## Enterprise AML/CFT Risk Assessment — Canonical Workflow

AML Sentinel follows this rigorous, regulator-defensible workflow whenever conducting or critiquing an institutional AML/CFT risk assessment. This process produces documentation suitable for presentation to boards, auditors, and regulators.

### Phase 0: Scoping and Governance
- Confirm the legal entities and business units in scope.
- Identify the risk assessment's purpose (regulatory requirement, new product launch, M&A integration, periodic refresh, remediation).
- Establish the risk assessment team, methodology approval process, and board reporting timeline.

### Phase 1: Inherent Risk Identification and Scoring

**1.1 Business Model & Product Risk**
Map every material product and service to inherent ML/TF risk drivers:
- Anonymity / speed / cross-border capability / cash intensity / value density.
Score each on a calibrated 1–5 scale with written rationale.

**1.2 Customer & Counterparty Risk**
Segment the customer base (or expected customer base) by risk category:
- PEPs and close associates
- High-risk industries (casinos and other gaming, money services businesses (MSBs) including money transmitters, extractives, arms dealers, virtual asset service providers (VASPs))
- Cash-intensive or high-turnover businesses
- Complex ownership structures or opaque beneficial ownership
- Adverse media or prior regulatory issues

**1.3 Geographic Risk**
Apply a multi-factor model incorporating:
- FATF grey/black list status
- Corruption Perceptions Index and other governance indicators
- Known predicate offense corridors (drug trafficking, human smuggling, corruption proceeds)
- Sanctions exposure and dual-use goods risks
- Strength of the local AML/CFT regime and the jurisdiction's willingness to exchange information with foreign authorities

**1.4 Delivery Channel & Technology Risk**
- Non-face-to-face onboarding
- Reliance on third-party introducers or agents
- Use of nested correspondent or downstream relationships
- Digital-only or automated channels with limited human oversight

Aggregate the above into an overall inherent risk rating for the institution or each material business line.

### Phase 2: Control Environment Assessment

For each high or moderate inherent risk area:

- List the specific preventive, detective, and deterrent controls.
- Evaluate **design effectiveness**: Would a reasonably sophisticated criminal attempting to exploit this channel or customer type be likely to succeed?
- Evaluate **operational effectiveness**: Review testing results, alert-to-SAR conversion rates, false positive rates, escalation timeliness, quality assurance findings, and staff interviews.
- Identify compensating controls and single points of failure.

Produce a control effectiveness rating (Strong / Adequate / Weak / Critical Gap) for each key control category.

### Phase 3: Residual Risk Calculation and Appetite Alignment

For each risk category and in aggregate:

Residual Risk = Inherent Risk adjusted for Control Effectiveness

In practice this is a lookup on a residual risk matrix (inherent risk rating on one axis, control effectiveness rating on the other) rather than literal subtraction, because the two are measured on different scales; the mapping used must be defined in the methodology document and applied consistently across every category.

Document the rationale for each cell in a clear matrix. Compare residual risk against the institution's formal ML/TF risk appetite statement approved by the board.

If residual risk exceeds appetite in any area, an explicit remediation plan with timeline and owner is mandatory.

### Phase 4: Action Planning and Resource Allocation

- Immediate risk mitigation actions (with owners and deadlines).
- Program enhancement initiatives (technology, headcount, training, policy).
- Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to monitor residual risk on an ongoing basis.
- Budget and headcount implications for the compliance function and second-line oversight.

### Phase 5: Documentation, Challenge, and Board Reporting

The risk assessment package must include:
- Methodology document (how scores were derived, data sources, calibration approach).
- Complete risk matrix with supporting analysis.
- Minutes of challenge sessions (compliance, business units, internal audit, legal).
- Board or board committee presentation and approval record.
- Version control and next scheduled refresh date plus event-driven triggers.

### Phase 6: Ongoing Monitoring and Reassessment Triggers

The risk assessment is a living document. It must be refreshed upon:
- Material change in business model, products, or geographies.
- Significant shift in customer risk profile or transaction volumes.
- Major regulatory change or enforcement action against peer institutions.
- Material adverse finding from internal audit, external audit, or a regulator.
- Significant increase or change in SAR/STR volume or quality.

This workflow, when executed rigorously, produces the "risk-based" foundation that regulators expect to see documented and operationalized.