One risk, many purposes?

I’ve recently read Doing Business with Criminals [1] by Anton Moiseienko, and it got me reflecting on a couple of my recent blogs, and, more broadly, on a practitioner debate that has been circling financial crime risk management for years.

In “One risk becomes many: The case for a holistic, behaviour-led BWRA”, I argued that financial crime risks are deeply interconnected. Treating money laundering, fraud, sanctions, bribery and other domains as neat, standalone silos creates blind spots, because in the real world the same behaviours, incentives and control weaknesses often underpin multiple outcomes. That interconnectivity matters if we want risk assessments to reflect how financial crime actually manifests, rather than how it is organised in regulation.

In “Risk Appetite: The Emperor’s New Clothes, Revisited”, I extended that argument. That blog was explicitly inspired by, and written in response to, Lee Hale’s article The Emperor’s New Clothes: Debunking Financial Crime Risk Appetite Statements. Hale’s central challenge, that many financial crime risk appetite statements are either incoherent or quietly ignored, resonated because it reflected what many of us see in practice: carefully drafted positions that sound reassuring, but collapse as soon as someone tries to operationalise them.

What Moiseienko’s work adds is a useful lens for understanding why these problems persist. That lens is purpose.

The insight that stopped me mid-page

In discussing the differences between AML/CTF and sanctions regimes, Moiseienko makes a deceptively simple observation. Anti-money laundering and counter-terrorist financing regimes are characterised by a duality of purpose: excluding known criminals from the financial system, while also surveilling suspected criminals to generate intelligence. Sanctions regimes, by contrast, are geared towards exclusion and asset freezing.

This distinction matters far more than it might first appear. When we talk about “financial crime risk”, we are often talking about risks that exist for fundamentally different reasons, and that are tolerated (or not tolerated) for very different policy objectives. Yet most BWRAs flatten these differences into a single assessment logic, as if all regimes were trying to achieve the same outcome.

Holistic risk does not mean identical risk

There is an apparent tension here. In my earlier blog on holistic, behaviour-led risk, I argued strongly that financial crime risk cannot be understood in silos. Criminal behaviour does not respect regulatory taxonomies, and the same underlying weaknesses often give rise to multiple forms of misconduct. I still believe that is true.

But recognising interconnectivity does not require us to pretend that all financial crime domains are trying to achieve the same thing. In fact, doing so is precisely where many BWRAs start to lose credibility. Holistic does not mean homogeneous. A genuinely holistic BWRA should help organisations connect the dots across behaviours, processes and incentives, while still recognising that different regimes exist for different reasons and tolerate different kinds of risk.

Why risk appetite keeps failing (and why Hale was right)

This is where risk appetite comes back into the picture. Lee Hale’s critique was uncomfortable because it exposed a basic truth: organisations routinely declare positions they cannot operationalise. “Zero tolerance” is the most obvious example.

Zero tolerance for sanctions breaches is entirely reasonable. Zero tolerance for money laundering risk is conceptually incoherent. Zero tolerance for fraud is commercially implausible. The problem is not poor drafting or weak governance; it is that organisations are trying to express a single appetite for risks that exist for very different reasons, and that regulators themselves approach in very different ways.

Once you introduce the concept of purpose, this contradiction becomes obvious, and avoidable.

Different regimes, different reasons for caring about risk

If we step back, most financial crime regimes can be distinguished by what they are ultimately trying to achieve. AML tolerates uncertainty because it values intelligence. The system is expected to encounter criminality; the goal is to surface it, understand it and disrupt it. Suspicious activity is not evidence of failure if it is detected, escalated and reported effectively.

CTF sits somewhere between AML and sanctions. Exclusion is critical, but surveillance still matters, sometimes uncomfortably so, particularly where humanitarian or coercive dynamics are involved. Sanctions regimes, by contrast, are not about intelligence gathering at all. They are about categorical exclusion and enforcement of political or national security decisions. Once a designation exists, tolerance effectively disappears.

Fraud regimes (particularly as failure-to-prevent models emerge) are explicitly about harm reduction. Outcomes matter. Victims matter. Bribery and corruption frameworks focus on deterrence and behaviour shaping, reducing opportunity structures rather than monitoring flows. Failure-to-prevent tax evasion regimes are about accountability for organisational failure, with governance and “reasonable procedures” at their core.

These are not academic distinctions. They go to the heart of what “risk” actually means in each domain.

Purpose changes what “good” looks like

One of the quieter failures of many BWRAs is that they assess controls without first being clear about what those controls are meant to achieve. In AML, an effective control environment may still generate large volumes of suspicious activity. That is not a failure if it produces intelligence and supports disruption. In sanctions, the same outcome would be unacceptable.

In fraud, particularly under failure-to-prevent regimes, effectiveness is increasingly judged by whether harm was foreseeable and avoidable, not simply whether a policy existed. Purpose determines whether uncertainty is tolerated, whether ongoing exposure is acceptable, and whether detection is success or failure. When BWRAs ignore this, they tend to over-value form and under-value function: controls are mapped, scores are reduced, and everyone quietly hopes no one asks what any of it actually achieved.

Why a holistic BWRA still needs domain-specific purpose

This is where the concept of differential purpose helps reconcile the apparent tension between my earlier blogs. A holistic BWRA should connect behaviours, incentives and control weaknesses across domains. But it must also apply domain-specific lenses of purpose when interpreting risk, prioritising action and judging effectiveness.

One risk system can support many purposes. The alternative is what we see today: identical risk scores, identical remediation plans, and identical risk appetite statements applied to risks that regulators themselves approach in fundamentally different ways.

Why this matters now

Regulators are increasingly focused on outcomes rather than artefacts. Boards are increasingly sceptical of abstract scoring. Enforcement actions rarely criticise organisations for lacking a BWRA; they criticise them for having one that did not meaningfully inform decisions. Differential purpose offers a way to explain why not all “high risks” are equal, justify why some risks are managed while others are eliminated, and give substance to risk appetite beyond slogans.

It also creates space for more honest conversations about tolerance, trade-offs and effectiveness, conversations that many organisations currently avoid by retreating into generic language.

A final thought

If there is a common weakness in financial crime risk management, it is not the absence of frameworks. It is the failure to agree, explicitly, what each regime is actually trying to achieve. Purpose does not fragment the BWRA; it gives it meaning, and it may finally give risk appetite some clothes.

[1] Anton Moiseienko, Doing Business with Criminals (Cambridge University Press, 2025), especially his discussion of the differing purposes of AML/CTF and sanctions regimes.