In the domain of Integrated Financial Crime Risk Management, a control cannot be assessed solely by reference to its formal existence. A policy rule, system control, escalation requirement, four-eyes principle, transaction monitoring scenario, client acceptance check or periodic review only acquires meaning when it can be established that the measure contributes, in the actual operational reality of the organisation, to the management of the relevant Financial Crime risk. This requires a sharp distinction between administrative presence and substantive operation. Many organisations have extensive control frameworks, procedural manuals, risk-control matrices, system reports and audit trails, yet, under critical scrutiny, cannot always convincingly demonstrate that the control actually reduces the intended risk, that the control is applied consistently, that deviations are identified in a timely manner, that findings lead to follow-up, and that the evidence generated is sufficiently robust to withstand review by the board, the regulator, the external auditor, internal audit or an independent reviewer. Within Integrated Financial Crime Risk Management, the central question therefore shifts from “is there a control?” to “does this control operate demonstrably, proportionately, consistently and defensibly within the organisation’s specific risk context?”

That shift is fundamental. Financial Crime risks do not manifest themselves in abstract policy documents, but in client relationships, transaction flows, product structures, distribution channels, sanctions risks, unusual patterns, data quality issues, system interfaces, outsourced processes, operational pressure and human decision-making. A control that appears sound on paper may fail in that reality because data are incomplete, alerts are incorrectly prioritised, responsibilities are insufficiently clearly assigned, exceptions are not escalated in a timely manner, monitoring is configured too generically, or evidence is insufficiently traceable. Demonstrable operation therefore requires a discipline in which controls are tested for effectiveness, operational feasibility, evidentiary strength, proportionality, chain-wide operation and resilience under pressure. Integrated Financial Crime Risk Management does not require an accumulation of controls for its own sake, but a substantiated set of measures that visibly lowers the relevant risk, remains practicable for the business, and is legally, operationally and auditably defensible.

Assessing Controls for Effectiveness, Operational Feasibility and Evidentiary Strength

An effective control must do more than cover a formal obligation. It must demonstrably intervene in the risk for which it was designed. In Financial Crime risk management, this means that the control must have an identifiable relationship with the risk of money laundering, terrorist financing, sanctions breaches, corruption, fraud, tax integrity risks or other forms of financial and economic crime. That relationship must be concrete. A client due diligence control, for example, must contribute to reliable client identification, insight into ultimate beneficial owners, determination of the purpose and intended nature of the relationship, and recognition of elevated risk indicators. A transaction monitoring control must be capable of detecting, prioritising and bringing relevant deviations forward for assessment. A sanctions screening control must, on the basis of current, complete and properly calibrated data, result in timely detection and adequate follow-up. Without that substantive link between risk, control activity, outcome and follow-up, the control remains vulnerable to the criticism that it functions merely as a procedural exercise.

Operational feasibility is an independent assessment criterion. A control may be conceptually logical but still fail if it does not fit the operational reality in which it must be applied. This includes controls that require too many manual steps, depend on fragmented data sources, contain unclear decision criteria, are insufficiently embedded in workflows, or impose such an administrative burden that staff become inclined to perform routine tick-box actions. In Integrated Financial Crime Risk Management, operational feasibility should not be regarded as a concession to compliance, but as a condition for sustainable risk management. A control that is not understandable, applicable and proportionate for the relevant first line, second line and supporting functions will, in practice, be performed irregularly, interpreted differently or documented inadequately. This creates the risk that formal compliance is presented while the actual protective value remains limited.

Evidentiary strength marks the difference between internal conviction and external defensibility. When an organisation asserts that a control works, that assertion must be capable of being supported by consistent, reliable and traceable evidence. That evidence must show what was checked, when it was checked, by whom, on the basis of which data, with what outcome, which exceptions were identified, which escalations took place and what follow-up was performed. In Financial Crime files, such evidentiary strength is particularly important because regulators and auditors do not only look at the existence of policies, but also at the demonstrable operation of processes over time. A control that is performed but insufficiently documented remains vulnerable. A control for which documentation exists but does not provide insight into the substantive considerations is equally vulnerable. Effectiveness, operational feasibility and evidentiary strength must therefore be assessed simultaneously, because a control is only convincing when it addresses the risk, functions in practice and remains testable afterwards.

