In international business, a growth strategy today inevitably runs up against compliance: company registration in the EU and Asia, financial licenses, KYC/AML, sanctions compliance, cross-border operations. All of this becomes a single task of managing compliance risks at the group level, not at the level of individual legal entities.
Over ten years of COREDO’s work with holdings from Europe, Asia and the CIS, I have become convinced: until a group has a clear map of compliance risks and an established compliance risk mapping process, any new jurisdiction, license or bank adds not business opportunities, but points of vulnerability.
This article covers how to approach compliance risk mapping for international holdings in practice: what to consider a risk, how to build the map, how to align it with the board of directors’ risk appetite and with licensing, and which solutions have worked in COREDO projects.
Compliance-risk map of the holding company

If you have:
- companies in several countries of the EU, Asia and the CIS;
- licenses (or plans) for payments, forex, crypto, EMI, investment services;
- a multi-level ownership structure, with trusts, SPVs, a separate holdco;
then your key resource is not only the corporate structure, but the transparency and manageability of compliance risks. Without them, the typical consequences are:
- bank de‑risking and denial of service: banks see an «unclear» structure, weak KYC/AML, unpreparedness for a sanctions audit;
- blocking & freezing of assets due to sanctions violations or errors in handling PEP/high‑risk jurisdictions;
- reputational damage and a higher cost of capital: investors and partners begin to factor a high cost of non‑compliance into valuations;
- prolonged regulator investigations in the EU and Asia, licensing restrictions, additional capital and reporting.
When the COREDO team enters a holding at the scaling stage, most problems come down to one thing: the compliance system cannot keep up with geography and product. There is no centralized risk register, no risk owners, compliance is perceived as a set of documents rather than as an enterprise risk management tool for international groups.
Compliance risk in an international context

Compliance objectives in a global holding are not only “avoiding fines”. They include:
- maintaining access to banking infrastructure and payment providers;
- protection against sanctions and AML incidents;
- compliance with licenses (payment, EMI, crypto, MiFID-like, local regimes in Asia);
- an acceptable level of reputational risk for investors and partners.
Achieving these objectives at group level requires:
- a unified risk taxonomy for compliance;
- a formalized process for identifying, assessing, treating and monitoring compliance risks;
- a documented risk assessment report and a risk register.
When at COREDO we conduct a compliance risk assessment in a transnational group, we divide risks into:
- regulatory (regulatory compliance in the EU and Asia, licenses, reporting);
- sanctions and AML risks for holdings;
- operational (KYC/AML processes, onboarding, monitoring, IT GRC);
- legal (contracts, beneficial ownership transparency, CRS/FATCA, ESG compliance);
- reputational (incidents, investigations, media environment, customer complaints).
Compliance-risk map: methodology

The methodology for building a compliance-risk map relies on a detailed understanding of how the business is structured and where exactly vulnerabilities arise in its processes. Based on the business map, we step by step move to forming a structured compliance-risk map that shows which violations can occur, at which points, and with what probability.
Business map and risk map
The starting question: «How does the holding actually make money, and through which chains do money and data flow?»
Next, the steps:
- Business-process approach to compliance mapping. We explicitly describe the key processes: sales, client onboarding (KYC/KYB), payments, account operations, work with suppliers and agents, HR, IT, reporting. On this basis, a compliance risk map by business process is formed.
- Identification of risk areas. For each process we identify:
- points where sanctions and AML risks arise;
- zones of cross-border compliance risk (payments, transfers between jurisdictions, use of different currencies, correspondent accounts);
- points of contact with regulators, banks, payment systems, auditors.
- Collection of data and incidents. The COREDO team usually forms a centralized register of compliance incidents: regulator requests, payment blocks, bank inquiries, detected violations, red flags. This provides real statistics for assessing likelihood.
Likelihood and impact according to ISO 31000
Classic question: how to measure compliance risk, by probability or by severity of consequences?
In COREDO’s practice with holdings we use a two-dimensional assessment:
- likelihood, frequency of occurrence: from «rare» to «frequent»;
- impact, effect on: licenses, banking access, financial results, reputation, personal liability.
It is important to distinguish:
- likelihood as an expert assessment based on incidents and the specifics of the business;
- probability as a stricter, quantitative measure (where data exist).
Risk appetite and risk ownership
Without alignment with the board of directors’ risk appetite the risk map remains an academic document.
What I do at the governance level:
- the board of directors formulates the compliance risk appetite: which sanctions, AML, regulatory and operational risks are acceptable and which are not;
- risk tolerances are established – acceptable ranges for key KRIs (for example, the number of payments rejected for sanctions reasons, the frequency of regulator inquiries);
- risk owners (owners of compliance risks) are appointed – generally business unit leaders, not only compliance officers.
Centralized, Decentralized and Hybrid Compliance Models

