a matrix (inherent rating × control strength); either way, residual can equal inherent (controls that do nothing) but never exceed it.
- The goal is not zero risk (impossible) but **residual risk within the institution's risk appetite**. Where residual risk is too high, the institution **strengthens controls, restricts the activity, or exits (de-risks)**.
- Exam cue: "before controls" = inherent; "after controls" = residual. Weak controls leave high inherent risk as high residual risk; only effective controls bring residual down.

Rating and aggregating risk

- Each category is typically rated (e.g., **low/medium/high**) using defined factors and then **aggregated** into an overall risk profile for products, customer segments, and the enterprise.
- The assessment should be **evidence-based** — using data (transaction volumes, SAR trends, customer counts, geographic exposure) — not just judgment.
- The output **calibrates the program**: high-risk segments get **EDD, lower thresholds for triggering review, more frequent periodic review, tighter monitoring**; low-risk segments get **simplified/standard measures**.
- It also feeds the **customer risk rating** assigned to each customer at onboarding and over time.
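The rating chain the two sections above describe (factor scores → category ratings → aggregated inherent rating → residual rating via control effectiveness → compare with appetite) is easy to get subtly wrong, for instance by averaging a "high" geography away or by letting residual exceed inherent. The following is an added, toy implementation written for this lesson, not a tool from the lesson, FATF or FFIEC; the 0–10 score scale, the rating cut-offs, the worst-category roll-up, the residual matrix cells, and the two sample segments are all assumptions chosen to illustrate the mechanics.

```python
"""Toy EWRA rating matrix: factor scores -> inherent -> residual -> action.

Added example for illustration; cut-offs, roll-up rule, matrix cells and
sample segments are assumptions, not a regulator's methodology.
"""
from dataclasses import dataclass
from typing import Dict

CATEGORIES = ("customer", "product", "geography", "channel")
LEVELS = ("low", "medium", "high")          # ordered: index compares severity
CONTROL_STRENGTH = ("weak", "adequate", "strong")


def rate(score: float) -> str:
    """Map a 0-10 evidence-based factor score to a rating band (assumed cut-offs)."""
    if not 0 <= score <= 10:
        raise ValueError(f"score out of range: {score}")
    if score < 4:
        return "low"
    if score < 7:
        return "medium"
    return "high"


def inherent_ratings(factors: Dict[str, float]) -> Dict[str, str]:
    """Rate each of the four standard categories.

    A missing category is an error rather than a silent default: an
    unassessed category is exactly what an examiner would flag.
    """
    missing = [c for c in CATEGORIES if c not in factors]
    if missing:
        raise KeyError(f"unassessed categories: {missing}")
    return {c: rate(factors[c]) for c in CATEGORIES}


def aggregate(ratings: Dict[str, str]) -> str:
    """Conservative roll-up: the worst-rated category drives the overall
    inherent rating, so one 'high' is never averaged away by three 'low's."""
    return max(ratings.values(), key=LEVELS.index)


# (inherent rating, control strength) -> residual rating.
# Every cell is <= the inherent rating: controls reduce risk, never add to it.
RESIDUAL = {
    ("low", "weak"): "low",       ("low", "adequate"): "low",       ("low", "strong"): "low",
    ("medium", "weak"): "medium", ("medium", "adequate"): "medium", ("medium", "strong"): "low",
    ("high", "weak"): "high",     ("high", "adequate"): "high",     ("high", "strong"): "medium",
}


def residual(inherent: str, controls: str) -> str:
    return RESIDUAL[(inherent, controls)]


@dataclass
class Assessment:
    segment: str
    inherent_by_category: Dict[str, str]
    inherent: str
    residual: str
    action: str


def assess(segment: str, factors: Dict[str, float], controls: str,
           appetite: str = "medium") -> Assessment:
    """Full chain for one segment; 'appetite' is the highest residual level tolerated."""
    by_cat = inherent_ratings(factors)
    inh = aggregate(by_cat)
    res = residual(inh, controls)
    if LEVELS.index(res) > LEVELS.index(appetite):
        action = "strengthen controls, restrict the activity, or exit"
    else:
        action = "maintain; review on schedule or on trigger event"
    return Assessment(segment, by_cat, inh, res, action)


# Constructed sample segments (illustrative numbers, not real institution data).
SAMPLE_SEGMENTS = {
    "retail savings": {"customer": 2, "product": 2, "geography": 1, "channel": 3},
    "MSB clients":    {"customer": 9, "product": 7, "geography": 5, "channel": 6},
}

if __name__ == "__main__":
    for name, factors in SAMPLE_SEGMENTS.items():
        for strength in CONTROL_STRENGTH:
            a = assess(name, factors, strength)
            print(f"{name:15s} controls={strength:8s} inherent={a.inherent:6s} "
                  f"residual={a.residual:6s} -> {a.action}")
```

Running it shows the point of the inherent/residual split: the MSB segment is rated high inherent whatever the controls, lands at high residual (outside a medium appetite) with weak or merely adequate controls, and only drops to medium residual once controls are strong. The retail segment is low on every axis and stays low regardless. The `RESIDUAL` table is where an institution's real methodology lives; the code only makes the rule "residual never exceeds inherent" explicit and checkable.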

Documenting and refreshing

- **Document everything:** methodology, factors, data sources, ratings, control assessments, conclusions, and approvals — so the assessment is **defensible to examiners** and repeatable.
- **Refresh periodically** (commonly **annually**) and **on trigger events:** new products/markets, mergers/acquisitions, regulatory changes, new typologies, or significant findings (e.g., a spike in SARs or an audit finding).
- Tie it back to the program: when the assessment changes, **controls, monitoring, and resourcing should change with it** — a stale risk assessment is a common examination criticism.
- Exam cue: "risk assessment must be current and drive the program"; refresh on material change, not just on a calendar.

Common pitfalls (what examiners flag)

- A **generic/template** assessment that doesn't reflect the institution's actual products and customers.
- **No link** between the assessment and the controls (the assessment exists but doesn't drive anything).
- **Only inherent risk** considered, with no analysis of **control effectiveness/residual risk**.
- **Stale** assessment — never refreshed after launching a high-risk product or entering a high-risk market.
- Exam cue: the right "next step" in many scenarios is **"update the risk assessment"** before changing controls or onboarding a new high-risk line.

Recap & next — [scripted]

The enterprise-wide risk assessment is the brain of the program. You rate risk across four categories — customer, product, geography, and channel — and you separate inherent risk, the raw exposure before controls, from residual risk, what's left after your controls do their work. Where residual risk exceeds appetite, you strengthen controls or exit. Document the methodology, get it approved, and refresh it on a schedule and whenever something material changes. With the risk assessment driving the program, the next lecture zooms into the customer level — Customer Due Diligence, Enhanced Due Diligence, and beneficial ownership: how you verify identity, find the real owners, and decide when a customer needs the enhanced treatment.

Sources

  • FATF Recommendation 1 (risk-based approach)
  • FFIEC BSA/AML Examination Manual, "BSA/AML Risk Assessment" section (inherent vs. residual risk; risk categories — products/services, customers, geographies)
  • FATF guidance on the risk-based approach and national/sectoral risk assessments
