According to guideline 1.2 of the ML/TF Risk Factors Guidelines each risk assessment should consist of two distinct but related steps:

1. the identification of ML/TF risk factors; and

2. the assessment of ML/TF risk.

These steps shall be proportionate to the nature and size of the obliged entities. For some firms it is however unclear how they should determine their nature and size.

Guideline 1.16 provides a little bit more clarity. Small firms for example that do not offer complex products or services and that have limited or purely domestic exposure, may not need a complex or sophisticated risk assessment.

Small and medium-sized enterprises (SMEs) are defined in the EU recommendation 2003/361. The main factors determining whether an enterprise is an SME are:

• staff headcount

• either turnover or

• balance sheet total

Small therefore means firms with a staff headcount lower than 50 and a turnover of less than € 10 million OR a balance sheet total of less than € 10 million.

The 9 Steps for conducting effective risk assessments

To be effective we recommend taking the following 9 steps:

1. Business inventory: make an inventory for each business unit/branch office/subsidiary of the organisation with respect to each risk factor: products, customers, countries, etc.

2. Risk scenarios: assess the form the risk of money laundering and terrorist financing is likely to manifest itself.

3. Scoring system: determine how to assess the likelihood and impact.

4. Inherent risks: for each scenario determine the likelihood of the scenario occuring and the resulting impact.

5. Risk appetite: assess the inherent risk and verify whether this is within the boundaries of your risk appetite.

6. Control measures: list and assess the control measures in place for each scenario.

7. Residual risks: determine the residual risk for each scenario by comparing inherent risk and level of control effectiveness.

8. Risk appetite: determine whether residual risk is within the boundaries of the risk appetite.

9. Measures required: determine the type of action to be taken, increase control or reduce risk.

Note that it will be impossible to reduce risk to absolute ‘zero’. Some residual risk may still remain after additional measures have been put in place. Where deficiencies in the control of risks that fall outside the risk appetite are found, it is however particularly important for Management to be aware of. Management will then have to act on the deficiencies identified in the risk assessment.