In international holdings, I see three patterns of compliance governance in multinational holding structures.
Competence Center
A compliance competence center at the head office:
- a single methodology for constructing the compliance risk map;
- centralized risk register and risk assessment report;
- common policies: sanctions compliance, AML, KYC/KYB, TPRM, ESG, data protection;
- a single IT GRC core and compliance infrastructure (RegTech, case-management, monitoring).
Decentralized model
Local compliance officers in subsidiaries:
- strong adaptation to regulatory compliance in the EU and Asia (local regulators, reporting, languages);
- their own practices for interacting with banks, payment institutions, and financial intelligence units.
Hybrid Model
In most COREDO projects, I promote a hybrid model of compliance risk management in the group:
- head office: methodology center, governance, risk & compliance (GRC approach), a common risk map for the holding;
- subsidiaries: adaptation and detailing of the compliance risk map for the holding with assets in Europe and Asia to their own processes;
- unified standards (ISO approach, policies, KYC/AML framework), but local procedures where required by the regulator.
Sanctions and AML risks in multi‑level structures

Sanctions and AML risks in multi‑level structures are amplified by complex ownership chains, cross‑holdings and beneficiaries from different jurisdictions. To avoid inadvertent exposure to restrictions and regulatory enforcement, businesses need a systematic sanctions audit and a detailed sanctions risk map that covers every level of the structure.
Sanctions audit and risk map
For private equity groups and complex ownership structures, the COREDO team often starts with a sanctions audit and sanctions due diligence:
- analysis of beneficial ownership transparency: who the ultimate beneficiaries are and at which levels;
- assessment of multi‑level ownership structures, trusts, funds, SPVs, offshore entities;
- mapping cross‑border chains: payments, dividends, intercompany financing.
On this basis we develop:
- the holding’s sanctions risk map, covering:
- risk of being listed on sanctions lists;
- compliance risks when dealing with PEPs and high‑risk jurisdictions;
- risk of indirect ownership/relationships with SDN‑listed parties;
- “red flags” for internal systems:
- anomalous payment chains;
- new counterparties from high‑risk countries;
- atypical changes in ownership structure.
Integration of AML systems into the risk map
A classic mistake: building the AML system separately from the overall compliance risk map.
A solution that COREDO has successfully implemented in holdings with payment and crypto licenses:
- integration of AML systems into the holding’s overall compliance risk map;
- use of a risk‑based approach when building the compliance risk map:
- client segmentation by risk;
- risk‑based KYC and differentiated procedures;
- setting up an AML transaction monitoring system as a source of KRIs:
- proportion of transactions subject to manual review;
- number of identified red flags;
- number of reports to the financial intelligence unit.
Digital infrastructure: IT GRC and RegTech
In holdings with a large number of jurisdictions, licenses and banking relationships, manual compliance risk mapping becomes unmanageable.
Therefore I consider digital platforms for managing compliance risks (RegTech, GRC systems) as the core of the compliance infrastructure:
- IT GRC and compliance for international holdings provide:
- a centralized risk register and incident register;
- case management for compliance incidents;
- process documentation and audit trail;
- dashboards / scorecards for management.
- Integration of AML/KYC with GRC:
- data lineage and data quality in AML/KYC systems;
- the ability to link client and counterparty cases and incidents to specific risks on the risk map;
- monitoring key risk indicators (KRI) in near‑real time.
The COREDO team acted as architect on several projects: we described the compliance infrastructure, developed requirements for RegTech solutions, and then integrated them with banking, payment and CRM systems.
Compliance risk map and corporate governance
The compliance risk map becomes a practical tool that links corporate governance with the actual areas of responsibility and control within the company, showing where and how violations may occur. Through this link, the ‘three lines of defence’ model helps build a transparent allocation of roles, from the operational level to the board of directors, and provides a unified system for managing compliance risks.
The three lines of defence in a bank
An effective compliance system as a risk management tool does not operate in isolation:
- First line: business units and operational staff. They are the key risk owners; it is here that primary risks arise and are managed.
- Second line: legal, risk and compliance functions. Their task is methodology, monitoring, updating the compliance risk map and control.
- Third line: internal audit. It validates the compliance risk map, checks the realism of the assessments, the presence of controls and the effectiveness of processes.
