As concluded in Part I of this series of articles Risk Based Approach: Is less the new more?, I concluded that Accountable Institutions should focus on simplicity of assessment and application, because the very real risk faced is that they may spend substantial amounts of time, effort and money, creating a control environment, which fails to manage the real risks they face. A typical case of form over substance. This inadvertently contributes to increased regulatory risk.
Different industries and sectors have different financial crime risks which they have exposure to – therefore, the adoption of a RBA in terms of the Financial Intelligence Centre Amendment Act 1 of 2017 (FIC Amendment Act) holds different implications for different types of Accountable Institutions. The formulation and implementation of a RBA for large banking institutions, will differ vastly from those of estate agents, asset managers, insurers etc.
Each Accountable Institution’s RBA should be drafted intrinsic to the type of business operated – implying that all Accountable Institutions should thoroughly understand, as well as interpret their financial crime risk exposure, own to their business – this will enable the Accountable Institution to develop and implement controls proportionate thereto. The Financial Action Task Force (FATF) has issued RBA guidance to various industries and products, for instance, important risk factors to be considered in formulating an Accountable Institution’s RBA. 
A few critical success factors to consider for the successful implementation of an effective RBA:
Quality of Risk Management and Compliance Program (RMCP):An Accountable Institution’s ability to apply a RBA to financial crime effectively, is largely dependent of the quality of its RMCP.  The board of directors or senior management must approve the RMCP and further ensure that it’s adequate against the minimum requirements detailed in section 42(2) of the FIC Amendment Act. Should the RMCP lack the quality or standard expected from an Accountable Institution or does not cover all the relevant disciplines, the institution as well as the board or senior management, or both, can be held accountable and penalised with administrative sanction ;
Appropriate risk management resources and expertise:Accountable Institutions, as well as Regulators, require appropriate risk management resources and expertise – it will require, for instance, the ability to exercise sound judgement and to respond appropriately to the identified risks;
The availability, appropriateness and accuracy of risk-related information:The lack of information availability, completeness and accuracy are major impediments for some Accountable Institutions. Not only does this indicate a serious control failure, but the Accountable Institution may not be able to thoroughly understand the business, products, clients, channels, geographies etc. in order to identify their real risk exposure. Further, incomplete and/or inaccurate data may lead to inflated risk results, resulting in unnecessary controls being deployed throughout the business;
Financial Crime Risk Assessment:The execution of a financial crime risk assessment is fundamental to the formulation of a sound and effective RBA – both key contributors to an Accountable Institution’s RMCP. The financial crime risk assessment should inform an Accountable Institution’s Risk Appetite, as well as RBA. I fully agree with De Koker in that risk assessments should not be general or “bought off the shelf”.  The risk assessment process should be developed, taking into account the Accountable Institution’s nature, size and complexity;
Correct assessment of risk:The quality of controls is heavily dependent on the correct assessment of risk. Accountable institutions should have a thorough understanding of their actual, as well as potential financial crime risks – qualitative and quantitative factors should be considered – to formulate their RBA. The Accountable Institution requires a sound understanding of the threats and vulnerabilities it is faced with at any point in time. Each Accountable Institution has a different risk profile, will respond to risk differently and will therefore also have different levels of reliance on certain controls;
Continuous and evolving process:The risk assessment, informing the RBA, is a continuing process, always changing as new methods and ways to commit financial crime are exploited and constantly evolving. The outcome of a risk assessment will change as threats and vulnerabilities change. As part of the financial crime risk assessment, as well as on an on-going basis, the controls’ adequacy and effectiveness should be reviewed and where required, remediation should be considered;
Proportionate controls versus risk exposure:Where too many controls have been implemented and/or the controls implemented are unnecessarily stringent, resources may be wasted – while on the other hand, if the controls are too weak, the controls will proof to be ineffective to counter financial crime risks;
Document document document:Each thought process leading to a decision and the logic behind such decision should be thoroughly documented, including the date the decision was made, the rationale behind the decision, supporting data and statistics, the names, as well as the roles of those making the decision and approval by Senior Management are of utmost importance. Evidencing that Senior Management (who is ultimately responsible for compliance with FICA) “applied their minds” in developing the RBA is also required;
Organisational Agility:The level of agility an Accountable Institution has in responding to operational and control changes is probably the single biggest critical success factor in their fight against financial crime. It is of utmost importance when designing an efficient, effective and sustainable RBA and RMCP. A fluid operational environment will allow an Accountable Institution to respond to new threats effortlessly, curbing financial crime and any losses whilst addressing control weaknesses instantaneously.
Despite my previous article relying on the simplicity of the RBA, no one has ever said that an effective RBA would be easy to develop and implement. As stated above, a RBA is a continuous and evolving process – equally so the successful implementation thereof. The art of a RBA lies within the balance, calibrated on an on-going basis - it should form part of an Accountable Institutions’ Corporate DNA – being flexible, fluid, agile, with intrinsic characteristics and ability to fluently transmute to guard against new or altered threats.