Risk management reframed
When most people in financial services hear the phrase risk-based approach, their minds jump straight to risk assessment. They picture heat maps, scoring methodologies, or spreadsheets. But risk assessment is not the same thing as the risk-based approach. It is just one step within a broader risk management process.
The first step in any credible risk management cycle, whether you look to ISO 31000, the threat intelligence lifecycle, or standard enterprise risk management frameworks, is to define the objectives. What exactly are we trying to achieve when we talk about being “risk-based”?
Too often in AML and financial crime compliance, those objectives are left implicit or reduced to a compliance shorthand. We assume our job is simply to “prevent money laundering” or to “comply with regulations.” In reality, the objectives of a risk-based approach are wider and more nuanced. And unless we articulate them clearly, our risk assessments, however sophisticated, will be incomplete.
The missing objective
In most institutions, AML risk management is structured around two implicit objectives:
Prevention: stop criminals from accessing products and services in the first place.
Detection: identify suspicious behaviour if and when it does occur.
These are essential, but incomplete.
A new handbook jointly published by FATF, the Egmont Group, INTERPOL and UNODC highlights a third, often overlooked, objective: enabling intelligence.
The handbook makes clear that the regulated sector is not just responsible for preventing misuse of its own services. It also plays a vital role in the global intelligence cycle, ensuring that investigators, FIUs, and prosecutors have the information they need to detect, investigate, and ultimately prosecute financial crime.
This means regulated institutions are not just compliance actors. They are intelligence nodes in the international AML/CFT system.
Why intelligence is an objective in its own right
Think about what investigators actually rely on to build cases. It isn’t abstract “risk scores” or model outputs. It is:
CDD and KYC records
Beneficial ownership information
Suspicious transaction reports (STRs)
Transaction data
Digital identifiers (IP addresses, wallet IDs, device IDs) increasingly held by VASPs, fintechs, and digital service providers
If this information is missing, incomplete, or irretrievable, investigations stall. A weak control environment around record capture or retention is not just a compliance issue. It undermines the effectiveness of the global AML system itself.
That is why intelligence should be considered a primary objective of any risk-based approach, alongside prevention and detection.
The two dimensions of the intelligence role
Once we accept intelligence as an objective, we can see more clearly the dual role of regulated institutions:
1. Producers of intelligence
Capturing and maintaining high-quality data.
Filing structured, targeted STRs that can be actioned by FIUs.
Retaining records so they can be retrieved quickly when needed, even years later.
Contributing to industry-wide intelligence databases and utilities (such as CIFAS in the UK, or shared KYC/fraud platforms internationally), which pool information across firms to create a richer picture of threats.
2. Consumers of intelligence
Receiving and operationalising alerts, typologies, and red flags from FIUs, regulators, and public–private partnerships.
Assessing and applying industry-wide intelligence sources (such as shared databases and typology reports) to strengthen their own monitoring and investigative capabilities.
Integrating those insights into monitoring systems, customer risk scoring, and investigations.
Most risk assessments approach intelligence only indirectly, by focusing on the production side (“Do we collect and report?”) as if that were sufficient. Far fewer recognise that being an intelligence partner also requires the ability to consume, interpret, and apply insights received from others. Without that dual perspective, institutions are not truly pursuing the intelligence objective, and their risk assessments remain incomplete. Both roles (producer and consumer) must be explicit if a firm is to be a trusted partner in the intelligence chain.
Implications for risk assessments
So, what does this mean in practice for business-wide risk assessments? If the objectives of prevention, detection, and intelligence are explicit, then the assessment needs to ask tougher questions about control design and effectiveness:
Capture: Are onboarding and monitoring systems structured to ensure complete, accurate data collection, not just meeting the minimum regulatory checklist?
Maintenance: Are CDD files and transaction records preserved in ways that maintain integrity and support long-term accessibility, including for cross-border requests?
Retrieval: Can investigators (internal or external) access information quickly and in a usable format when an inquiry arises?
Consumption: Are external intelligence products (from national risk assessments to FIU advisories) systematically embedded into monitoring and scenario design?
These questions shift the business-wide risk assessment (BWRA) from a narrow compliance tick-box exercise to a genuine effectiveness test.
From paperwork to intelligence assets
Reframing the objectives also changes how institutions should view their AML data. These are not static records filed away to satisfy auditors. They are intelligence assets.
Investment in data governance, record management, and retrieval systems is not just a cost of compliance. It is a form of risk mitigation, strengthening both the institution’s own resilience and the effectiveness of the broader system.
Seen this way, strengthening AML information management becomes a strategic priority, not just a back-office chore.
The regulatory trajectory
This intelligence objective is not speculative. It aligns with where regulators and international bodies are already heading.
FATF and its partners emphasise the importance of informal, rapid information exchange to complement formal mutual legal assistance.
Enforcement cases in the UK and EU increasingly criticise firms not only for failing to detect suspicious activity, but also for being unable to provide complete or usable data when requested.
Public–private partnerships are expanding precisely because authorities recognise the need for two-way intelligence flows.
In short, regulators are already judging firms on whether they are reliable intelligence partners. That trajectory will only accelerate.
Conclusion: rethinking the risk-based approach
The industry has made a mistake in equating the risk-based approach with the act of risk assessment. A genuine risk-based approach starts with objectives.
Prevention: keeping criminals out.
Detection: identifying misuse when it occurs.
Intelligence: ensuring the institution’s data can be transformed into actionable insight for the wider AML ecosystem.
Unless all three are embedded into the way we design and assess controls, our business-wide risk assessments will remain incomplete.
The question for every institution is therefore not just: “Have we done our risk assessment?” It is: “Have we defined the right objectives, and are our controls delivering on them?”
Only by embracing the intelligence objective can regulated firms position themselves not merely as compliant, but as trusted partners in the global fight against financial crime.