Core Features
Fully configurable financial crime risk assessment platform designed for larger enterprises that want to tailor their own risk and control models, digitise their approach and conduct data driven risk assessments across their organisation.
RISK ASSESSMENT PLATFORM
Putting you in control
Within RAP, there are three roles: Super Admin (managed by Arctic), Company Admin (has Super Admin features, for your company) and General Users (which can be varied by role-based access controls). In this section, we’ll focus on the role of the Company Admin in terms of the “App Setup” functions, as well as the role of General Users in the end-to-end workflow.
PLATFORM CONFIGURATION
Company Admin Users
Typically, platform configuration is undertaken by second-line risk and compliance teams who take responsibility for setting up the methodology, inherent risk questionnaires and who support the rollout by assisting first-line business teams. In this section, we talk through the main steps and activities that can be completed and in another section, we’ll cover the “Settings”, such as User Access Controls and other options that can be configured.
RAP has been designed to be risk domain ‘agnostic’, meaning our clients can create any risk domain and start building risk and control libraries linked to the domain.
Arctic has built risk and control libraries for a range of financial crime and non-financial crime topics, which contain hundreds of risk factors and hundreds of controls, which can be completely modified and can be used as a starting point for your risk assessments.
Unlike most GRC Platforms that are built using one hard-wired methodology, RAP’s methodology is completely configurable so you can apply levels, definitions and colours to inherent risks, control effectiveness and residual risks. Users can configure the heatmaps to suit your organisation's risk management framework. We’ve developed a few methodology examples, which can be used out of the box or easily configured to your needs.
Many organisations refer to these as Inherent Risk Questionnaires (IRQs); we refer to them as Risk Models, which contain Inherent Risk Indicators (questions) that are organised into a flexible hierarchy including Risk Groups, Risk Categories, Risk Factors and Risk Indicators. These can be built natively in the platform or they can be imported from a spreadsheet. Arctic has helped many large financial institutions to deconstruct Excel-based risk assessments, align them to RAP’s data model and reimport them.
Risk Models have a number of features including applying weighting to all levels of the risk model, applying rationale behind configuration decisions, applying advanced calculation techniques such as weighted average, additive, dynamic weight indicators and skip rule logic, as well as creating and calibrating Answer Sets against each Risk Indicator.
We’ve developed our own country risk methodology based on a large variety of data sources which can be used to provide context to the assessment, but if you have your own methodology or are already subscribing to a third-party source you can incorporate this instead.
In a future release, we’re planning on integrating Country Risk Ratings and detailed Country Risk Reports directly into the platform, so watch this space!
Every Risk Indicator has an Answer Set, comprising either Qualitative or Quantitative responses (or a combination of both across a risk model). Users can define the type of Answer Set (Option List for Qualitative and Number Input for Quantitative responses). Users can also align the actual responses to the Inherent Risk Rating, as defined in the Methodology. Number Inputs (Quantitative) can be defined as numbers or percentages, and thresholds can be configured too. For example, a risk indicator might be “How many Foreign PEPs have been onboarded in the last 12 months?” and the Answer Set thresholds might be set to the following: between 1 and 3% = Low, 3.01% and 5% = Medium, and >5.01% = High.
Quantitative Answer Sets are really helpful for achieving a data-driven approach as a stepping stone towards full automation using our Data Sets Add On.
Data Sets is a premium Add On module and is covered in this section, which more fully explains who it suits, why we built it, who it is targeting and how we’re planning to evolve this.
Our controls function is highly configurable in a number of ways. First, users can create a Screen Form with any Control Properties (often mirroring their GRC system). Second, in Company Settings users can configure the properties that are (or are not) displayed and the display order on the Control Library page. Once the desired Control Library page layout has been configured (or the global default is simply used), users can ‘download’ the file format, prepare a corresponding import file and then import the controls directly into the platform. In a future release we plan to integrate with the world’s most widely used GRC platforms to allow data to flow asynchronously based on a suite of API integrations.
Once the controls data has been imported (or manually entered) into the Control Library, the user can start an assessment and include the Controls Assessment as part of the end-to-end assessment. In this step, one of two Control Effectiveness testing methods can be used.
The first is what we call the Control Metric approach, meaning that up to four control metrics can be defined in the methodology (Arctic’s default uses just two - control design and control performance) and in this approach the Assignee assesses this based on their overall judgement (which is subject to review through the workflow).