Looking Beyond Design Effectiveness to Operating Effectiveness

Design effectiveness concerns the question whether a control, as designed, is suitable to manage the intended risk. That question remains indispensable. A poorly designed control may be executed with great operational diligence, but it will not adequately mitigate the risk if the control frequency is incorrectly chosen, the scope is too limited, the risk criteria are insufficiently precise, the data sources used are incomplete, or the escalation thresholds do not align with the organisation’s risk appetite. Within Integrated Financial Crime Risk Management, design effectiveness must therefore be assessed by reference to the specific risk typologies, the nature of the client portfolio, the products and services, country exposure, distribution channels, transaction flows and the extent to which the organisation depends on systems, third parties or manual judgement. A control design that has been generically adopted from a policy, template or group standard without alignment to the actual risk context provides insufficient assurance.

Operating effectiveness goes further and asks whether the control works in practice as intended. This criterion examines actual execution. Is the control performed on time? Are all relevant populations covered? Are exceptions correctly identified? Are alerts assessed substantively or closed primarily on an administrative basis? Are escalations followed up within agreed timeframes? Are employees sufficiently trained to apply the control? Is the control also performed when volumes increase, deadlines approach, systems slow down or commercial pressure intensifies? These questions are often more revealing than the control design itself. A control may be perfectly designed but structurally undermined in operation by capacity constraints, unclear instructions, poor data, inadequate management information or a culture in which exceptions are accepted too readily.

The strength of a demonstrably working control lies in the coherence between design and execution. Design effectiveness without operating effectiveness creates theoretical control. Operating effectiveness without strong design creates well-executed but potentially irrelevant activity. Integrated Financial Crime Risk Management therefore requires an integrated assessment in which the control is traced from risk definition to design, from design to execution, from execution to evidence, and from evidence to improvement. It must also be established whether control outcomes are actually used for decision-making. Where findings from client reviews, transaction monitoring, sanctions screening, fraud detection or third-party due diligence do not lead to adjustments in risk scores, escalations, client measures, system settings or policy choices, the operational value remains limited. A control only works convincingly when design, execution, recording and follow-up demonstrably operate in continuity with one another.

Testing Whether Controls Actually Mitigate the Relevant Risk

Testing risk mitigation requires, first, a precise determination of the risk the control is intended to manage. In practice, that precision is often absent. Controls are then linked to broad risk categories such as “AML”, “sanctions”, “fraud” or “ABC”, without clarity as to which specific threat, vulnerability or risk driver is being addressed. This makes it difficult to assess whether the control actually has an effect. A periodic client review, for example, may be intended to update outdated client information, identify elevated risk factors, place unusual transactions in context or reassess the appropriateness of the client relationship. Each objective requires different criteria, different evidence and different outcomes. A control that is not connected to a clearly defined risk scenario is difficult to test convincingly.

Actual mitigation then requires insight into how the control operates in relation to the risk. This means that it must be established not only that a control activity took place, but also whether the control affects the risk profile. Did the control lead to the detection of relevant deviations? Were high-risk clients, transactions or third parties actually identified? Were false positives and false negatives analysed? Was it established whether the control operates too broadly, too narrowly, too late or too superficially? Is the control adjusted on the basis of typologies, incidents, regulatory findings, internal audit results or changing threat patterns? In Integrated Financial Crime Risk Management, the assessment of risk mitigation must therefore not stop at process compliance; it must show whether the control actually reduces the likelihood or impact of Financial Crime risks.

An important element of this is distinguishing activity from effect. High numbers of completed client reviews, closed alerts, completed screenings or finalised checklists may create the impression of intensive control, but they say little if it is unclear whether relevant risks were detected and followed up. A control can generate substantial output without meaningful risk reduction. Conversely, a sharply targeted control with limited administrative volume can make a substantial contribution to risk control when it addresses the critical risk points. The test must therefore focus on whether the control makes a demonstrable contribution to prevention, detection, escalation, decision-making or remediation. Only when that contribution can be substantiated does a credible basis arise for stating that the control actually mitigates the relevant risk.

Identifying Where Controls Are Formally Present but Substantively Deficient

One of the most persistent vulnerabilities in Financial Crime risk management is the presence of controls that formally exist but are substantively deficient. This situation often develops gradually. A control is introduced in response to regulation, an audit finding, an incident or a group standard, but is not subsequently maintained sufficiently. The organisation changes, products develop, client behaviour shifts, systems are adapted, data become dispersed across multiple sources and threat typologies evolve. The control, however, remains on paper and is included in reports as though it continues to be effective. This creates a dangerous form of apparent control. The control framework appears complete, while the actual protection against Financial Crime risks lags behind.

