Enterprise Risk Assessment
Key Takeaways
- An AML/AFC risk assessment measures inherent risk, evaluates control effectiveness, and derives residual risk.
- FFIEC groups inherent risk into products/services, customers/entities, and geographies (the standard risk-factor categories).
- Residual risk = inherent risk adjusted for the strength of mitigating controls; it drives where resources are deployed.
- The assessment must be documented, periodically refreshed, and updated for material changes (new products, M&A, new markets).
Enterprise Risk Assessment
The enterprise-wide AML/AFC risk assessment is the analytical foundation of the entire program. Regulators expect every institution to identify its financial-crime exposures, weigh its controls, and direct people, monitoring, and technology where residual risk is highest. CAMS frames this as the step that justifies the risk-based approach — without it, a program cannot show why it does more for one customer and less for another.
The inherent-control-residual model
The risk-assessment equation tested on the exam is:
Residual risk = Inherent risk − effect of mitigating controls
| Concept | Definition | Example |
|---|---|---|
| Inherent risk | Risk before controls — the raw exposure of a product, customer, or geography | Cross-border wire transfers to high-risk jurisdictions |
| Control effectiveness | How well existing controls reduce that exposure | Real-time sanctions screening + enhanced monitoring |
| Residual risk | What remains after controls are applied | Reduced but not eliminated; drives resource allocation |
A classic trap is an item in which a customer's rating is lowered because controls are strong. Strong controls reduce residual risk, but the inherent risk of, say, a private-banking client in a secrecy jurisdiction stays high. Confusing the two is a flagged error.
FFIEC risk-factor categories
The Federal Financial Institutions Examination Council (FFIEC) manual groups inherent risk into recurring categories that you should be able to list:
- Products and services — wire transfers, private banking, prepaid cards, correspondent banking, virtual assets, trade finance.
- Customers and entities — politically exposed persons (PEPs), cash-intensive businesses, non-resident customers, complex legal structures.
- Geographies — high-risk and sanctioned jurisdictions, FATF grey/black-list countries, locations with weak AML regimes.
- Channels/delivery — non-face-to-face onboarding, third-party introducers, agent networks.
Each factor is scored, weighted, and aggregated. Reflecting the 6th-edition CAMS emphasis, virtual assets and beneficial-ownership opacity now appear as material inherent-risk drivers in many scenarios.
Refresh and triggers
A risk assessment is not a one-time document. It must be refreshed periodically (commonly annually) and re-run on triggers: launching a new product, entering a new market, an acquisition or merger, a regulatory change, or a significant external event (a new typology or sanctions program). An item describing a bank that bought a remittance company but never updated its assessment is testing this trigger.
Scenario workflow
Given a risk-assessment scenario, ask:
- Is the question about inherent risk (raw exposure) or residual risk (after controls)? Keep them separate.
- Which FFIEC category drives the exposure — product, customer, geography, or channel?
- Are controls actually mitigating the named risk, or merely present on paper?
- Did a material change trigger a required reassessment?
The best answer correctly distinguishes inherent from residual risk, maps the exposure to the right factor category, and updates the assessment when the business changes. Options that treat every customer or geography identically contradict the risk-based approach the assessment exists to support.
Worked example
A bank scores its correspondent-banking product. Inherent risk is high: cross-border flows, nested relationships, and limited visibility into the respondent's customers. It documents controls — respondent due diligence, transaction monitoring, and a prohibition on serving shell banks. After weighting control effectiveness as "strong," residual risk lands at medium-high. That residual rating, not the inherent rating, decides how much monitoring and how many investigators the product receives.
If the bank had instead recorded "low" because controls exist, it would have under-resourced a genuinely risky product — the error examiners look for.
Methodology and scoring
A defensible assessment is transparent and repeatable: each factor is scored on a consistent scale, weighted, and aggregated to a documented conclusion that management signs off.
| Step | What the institution does |
|---|---|
| Identify | List products, customers, geographies, and channels |
| Measure inherent risk | Score raw exposure before controls |
| Assess controls | Rate design and operating effectiveness |
| Derive residual risk | Combine inherent risk with control strength |
| Act | Allocate monitoring, staffing, and EDD where residual risk is highest |
The assessment also feeds upward and downward: it justifies the risk appetite statement, calibrates the customer-risk-rating model, and tells the board where the program's real exposures sit. A program cannot defend why a given customer gets EDD unless the enterprise assessment shows the underlying risk. The 6th-edition CAMS treats virtual-asset exposure, beneficial-ownership opacity, and sanctions nexus as live inherent-risk drivers, so expect scenarios where a new crypto on-ramp or an opaque trust structure forces a reassessment.
The recurring trap is an answer that rates risk on controls alone or applies one uniform rating to every customer — both abandon the analytical separation the assessment is built to maintain.
Customer-risk-rating models
The enterprise assessment cascades down to a customer-risk-rating (CRR) model that scores each relationship at onboarding and on review. A typical model weighs the same factor families — customer type, product usage, geography, and channel — and produces a low/medium/high rating that drives the diligence tier. Two principles examiners test: the model must be documented and consistently applied (not left to individual judgment), and a customer's rating must be dynamic — recalculated when behavior, ownership, or geography changes.
A scenario where a previously low-risk customer suddenly transacts with a high-risk jurisdiction should bump the rating, not stay frozen.
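The following is an added illustration, not part of the original guide: it encodes the inherent/control/residual model, the identify-measure-assess-derive steps, and the CRR cascade in one scoring routine. The four-point scale, category weights, control offsets, and rating bands are constructed assumptions, not figures from CAMS or the FFIEC manual.

```python
from dataclasses import dataclass

# Four-point scale per FFIEC factor category; weights and offsets are
# constructed for illustration, not a regulatory prescription.
CATEGORIES = ("product", "customer", "geography", "channel")
WEIGHTS = {"product": 0.35, "customer": 0.30, "geography": 0.25, "channel": 0.10}
# Fraction of the exposure above the floor (score 1) that a control rating offsets.
CONTROL_OFFSET = {"weak": 0.0, "adequate": 0.25, "strong": 0.4}
# Upper bounds (exclusive) of each rating band on the 1..4 scale.
BANDS = ((1.75, "low"), (2.5, "medium"), (3.25, "medium-high"), (4.01, "high"))

@dataclass(frozen=True)
class Assessment:
    inherent_score: float
    inherent_band: str
    residual_score: float
    residual_band: str

def band(score: float) -> str:
    """Map a 1..4 score onto the documented rating bands."""
    for upper, label in BANDS:
        if score < upper:
            return label
    raise ValueError(f"score {score} is outside the 1..4 scale")

def assess(factor_scores: dict, control_rating: str) -> Assessment:
    """Measure inherent risk from weighted factor scores, then derive residual
    risk from control strength. The inherent rating is kept, never overwritten."""
    missing = set(CATEGORIES) - factor_scores.keys()
    if missing:
        raise ValueError(f"unscored categories: {sorted(missing)}")
    if any(not 1 <= factor_scores[c] <= 4 for c in CATEGORIES):
        raise ValueError("factor scores must lie on the 1..4 scale")
    if control_rating not in CONTROL_OFFSET:
        raise ValueError(f"unknown control rating {control_rating!r}")
    inherent = sum(WEIGHTS[c] * factor_scores[c] for c in CATEGORIES)
    # Controls shrink the exposure above the floor; they cannot erase it.
    residual = 1 + (inherent - 1) * (1 - CONTROL_OFFSET[control_rating])
    return Assessment(round(inherent, 2), band(inherent), round(residual, 2), band(residual))

if __name__ == "__main__":
    # Constructed scores for the correspondent-banking product from the worked example.
    corr = assess({"product": 4, "customer": 4, "geography": 4, "channel": 3}, "strong")
    print(f"correspondent banking: inherent {corr.inherent_band}, residual {corr.residual_band}")
    # CRR cascade: the same customer re-rated after a geography change (score 1 -> 4).
    before = assess({"product": 2, "customer": 2, "geography": 1, "channel": 1}, "adequate")
    after = assess({"product": 2, "customer": 2, "geography": 4, "channel": 1}, "adequate")
    print(f"customer rating moved {before.residual_band} -> {after.residual_band}")
```

Strong controls on the private-banking client from the trap above yield a medium-high residual rating while the inherent rating stays high, which is the separation the guide tells you to preserve.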
Governance of the assessment
Who owns the assessment matters. The second line generally builds and maintains it; senior management and the board review and approve the conclusions; and independent testing validates the methodology. The assessment's output — a documented risk profile — is what justifies every downstream choice: appetite limits, staffing, monitoring thresholds, and EDD triggers. If an examiner asks "why does this customer get enhanced monitoring?" the answer must trace back to the assessment, not to ad hoc preference.
Tie the section together with one rule: separate inherent from residual risk, map exposure to the right factor category, keep ratings current, and let the documented assessment — not intuition — drive how the program allocates its finite attention.
A reviewer rates a private-banking client in a secrecy jurisdiction as low risk because the bank has strong screening and monitoring controls. What error has been made?
Which event should trigger an update to the enterprise AML risk assessment outside the normal cycle?