The second approach is what we call the Control Questions approach, meaning companies can define the control tests and suggested evidence they plan to test for each control (or use the thousands of control tests in our risk domain content) and depending on how each control test is assessed, this will automatically calculate the Control Effectiveness Rating based on a weighted average, which is more quantitative than qualitative.
During the assessment, controls can be mapped against risks (and vice versa) and there is a counter displaying how many controls have been mapped. It is also possible to “sync” controls, which is helpful where an organisation has common controls (such as governance, training or record keeping, for example) and only wants to assess them once and keep the responses in sync.
During the assessment, it is also possible to upload evidence, such as control test results, stakeholders consulted and other relevant information and a Control Effectiveness Rating is produced at the Risk Factor Level, and then aggregated up automatically to Risk Category (if selected), Risk Group and Assessment Unit (Enterprise Level).
We’ve designed this to be highly configurable and suitable and it is well worth booking in a demo to see the various levels of complexity, simplified.
Traditionally, when conducting financial crime risk assessments manually, storing documentary evidence that provides context and/or supports the key findings, observations, issues and / or remediation plans. The Supporting Documents Template can be configured to allow any documents to be uploaded, so that these serve as an artefact in the review and can be accessed at any future point in time.
CONDUCTING RISK AND CONTROLS ASSESSMENTS
General Users
Once the application setup is completed, the assessment and assessment unit structure is set up in the platform and ready to be completed. The table below summarises the main end-to-end business process:
Getting started on a new assessment is easy: simply click New Assessment, select the Risk Domain and Methodology, name the Assessment and decide whether to start from a pre-completed Assessment (i.e., copying over from a previous year and, if so, deciding the properties to copy over) or start from New, which will not copy any data over.
As well as copying data over, users can select the Global default Country Risk Model (or their own one, if defined), select the Context Screen (which can also be defined if the user has access to the Screen Forms Add On) and define the dates. Once these details have been provided (and you can always change some of this later), you’re ready to create your first set of Assessment Units.
First, click on the New Assessment Unit button and complete the following details: the name of the assessment unit, a description and whether to start from new or from a previously conducted one, and then select the risk model that the assessment will be based upon. Next, decide if a supporting document is required (if not selected at this point, this stage in the process will remain hidden) and outline whether, during control assessment, both the control design and operational performance are to be assessed. Finally, select the Screen Forms (if this Add On is activated), such as Context, Risk Analysis or Controls Assessment (otherwise the default will be applied) and the Owner(s) associated with the Assessment Unit and hit the Create Button, which will be enabled as soon as all the required fields have been completed.
The purpose of the context screen is to document the nature, size and complexity of the assessment unit (and assessment) as far as possible, as it provides important context, such as the type of business the organisation is running, the types of customers the organisation deals with, the types of products and services offered by the organisation and the channels through which customers access these products and services, as well as the types of transactions and geographic exposures.
Having done so, a clear understanding will be provided to any stakeholders that are reviewing the risk assessment.
Based on the template that was created (or, if none was created, the default template that appears), upload relevant documents and request that other users do the same.
One major limitation of risk assessments being done manually on spreadsheets is the amount of documents being emailed back and forth. The platform addresses this by allowing risks and controls to be assigned to different system users, setting up to 3 levels of approver and tracking the status as risks or controls are picked up, assessed, reviewed, awaiting approval and approved.
The workflow is fully drillable and very helpful in managing multiple assessments and keeping track of the risks and controls that require attention - users can even be notified via email to remind them to take action.
Risk Analysis is where inherent risk assessments are performed. There are two main screens. The first is the Inherent Risk Summary, which provides an overview of the inherent risks at the risk factor, risk category and risk group level based on the selected Risk Model. The second is the Inherent Risk Questionnaire, which contains the individual risk indicators that sit beneath each risk factor or risk category (depending on the hierarchical levels in the Risk Model).
In the Inherent Risk Questionnaire there are two techniques for assessing Inherent Risk. The first is Manual, meaning the user assesses the likelihood and impact manually, which calculates the Inherent Risk Rating (IRR). The second is less judgemental and is an Automatic method, meaning the IRR is automatically derived based on the risk indicator’s weight and the response (which in turn is linked via an Answer Set for each risk indicator, itself in turn linked to the methodology).
