The AML Clinic Podcast

Episode 18 - How Do You Know If Your Risk Assessments Are Actually Working?

Michelle Clement

Duration: 16:40

This episode explores the critical differences between having risk assessments and actively using them in law firms. Hosted by Michelle Clement, with AML consultant Kayleigh Smale, it emphasises how effective risk assessments can shape decision-making, influence behaviour, and ensure compliance.

This conversation is about what risk assessments are meant to evidence and why that’s harder than it looks.

The Difference Between Having and Using Risk Assessments

Speaker

Hello and welcome to this episode of the AML Clinic Podcast. I'm your host, Michelle Clement, former SRA AML regulatory manager, now working with law firms to build defensible frameworks grounded in how the SRA assesses risk and decision making in practice. In this episode, we're diving into the world of risk assessments. The majority of law firms have firm-wide risk assessments and complete client and matter risk assessments, but fewer can actually explain what those assessments are doing. Today's conversation will focus on the difference between having risk assessments versus using risk assessments. Today we're joined by self-confessed AML geek Kayleigh Smale, founder of Smale Compliance. Kayleigh has spent over a decade working in the legal sector and is known for helping law firms make sense of AML in a way that actually works in practice. She has a knack for breaking down complex AML topics and even bringing a bit of fun to the conversation. Kayleigh, you're welcome to the AML Clinic. Thank you for having me. Very excited to be here. Thank you. You're welcome. So, Kayleigh, I think we can start by assuming that most law firms listening will have and will be very comfortable with the idea of what a risk assessment is, whether firm-wide or matter level. So, do you think it's fair to say that having a firm-wide risk assessment and using it are two different things? And if so, what should using it look like in practice for firms?

Speaker 1

Absolutely, 100%. I think most firms have that firm-wide risk assessment now. There's still a few out there that don't have one. But, you know, everyone's kind of okay with the fact we need to have one now and we'll get into trouble if we don't. But like you said, I think far fewer actually use it. Having one just means it exists, and using it means it's actively shaping decisions day to day, and that's what I want to see happening. What should using it look like for firms? For me, using it means it influences real behaviour. It should really affect how clients are onboarded, what feels comfortable, when enhanced due diligence is expected, what gets escalated and when, and, you know, also the firm's trading priorities. It brings all of those things in. You know, if you ask someone why a particular AML decision was made, they should be able to link it back to the firm's own profile, not just say "because the rules say so", which I do hear quite a bit.

Speaker

Yeah, agreed. So using it is not about referencing it occasionally. And as you just described, that's exactly what the SRA would be looking for, or whoever your AML supervisor is if you don't fall under the SRA. So that point is often missed: the risk assessment is designed, is there, to actually shape real behaviour, to be much more active. So let's build on that point. In some circumstances there can be a breakdown between what the risk assessment's intended for and what it's actually used for. So, in your experience, what do firms think their risk assessment, their firm-wide risk assessment specifically, is doing for them? And then what does it actually end up doing in practice?

The Purpose and Misconceptions of Firm Wide Risk Assessments

Speaker 1

So I think at the moment, firm-wide risk assessments are just seen as a bit of paper that they need to complete to, you know, show the regulator that they have something in place. I think there's still a lack of knowledge of what the firm-wide risk assessment is actually there for. And for me, when I go into a firm, I want to look at that firm-wide risk assessment and be able to understand the risks of the firm without asking any questions. And I don't think firms actually realise that that's what it's for. I think as well, they don't realise that it should inform their processes. So what we found out in our firm-wide risk assessment should actually inform our processes. And I think the reason for that was because we had AML policies before we had to do a firm-wide risk assessment. So the firm-wide risk assessment was completed after the policies, and it was this mad rush in 2017: we need to do a firm-wide risk assessment, we've never done one before, we don't know what we need to do. And they kind of put something together really quickly and just said, here you go. And then we never really connected it in terms of their AML policy. As well, I think they don't understand, you know, that it is actually assessing the risks of the firm, you know, how risky is the firm in terms of potentially being used for money laundering. And one of the examples that I often see is around PEPs. You'll tell me that you've got a certain amount of PEPs, but, you know, how many are domestic, how many are non-domestic, how many matters do you have for each of them? You know, are they actually active still? Are they still an active client? That sort of data isn't captured. But for me, if you're just acting for one non-domestic PEP, then, you know, that is risky, but it's different if you were acting for one domestic PEP with one matter or one domestic PEP with seven matters. So it's really important to have that data, to have that clear image of risk in their mind, and how as a firm they're going to mitigate those risks. And I think as well, that mitigation is really important, and something that I've seen quite a lot recently is that they're very generic in terms of what they're putting down for their mitigating risks in terms of a particular area of risk.
And it's all, you know, we do client due diligence, we do training, we do client and matter risk assessments, but, you know, sometimes that doesn't directly link to the actual risk that they're talking about. And I'm like, no, what are you doing for this actual risk? What do you do for your client account risks? I understand, yes, you do your CDD and you do this, but how's finance involved in this? How do they help? Tell me what those things are.

