Risk matrix 101

Get started with using risk scoring matrices.
Florent Robert

A risk scoring matrix is one of the tools that help risk professionals sleep better at night. It is used across various industries: security, climate change, fraud, compliance … and anti-money laundering teams. Here, we will focus on building and implementing a very simple risk matrix in the context of a B2B fintech that assesses the money-laundering risk of incoming business customers. We will also share a basic template.

Why use a risk assessment matrix?

When onboarding new customers, financial institutions need to:

  • Collect customer information (we have written about this and shared a template here),

  • Perform the KYC procedure,

  • Assess risk, and

  • Decide whether or not to do business with this new customer.

The KYC procedure is a sequence of tasks to assess the identity of a business. For example, risk teams usually check that the company exists, is currently active and operational, etc. KYC procedures also require verifying the individuals’ IDs, performing sanction/PEP/adverse media screening checks, and conducting fraud prevention checks.

Once this is done, risk teams usually have extensive data about a new business. That is when the risk scoring matrix comes into play.

A risk scoring matrix is a simple way to summarise this information into one risk score: a number that is high when the business looks risky to deal with and low when it doesn’t. A risk assessment matrix is a tool to get a consistent, unbiased bird’s-eye view of customers.

To simplify even further, financial services companies usually map this score to a risk label using a scale. An example of a scale would be:

  • from 0 to 7, risk label is Low

  • from 7 to 15, risk label is Medium

  • from 15 and above, risk label is High

Once the risk score and the risk label have been computed, low- and medium-risk customer files are ready for decisioning, while risk teams continue to perform additional diligence on high-risk customers. A “High” risk label doesn’t necessarily mean a company should not work with this business. A specific set of processes and controls can be set expressly for such customers.

Risk matrices work and are broadly used across B2B financial services companies. Increasingly, regulators are requiring businesses to build and maintain them.

How is it built?

A simple risk matrix applicable to B2B fintechs can be built using the following logic:

First, a set of straightforward rules is defined that can assess the various risks of a new business.

The rows of the risk matrix are made of rules. Each rule is associated with a weight. A rule assesses a risk factor with a set of conditions. When these conditions evaluate to true, the total risk score is increased by an amount equal to the weight associated with the rule.

Second, a risk score is generated for each new business by applying all the rules and summing up the weights of the triggered rules. (Here, note how the last two rules will be cumulative if the new business is less than 1 year old.) Also, note that, in our example, the maximum score is technically unlimited because a company can have as many directors as it pleases. But if a company had two directors triggering the PEP rule and all the other rules were activated, that would be a score of 16 points.

The recommended label scale for this risk matrix would be:

  • 0: Low

  • 1 to 3: Medium

  • 4 or more: High

Third, iterate by adjusting the weight of each rule and the label scale's range to improve efficiency.

This template is a simple one to start building your matrix. And your risk management muscle 💪
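The three steps above as a small scoring engine, added here as an illustration and not taken from the template: the rule names, weights, the 3-year threshold and the placeholder country codes are constructed assumptions, so the scores do not reproduce the 16-point figure. The label scale is the recommended one above.

```python
from dataclasses import dataclass
from typing import Callable

# Placeholder codes (assumption); a real list would come from your own policy.
HIGH_RISK_COUNTRIES = {"XX", "YY"}

@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    # Number of times the rule fires: 0 or 1 for company-level rules,
    # one hit per matching person for per-director rules.
    hits: Callable[[dict], int]

# Constructed rules and weights (assumptions). The two age rules overlap on
# purpose, so a business under 1 year old triggers both, as the article notes.
RULES = [
    Rule("high_risk_country", 3, lambda b: int(b["country"] in HIGH_RISK_COUNTRIES)),
    Rule("director_is_pep", 2, lambda b: sum(bool(d["pep"]) for d in b["directors"])),
    Rule("younger_than_3_years", 1, lambda b: int(b["age_years"] < 3)),
    Rule("younger_than_1_year", 1, lambda b: int(b["age_years"] < 1)),
]

def label(score: int) -> str:
    """Recommended scale from the article: 0 Low, 1 to 3 Medium, 4 or more High."""
    if score == 0:
        return "Low"
    return "Medium" if score <= 3 else "High"

def assess(business: dict):
    """Return (score, label, triggered rules). A missing field raises KeyError
    instead of silently scoring as zero risk."""
    triggered = []
    for rule in RULES:
        n = rule.hits(business)
        if n:
            triggered.append((rule.name, n, n * rule.weight))
    score = sum(points for _, _, points in triggered)
    return score, label(score), triggered

if __name__ == "__main__":
    # Constructed sample: young company, placeholder country, two PEP directors.
    sample = {"country": "XX", "age_years": 0.5,
              "directors": [{"pep": True}, {"pep": True}, {"pep": False}]}
    score, risk, why = assess(sample)
    print(score, risk)
    for name, n, points in why:
        print(f"  {name}: {n} hit(s), +{points}")
```

Keeping the list of triggered rules alongside the score gives reviewers the reason behind each label, which makes adjusting weights in the third step easier to justify.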

Muscling up

Building a risk matrix is about determining your rules and having a consistent framework to assess risk across all incoming businesses.

The more rules you add, the more granular your total score becomes. The complexity of a risk matrix often depends on a fintech’s activity. For example, institutions that process payments usually have the most complex risk matrices. Having more than a dozen rules is common in these industries. In contrast, activities that are low-risk from an AML perspective, like certain types of insurance products, might use fewer rules in their scoring matrices.

It is important to note that the risk scoring matrix is usually reviewed and updated regularly to reflect changes in the market and the business environment. It is an ever-evolving tool.

Also, risk management is like a muscle. So, even if you are early in your journey, you can begin with a simple risk matrix right away, even with three rules sitting in a tool as simple as a Google Sheet. The tools you are using and the risk matrix you have initially designed will grow with your activity, and it will feel more natural than implementing a risk matrix from scratch after you have added a thousand clients.