Don’t do stupid sh*t
Matt’s sunning himself this week, so I thought I’d take the opportunity to hijack his weekly blog and provide my thoughts on Complyse and all things risk assessment.
At Avyse Partners we’ve always tried to answer the question – what’s the purpose? Through our advisory and assurance work we kept coming back to the conclusion that the purpose of a risk assessment has been lost and wouldn’t it be great to do something about it. Over the last 12 months, we have. We’ve built a risk assessment tool that focuses on real risks, can be executed quickly, and delivers great MI and reporting on the back end. And importantly, unlike competitors in this space we’re practitioners that have built a tech tool – not a tech firm that has built a compliance tool.
I’ve just finished the book “Everyone Loves Our Dollars: How Money Laundering Won” by Oliver Bullough. It is fascinating, incredibly logical, and on the whole pretty depressing. I really enjoyed it. The book covers a lot of ground, but at the heart of it is the conclusion that AML efforts have failed. Throughout the book I found myself drawing parallels with what we’re doing at Complyse:
“Don’t do stupid sh*t” is a Barack Obama quote referenced in the book. Bullough relates it to continuing down a path because that’s what has been done in the past. He states “The best time to stop doing stupid sh*t is immediately; the second best time is right now, and doubling down on a policy just because that’s what’s been done in the past is foolish” Continuing to churn out risk assessments that do not address real risks and that do not inform and drive decisions is also foolish.
Bullough notes that “The process of compliance has become the point”, and in keeping with our tag line of ‘end compliance theatre’, Jim Richards states that “Regulatory pageantry has trumped the original purpose”. These quotes refer to AML efforts more broadly, but can absolutely be levelled at the majority of risk assessments we see. Assessments whose purpose is ticking a regulatory box, as opposed to driving anything meaningful.
“And, what’s wrong is that, basically we’re 25% through the 21st century, and we’re saddled with a system that was developed in the twentieth century, and we need to modernise that system, and we need to get smarter and more effective about the rules we put in place”. Daniel Glaser – former Assistant Secretary for Terrorist Financing and Financial Crimes in the U.S. Department of the Treasury’s Office of Terrorism and Financial Intelligence. Glaser could be talking directly about risk assessment – it hasn’t evolved – it’s the same as it always was – which was fundamentally flawed in the first place.
The book reflects the feelings of many MLROs I’ve spoken to about risk assessments specifically. The strong, unified opinions I keep hearing are “risk assessments are a regulatory obligation. We know they are not informing judgement, prioritisation and action – but we simply do not have the time to properly address the shortcomings”. And this is where Complyse comes in. We have spent thousands of hours geeking off about how risk assessments should be focused on real risks, and challenging everything about how a ‘traditional’ risk assessment is constructed. Terminology has been central to our discussions. We quickly recognised that traditional ‘regulatory risks’ – customer, product etc. are not real risks – they are risk factors (that describe characteristics). We are more interested in risk events and threat vectors (that describe behaviour) in our pursuit of addressing real risk.
We’ve had long discussions around controls – does listing ‘Policy’ as a control in a risk assessment mean anything or add any value? Spoiler: our view is that controls such as Policy or generic training are environmental and do not meaningfully mitigate risk.
And debates on risk appetite – one of the key, useful outputs of a good risk assessment – have been fascinating to be part of. Fundamental questions such as whether risk appetite should be measured against inherent or residual risk have been discussed… at length!
It’s been a mammoth effort to get to this point, where we believe we have a tool that could genuinely revolutionise the way firms think about and execute risk assessments. With our approach your risk assessment genuinely will be the foundation of your financial crime framework, and not an annual exercise that ticks a regulatory box but delivers negligible value at significant cost.
If you’re at the annual ICA Conference in May come find us for a chat. Being a tech bro now, I’ll be in a black t-shirt with “end compliance theatre” in orange on the back – so hopefully easy to spot! And if you’re not at the conference, drop me a line if you’d like to know more about Complyse and our innovative approach to risk assessment.
It’s time to stop doing stupid sh*t.