Risk assessment reframed: from risk factor, to risk actor
In our previous blog, we explored the importance of defining relevant terminology, showing how ambiguity in core concepts like “risk” or “risk factor” undermines both regulatory expectations and institutional practice. That exercise was not simply about semantics; it revealed how a lack of shared language drives confusion and, ultimately, ineffectiveness.
As we have developed our alternative methodology for the business-wide risk assessment, those same challenges have become even clearer. By making the risk event the unit of measure, we are forced to look more closely at the external threat actor: the individual, entity, or regime performing the act. The terminology matters because the actor matters: a risk event cannot be understood, let alone mitigated, without an appreciation of who is behind it.
This blog is therefore a logical extension of the previous one: moving from definitions to application, from words to actors. And it asks a sharper question: if the regulators expect the risk-based approach to apply equally across money laundering, terrorist financing, proliferation financing, and sanctions non-compliance, then how do we reconcile that ambition with the reality that each domain involves very different external actors with very different behaviours?
The Problem with a “Universal” Threat Actor
The current orthodoxy tends to collapse all financial crime into a single archetype: “the criminal.” The same generic phrases recur: “bad actors,” “illicit actors,” “sophisticated networks.” But the reality is that these archetypes mask very different behaviours, motivations, and methods.
The organised criminal laundering drug proceeds through cash-intensive businesses.
An individual supporter sending small-value transfers to conflict zones.
The state-linked front company procuring dual-use goods through complex trade finance.
The sanctioned oligarch using nominee directors and shell companies to hide yacht ownership.
Each of these is a fundamentally different problem. If we treat them as the same, the controls we design will be blunt at best, and misdirected at worst.
Money Laundering: The Archetypal Domain
Money laundering is the domain most financial institutions are familiar with, and therefore the one whose assumptions often dominate. Here, the external threat actors tend to be profit-motivated criminals (drug traffickers, fraudsters, human traffickers) whose overriding need is to transform illicit proceeds into apparently legitimate assets.
This creates certain familiar risk events:
A criminal uses a cash-intensive business to deposit large sums of unexplained revenue.
A professional money laundering network layers funds through multiple jurisdictions.
A corrupt official channels bribes through property purchases.
The relevant controls (customer due diligence, transaction monitoring, source of funds checks) are therefore well understood. But note how specific these actors are. It is the nature of the criminal enterprise that contextualises the risk, and therefore dictates which controls are meaningful. A system designed to spot unusual cash deposits may be highly effective for drug trafficking, but almost useless for detecting terrorist financing.
Terrorist Financing: Small Flows, Large Consequences
Terrorist financing often operates in the opposite way: modest sums, but with potentially devastating consequences. Here the external actors are terrorist organisations, facilitators, or supporters. Their behaviour diverges sharply from profit-motivated criminals. They may use legitimate income (salaries, donations) rather than illicit proceeds. They may exploit informal value transfer systems, charities, or community fundraising.
Risk events look different:
A supporter makes multiple small remittances via money transfer services to a high-risk jurisdiction.
A charity front channels donations to a designated group.
A legitimate business is co-opted to provide logistical support (vehicles, accommodation).
The relevant controls also differ: enhanced scrutiny of NPOs, monitoring for unusual remittance patterns, or applying sector-specific risk indicators. If we continue to apply AML-style thinking (expecting large transactions, complex layering, and high-value assets) we will miss the point entirely.
Proliferation Financing: State-Linked, Supply Chain Driven
Proliferation financing introduces another set of actors altogether: state actors, state-linked companies, and designated proliferators. Their aim is not to disguise illicit wealth but to acquire sensitive goods, technologies, or financing to advance weapons of mass destruction programmes. They are often patient, well-resourced, and operate through sophisticated trade structures.
Illustrative risk events include:
A front company procures dual-use goods on behalf of a sanctioned end-user.
A shipping agent alters bills of lading to disguise the true destination of a cargo.
A financial intermediary facilitates letters of credit linked to controlled goods.