Substantive deficiencies can take different forms. A control may occur too late in the process, meaning that risks are only identified after the client relationship has already been entered into or transactions have already been executed. A control may depend on data that are incomplete, outdated or inconsistent. A control may only relate to the initial assessment, while relevant risks arise during the lifecycle of the client relationship. A control may be formally mandatory but, in practice, performed by employees without sufficient expertise or authority. A control may generate exceptions but fail to require robust follow-up. A control may also be framed so broadly that its application becomes dependent on individual interpretation, creating inconsistency between teams, countries, business lines or entities.

Identifying such deficiencies requires critical testing that goes beyond document review. Files, system logs, sample testing, management information, escalation history, decision-making notes, data lineage, incidents, exceptions, complaints, audit findings and regulatory communications must be examined. Only then does it become visible whether the control does in practice what it purports to do. Integrated Financial Crime Risk Management requires a willingness not to protect controls merely because they have historically formed part of the framework, but to assess them on current relevance and actual contribution. Where formal presence is not supported by substantive operation, the conclusion must be clear: the control requires redesign, strengthening, replacement or termination. A control that primarily produces administrative assurance can distract the organisation from the risks that truly require attention.

Assessing Control Operation Across Processes, Systems and Chains

Financial Crime risks rarely move within the boundaries of a single process, department or system. Client acceptance, client review, transaction monitoring, sanctions screening, fraud detection, product approval, payment processing, third-party management, tax integrity, legal review, compliance monitoring and audit assurance together form a chain of control. When controls are assessed separately, a distorted picture may arise. Each control may function reasonably well within its own process, while the overall system falls short due to handover problems, data quality issues, inconsistent use of risk scores, missing feedback loops or inadequate escalation between functions. Integrated Financial Crime Risk Management therefore requires assessment of control operation across processes, systems and chains.

That chain-based perspective reveals where risk information is lost or insufficiently used. An elevated client integrity risk identified during onboarding must, for example, feed into monitoring intensity, review frequency, alert prioritisation and management information. A sanctions hit that has been resolved may be relevant to the broader client assessment or group-level risk. A fraud pattern identified in payment activity may call for adjustments to client segmentation, product conditions or transaction monitoring scenarios. An audit finding on data quality may affect multiple controls that rely on the same source data. Where these connections are absent, controls remain isolated measures. They may function within their own domain, but they do not contribute sufficiently to the coherent management of Financial Crime risks.

Assessing chain-wide operation requires attention to system integration, data definitions, ownership, handover points, escalation criteria, decision rights and evidence across the full lifecycle of the risk. It must be established whether the organisation can reconstruct how a risk signal arose, which systems were involved, which employees or functions carried out an assessment, which decisions were made, which deviations were accepted and what follow-up took place. Where that reconstruction is not possible, traceability is lacking. Where signals are not shared between processes, coherence is lacking. Where controls depend on systems that use different definitions or data quality standards, structural vulnerability arises. Demonstrably working controls therefore require not only strong individual measures, but a chain in which risk information flows reliably, decisions are made consistently and the evidentiary record withstands scrutiny as a whole.

Attention to Proportionality Between Control Burden and Risk Reduction

Proportionality is an essential criterion when assessing controls within Integrated Financial Crime Risk Management, because control can never be separated from the operational, commercial and organisational context in which it must function. A control that, in theory, seeks maximum assurance may, in practice, create disproportionate burdens without any corresponding increase in additional risk reduction. That risk is particularly visible in Financial Crime risk management. In response to supervisory pressure, incidents, audit findings or changing regulation, organisations often develop a reflex to expand controls, increase review frequencies, add approval layers, intensify documentation requirements or further restrict exceptions. Although such measures may appear prudent at first sight, they can lead to a control environment in which capacity is consumed by activities with limited risk value, while material threats receive insufficient attention. Proportionality therefore requires a business-like, legally defensible and risk-based assessment: what control burden is justified in light of the nature, scale, likelihood and impact of the relevant Financial Crime risk?

That assessment requires more than a general reference to risk-based working. An organisation must be able to explain why a certain level of control intensity is appropriate for a specific client group, product line, jurisdiction, transaction flow, distribution model or third party. Enhanced due diligence for a complex international corporate structure with opaque ownership arrangements requires a different level of depth than a periodic review of a low-risk private client relationship. Sanctions screening of payment traffic with high country exposure requires different sensitivities than screening a static supplier database with limited geographic spread. A fraud detection control for real-time digital transactions must be configured differently from a periodic reconciliation based on data available only after the event. Proportionality therefore does not mean less control, but more targeted control. The question is not how much effort can be made visible, but which effort demonstrably contributes to better risk management.

