Financial crime risk and operational risk: Same threats, different questions


In a recent conversation with a Head of Operational Risk, I found myself circling a familiar but surprisingly under-articulated question:

What is the relationship between operational risk and financial crime risk, really?

On the surface, this can sound like an academic or organisational design question. In practice, it is a very real issue for MLROs trying to deliver a credible Business-Wide Risk Assessment (BWRA) in an environment where alignment with enterprise risk frameworks is not just encouraged, but increasingly expected.

Fraud losses show up in operational risk data. Sanctions breaches become operational incidents. AML failures are described in enforcement notices as “systems and controls breakdowns”. It is therefore entirely reasonable for operational risk teams to ask: are we not assessing the same thing twice?

This blog is not an argument against alignment. Quite the opposite. It is an attempt to surface a gap in how these risks are commonly framed, and to explain why, if a financial crime BWRA is simply treated as a subset of an operational risk process, it is unlikely to be fit for purpose.

The recurring tension between alignment and independence

It is often said that financial crime risk and operational risk are “converging”. In practice, the reality is more nuanced, and more cyclical.

Across firms, there is a constant swing between separation and alignment. New senior leaders arrive to simplify, integrate and “join the dots”; a few years later, the organisation rediscovers that something important has been diluted, and the cycle reverses.

Regulators have largely tolerated this ebb and flow. What they have been consistently clear about, however, is not where financial crime risk sits organisationally, but what must be demonstrable.

There are clear and legitimate touchpoints between the two disciplines:

  • From a prudential perspective, fraud and misconduct losses are routinely treated as operational risk events once they crystallise.

  • From an operational resilience perspective, financial crime controls sit within important business services, shared technology platforms and third-party dependencies.

  • From a governance perspective, boards increasingly expect a coherent view of non-financial risk, even if accountability remains distributed.

None of this implies that the two risks must be collapsed into a single framework. It does, however, mean that they cannot be assessed in isolation, and that the points of intersection need to be understood explicitly.

And for MLROs, in practice this creates a genuine tension.

On the one hand, there is pressure to align with enterprise risk management, reduce duplication, and speak a common language. On the other, there remains a clear regulatory expectation that firms understand their exposure to money laundering, terrorist financing, sanctions and other financial crimes in a way that is specific, defensible and forward-looking.

The risk is not that these frameworks talk to each other. The risk is that, in the name of efficiency, one is collapsed into the other without recognising that they are trying to answer different questions.

Same threats, different lenses

A useful starting point is to acknowledge what is shared.

Operational risk and financial crime risk are exposed to many of the same underlying threats:

  • criminal actors and organised crime groups,

  • insider abuse,

  • third-party exploitation,

  • weaknesses in data, systems and technology,

  • jurisdictional, geopolitical and cross-border complexity.

Where they diverge is not in what threatens the firm, but in how those threats are examined.

Operational risk frameworks are, by design, process- and control-centric. They are concerned with how the firm operates, where processes might fail, and what the consequences of those failures might be in terms of loss, disruption or harm. Risk is often articulated through the lens of control effectiveness, residual exposure and tolerance.

A financial crime BWRA, by contrast, is supposed to be threat- and scenario-centric. Its purpose is to understand how the business could be exploited for criminal purposes, what forms that exploitation could take, and where the inherent exposure lies, before controls are applied. Even where that ideal is not fully realised in practice, the BWRA remains fundamentally regulatory in its orientation, concerned with the firm’s exposure to criminal misuse and its obligations to prevent it, rather than with operational failure per se.

These are not competing perspectives. They are complementary. But they are not interchangeable.

What happens when the BWRA is absorbed into operational risk?

In many organisations, the path of least resistance is to embed financial crime risk within an existing operational risk register or RCSA process.

This typically results in a number of subtle but important shifts.

First, risk articulation moves away from criminal scenarios and toward control or regulatory failure. Instead of asking “how could this business be misused for laundering or sanctions evasion?”, the assessment asks “what could go wrong in our AML processes?”. The criminal threat becomes implicit rather than explicit.

Second, the unit of analysis changes. Risks are framed around processes (onboarding, monitoring, investigations) rather than around threat–act–process combinations. Different forms of exploitation can collapse into a single line item because they touch the same operational process.

Third, the assessment becomes backward-looking. Operational risk frameworks are excellent at learning from past incidents and losses. They are less well suited to isolating emerging or low-frequency, high-impact financial crime scenarios that have not yet crystallised as failures.

None of this makes the operational risk framework “wrong”. It simply reflects what it was designed to do.

The problem arises when this becomes the only articulation of financial crime risk.

Why this matters for the MLRO

For an MLRO, the BWRA is not just an internal risk document. It is the foundation for a wide range of downstream decisions: customer risk models, due diligence standards, training priorities, escalation frameworks, resource allocation and, ultimately, regulatory accountability.

To perform that role, the BWRA needs to do more than catalogue where controls might fail. It needs to demonstrate that the firm understands:

  • why it is exposed to particular forms of financial crime,

  • how those exposures manifest across a firm’s specific products, customers, channels and geographies,

  • which threats and scenarios are most relevant given its business model.

If the BWRA is reduced to a subset of an operational risk register, the MLRO may be able to explain where controls exist and how they are monitored, but struggle to articulate the underlying risk narrative in a way that stands up to scrutiny.

This is particularly important when controls are assessed as “effective”. An effective control environment does not eliminate inherent risk. Without a threat-led articulation, it becomes difficult to explain why residual exposure remains, or why certain areas still warrant focus and investment.

Alignment without dilution

None of this is an argument for financial crime risk to exist in isolation.

In fact, the relationship between the two disciplines is strongest when each is clear about its role.

A threat-led financial crime BWRA can inform operational risk by:

  • identifying which processes are critical from a crime-prevention perspective,

  • highlighting where control failures would have the greatest impact,

  • providing scenario-based inputs that can be translated into operational risk events and resilience planning.

Operational risk frameworks, in turn, bring:

  • discipline around control assessment,

  • loss data and impact analysis,

  • escalation, tolerance and capital considerations.

Seen this way, the BWRA does not duplicate operational risk. It feeds it — upstream.

The sequencing matters. Understanding the threat first allows controls and processes to be assessed in context, rather than in abstraction.

The gap worth talking about

What is striking is not that this relationship exists, but that it is rarely articulated explicitly in guidance, blogs or industry discussion.

There is plenty of material treating fraud as an operational risk event, and plenty of commentary on AML systems and controls failures. There is much less that explains how a financial crime BWRA should sit alongside operational risk without losing its distinct purpose.

For MLROs, that gap matters. They are expected to align with enterprise frameworks while still owning a regulatory obligation that is explicitly about understanding criminal risk, not just managing operational failure.

Calling out this gap is not about drawing boundaries for the sake of it. It is about ensuring that alignment does not come at the expense of insight.

A final thought

Operational risk and financial crime risk are exposed to the same threats, but they are trying to answer different questions.

Operational risk asks: how could our business fail, and what would it cost us? Financial crime risk asks: how could our business be exploited, and what harm would result?

Both questions matter. But if the second is absorbed entirely into the first, something important is lost.

The real challenge, and opportunity, is not convergence, but sequencing: understanding the threat before measuring the failure.

That is a conversation worth having more openly.