Feedback Loops In Risk Assessments

Speaker

Yeah. So I completely agree. So I think sometimes there is a gap between the intended purpose, which is, as you said, to articulate and govern the risks, and then the operational reality. And just to pick up on something you just said, I don't want to make anyone think they have to include mitigation, because they don't; the law doesn't say so. But actually it's helpful to, because when your fee earners, or whoever's actually doing the work, pick up the risk assessment, it's helpful for them to understand: this is what they need, this is the action they should be looking at taking. So let's take a closer look at firm-wide risk assessments specifically. So firm-wide risk assessments are meant to be high level. But when would you say high-level slips into non-specific?

Speaker 1

Oh, that's an interesting question. I think that is when the assessment could belong to almost any law firm. If it doesn't reflect your client base, your services, your geographies, or the way you work, you know, or the way that work actually comes through the door, it's no longer high level and it's actually lost its value.

Speaker

Yeah. So high level should still feel specific to the firm. And from my time at the SRA, we saw every single template that's available on the market. And after a while, it's just so easy to tell when somebody's actually, you know, adapted the template properly to their firm, or whether they've just stuck their name on it. So let's turn our attention to file level risk assessments, or client and matter risk assessments, as they're otherwise called. Do you find that the risks firms identify are often reasonable, but then the explanation for the decisions is sometimes a bit thin?

Speaker 1

Yeah, not all the time. And I'm sure you saw this as well. The risk itself is usually sensible, but what's missing is that explanation as to why the firm was comfortable with proceeding. I also see that the risk level doesn't always match the level of due diligence actually carried out. So, for example, I was carrying out file reviews for a probate team, and all of their risk assessments were assessed as low. And it was to do with the actual distribution of the estate. And I was like, you might want to think that that might be a little bit higher, because, you know, you're distributing funds at the end of this. And sometimes as well, I've seen where people have electronic risk assessments, you know, and it's gone down some sort of logical conditioning or something like that in terms of how they answer their questions. And I've gone, oh, it says the client's low risk, the matter's high risk, but actually I would say both of them are medium risk. And without that explanation as to why that outcome was made, it makes it really difficult for me to see if you really have assessed the risks, or you're just going down this process of ticking a box. And I don't hate saying tick boxing, but sometimes it definitely is like that. I also saw a firm not so long ago who had actually switched the yes and no boxes over so they could just go down a line and tick them all off, which was quite interesting to see. So I feel as well that sometimes there's just not enough training. Again, it was that mad rush, right? We have to have client and matter risk assessments. Here you go, here they are, you need to be completing this form now. But the why behind it was never explained. So I think some staff members really struggle with that, because it is just a course of opening a matter for them, not "am I assessing the risks here?"
I saw a really good example on one risk assessment form, and it was like, is there a risk of proliferation financing? And they said no. Well, the company was a chemical company, it actually had "chemical" in the name of the company, and they were actually distributing chemicals. So for me, I was like, I think there's this lack of understanding internally as well, in terms of how they should be answering the questions, and then really assessing the risks.

The Importance of Specificity in Risk Assessments

Speaker

I think that's a really helpful example to bring the point to life about the gap between having something in place and actually using it. So obviously, I don't know what was on their firm-wide risk assessment, but potentially, you know, you might see a firm-wide risk assessment that says we have no risk of PF, or our risk of PF is really low. But actually, as you just described there, in that particular circumstance, it might still have been low risk, but they didn't even identify the risk, which is clearly a concern. So that brings us on to connecting the dots between firm-wide risk assessments and client and matter risk assessments. It's like you pre-empted my question. If the same risk keeps appearing at matter level, for example, what should that trigger at a firm-wide level?