In one of COREDO’s projects for a holding with licenses in the EU and Asia, we began by ‘reworking’ the risk map together with internal audit: some risks that had been considered low turned out in practice to be critical because of cross‑border characteristics and the requirements of specific regulators.
Tone at the top and compliance culture
Without tone at the top and a compliance culture, any risk map turns into bureaucracy. The board of directors and top management should therefore:
- approve risk appetite and risk tolerance;
- include compliance KPIs at the top‑management level;
- support regular reviews of compliance risk mapping and reports on KRIs;
- allocate resources for compliance training and awareness‑programs.
COREDO’s practice shows: when compliance KPIs become part of the management bonus system, residual risk begins to materially decrease.
Compliance risk mapping in an international holding company
This is the «step-by-step plan» the COREDO team uses in a typical project for a group with assets in Europe and Asia.
- Diagnostics
- analysis of jurisdictions, licenses, banking and payment relationships;
- assessment of the maturity of the current compliance function and IT landscape;
- collection of incidents, requests from regulators and banks, sanctions and AML cases.
- Risk taxonomy and processes
- development of the compliance‑risk structure for international holdings;
- process descriptions (onboarding, payments, TPRM, HR, IT, reporting);
- identification of cross‑border chains and areas of sanctions/AML risk.
- Assessment and map construction
- compliance risk assessment according to the ISO‑approach: likelihood and impact;
- creation of the risk register and the risk assessment report;
- visual risk map / heat map for the board of directors.
- Linkage to risk appetite and governance
- alignment of risk levels with the board of directors;
- appointment of risk owners and roles;
- choice of model: centralized, decentralized, hybrid.
- Integration with internal control and audit
- building the chain «risk map – control procedures – checks»;
- involvement of internal audit in validation of assessments and scenario analysis;
- stress‑testing of the compliance system and scenario risk analysis.
- Digitalization and RegTech
- definition of requirements for the GRC platform and AML/KYC solutions;
- integration with CRM, payment, banking and accounting systems;
- launch of dashboards and automated compliance monitoring.
- Continuous monitoring and review of the risk map
- regular updating of the compliance‑risk map (at least annually, and more often in case of significant regulatory changes);
- analysis of new jurisdictions, products, partners;
- adjustment of KRIs and processes.
Compliance risk map: ROI and impact
“What’s the point of this whole system? Where’s the return?”
From COREDO’s experience I see several consistent effects:
- Reduction in the cost of non‑compliance. Fewer fines, fewer blocks, fewer bank refusals. For fintech and holding groups this directly affects the cost of capital raised and business valuation.
- Faster expansion into new jurisdictions and licenses. When you have established compliance management in an international business, regulators and banks view the holding differently – as a predictable and understandable player.
- Reduction of reputational risks. A clear compliance risk map, scenario analysis, and properly structured sanctions and AML compliance reduce the likelihood of events that could undermine market trust.
- Manageability of growth. When scaling into new markets, in M&A deals, or when launching new products, the risk map becomes a filter: what can be done, where additional control is needed, where it’s better to refrain.
In one of COREDO’s cases for a group with assets in the EU and Asia, the implementation of a compliance risk map and a GRC platform:
- reduced the number of problematic requests from banks by more than half;
- reduced the share of manual transaction reviews thanks to better risk‑based calibration;
- allowed the regulator to approve the license expansion, relying on the provided risk assessment report and governance structure.
What you should personally consider
- Does the group have a formalized compliance‑risk map, rather than a set of fragmented policies?
- Do the board of directors and top management understand their risk appetite specifically in terms of compliance and sanctions?
- Are your IT systems, AML/KYC and processes tied to a single GRC approach, or does each legal entity operate independently?
In recent years the COREDO team has supported holdings in the EU, the United Kingdom, the Czech Republic, Slovakia, Cyprus, Estonia, Singapore and Dubai – from registering legal entities and obtaining financial licenses to building comprehensive compliance systems and a risk map at group level. This experience convinces me of one thing:
Your compliance‑risk map is essentially a strategic map of the holding’s resilience. And the more complex your geography and licenses, the more important it is that this map is not only drawn but actually works every day.