How to create your company's Risk Assessment

If your company is subject to the AML Act, you are required to conduct a risk assessment to identify where your business may be at risk of being exploited for money laundering or financing of terror. The risk assessment serves as the foundation for developing your company’s policies and procedures to effectively prevent and combat fraud.

The risk assessment must evaluate the inherent risk of being exploited – this refers to the risk level present before any mitigating policies or controls are in place. A thorough risk assessment is comprehensive and should include the following elements:

• Description of your business model: This includes customer types, products and services, delivery channels, and the geographic areas in which your company operates.
• Identification and assessment of risk factors: An analysis of the risks associated with each element of your business model.
• Assessment conclusion: A final assessment of your company’s inherent risks.

For a more detailed guide on creating your risk assessment, please refer to the Danish Business Authority’s website. Below, we offer a concise overview of the three core elements involved in creating your risk assessment.

Step 1: Describe Your Business Model

The first step is to create an accurate and detailed description of your business model, which should cover the following aspects:

• Customer types: Identify the types of customers your company serves. Consider factors such as the industry, size, ownership structure, and geographic location of your customers. For instance, customers from countries with a high risk for money laundering or terrorist financing, will increase your company’s overall risk.
• Products and services: Describe the products and services your business offers. Some may be more attractive to money launderers than others – for example, financial services that involve large money transfers.
• Delivery channels: Analyse how your products or services are delivered. Digital or anonymous delivery channels may increase the risk of misuse.
• Geographic areas: Evaluate the countries and regions where your business operates or has customers. Some areas are more prone to corruption or have weak regulatory frameworks, making them higher-risk.

By gaining a clear understanding of these factors, you can better identify where your business is most vulnerable to risks. Ensure your description is thorough and based on your company’s existing operations.

Step 2: Identify and Assess Risk Factors

Once you have described your business model, the next step is to identify potential risk factors and assess their significance. Conducting a thorough risk analysis is essential for taking the appropriate preventative measures and reducing exposure to misuse.

• Identify risk factors: Use the elements from your business model to determine if specific customer types, products, delivery channels, or geographic regions present heightened risks.
• Evaluate the level of risk: Consider how likely it is that your company could be exploited for money laundering or terrorist financing through these risk factors. This involves assessing both threats (the likelihood of an event occurring) and vulnerabilities (how exposed your business is to those threats).
• Categorise risks: Group risks into different categories – such as low, medium, or high risk – to help you prioritise which areas require the most attention.

Draw on your own knowledge, customer data, and external sources like EU reports or the AML Act to substantiate your assessments. It is your responsibility to identify and document relevant sources to support your findings.

Step 3: Assessment Conclusion

After analysing and assessing the risks, it’s time to summarise your findings and draw conclusions about the risks you’ve identified. Consider whether any risk factors affect each other. For example, you may serve high-risk customers – such as those with internationally based owners – but if your business model involves meeting all customers in person, this may mitigate the overall risk.

Next, revisit the list from step one and conclude where your company is most at risk of being misused for money laundering or fraud. This concerns:

• Your customer types
• Your products and services
• Your delivery channels
• The geographic areas where you operate

You shouldn't create a single overall conclusion; instead, assess the risk for each of these points individually. Base your conclusions on the insights gained in steps one and two, and develop your risk assessment using your comprehensive knowledge of your company’s operations.

Keep Your Risk Assessment Updated

A risk assessment must evolve with your business, as it should always reflect your company’s current profile. As a rule of thumb, it should be updated at least once a year. You should also revisit your risk assessment if there are significant changes to your business model – such as introducing new customer types or services.

Preparing a risk assessment can be a complex task, and we have guided many of our clients through the process with our Consultancy Services. If you would prefer not to handle the task yourself, feel free to contact us to learn how we can assist you.

We wish you the best of luck with your risk assessment – an essential part of the collective effort to prevent money laundering and terrorist financing.