Risk assessment is the backbone of risk management, and, as most credit unions know through managing compliance with the complex set of laws and regulations associated with BSA/AML and Office of Foreign Assets Control (OFAC)/Sanctions, a dynamic risk assessment is key. The most recent update to the FFIEC Examination Manual reflects this; the authors put new emphasis and clarity into revising this section of the manual. Although the phrase “risk-based” has been around for several years, the examiners are just now getting trained on what that means.

In my nearly 25 years in risk management, a few key themes have emerged that I want to share with you as you consider writing and revising your BSA/AML and OFAC/Sanctions risk assessment.

Tip 1: You are the expert at your credit union.

You and your management team are the experts on the BSA/AML and OFAC/Sanctions risks faced by your credit union. “Know your member” and the various categories of risk have been part of the BSA/AML vernacular for years. Complying with the various laws and regulations puts your team in the unique position to truly understand the risks your credit union faces. These risks are a mix of the members you serve, the communities in which your members conduct their transactions, the products and services you provide, and the competitors within your market, among other factors. There is no “one size fits all” approach to risk assessment. Asset size does not matter as much as your member profile does. A small credit union can have huge exposure to geopolitical instability based on the composition of its membership, while a large credit union may choose to minimize its international payment risks. The updates to the Examination Manual make it clear that examiners must take your well-crafted risk assessment at face value rather than substitute their own opinions about your credit union’s risks.

Tip 2: Establish and document your risk appetite.

Second, your board and management team need to set and document your risk appetite. The amount of risk your board is willing to accept must be clearly defined, understood by staff, and incorporated into your risk assessments, including those for BSA/AML and OFAC/Sanctions. An examiner will look for consistency, and for monitoring and mitigation of risks in line with that appetite. Decisions about how management will respond to identified risks must be consistent with the risk appetite – in other words, management’s decisions are risk-based. If your credit union is launching a new product or service that has BSA/AML exposure, make sure that you document the risk and the controls necessary to mitigate it, consistent with the board’s appetite statement.

Tip 3: Craft a dynamic assessment.

Third, your risk assessment needs to be dynamic. By dynamic, I mean that it must be continually revisited and updated as conditions change. The risk-assessment exercise cannot be an annual event that culminates in putting the board-approved risk assessment in your electronic folder to be dusted off a year later. The recently passed AMLA is one example of the changing regulatory and legal landscape, and no one needs to tell someone working in OFAC/Sanctions compliance about change and complexity. For example, on May 19, OFAC announced that Sudan is no longer a State Sponsor of Terrorism, and there have been multiple days since 9/11 when the “OFAC List” changed several times in a single day. The change of administration in Washington on January 20, 2021, ushered in a new secretary of state and the potential for shifting geopolitical priorities as well.

For credit unions with members that have ties to countries outside the U.S., geopolitical instability can make a transaction permitted yesterday sanctioned tomorrow. Your management team may decide to limit transactions to certain parts of the world because exposure to that part of the globe is no longer consistent with your credit union’s risk appetite. But management must know the exposure even exists, and the risk assessment is key in sizing up that risk in the first place.

Tip 4: Share your risk assessment with internal departments.

Finally, your risk assessment must be communicated not only to your board of directors and senior management but also (and especially) to your internal audit department. Frankly, your risk assessment is not truly accurate until the asserted controls have been tested and found effective, and only internal audit can verify that the controls you rely on to mitigate your risks do their job. Policies and procedures are fantastic back-up documents, but testing ensures that the documented processes are actually followed. Make sure that internal audit’s annual testing plan covers the controls you have documented, and then confirm with your senior auditor that periodic testing has been completed. Testing is risk-based.

Hopefully sharing the experience and knowledge I’ve gained over the years will help you as you prepare your risk assessments this year.

Jennifer Morrison
VP, Senior Risk Manager

Now available on demand: BSA Basics

Specifically designed to help credit unions fulfill their 2021 yearly regulatory training requirements, this training hosted by ProBank’s Mark Dever covers the following topics: Currency Transaction Reporting (CTR), Office of Foreign Asset Control (OFAC), audit, Suspicious Activity Reporting (SAR), Member Due Diligence (MDD), risk assessment, “beneficial ownership,” and more.

Length: 3 hours
