Van Leeuwen Law Firm

Sharpening existing controls without unnecessary rebuilding of the system

A control framework does not need to be rebuilt from the ground up each time in order to be meaningfully strengthened. In practice, a significant part of the improvement potential lies in existing controls that are relevant in themselves, but insufficiently precise in their formulation, inconsistently performed, inadequately linked to risk indicators or incapable of producing sufficient evidence of their actual operation. A pragmatic approach therefore begins with the question of which parts of the existing system are already usable and can gain additional protective value through targeted refinement. This may involve clarifying control objectives, defining ownership more sharply, improving file documentation, making escalation criteria more concrete, aligning monitoring more closely with risk profiles, or resolving inconsistencies between policy and execution. In all such cases, the organisation does not opt for a costly and burdensome rebuild, but for strengthening existing foundations that are already familiar to the organisation and can therefore be applied more quickly, more consistently and with less resistance.

Unnecessary rebuilding carries significant risks. When an organisation too quickly decides to replace an entire framework, a period of transitional uncertainty often arises in which old and new ways of working coexist, responsibilities temporarily become unclear and employees must navigate changing instructions, systems and reporting lines. In the field of Financial Crime control, that uncertainty can have material consequences. Customer due diligence reviews may be delayed, alerts may be interpreted inconsistently, escalations may occur too late and management information may temporarily become less comparable. A full redesign may be necessary where the existing system is structurally unsound, but that is often not the case. Frequently, the framework functions at its core, but no longer aligns on specific points with changed risks, supervisory expectations or operational circumstances. In those situations, the most defensible route lies in targeted adjustment of existing controls, so that continuity is preserved and improvement is achieved without unnecessarily destabilising the organisation.

Targeted refinement nevertheless requires a high degree of precision. It is not enough merely to reword existing controls or expand them procedurally. The analysis must establish where the control falls short: in design, execution, frequency, evidence, data quality, system support, ownership, reporting or follow-up. A customer due diligence control may, for example, be substantively appropriate, but insufficiently effective because exceptions are not consistently recorded. A transaction monitoring control may technically exist, but provide too little value because scenarios are not recalibrated in time on the basis of typologies, customer behaviour or product risk. A sanctions screening process may be procedurally correct, but insufficiently robust because decision-making on potential matches is not documented uniformly. In such cases, the solution is not necessarily a new framework, but a sharper configuration of the existing control. Within Integrated Financial Crime Risk Management, that distinction is essential: improvement must align with the specific weakness in the system and must not lead to generic rebuilding where specific refinement is sufficient.

Identifying which controls require strengthening and which primarily require simplification

An effective control framework does not become stronger by giving every control the same level of attention. The value of pragmatic strengthening lies in differentiation. Some controls are critical because they relate directly to high-risk customers, sanctions risk, unusual transactions, correspondent relationships, complex ownership structures, geographic exposure or products with heightened integrity sensitivity. Other controls mainly have an administrative or supporting function. When all these controls are treated in the same way, the result is a system that produces a great deal of activity but insufficiently distinguishes between material and less material risks. It is therefore necessary first to determine which controls genuinely require strengthening. That requires an analysis of risk exposure, control performance, findings from audit and compliance monitoring, incident history, operational bottlenecks, data dependencies and the extent to which the control demonstrably contributes to risk reduction.

At the same time, it must be explicitly determined which controls can be simplified. In many organisations, controls exist that were once added in response to an incident, a temporary supervisory expectation, a specific project or a historic interpretation of regulation, but whose current added value is limited. Such controls often remain in place because abolition appears more sensitive from a governance perspective than addition. The result is an accumulation of controls that are no longer clearly connected to current risks. Simplification can then have a strengthening effect. Removing duplicate controls, combining overlapping checks, eliminating low-value documentation requirements or adjusting review frequencies can free up capacity for the controls that materially matter. Within Integrated Financial Crime Risk Management, simplification is therefore not a reduction of control, but a way to refocus the organisation’s attention on the risks with the greatest governance, legal and operational relevance.

