Risk Management (Part 1)

Uploaded by johnindubai1982

ISO 31000 defines risk management as:
► “Coordinated activities to direct and control an organization with regard to risk”

→ Risk management is a coordinated effort from all units in the banking organization.
→ Everyone in the organization has a role to play in risk management.
→ The three lines of defence model puts risk ownership across the three levels in the bank:
  → Business Lines,
  → Risk Function,
  → Internal Audit.

Bank risks can be broadly classified into financial risks and non-financial risks.

3 Major Parts of the Risk Management Standard

► 11 Principles for managing risk (Clause 3)
► 5 components to the framework for managing risk (Clause 4)
► 5 processes for managing risk (Clause 5)

Terms and definitions
→ Risk: effect of uncertainty on objectives. An effect is a deviation from the expected. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
→ Risk management: coordinated activities to direct and control an organization with regard to risk.
→ Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
  ● The foundations include the policy, objectives, mandate and commitment to manage risk.
  ● The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
Risk management policy
● Statement of the overall intentions and direction of an organization related to risk management.
Risk attitude
● Organization's approach to assess and eventually pursue, retain, take or turn away from risk.
Risk management plan
● Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk.
● Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
● The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.
Risk owner
► Person or entity with the accountability and authority to manage a risk.
Risk management process
► Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Establishing the context
► Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy.
External context
► External environment in which the organization seeks to achieve its objectives. External context can include:
► Political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local.
Internal context
► Internal environment in which the organization seeks to achieve its objectives. Internal context can include:
► Governance, compliance, organizational structure, roles and accountabilities;
► Policies, objectives, and the strategies that are in place to achieve them;
► The capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
► Standards, guidelines and models adopted by the organization;
► Information systems, information flows and decision-making processes (both formal and informal);
► The organization's culture.
Communication and consultation
▬ Continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.
• The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of the management of risk.
♦ Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
→ a process which impacts on a decision through influence rather than power; and
→ an input to decision making, not joint decision making.

Stakeholder
♦ Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
♦ A decision maker can be a stakeholder.
Risk assessment
● Overall process of risk identification, risk analysis and risk evaluation.
Risk identification
► Process of finding, recognizing and describing risks.
► Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
► Identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' needs.

Risk source
▬ Element which alone or in combination has the intrinsic potential to give rise to risk.
▬ A risk source can be tangible or intangible.
Event
♦ Occurrence or change of a particular set of circumstances.
♦ An event can be one or more occurrences, and can have several causes.
♦ An event can sometimes be referred to as an “incident” or “accident”.
♦ An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.

Consequence
► Outcome of an event affecting objectives.
● An event can lead to a range of consequences.
● A consequence can be certain or uncertain and can have positive or negative effects on objectives.
● Consequences can be expressed qualitatively or quantitatively.
● Initial consequences can escalate through knock-on effects.
Likelihood
→ Chance of something happening.
→ In risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

Risk profile
► Description of any set of risks.
♦ The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.
Risk analysis
● Process to comprehend the nature of risk and to determine the level of risk.
● Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
● Risk analysis includes risk estimation.
Risk criteria
► Terms of reference against which the significance of a risk is evaluated.
► Risk criteria can be derived from standards, laws, policies and other requirements.
► Risk criteria are based on organizational objectives, and external and internal context.
Level of risk
► Magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
Risk evaluation
► Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
• Risk evaluation assists in the decision about risk treatment.
Risk treatment
● Process to modify risk. Risk treatment can involve:
▬ Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
▬ Taking or increasing risk in order to pursue an opportunity;
▬ Removing the risk source;
▬ Changing the likelihood;
▬ Changing the consequences;
▬ Sharing the risk with another party or parties (including contracts and risk financing); and
▬ Retaining the risk by informed decision.
► Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Control
♦ Measure that is modifying risk.
→ Controls include any process, policy, device, practice, or other actions which modify risk.
→ Controls may not always exert the intended or assumed modifying effect.

Residual risk
► Risk remaining after risk treatment.
● Residual risk can also be known as “retained risk”.
Monitoring
♦ Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
► Monitoring can be applied to a risk management framework, risk management process, risk or control.
Review
► Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
♦ Review can be applied to a risk management framework, risk management process, risk or control.
Principles
• For risk management to be effective, an organization should at all levels comply with the principles below.
Risk management creates and protects value.
→ Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
Risk management is an integral part of all organizational processes.
→ Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
Risk management is part of decision making.
→ Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
Risk management explicitly addresses uncertainty.
→ Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
Risk management is systematic, structured and timely.
→ A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
Risk management is based on the best available information.
→ The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement.

Risk management is tailored.
→ Risk management is aligned with the organization's external and internal context and risk profile.
Risk management takes human and cultural factors into account.
→ Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
Risk management is transparent and inclusive.
→ Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date.
→ Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
Risk management is dynamic, iterative and responsive to change.
→ Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
Risk management facilitates continual improvement of the organization.
→ Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.
General Framework
→ The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.
→ The framework assists in managing risks effectively through the application of the risk management process at varying levels and within specific contexts of the organization.

Risk treatment
● Risk treatment involves selecting one or more options for modifying risks, and implementing those options.
● Risk treatment involves a cyclical process of:
► Assessing a risk treatment,
► Deciding whether residual risk levels are tolerable,
► If not tolerable, generating a new risk treatment,
► Assessing the effectiveness of that treatment.
● Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
● The options can include the following:
♦ Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk,
♦ Taking or increasing the risk in order to pursue an opportunity,
♦ Removing the risk source,
♦ Changing the likelihood,
♦ Changing the consequences,
♦ Sharing the risk with another party or parties (including contracts and risk financing),
♦ Retaining the risk by informed decision.

Selection of risk treatment options
♦ Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements.
♦ Decisions should also take into account risks which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.
♦ Risk treatment can also introduce secondary risks that need to be assessed, treated, monitored and reviewed.
♦ The link between the two risks should be identified and maintained.

Preparing and implementing risk treatment plans
► The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.
► The information provided in treatment plans should include:
→ The reasons for selection of treatment options, including expected benefits to be gained;
→ Those who are accountable for approving the plan and those responsible for implementing the plan;
→ Proposed actions;
→ Resource requirements including contingencies;
→ Performance measures and constraints;
→ Reporting and monitoring requirements;
→ Timing and schedule.
Monitoring and review
♦ Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance.
♦ It can be periodic or ad hoc.
♦ Responsibilities for monitoring and review should be clearly defined.
▬ The organization's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
► Ensuring that controls are effective and efficient in both design and operation;
► Obtaining further information to improve risk assessment;
► Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;
► Identifying emerging risks;
► Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities.
♦ Progress in implementing risk treatment plans provides a performance measure.
♦ The results can be incorporated into the organization's overall performance management and measurement.
♦ The results of monitoring and review should be recorded and externally and internally reported as appropriate.
♦ They should also be used as an input to the review of the risk management framework.

Recording the risk management process
► Risk management activities should be traceable.
► In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.
► Decisions concerning the creation of records should take into account:
→ The organization's needs for continuous learning;
→ Benefits of re-using information for management purposes;
→ Costs and efforts involved in creating and maintaining records;
→ Legal, regulatory and operational needs for records;
→ Method of access, ease of retrievability and storage media;
→ Retention period;
→ Sensitivity of information.
Attributes of enhanced risk management
► All organizations should aim at the appropriate level of performance of their risk management framework in line with the criticality of the decisions that are to be made.
► The list of attributes below represents a high level of performance in managing risk.
► To assist organizations in measuring their own performance against these criteria, some tangible indicators are given for each attribute.

Key outcomes
▬ The organization has a current, correct and comprehensive understanding of its risks.
▬ The organization's risks are within its risk criteria.

Continual improvement
● An emphasis is placed on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills.
● Normally, there will be at least an annual review of performance and then a revision of processes, and the setting of revised performance objectives for the following period.
Full accountability for risks
► Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks.
► Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks.

► To conduct the risk assessment, first assess your company's risk score in the various components in Appendix 1 and 2.
► Then adjust the risk weights according to your company-specific conditions, and enter the risk scores in the table to arrive at the Risk Assessment Score.
► A Risk Score (1: lower risk, 5: higher risk) is assigned to each individual factor based on its relative importance in the identification of ML/TF risks.
► Each Risk Score is then weighted according to the level of risk the Company is exposed to through that individual factor.
► A weighted summation of the Risk Scores gives an overview of the risk exposure on an enterprise-wide basis.
► Refer to Appendix 2 and 3 for possible approaches and considerations in deriving the Risk Scores.
► Risk weights of 20%, 40%, 30% and 10% have been allocated to the table sections.
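The scoring procedure above, worked through in Python as an added example (it is not the deck's own scoring table). Section and factor names, the sample scores, which section carries which of the 20/40/30/10 weights, and the averaging of factors inside a section are all assumptions the slide does not settle.

```python
"""Risk Assessment Score as laid out on the slide: a Risk Score of 1 (lower)
to 5 (higher) per factor, section weights of 20%, 40%, 30% and 10%, and a
weighted summation giving the enterprise-wide exposure. Section and factor
names, sample scores and the weight-to-section mapping are placeholders."""
from dataclasses import dataclass

MIN_SCORE, MAX_SCORE = 1, 5

# Weights stated on the slide; which table section gets which is an assumption.
DEFAULT_WEIGHTS = {"Section A": 0.20, "Section B": 0.40, "Section C": 0.30, "Section D": 0.10}

# Constructed sample scoring, not the deck's appendix content.
SAMPLE_SCORES = {
    "Section A": {"factor A1": 2, "factor A2": 4},
    "Section B": {"factor B1": 5, "factor B2": 3, "factor B3": 4},
    "Section C": {"factor C1": 1, "factor C2": 2},
    "Section D": {"factor D1": 3},
}

@dataclass
class Section:
    name: str
    weight: float        # share of the enterprise-wide score, 0..1
    factor_scores: dict  # factor name -> Risk Score, integer 1..5

def build_sections(weights, scores):
    return [Section(name, weights[name], scores[name]) for name in weights]

def validate(sections):
    """Reject weights not summing to 100%, unscored sections, or off-scale scores."""
    if abs(sum(s.weight for s in sections) - 1.0) > 1e-9:
        raise ValueError("section weights must sum to 100%")
    for s in sections:
        if not s.factor_scores:
            raise ValueError(f"{s.name}: no factors scored")
        for factor, score in s.factor_scores.items():
            if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
                raise ValueError(f"{s.name}/{factor}: {score!r} is not in 1..5")

def section_score(section):
    """Mean of a section's factor scores (equal weighting of factors inside a
    section is an assumption; the slide only weights sections)."""
    return sum(section.factor_scores.values()) / len(section.factor_scores)

def assessment_score(sections):
    """Weighted summation of section scores: the Risk Assessment Score."""
    validate(sections)
    return sum(s.weight * section_score(s) for s in sections)

def reweight(weights, overrides):
    """Company-specific adjustment: overridden sections take the new weight; the
    remainder is split among the others pro rata so the total stays at 100%."""
    fixed = sum(overrides.values())
    if not 0.0 <= fixed <= 1.0:
        raise ValueError("overrides must total between 0% and 100%")
    rest = {k: v for k, v in weights.items() if k not in overrides}
    rest_total = sum(rest.values())
    adjusted = dict(overrides)
    for k, v in rest.items():
        adjusted[k] = v / rest_total * (1.0 - fixed) if rest_total else 0.0
    return adjusted
```

With the constructed sample the default weights give a score of 2.95, and raising Section B to 50% lifts it to 3.125; a factor scored outside 1..5 is rejected before any summation.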

Appendix 2 – Risk Scoring