At the same time, proportionality must also be assessed from the perspective of feasibility and behavioural effects. An excessive control burden can lead employees to perform controls mechanically, close alerts more quickly, standardise documentation without substantive analysis, avoid escalations or routinely accept exceptions in order to limit operational backlogs. As a result, a control intended to increase assurance may, in fact, contribute to reduced sharpness. Integrated Financial Crime Risk Management therefore requires periodic assessment of the relationship between control burden and risk reduction. This assessment should consider turnaround times, capacity, error rates, alert quality, escalation ratios, file quality, client impact, rework, exceptions, and findings from monitoring and assurance. A proportionate control is not the lightest control, but the control for which it can be demonstrated that its burden, depth, frequency and complexity stand in reasonable proportion to the risk being managed.

Embedding Measurability, Documentation and Traceability

Measurability is necessary to prevent control operation from remaining dependent on impressions, assumptions or general management statements. Within Integrated Financial Crime Risk Management, a control must be designed in such a way that performance, deviations, outcomes and trends can be established. This requires predefined criteria: which population falls within the scope of the control, which action must be performed, which quality requirements apply, which timeframes are relevant, which exceptions are permitted, which escalations must follow, and which outcomes indicate effective operation. Without measurable criteria, it remains difficult to determine whether a control is performed consistently and whether it contributes to management of the relevant risk. A control that is not measurable can, at most, be described; it cannot be convincingly assessed.

Documentation then becomes the carrier of that measurability. In Financial Crime risk management, documentation is not merely administrative recording, but an essential component of the control itself. The documentation must show which data were used, which analyses were performed, which red flags were assessed, which deviations were identified, which considerations underpinned a decision and which follow-up was carried out. In client integrity files, this means, for example, that the rationale for risk classification, UBO assessment, source-of-funds analysis, source-of-wealth assessment, sanctions hit handling or transaction clarification must be clearly recorded. In transaction monitoring, this means that alert closure cannot consist of generic standard phrases, but must provide sufficient insight into why a pattern is or is not unusual. In sanctions screening, this means that false positive handling must be traceable to concrete identification criteria and not to unverifiable assumptions.

Traceability connects measurability and documentation to external defensibility. An organisation must be able to reconstruct afterwards how a control operated, from the emergence of the risk or signal through to the final decision. That reconstruction must not depend on personal recollections, informal explanations or loose files outside the system of record. It must rest on reliable data, consistent recording, clear timestamps, accountable functions, approval trails and traceable decision-making. Traceability is especially important in supervisory investigations, internal audits, external reviews, incident analyses and board accountability. When it cannot be established what happened, who decided and why a particular decision was defensible, an evidentiary problem arises that undermines the substantive operation of the control. Measurability, documentation and traceability should therefore not be added to controls afterwards, but embedded in the control from the design stage.

Establishing Whether Controls Continue to Function Under Pressure or Disruption

A control that only works under ideal circumstances provides limited assurance. Financial Crime risk management is often tested at moments when processes come under pressure: rising alert volumes, sanctions list updates, system migrations, staff shortages, urgent payments, commercial deadlines, backlogs in client reviews, onboarding peaks, incidents, data quality issues, outsourcing disruptions or sudden regulatory changes. Under such circumstances, it becomes visible whether a control is structurally robust or proves dependent on incidental capacity, informal knowledge, manual corrections or exception management. Integrated Financial Crime Risk Management therefore requires that control operation is assessed not only in regular process conditions, but also in situations in which the organisation is confronted with disruption, urgency or heightened pressure.

This test is particularly important because Financial Crime risks often escalate during periods of change. New products, new markets, mergers, IT transformations, reorganisations, outsourcing, automation, client migrations or remediation programmes may weaken existing controls or temporarily render them ineffective. A sanctions screening control may, for example, become vulnerable when client data are migrated and data fields are not transferred correctly. A transaction monitoring control may become less effective when scenarios are not adjusted in time to new product characteristics. A client review process may build up backlogs when capacity is shifted to remediation projects. An escalation control may slow down when responsibilities change or governance becomes temporarily unclear. The question is therefore not only whether controls work in business-as-usual conditions, but also whether they can withstand changes that affect the risk position.