This assessment requires a review framework that goes beyond the question of whether a control exists. Relevant questions include whether the control addresses a clear risk, whether it is positioned at the right point in the process, whether it is performed by the right function, whether the outcome is sufficiently evidentiary, whether deviations are actually followed up and whether the cost of execution is proportionate to the protective value. A control that requires significant capacity but rarely produces relevant findings deserves critical reconsideration. A control that is less visible but performs a crucial gatekeeping function may, by contrast, require strengthening. The outcome of this analysis is a differentiated improvement agenda: intensify where risk and effectiveness justify it, simplify where complexity adds little value, and maintain where the existing set-up functions appropriately. This results in a control framework that is driven less by historical accumulation and more by current materiality.

Focusing on targeted improvements with visible impact on risk reduction

Targeted improvements have value only when they visibly contribute to risk reduction. This means that every adjustment to the control framework must be capable of being linked to a concrete protective objective. In the Financial Crime context, that protective objective may relate to faster recognition of unusual patterns, improvement of the quality of customer acceptance, limitation of exposure to sanctions risk, strengthening of escalations in complex files, improvement of data quality for monitoring, or increased consistency in decision-making. Without that link, there is a risk that improvement measures are mainly procedural or optical. They create more activity, but provide insufficient evidence that the organisation is better able to prevent, detect, mitigate and account for Financial Crime risks.

Visible impact requires measurability, but not measurability in the abstract. The objective is not to produce as many indicators, dashboards or reports as possible, but to identify signals that say something meaningful about the operation of the improvement measure. Where an alert handling process is sharpened, for example, attention may be given to turnaround times, quality of reasoning, consistency of escalations, the ratio between false positives and relevant findings, and timely follow-up of high-risk cases. Where customer due diligence is improved, indicators may relate to completeness of UBO information, quality of risk classification, timely periodic reviews, substantiation of deviations and the extent to which enhanced due diligence actually leads to better-informed decision-making. The strength of pragmatic improvement lies in this direct connection between measure and visible effect. An improvement is not assessed by the amount of work it creates, but by the extent to which it demonstrably contributes to better control.

It is also important that risk reduction is not approached exclusively in quantitative terms. In Financial Crime control, many relevant effects are qualitative in nature: better judgement, sharper escalations, more consistent application of policy, better-substantiated decisions and stronger evidence for supervisory or audit purposes. A targeted improvement may therefore consist of sharpening decision-making criteria, improving the quality of case narratives, clarifying when senior management must be involved, or recalibrating the relationship between risk appetite and operational acceptance decisions. Such improvements may be less visible as simple numbers, but can carry considerable substantive weight. Integrated Financial Crime Risk Management therefore requires a balanced approach in which both measurable performance and qualitative decision-making are taken into account. Only then does a picture of risk reduction emerge that goes beyond procedural output and provides real insight into the protective value of the framework.

Avoiding additional complexity that delivers little additional protection

Additional complexity is one of the most underestimated risks within Financial Crime control. Complexity arises not only from extensive regulation, but also from internal responses to it: multiple layers of policy, overlapping procedures, divergent local practices, additional approval matrices, exception processes, escalation paths, manual controls and reporting formats that do not always align. Each addition may appear rational in isolation, but collectively the result is a framework that is difficult to understand, difficult to execute and difficult to test. Operational reality then becomes heavier without a proportionate increase in protective value. In such a system, attention shifts from risk assessment to process navigation. Employees spend more time following steps than understanding the risks those steps are intended to manage.

Avoiding complexity requires every proposed measure to be tested against proportionality. That test must not be limited to legal defensibility, but must also cover operational feasibility, impact on client processes, burden on the first line, dependence on systems, quality of available data, required expertise and maintenance burden. An additional approval layer, for example, may have only limited added value where the underlying risk assessment does not improve. An extensive form may offer little protection where the information entered is not used for decision-making or monitoring. A new report may be counterproductive where existing reports already contain the same signals, but are insufficiently discussed or followed up. Pragmatic strengthening therefore requires the question to be asked each time whether the additional complexity actually leads to better detection, better prevention, better decision-making or stronger evidence. Where the answer is negative, the measure should be reconsidered.

Reducing unnecessary complexity can also improve the quality of control. A simpler framework is not by definition lighter; it may be sharper, more consistent and more testable. Where controls are clearly positioned, responsibilities are assigned unambiguously, criteria are formulated intelligibly and evidentiary requirements correspond to the actual risks, there is less room for interpretive differences and less likelihood of execution gaps. Supervisors and auditors also benefit from a framework that shows why certain choices have been made and how they contribute to risk management. Within Integrated Financial Crime Risk Management, complexity reduction is therefore not cosmetic simplification, but substantive strengthening of the system. The organisation becomes better able to identify core risks, respond to them proportionately and account persuasively for the choices made.