Speaker 1

It should actually trigger a rethink. Repeated risks are not coincidence. They're telling you something about your client base or your services that should feed back into the firm-wide risk assessment. So with that example of the proliferation financing one, I did see the firm-wide risk assessment, and they said that they don't act for anyone, you know, with a proliferation financing risk. So it was for me to say to them then, you need to go back and assess that, because actually there are clients where there is a potential risk of proliferation financing. So it is that trigger to go back and have a look at your firm-wide assessment and say, you know, have the risks changed? Because it evolves all the time, doesn't it? It's not a "let's have a look at it at the end of the year and see if anything's changed", because you might forget; capturing that sort of data is really tricky for law firms. You know, they don't really have the right systems to be able to help them with those sorts of things. So as soon as you hear something like that, you need to be picking up your firm-wide risk assessment and amending it straight away to make sure that it does reflect the risk. And actually, do we need to change our processes? Do we need to change our policy because we've had this change in our risk assessment? So again, it's always remembering to link it back to: do we need to change something here because we're not capturing the right information?

Speaker

Yeah, absolutely. So, what I've taken from that is that a mature framework has feedback loops. So let's go to supervision, or regulatory reality. So the SRA publishes its annual AML report of the patterns it has found in the year preceding publication of that report. And obviously, each year it seems the same patterns keep coming up. What sort of patterns are you seeing when you're looking at risk assessments?

Speaker 1

So I see a lot of generic questions on risk assessment forms, or questions with no guidance at all in terms of what they mean. And I always use proliferation financing as an example, because it is a really good one, because proliferation financing is really tricky. And although, you know, law firms have been typically assessed as low risk for it, you know, people panicked when the rules came out to say you need to assess proliferation financing, and just stuck a question in there saying, does this matter involve proliferation financing? And I always say to people, do your staff know what that means? Because if they don't, then, you know, they're not going to be able to answer that properly. And I think as well, those static forms make it really difficult. It's seen as that one-off: you know, at the start of the matter, I've done my risk assessment, I don't need to think about risk anymore. And it's really difficult to find those triggers to be able to get people to go back and look at it. And it's not because they don't care. I don't think that. I mean, there are a few naughty lawyers out there that, you know, are a bit difficult sometimes, but they're few and far between. A lot of the time, you know, their job is being a lawyer and, you know, servicing their client, and they haven't been taught how to do all the compliance pieces that they need to do now. So I think as well, you know, that lack of guidance, that lack of training, is really key in terms of making sure that these forms are completed. And they're not forms, are they, really? I know we call them forms, but they're not. They're a really vital piece of the process in terms of assessing risk.

Speaker

Yeah, so I'd agree with all of that. So something that I used to see a lot when I worked with, well, when I used to inspect smaller firms for the SRA, and as somebody who's analysed the data for the reports and written the report, is that the assessments usually fell into three categories. Either they were too generic, they were not clearly linked to client files, or, like you said, the reasoning behind the decisions was just unclear.

Testing your Risk Assessments

Speaker

So, Kayleigh, I always like to end the podcast with a practical tip for those listening. So, to bring everything we've discussed together, if a firm wanted to sense check whether their risk assessments are actually working, what would you suggest they pay attention to?

Speaker 1

So I think they need to ask whether they help people in making decisions, rather than just justifying them after the fact. Do they change behaviour? Do they prompt escalation? Do they influence training and controls? And could someone outside of the firm read them and genuinely understand how the firm thinks about risk? And I think that's really important. I think a good way of doing that sometimes is getting the new starters to read it and have a look through it. You know, you don't necessarily have to pay for a consultant to come in and look at it. You know, get those new starters to have a look at it, see if they understand it. Also get others, like staff who've been there for a long time, to have a look at it and ask their opinion on it and see if they understand it. But I think it's really important to see, like, are we changing behaviour? Are we prompting lawyers to really think about risk? And if you're not, then it's probably not working properly.

Speaker

Those are really practical tips. Thank you. So that's a wrap for today, and thank you to you, Kayleigh, for sharing your insights. I really do hope the episode has made it clear that a risk assessment only truly works when it shapes decisions, drives consistent controls and evolves based on the matter level insights. If you found this episode useful, consider sharing it with your colleagues who live in the world of nuanced risks and razor thin judgement calls. And if you've got a topic you would like me to cover, I'd love to hear from you. Thanks for listening to the AML Clinic. Until next time, stay informed and stay compliant.