Once the IRR has been calculated, the user can map controls (many-to-many) against each risk factor and on a weighted average basis the overall controls effectiveness rating is calculated and the Residual Risk Rating (RRR) is automatically calculated by systematically referencing the Risk Methodology.
Any comments or attachments that are added to this page will appear in the Report. Any actions (such as actions, findings, issues or incidents) can be created and linked to the risk factor, which are summarised in the Task dashboard.
Often a common challenge with manual risk assessments is explaining the calculation logic behind the risk model and in the Risk Assessment Platform this is easy to do by simply clicking the calculator icon, which provides a full breakdown of exactly how the risk model rules engine is calculating risks and controls to derive the risk rating.
Once the risk assessment has been completed it can be submitted (with or without comments) and this will progress the risk factor through to the next stage in the workflow.
Controls Assessment is where the user performs control design and operational effectiveness testing. Similarly to the Risk Analysis screen, there is a Controls Summary tab which displays controls by control category (which can be modified in the App Setup). In this screen users can flag key controls and apply control weightings at the control category and/or individual control level, with the control effectiveness rating being displayed.
The second screen is the Controls Questionnaire, which is for performing controls testing and there are two different approaches that can be used. The first approach we call a Control Metric based approach where the user can define up to 4 control metrics (in App Setup), with two being the default, Control Design and Operational Performance, where the user rates each of these and the system automatically determines the control effectiveness rating (as defined in the App Setup stage). The second approach we call Control Questions based, where the user has defined a series of individual control tests for each control and the assessment is applied at each control test level (i.e., passed, failed or whatever other logic has been defined) and over a series of control test ratings the system automatically calculates the Control Effectiveness rating on a weighted average basis.
After the control testing has been completed there are areas to add control test comments, upload supporting evidence (i.e., sample files tested) and document the stakeholders consulted in the assessment. The workflow works in an identical way to Risk Analysis.
On the Reports tab, there is both an onscreen dashboard and an exportable report.
The Assessment Unit Report contains only information that relates to the Assessment Unit and represents an aggregation of risk indicators to risk factors, risk factors to risk categories, risk categories to risk groups and risk groups to the Assessment Unit level (and there is a further aggregation to the Assessment, or Enterprise level).
The Assessment Unit Report summarises the overall IRR, CER and RRR, and permissioned users may override these whilst being required to add explanatory comments. The on-screen dashboard is fully drillable and contains these sections:
- Inherent Risk Rating by Group
- Controls Effectiveness Rating by Control Category
- Residual Risk Rating - plotting each Risk Factor by RRR and displaying based on the methodology
The charts are fully interactive and users can drill into the detail by clicking on any chart segment to be taken to the underlying data representing that part of the chart, allowing users to zoom in, zoom out on the data.
The text boxes allow users to provide context behind the assessment and this comes with an optional Add On we call Automations, which contains speech to text, text to speech, a GenAI co-pilot and a translation service to over 130 languages, including translating the entire report and nested charts using Microsoft Azure’s services.
The Report can be generated automatically as an exported Word Report containing all of the data completed on the Assessment Unit. There is a Report Configuration option allowing the user to select which sections appear in (or are hidden from) the Word Report.
On the Reports tab at the Assessment (Enterprise) level, there is an aggregation of all Assessment Units allowing users to instantly see the inherent risks, control effectiveness and residual risks comparatively between all Assessment Units providing clarity into those Assessment Units with higher inherent risks, weaker control effectiveness and higher residual risk ratings.
These are also drillable so users can drill into any Assessment Unit and underlying data by clicking on any chart segment. Further, users can create Custom Report Groups, which essentially allow the data to be “sliced and diced” depending on which Assessment Units are included or excluded from different groups.
The Report can be generated automatically as an exported Word Report containing all of the data completed across all Assessment Units. There is a Report Configuration option allowing the user to select which sections appear in (or are hidden from) the Word Report and an option to sort the display order.
Other notable features include:
- Full audit trail - which documents every action taken by every user, with date and time stamps and a summary of what things were changed, to what and from what
- Exportable files - provided on all aspects of the Assessment and Assessment Unit in an Excel file ready to analyse (or sign up to our Analytics Add On)
- Branding - apply your organisation’s colours, logo and branding styling
- Email templates - customise your own email templates and messaging to your users
- Notifications - configure how you get notified of actions needing your attention
- User access controls - define roles and fine-grain permissions over functionality.