Improving coherence between policy, processes, systems and monitoring

A control framework loses effectiveness when policy, processes, systems and monitoring do not align. Policy documents may be strict and complete, while operational processes provide insufficient room to implement the requirements. Systems may contain data fields that do not correspond to policy-based risk categories. Monitoring may report on indicators that have no clear connection with the key risks. Escalations may be formally described, but in practice not supported by workflow, ownership or management information. In such circumstances, fragmentation arises. The organisation has multiple components of control, but those components do not sufficiently reinforce one another. Pragmatic strengthening therefore focuses not only on individual controls, but on the connection between the layers of which the framework consists.

That coherence begins with the translation of policy into executable processes. Policy standards must be sufficiently concrete to enable operational application, without descending into mechanical instructions that exclude professional judgement. Processes must then be designed in such a way that they support policy standards at the moment when the risk arises. A customer acceptance policy, for example, has limited value if the necessary information is collected only late in the process or if commercial pressure effectively pushes the risk assessment into the background. A sanctions policy requires not only screening, but also clear procedures for potential matches, decision-making, freezing obligations, escalation and file documentation. A transaction monitoring policy requires not only scenarios, but also clear feedback loops between alert handling, typologies, customer knowledge and periodic model recalibration. Coherence arises when policy does not remain suspended above the process, but works through into the concrete design of activities, systems and decisions.

Monitoring is the connecting layer between design and actual operation. It must show whether the framework does what it is intended to do. That requires reports that do not merely show numbers, but give meaning to trends, deviations, bottlenecks and residual risks. Monitoring must feed back into policy where standards are insufficiently clear, into processes where execution stalls, into systems where data falls short, and into governance where decision-making or escalation does not function properly. Without that feedback, monitoring becomes a stand-alone control activity; with that feedback, it becomes a mechanism for targeted strengthening. Within Integrated Financial Crime Risk Management, this coherence is essential because Financial Crime risks do not respect organisational boundaries. They move through customer relationships, products, transactions, third parties, data environments and decision-making structures. A strong framework must therefore be able to follow that same movement and connect the different components of control into a consistent, testable and executable whole.

Strengthening control frameworks based on priority and materiality

A control framework within Integrated Financial Crime Risk Management can function sustainably and effectively only when strengthening is guided by priority and materiality. Not every deficiency carries the same weight, not every process bears the same risk, and not every control deserves the same level of governance attention. In practice, however, improvement agendas often emerge in which findings, incidents, audit points, regulatory actions, management preferences and operational bottlenecks are placed side by side without sufficient differentiation according to risk impact. The consequence is that organisations spend considerable energy on a broad range of improvement actions, while the most material vulnerabilities are not always addressed first or with the greatest depth. Such an approach may create the impression of movement, but it does not necessarily lead to better control. Prioritisation is therefore not a project-management luxury, but a condition for effective steering. It determines where capacity, management attention, change budget and control intensity are most needed.

Materiality requires that strengthening be connected to the nature, scale and severity of the Financial Crime risk that the control is intended to manage. A deficiency in a low-risk process with limited client impact and limited exposure calls for a different response than a deficiency in sanctions screening, transaction monitoring, correspondent banking, high-risk customer due diligence or escalation of unusual transactions. Nor is the frequency of a deficiency always decisive. An infrequent error can be material where it relates to a high-risk domain or may lead to serious legal, supervisory or reputational harm. Conversely, a frequently occurring deviation may be less critical where it is administrative in nature and has limited influence on actual risk management. A mature assessment of materiality therefore considers likelihood, impact, detectability, remediability, supervisory sensitivity, client impact, data dependency and the extent to which a deficiency undermines confidence in the broader framework.

A priority-driven approach also requires that the improvement agenda not be determined by the loudest source of pressure, but by an integrated risk view. Supervisory findings, audit observations and incidents naturally carry weight, but they must be placed alongside internal monitoring, operational performance, management information, external threat trends and the organisation’s strategic choices. This creates a sharper distinction between measures that must be taken immediately, measures that can be addressed in a planned manner, and measures that may be useful but do not deserve immediate priority. Within Integrated Financial Crime Risk Management, that ordering is essential, because Financial Crime control often competes with other change initiatives within the same organisation. Without prioritisation, fragmentation arises; with prioritisation, governance grip is created. The control framework is then not strengthened by attempting to improve everything at once, but by addressing the most material vulnerabilities first and with sufficient depth.

