Ticking Boxes vs Managing Risks
A few weeks back, I had a call with the board of an impact fund trying to wrap their heads around “financial crime.” They’d been managing anti-money laundering (AML) risks for a while. Their regulator was obsessed with “the origin of funds.” This fund is backed by development finance and large sustainability-minded institutional investors. Ticking boxes to confirm that a Nordic government’s funds are okay seems like a good use of everyone’s time. Oddly, the regulator was much less concerned with the fund’s investments—where all the risk actually lies. The fund invests in emerging market scale-ups in renewables, education, and microfinance.
Wearily, the COO asked me if my work (around anti-corruption, fraud prevention, and associated areas) would require the same box-ticking BS. “No,” I thought—and then said. But I needed to back up that assertion.
What came out of my mouth next shaped my thinking: “Some elements of compliance will be tedious. Most of that work usually fixates on elements within your control. It’s the bits you can’t easily control where the risk lies.”
When organisations get massive, they start resembling huge municipal buildings—badges for everyone and signs plastered everywhere, telling you what (not) to do on every inch of wall not already covered by toxic beige wallpaper (thanks, Danielle, for that lovely phrase). This fund, however, is not mega. They know exactly where their funding comes from. It’s not from El Chapo or Putin. They don’t collect heaps of personal data, and their “vendors” are mainly office supplies and professional advisors. So, the usual money laundering, sanctions, anti-trust, data privacy, and third-party sustainability concerns could be checked off quickly and efficiently. We explored ways to do just that.
On the other hand, anti-corruption and fraud risks in emerging markets and impact investment are substantial. Fraud and corruption—especially among third parties (the investments, in this case)—are more about what people do to or for you. So we focused our efforts on reducing risk in those two areas. We approached this in three stages: deal screening, onboarding, and monitoring.
Nothing groundbreaking here, yet I continue to be amazed at how many organisations’ risk frameworks fail to distinguish between what I’ve previously described as shark and mosquito risks. Fraud is always a mosquito. Sanctions are a shark. We obsess over sharks even though most staff never swim in those waters. Meanwhile, we gloss over mosquito risks, even when we’re living in the tropics. You get the picture.
How do you balance regulatory performance with actual risk management?