Acing Your Compliance Risk Assessment

August 03, 2021

Design a Robust Compliance Program That Satisfies Regulatory Requirements

When setting up the compliance program for your financial institution, the fundamentals are to:

  1. Understand the unique financial crime and compliance risks that you are exposed to.
  2. Design the controls, processes, and staffing needs that will help you mitigate those risks (collectively called your compliance “program”).
  3. Conduct ongoing assessments of your program to ensure that it is effective.

For more information on understanding your risks and setting up a program (items 1 and 2), see our 5-part series on setting up an Anti-Money Laundering Compliance program.

Once you have the program designed, your program risk assessment will help you understand how well you’ve protected your financial institution. A risk assessment is a critical component of any compliance program and is generally the first document a regulator or auditor heads to when checking your work.

To help conduct a comprehensive and thorough risk assessment, a company should look to the “Five Pillars” and “Three Lines of Defense” paradigms in compliance. These are useful frameworks that will help you think through your system of defenses holistically.

Let’s take a look at both of these frameworks and what’s included in each.

Five Pillars

The design of a healthy compliance program typically incorporates these five components: internal controls, a compliance officer or compliance staff, training, independent testing, and customer due diligence.

Internal controls

The first pillar of your compliance program is your internal controls. In a nutshell, internal controls are policies and procedures, which include those that define all the roles and responsibilities within the company. If you already have internal controls, make sure they’re available in written form and fit with your company’s risk profile.

A compliance team

Your compliance team, whether that’s one compliance officer or an entire staff of personnel, is the second pillar. This person (or these people) should have the right knowledge and experience level necessary to adequately manage the compliance program at your company.

Training
Training is the third pillar of compliance. It assumes that the appropriate training on programs and controls will be provided to employees based on their roles within the company. A solid training program includes all personnel, including senior leadership and the board. Keep records and refresh training material proactively, not reactively.

Independent testing

The fourth pillar of compliance is independent testing of your program – essentially asking an impartial third party to check whether your defenses are strong. The testing should be conducted by a third party or by personnel with no responsibility for the compliance program. The testers should be knowledgeable about AML compliance. The purpose of independent testing is to confirm the effectiveness of internal controls.

Customer due diligence

The final pillar is a requirement for covered financial institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence. Specifically, one of the intentions is for financial institutions to identify the beneficial owner of legal entity customers – i.e. the person or people who ultimately control the funds, as opposed to false identities, intermediaries, or shell companies.

Three Lines of Defense

The “Three Lines of Defense” is a more procedural framework that checks if you are sufficiently putting the defenses you’ve designed into active use. The framework calls for understanding potential risks in a business function, designing controls to mitigate those risks, and incorporating those controls into the daily operations of the team.

Understanding potential risks

The first line of defense of compliance is to understand potential risks in a business function. The first step in doing so is to incorporate controls into business teams outside of the compliance function. Then, managers of said teams are held accountable for their teams’ regulatory errors, and the compliance teams work with these managers to provide training and guidance on the controls.

Designing mitigation controls

In the second line of defense, designing mitigation controls, the compliance team samples completed work from processes to determine what mistakes, if any, were made. The information discovered is sent to the teams on the first line of defense, who implement any necessary changes to the processes.

Incorporating controls into daily operations

Incorporating controls into daily operations is the third and final line of defense. In this phase, your team, or a third party (as described in the section on the “Five Pillars”), conducts audits to determine whether the first two lines of defense are functioning properly. An ideal compliance program is one that tests continuously year-round, looking at the results from the testing program and performing its own independent reviews.

Using these two frameworks will help you design a more comprehensive compliance program, and will help you assess your program’s effectiveness the way an auditor might. Regularly revisiting your risk assessment will also ensure that you keep up with evolving risks that you may be exposed to.

If you’re building a compliance program, you’ll need the right tech for the job. When it comes to AML, we’ve got you covered. Hummingbird is the premier software for simplified case management, consistent workflows, and easy-to-use controls. For tighter compliance and less frustration, all wrapped in a smooth interface, contact us to request a demo of Hummingbird.