Risk culture and risk appetite are two related but distinct concepts in the field of risk management. Risk culture is developed and shaped by the people at all levels of an entity by what they say and do. It is people who establish the entity’s mission, strategy, and business objectives and put ML/TF risk management practices in place. ML/TF risk management helps people make decisions while understanding that culture plays an important role in shaping those decisions.
AML/CTF risk culture is developed and shaped by the people at all levels of an entity by what they say and do. It is people who establish the entity’s mission, strategy, and business objectives and put ML/TF risk management practices in place. Similarly, ML/TF risk management affects people’s decisions and actions. Each person has a unique point of reference, influencing how they identify, assess, and respond to ML/TF risk. Risk management helps people make decisions while understanding that culture plays an important role in shaping those decisions.
Rather, culture, practices, and capabilities are integrated and applied throughout the entity. Integrating risk management with ML/TF risks, business activities, and processes results in better information supporting improved decision-making and enhancing compliance performance.
Risk Culture and Risk Appetite of an Organization
It helps organizations with the following:
Anticipate risks, including ML/TF risks earlier or more explicitly, opening up more options for managing the risks and minimizing the potential for deviations in performance, losses, incidents, or failures.
Identify and pursue existing and new opportunities by the entity’s risk appetite and strategy.
Develop and report a more comprehensive and consistent portfolio view of risk, allowing the organization to allocate finite resources better.
Improve collaboration, trust, and information sharing across the organization.
Risk culture integration enables the organization to make decisions better aligned with the speed and potential disruption of individual risks and the pursuit of new opportunities. Risk-aggressive entities may need to obtain risk-related information quickly and have streamlined decision-making processes to pursue fast-moving opportunities.
Where risk management practices and capabilities are separate, collecting relevant information, identifying stakeholders, and making decisions all take longer, and that can jeopardize an entity’s ability to meet urgent deadlines. In short, the more risk aggressive the entity, the greater the integration value.
Instilling more transparency and risk awareness into an entity’s culture requires actions such as the following:
Implementing forums or other mechanisms for sharing information, making decisions, and identifying opportunities.
Encouraging people to escalate ML/TF issues and regulatory breaches without fear of retribution.
Developing and sharing a strong understanding of the AML/CTF regulations and rules.
AML/CTF Compliance Culture
To maintain the AML/CTF compliance culture, the organization routinely hires capable compliance individuals with relevant experience who can exercise judgment and oversight by their responsibilities. The organization can access capable individuals, subject matter experts, or other technical resources to support decision-making. When investing in compliance technology, management considers the tools required to enable AML/CTF risk management responsibilities.
Risk appetite is the willingness of the organization to take and accept the risk. The organization defines its risk appetite level in the context of creating, preserving, and realizing value.
Decisions in selecting strategy and developing risk appetite are not linear, with one decision always preceding the other. Nor is there a universal risk appetite that applies to all entities. Many organizations develop strategy and risk appetite in parallel, refining each throughout strategy–setting. Some boards will provide input and may challenge management on its choice of risk appetite, while others will be expected to concur with management and approve the risk appetite set.
Regardless of how the decisions are made, the organization would have a preliminary understanding of its risk appetite based on the established mission and vision and prior strategies. These are important inputs into any risk appetite, refined when an organization reviews alternative strategies and selects the desired strategy.
The best approach for an entity aligns with the analysis used to assess ML/TF risk in general. Developing the ML/TF risk statements is an exercise in documenting the relevant ML/TF risks and mapping those risks with the AML/CTF controls. Some entities consider ML/TF risk in qualitative terms, while others prefer to use quantitative terms. Whatever the approach for describing ML/TF risk, it should reflect the entity’s compliance culture and business operations.
Moreover, if the organization wants to change some aspect of the AML/CTF compliance culture, defining a strong ML/TF risk appetite can help create and reinforce that desired AML/CTF compliance culture.
Final Thoughts
Risk culture refers to the values, beliefs, behaviors, and attitudes that shape an organization’s approach to risk. It encompasses the norms and practices that determine how risk is perceived, assessed, and managed within the organization. A strong risk culture promotes transparency, accountability, and proactive risk management, while a weak risk culture may lead to a lack of awareness or complacency towards risks.
On the other hand, risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. It reflects the organization’s risk tolerance and defines the boundaries of acceptable risk-taking. Risk appetite is influenced by various factors such as the organization’s strategic objectives, regulatory requirements, and risk management capabilities.
Both risk culture and risk appetite are essential components of effective risk management. A strong risk culture helps to ensure that risk is managed proactively and transparently, while a clearly defined risk appetite helps to guide risk-taking decisions and promote consistency across the organization. Organizations that prioritize risk culture and risk appetite are better equipped to manage risks effectively and achieve their strategic objectives.