Annex C: Package of NRA Tools (World Bank, International Monetary Fund, Council of Europe)

A combination of threat and vulnerability at the national and sectoral levels. Threat for ML is a function of proceeds of crime, including those generated by predicate offences and international criminal flows. Analyses predicate offences, typologies, materiality of sectors and other factors. 

Inherent and residual risk concepts do not exist in the World Bank’s Generic NRA Tool. Instead, it has “inherent vulnerability” and “final vulnerability” concepts. The “final vulnerability” is a weighted average of inherent vulnerability and deficiencies in AML controls. Therefore, the AML controls impact the risk level as a part of vulnerability, and the final “risk” levels generated by the tool are “residual risk”. As an extension of NRA tool, recently the World Bank has developed a risk monitoring framework for the supervisory authorities. This tool generates both inherent and residual risk level of reporting entities in a sector.

The tool does not include likelihood as a standalone element in risk assessment. However, likelihood is integrated in the design of the vulnerability modules. Likelihood is the basis of Bayesian Networks. The vulnerability modules of the World Bank tool use “cause and effect " and a logical sequence of events like in Bayesian Networks, but they use weights and conditionality instead of probabilities.

Included as part of threat and vulnerability assessment rather than as a separate assessment. The methodology assumes that higher threats and vulnerabilities will also lead to higher consequences. In the tool there is an optional template for the assessment of consequences.

Vulnerability ratings are calculated by the tool based on assessment inputs, as well as the built-in model assumptions, weights, and pre-conditions. Weight and preconditions can be changed by the user countries based on a justification. Threat ratings are determined by expert opinion, which should be supported by qualitative and quantitative information. Pre-defined indicators are provided. In the threat assessment countries can add or change indicators, while this is not possible in vulnerability modules. Threat rating and vulnerability rating are combined in a matrix to give the country's overall risk rating. A second matrix is generated to illustrate the sectoral risks.

Self-assessment tools - country coordinates the stakeholders, collects and analyses the information and data, conducts the assessment, fills in the excel templates and documents justifications and evidence for their views. The country is expected to collect the data on ML cases and typologies, proceeds of crime, capacity and effectiveness of government agencies, activities and compliance of reporting entities.

Provides the tool and excels for completion by country. Provides training, guidance, and review of materials. Risk assessment is done and owned by the country. Countries can have references to the World Bank tool but cannot use the name or logo of the World Bank on their assessment reports or any other documents. Also, these documents should include a disclaimer that explains the limited role of the World Bank team in the assessment. The tool is publicly available, and countries can use the tool without WB technical assistance.

Matrices of overall ML risk in a jurisdiction based on threat and vulnerability, and heatmap of sectoral risks. Country drafts the NRA. The World Bank also provides a risk-based action plan template and guidance on it. The action plan should be completed by the countries.

• World Bank Financial Integrity Unit Website
• Generic National Money Laundering Risk Assessment Tool (2015), Guidance and Training Video
• Terrorist Financing Risk Assessment Tool (2022), Guidance, and Training Video (same link as above)
• VA Risk Assessment Tool (2022), Guidance, and Training Video (same link as above)
• Legal Persons Risk Assessment Tool (2022), Guidance, and Training Video (same link as above)
• NPO Risk Assessment Tool (2022), Guidance, and Training Video (same link as above)
• Environmental Crime Proceeds Risk Assessment Tool (2022), Guidance, and Training Video (same link as above)
• Illicit Financial Flows Data Collection Tool (feeding into ML threat assessment), (not public, but available upon request)
• Lessons Learned from the First Generation of Money Laundering and Terrorist Financing Risk Assessments (English)
• National Assessments of Money Laundering Risks: Learning from Eight Advanced Countries’ NRAs
• A draft framework for money laundering/terrorist financing risk assessment of a remittance corridor (WB-IMF Joint Report)
• Financial Inclusion Product Risk Assessment Tool and Guidance (2015 - available upon request)
• Risk Assessment Tool for Proceeds of Tax Crimes (2024 –available upon request) 
• New version of VA Risk Assessment Tool (available upon request) 
• Proliferation Financing (PF) Risk Assessment Tool (available upon request)
• TBML Risk Assessment Tool (currently being developed jointly with UNODC

Likelihood of ML events occurring successfully multiplied by the consequences of those events.

Methodology measures residual risk ("net risk") - risk remaining after taking into account preventative/mitigating measures and how they reduce risk. The absence of poor controls cannot increase inherent risk, good controls can only reduce it.

 Derived from risk analysis modules containing factors, sub-factors, and their indicators. Uses quantitative (data and objective) and qualitative (subjective and perceptions based) indicators from public and private sources. Each module is scored on a 7-point scale, with higher scores equating to higher likelihood that substantial ML abuse will occur successfully.

Short- and long-term impact of ML abuse successfully occurring. Derived primarily from perceptions of officials, using a structured approach to make informed judgments. Short-term = minimising successful ML over 12-month period, used to analyse sector risk. Long-term = effect of likely level of successful ML on various social/economic/political objectives.

Semi-qualitative focusing on key risk events associated with ML which make a difference to risk profiles. Authorities can add risk events to this.

Requires countries to establish an NRA coordinating mechanism and determine the objectives of the NRA exercise. Surveys on data availability and domestic and transnational ML threat. Fill in Web-based tools providing statistics, and perceptions on the threats, vulnerabilities and consequences in the country. The national authorities are responsible for drafting the NRA.

The IMF provides all data collection tools, the raw analysis, data and a template for the written report. Conduct research into country's proceeds of crime environment and threat indicators. Run capacity-building workshops with authorities. Collect publicly available information on vulnerabilities and threats to generate preliminary risk level rating, collect publicly available information on consequences. Provides a technical assistance report to the country that describes the risk assessment process used and formally conveys the results of the analysis conducted. 

Domestic proceeds of crime table. Summary risk matrix. Heat maps for risk events (generic and identified by authorities). Summary tables for sectors and entities. NRA document itself.

A combination of the probability and scope of the consequences - in alignment with ISO Standard – Risk Management Vocabulary. In the ML/TF context, risk is defined as the effect of criminal ML/TF capabilities on financial, economic and social objectives.

Inherent risk refers to the ML/TF initial risk that exists before any control is applied to address or reduce the impact of that risk. Residual risk refers to the level of ML/TF risk that still exists after taking account of both the controls applied to mitigate them and vulnerabilities that may aggravate or maintain the level of risk present. Residual risk refers to the level of risk based upon which country must then determine, based on its risk appetite, the risk treatment it will apply to address those which it determines to exceed its risk appetite.

The CoE NRA and Sectoral Risk Assessment (SRA) methodologies are supported by tools which assist in aggregating initial data to assess inherent risks, support the selection of appropriate scores for likelihood and consequence and evaluate controls and vulnerabilities, to determine final residual risk ratings. The tools are designed to provide both visual and quantitative findings, allowing users to drill down into specific threats and risk areas, as needed. The tool allows users to adjust their own scoring, providing transparency and the ability of customising the rating process, where needed.

Country “owns” the assessment process, leading the establishment of national coordination groups, the identification and collection of data and information and soliciting the active participation of stakeholders from the public and private sector during the assessment process. 

ML/TF NRA Report with interactive matrix and heat map showing preliminary and final assessment results; summary tables to support concise recording of findings (“risk events”) from each risk area assessed. Risk mitigation and monitoring tool (basis for the Action Plan) template is integral part of the Methodology.