Why Old Fashioned Risk Assessments Get Rejected

Published by Yana on

I observed recently how old-fashioned tabular or matrix-based risk assessments were questioned and challenged by regulators and also by white-label service providers during due diligence reviews.

The challenge looked like a series of questions (or, in some cases, remarks that looked quite biased and even rude) from the reviewers:

  • Your risk assessment process appears to be very confusing and hard to follow.
  • Your risk assessment is hard to understand.
  • It is difficult to reconcile the criteria used for your risk assessment with the regulatory requirements.
  • Your risk assessment does not differentiate clearly between the product risk, AML risk, fraud risk, and other risks.
  • Your controls descriptions are unclear.
  • Your risk assessment is not actionable…

You would be surprised to know, but these comments did not come from a junior intern on their 3rd day in the office; they came from reasonably mature professionals. As a result, the due diligence reviews and license reviews were delayed because of these additional questions and clarifications around the risk assessment methodology.

So – what was the problem? Why do reviewers pay attention to the risk assessment documentation?

Reviewers currently use risk assessment documents as the main document to learn about your business and the maturity of your team. If they are able to get a clear picture easily, the risk assessment is good. If your reviewers feel overwhelmed and unable to understand your business, the risk assessment is bad.

This is what makes your risk assessment confusing, overwhelming, and hard to follow:

  • When it looks like a long list with too many lines and columns.
  • When there is no executive summary.
  • When you have more than 3 high residual risks.
  • When you use internal jargon, names of your internal tools and systems, or other abbreviations to describe risks and controls.
  • When you overcomplicate calculations of weights, probabilities and, in general, use too many numbers and formulas.

In the old-fashioned world of traditional finance, the risk and compliance teams viewed their main role as information providers for the senior managers and the board. The more information they collected, processed, reorganized, and dumped on others, the better they felt about a job well done. Those days are over if you work in FinTech. Risk and Compliance are no longer viewed as information services; they are assessed based on their ability to implement, finish, and launch new projects and get approvals.

Here is the new way of preparing and presenting your Business-Wide Risk Assessment:

  • View it as the main marketing document describing your business; this is where your reviewers will start learning about what you do as a company.
  • Forget Excel and Google Sheets. Use plain language and bullet points.
  • Minimize or drop entirely your use of calculations, weights, probabilities, and other numerical elements.
  • Start with an Executive summary and an action plan. No longer than 1 page.
  • No more than 3 high residual risks. Otherwise, you should not be in business.

If these observations resonate with you, I have GREAT NEWS:

On August 23rd, 2022, I will be offering a brand new FinTech Risk Assessment Workshop where I will walk you through my entire process of preparing the risk assessment in a simple and easy-to-replicate way. It will take you no longer than 60 minutes to keep it up-to-date in the future. I will also give you the template I’ve used with my clients and refined over time.

During this workshop we will cover all required risk assessment elements any FinTech may need:

  • An executive summary with key takeaways and an action plan.
  • Product Risks for bank and card payments, wallets, BNPL, and crypto.
  • AML/CTF risks (covering FATF, EBA, and JMLSG criteria)
  • InfoSec and fraud risks
  • Crypto and VASP-specific risks (covering FATF and EBA criteria)
  • Governance and regulatory risks
  • Operational and financial risks
  • Startup environment risks

If your startup is in the middle of opening bank accounts or seeking approvals from white label partners, you definitely need this training ASAP.

Please reach out and let me know if you have questions!