Using existing governance and reporting lines wherever possible

Pragmatic strengthening means using existing governance and reporting lines wherever possible before adding new structures. In many organisations, deficiencies in Financial Crime control trigger a tendency to establish new committees, consultation forums, escalation bodies, dashboards or reporting lines. Sometimes this is necessary, particularly where existing structures lack sufficient mandate or fail to make material risks visible in time. Often, however, a parallel system emerges that reduces rather than increases governance clarity. Multiple forums discuss similar topics, reports overlap, decision-making shifts between bodies and ownership becomes less clear. The result is that governance becomes more formal, but not necessarily stronger. A pragmatic approach therefore starts from the question which existing lines are already available, which of those can be sharpened, and where decision-making most naturally belongs.

Using existing governance requires that the function of each line be clearly established. The first line owns operational execution and risk management within processes. The second line has a standard-setting, advisory and challenge role. The third line independently assesses whether the system is adequately designed and operating effectively. Management committees, risk committees, executive boards and audit committees each have their own position in decision-making, oversight and accountability. When Financial Crime information moves through these existing structures, it must be aligned with the purpose of the relevant body. An operational meeting requires different information from a governance-level risk committee. An audit committee needs insight into structural deficiencies, assurance outcomes and management response. An executive board needs decision information on risk acceptance, prioritisation, investment and strategic consequences. Reporting becomes stronger when it does not tell the same story everywhere, but gives the same underlying facts the right meaning for each line.

Existing reporting lines can also be strengthened through sharper content rather than additional volume. A Financial Crime dashboard that contains many numbers but little interpretation does not automatically lead to better decision-making. Management reporting must provide insight into trends, causes, residual risks, escalations, backlogs, data quality, control performance and the progress of material improvement measures. It must be clear which information is for awareness, which information requires action and which decisions must be taken at governance level. Within Integrated Financial Crime Risk Management, value arises when reporting does not merely look backwards, but also enables steering. Existing governance then does not need to be replaced; it becomes more effective because Financial Crime information moves through the organisation in a sharper, more consistent and more decision-oriented manner. This prevents governance inflation while strengthening governance control over material risks.

Embedding improvement measures that remain executable for the first line

A control framework can be persuasive from a policy perspective and still fail where the first line cannot execute it consistently. The first line is where client interaction, commercial reality, operational pressure, system limitations and risk assessment converge. Improvement measures that do not sufficiently take that reality into account create a gap between design and execution. Employees are then confronted with additional steps, new forms, additional documentation requirements, stricter review moments or more complex escalation criteria without it being clear how those obligations fit within available time, systems and expertise. This creates the risk that controls are performed mechanically, that file documentation is repaired after the fact, that exceptions are resolved informally or that risk signals are lost in procedural pressure. Executability is therefore not a secondary precondition, but a core criterion for effective strengthening.

Embedding executable improvement measures requires thorough knowledge of processes. A measure must be placed at the moment when information is available, decision-making takes place and risk can actually be influenced. A control placed too early in the process may be performed without sufficient information. A control placed too late may mainly lead to remediation work, delay or escalation after the risk has already been accepted. The degree of manual work is also relevant. Where an improvement depends on manual checks, free-text fields or individual interpretation, it must be established whether the first line has sufficient capacity, training and guidance to execute that control consistently. Wherever possible, systems, workflow design, standard decision rules, risk classifications and clear prompts should support execution. This reduces differences in interpretation and increases the likelihood that the control not only formally exists, but is also applied in the intended manner.

Executability does not mean, however, that the first line is spared at the expense of risk management. It means that the measure is designed in such a way that it can function effectively within the operational context. A strict control can be executable when it is clear, well supported, applied proportionately and focused on material risks. A light control can be unexecutable when it is unclear, ambiguous or poorly embedded. Within Integrated Financial Crime Risk Management, the point is therefore the combination of normative sharpness and practical applicability. The first line must understand why the measure exists, which risk it manages, what decision space exists, when escalation is required and what evidence must be recorded. Where those elements are absent, compliance arises without conviction. Where they are present, the first line is not merely an executor of controls, but a carrier of effective Financial Crime risk management.