The controls here are less about transaction size and more about trade finance due diligence, export controls, and end-use verification. The skills and data required to detect PF risk are different from AML or TF. If we assume the same “criminal” archetype applies, institutions will build the wrong controls, or simply outsource the problem to compliance tick-boxes they do not understand.
Financial Sanctions Non-Compliance and Circumvention
Sanctions risk is both broader and more subtle. Here the external actors may include designated individuals or entities, but also facilitators and enablers who help them to evade restrictions. Circumvention can be opportunistic or systematic, ranging from simple asset concealment to complex corporate restructuring.
Typical risk events:
A sanctioned oligarch transfers ownership of a yacht to a family member via a shell company.
A professional service provider creates opaque structures to disguise beneficial ownership.
A trade intermediary reroutes goods through a third country to avoid export restrictions.
The relevant controls (sanctions screening, ownership transparency, beneficial ownership registers) must therefore be tuned to these specific behaviours. Screening alone is rarely sufficient; detecting circumvention requires understanding patterns of evasion and the facilitators who enable them. Again, a one-size-fits-all threat actor model will not do.
Why Differentiation Matters: Mapping Controls
Why labour these distinctions? Because the controls we deploy only make sense if they map to the relevant threat actor. If we do not differentiate, two bad outcomes follow:
Controls are misaligned. Firms spend resources monitoring for patterns irrelevant to the actual threat, while genuine risks go undetected.
Compliance theatre flourishes. Risk assessments become paperwork exercises, demonstrating process but offering little insight into actual vulnerabilities.
Consider a practical example. A firm might proudly state that it conducts enhanced due diligence on all high-value transactions. This sounds sensible in an AML frame, but is almost meaningless for terrorist financing (where high-value transactions are rare) or proliferation financing (where the red flag is often the type of good, not the transaction amount).
Differentiation allows us to ask the right question: Which controls mitigate which external threat actor’s behaviour? That is the essence of an effective RBA.
The Challenge for Methodology
This is not easy work. It requires institutions to expand their conceptual vocabulary beyond the familiar AML lens. It requires guidance bodies to articulate external actors more clearly. And it requires technology providers to move beyond generic risk factors to models that are genuinely actor-driven.
The good news is that it can be done. By anchoring risk events to external threat actors, and then mapping those events to specific controls, we can build an assessment framework that works across domains. But it is not straightforward. If we want meaningful insight rather than another compliance artefact, we must resist the temptation to collapse all threats into the same category.
Towards an Actor-Centric Risk Assessment
The risk-based approach was never meant to be a checklist. It was meant to be a dynamic tool for prioritising scarce resources against the most material threats. To achieve that, we must treat “the threat” as more than a placeholder. We must define it, precisely, contextually, and differently for each domain.
Money laundering: profit-motivated criminals seeking to legitimise illicit proceeds.
Terrorist financing: terrorist organisations, facilitators, and supporters sustaining violence.
Proliferation financing: state actors and proliferators exploiting supply chains and trade.
Sanctions evasion: designated persons and their facilitators seeking to circumvent restrictions.
That is why our methodology begins with the risk event. The risk event forces us to define the external actor, the act they perform, and the process they seek to exploit. Only then can we map the relevant controls and test whether they are effective.
If we can build risk assessments on that foundation, then control mapping becomes purposeful, resource allocation becomes defensible, and compliance becomes more than theatre.
The regulators are right: the risk-based approach can be applied across these domains. But only if we acknowledge that the actors differ. To pretend otherwise is not simplification. It is self-deception.
This blog is another step in deepening the core concepts of our methodology. The next challenge is to show how these ideas can be brought together into a coherent framework, one that moves from theory to practice, and from isolated blogs to a more complete articulation of what an effective risk-based approach should look like.
If the industry continues to treat all financial crime as if it were perpetrated by the same archetype, we will keep building the wrong controls. The question is whether we are ready to acknowledge the differences and design accordingly. How are you thinking about external threat actors in your own risk assessment?