Establishing resilience under pressure requires scenario analysis, stress testing, incident review, backlog analysis, quality measurement and assessment of contingency arrangements. This should include consideration of signals such as increasing turnaround times, declining file quality, a growing number of exceptions, rising false positive ratios, untimely escalations, manual workarounds, system outages, capacity overrides and deviations from standard process steps. It must also be established whether compensating measures are available when primary controls temporarily weaken. An organisation that can demonstrate that critical Financial Crime controls continue to function under disruption has a significantly stronger position before the board, the regulator and the audit function than an organisation that can only demonstrate that controls were performed under normal circumstances. Control operation only becomes truly convincing when it does not collapse as soon as pressure arises.

Providing Insight Into Control Gaps, Compensating Measures and Priority Improvements

Demonstrably working controls do not assume that every risk has been fully eliminated or that every part of the framework functions without issue. A credible approach to Integrated Financial Crime Risk Management recognises that control gaps may exist and that not every deficiency has the same severity, urgency or governance significance. The point is that gaps are identified in a timely manner, analysed sharply, prioritised consistently and provided with appropriate follow-up. A control gap may arise from missing controls, inadequate design, deficient execution, weak evidence, data quality issues, system limitations, insufficient ownership, untimely escalation or poor alignment between processes. Without systematic insight into these gaps, there is a risk that the organisation mainly reports on what is present, while insufficient visibility exists as to what is substantively missing.

Compensating measures play an important role in this regard, but they must be assessed critically. In practice, temporary manual reviews, additional sampling, extra management approvals, enhanced monitoring, restrictions on client activities or temporary reporting are often used to absorb deficiencies in primary controls. Such measures may be necessary and defensible, provided it is clear which specific risk they temporarily mitigate, what scope they have, who is responsible, what end date or evaluation point applies, and what the structural solution looks like. A compensating measure must not grow into permanent dependency without formal assessment. When temporary workarounds remain in place for an extended period, a new vulnerability often emerges: the organisation relies on measures that were not designed for sustainable control, are insufficiently scalable and remain difficult to test.

Priority improvement then requires ordering based on risk, impact and feasibility. Not every control gap warrants immediate large-scale remediation, but material gaps in critical processes require clear governance attention. This requires consideration of the nature of the Financial Crime risk, the organisation’s exposure, the quality of existing compensating measures, the degree of legal or supervisory urgency, the potential client impact, the dependency on technology or data, and the speed with which improvement can realistically be implemented. Proper prioritisation prevents improvement programmes from becoming bogged down in extensive action lists without clear risk logic. Integrated Financial Crime Risk Management requires transparency: which gaps exist, which risks they create, which temporary control has been put in place, which structural improvement is needed and which decision-making is required to enforce progress.

Demonstrable Operation as a Core Criterion of Integrated Financial Crime Risk Management Control

Demonstrable operation is the decisive criterion through which Financial Crime controls acquire their meaning. An organisation may establish policies, publish procedures, implement systems, assign roles and produce reports, but without demonstrable operation the question remains unanswered whether the relevant risk is actually being managed. Within Integrated Financial Crime Risk Management, demonstrable operation must therefore be regarded as a core criterion for the quality of control. It concerns the ability to show, with concrete, reliable and traceable information, that controls are appropriately designed, consistently performed, address relevant risks, identify exceptions in a timely manner, require escalations, support decision-making and lead to improvement when deficiencies are identified.

This approach also has governance significance. Boards, senior management, risk committees and control functions do not need mere confirmation that controls exist; they need insight into the extent to which the control environment actually provides protection against material Financial Crime risks. This requires reporting that goes beyond numbers of activities performed or percentages of timely handling. Management information must provide insight into control quality, risk trends, deviations, root causes, recurring findings, compensating measures, open improvements and the extent to which controls contribute to risk reduction. Only then can decision-making take place on the basis of substantive control information rather than process indicators that suggest assurance but have limited meaning.

Demonstrable operation ultimately brings discipline to the entire system of Integrated Financial Crime Risk Management. It forces sharper risk definition, better control designs, realistic execution models, stronger data governance, better documentation, clearer ownership, more targeted assurance and more effective prioritisation of improvements. It makes visible which controls genuinely contribute to risk control and which primarily produce administrative complexity. It helps prevent organisations from being assessed on the size of their control framework rather than on the credibility of their risk management. In a domain in which regulators, auditors and societal stakeholders increasingly demand evidence of effective operation, Integrated Financial Crime Risk Management cannot rely on presence, intention or effort alone. The standard is whether controls demonstrably function, stand in proportion to the risk and withstand scrutiny when their operation is critically questioned.
