Effective Business Risk Assessments

• Published date: 03 January 2023
• Subject Matter: Finance and Banking, Government, Public Sector, Financial Services, Terrorism, Homeland Security & Defence, Money Laundering
• Law Firm: Baker & Partners
• Author: Barry Faudemer

Under the various Codes of Practice issued by the Jersey Financial Services Commission (the "JFSC") the Boards of regulated businesses are required to undertake and keep an up to date Business Risk Assessment ("Risk Assessment"). Based on the Risk Assessment the Board must consider, on an ongoing basis, its risk appetite, and the extent of its exposure to money laundering, the financing of terrorism and the financing of proliferation risks "in the round" or as a whole, taking into account its organisational structure, its customers, the countries and territories with which its customers are connected, its products and services and how it delivers those products and services. It may also be beneficial for your money laundering, terrorism and proliferation risks and controls each to be considered separately. The Risk Assessment must also consider the cumulative effects of the risks identified. It must be kept up to date and subject to review in response to changing internal or external events. Failing to compile a Risk Assessment or neglecting to keep it up to date places the business and/or its principal or key persons at a very real risk of regulatory sanction.

The Risk Assessment should be regarded as the foundation stone that needs to be put in place before a business strategy can be built around the Risk Assessment to counter the money laundering, the financing of terrorism and the financing of proliferation risks. As with any building work, inadequate foundations places all that follows in jeopardy. Effective policies and procedures provide the detail of how the risk of money laundering, the financing of terrorism and/or the financing of proliferation will be managed. Poor policies and procedures or failing to follow your own policies and procedures increasingly places your principal persons, key persons and any person who performs or performed a senior management function at risk of a civil penalty, regulatory sanction, and/or a public statement.

The Codes of Practice require (not optional) Boards to undertake the following in relation to its Risk Assessment.

• Organise and control its affairs in a way that mitigates the risks that it has identified, including areas that are complex.
• Be able to demonstrate the existence of adequate and effective systems and controls (including policies and procedures) to counter money laundering, the financing of terrorism and the financing of proliferation.
• The Board must document its systems and controls and clearly...