Maintaining attention to timing, capacity and change pressure at the client

The quality of an improvement measure is partly determined by the moment at which it is introduced and the extent to which the organisation can absorb it. Financial Crime organisations often operate in an environment in which multiple change initiatives are running simultaneously: regulatory change, system migrations, data quality programmes, remediation trajectories, model recalibrations, policy updates, training programmes, audit remediation and operational backlogs. When additional control enhancements are placed on top of these without careful phasing, the total change pressure can become too great. The result is not more control, but fatigue, priority conflict and execution risk. Teams face new instructions before previous measures have stabilised. Management information becomes less reliable because processes remain in motion. Training loses effect because practice has already changed before new behaviour has become embedded. Timing is therefore a substantive factor in the effectiveness of the framework.

Capacity must be understood broadly in this context. It is not only about the number of available employees, but also about expertise, management attention, system capacity, data support, change management, training, quality assurance and decision-making space. An organisation may have enough people and still lack sufficient capacity to implement an improvement properly where expertise is missing or key individuals are overloaded. A measure may also be substantively desirable, but depend on system changes that will become available only later. In that case, a temporary manual solution may be necessary, but only where the risk of that interim solution is explicitly recognised and managed. Pragmatic strengthening therefore requires a realistic implementation analysis: what can be done immediately, what requires preparation, which dependencies exist, which temporary measures are defensible, and which risks arise during the transition phase.

Change pressure also has a behavioural dimension. When employees are continually confronted with new controls, new definitions, new reports and new escalation rules, the likelihood increases that change is experienced as an administrative burden rather than as an improvement in risk management. That affects the quality of execution. An effective improvement agenda must therefore provide sufficient rhythm, sequence and stability. Not every measure needs to be introduced at the same time. Some improvements require immediate action because of material risk, others can be bundled with existing change programmes, and others can wait until systems or processes are better prepared. Within Integrated Financial Crime Risk Management, this phasing is of great importance. A framework does not become stronger because all improvements are launched at once, but because the organisation is enabled to understand, implement, embed and demonstrably operate changes.

Pragmatic strengthening as the most sustainable route to Integrated Financial Crime Risk Management

Pragmatic strengthening provides a sustainable route to Integrated Financial Crime Risk Management because it does not treat the control framework as a collection of separate obligations, but as a coherent system that must function under real conditions. Financial Crime risks are dynamic, complex and often intertwined with client behaviour, international structures, digital transactions, sanctions regimes, fraud typologies and changing supervisory expectations. A control framework that is primarily expanded in response to pressure will, over time, become increasingly heavy and less agile. A framework that is strengthened pragmatically, by contrast, remains focused on the question which controls genuinely add value, which risks deserve priority, where simplification is needed and how policy, processes, systems, monitoring and governance can reinforce each other. That approach makes it possible to connect rigour and executability.

Sustainability in this context means that the framework not only meets today’s requirements, but is also resilient to change. New regulation, new typologies, new products, new markets and new supervisory signals will continuously give rise to recalibration. Where the system is too complex, too heavy or too dependent on manual repairs, every change becomes costly and disruptive. A pragmatically strengthened framework, by contrast, has clear priorities, clear ownership, usable monitoring, proportionate controls and governance that supports decision-making. As a result, the organisation can determine more quickly which changes are needed and which are not. The framework becomes less dependent on ad hoc projects and more suitable for continuous improvement. That is of great importance within Integrated Financial Crime Risk Management, where control must not only be reactive, but also forward-looking, risk-based and explainable at governance level.

The most sustainable form of strengthening arises when pragmatism, materiality and demonstrability reinforce one another. Pragmatism ensures that measures remain executable. Materiality ensures that attention is directed toward the risks with the greatest significance. Demonstrability ensures that the organisation can show why choices have been made and how controls operate. Together, these elements form a powerful counterweight to both under-control and over-control. Under-control arises when risks are insufficiently addressed. Over-control arises when an organisation adds so many procedural burdens that visibility of material risks becomes blurred. Integrated Financial Crime Risk Management requires a balance between the two. Pragmatic strengthening provides that balance because it makes the control framework sharper, more consistent and more defensible, without making it unnecessarily heavy. This creates an approach that not only satisfies formal requirements, but also provides protection against Financial Crime risks in day-to-day practice.