Energy firms grapple with rising customer risk

A case study on developing dynamic risk-based customer screening


  • Customer-related risk is rising in an age of increased geopolitical tensions, sanctions and penalties.
  • Having a wide range of customers and counterparties, often with complex ownership structures, makes accurate customer screening more essential and challenging than ever. 
  • There are several customer-screening models an organisation can choose from, starting with an entry-level customer identification programme.
  • Risk-based analysis can take more factors into account and can be manual, automated or dynamic.  
  • Once complex relationships between firms have been mapped accurately, a dynamic programme can be set up allowing risk scores for individual firms to be calculated afresh every time real-time world events occur that increase or decrease risk.

Understanding customer risk is vital in today’s environment of heightened geopolitical tensions, growing sanctions and increasing regulatory scrutiny.

It is essential that firms are able to identify and avoid counterparties and customers that might be involved in terrorism, bribery or corruption, or that are operating fraudulently or dishonestly. Given the complex interlinkages between companies globally and the range of customers that most firms have these days, customer screening is becoming increasingly important, but also ever more challenging. As a result, many energy firms are now grappling with how to develop a sophisticated customer-screening programme. There are several models to choose from, each with differing costs and offering varying levels of risk protection.

The case for developing such a programme today is certainly strong. Heightened geopolitical risk has become the new norm in recent years. US sanctions against Iran, US tariffs against China, turmoil in Venezuela and Libya and the big ‘unknown’ of Brexit are just some of the risks that firms doing business in the energy markets are exposed to each day. Meanwhile, regulatory scrutiny and penalties are increasing. In the last decade, regulators globally have issued fines of $26 billion for breaches of sanctions, anti-money laundering (AML) violations and non-compliance with know-your-customer guidelines, according to a report by financial software firm Fenergo.

Fines issued by US regulators were some of the highest, with the total coming in at $23.52 billion, or 91% of total global fines, despite the number of cases making up only 44% of the global total. The US Department of Justice issued 50% of all sanctions and AML fines globally in the last decade, including issuing the highest ever penalty: $8.9 billion to BNP Paribas in 2015. This was the first time an international bank pleaded guilty to violations of US economic sanctions.

European regulators and lawmakers have imposed 83 fines, totalling $1.7 billion in the past decade. The majority were issued by the UK’s Financial Conduct Authority. Since 2011, regulators in the Asia-Pacific region levied 79 fines, worth almost $609 million.

Moreover, fines are growing, with 2018 being a record year for AML and sanctions fines. A total of $905 million was levied, which is three times more than in 2017.

As well as the financial damage of a hefty fine, dealing with the wrong customer could bring significant reputational risk. Although not externally regulated, this risk could still have a monetary impact. A strong, positive reputation attracts better customers that tend to be more loyal and buy more products and services. On a bigger scale, brand equity, intellectual capital and goodwill, which can significantly impact the market value of an organisation, are susceptible to a reputational hit.

It’s easy to see, therefore, why interest is growing in customer screening. Once the case for a customer-screening programme has been made, the next step is to decide which programme will work best for your organisation, taking into account what it needs to achieve and what resources are available for the project.

Entry-level screening

An entry-level customer-screening programme, or customer identification programme (Cip), reviews the customer you are doing business with, and, if applicable, its guarantor. The following questions would be asked:

  1. Is the firm sanctioned?
  2. Is it based in a high-risk jurisdiction?
  3. Does it carry out any criminal activity?
  4. Does it have any negative media associated with it?
  5. Is it a state-owned entity?

If all these checks come back as ‘negative’ then it may appear the customer is low risk. However, by focusing only on the customer, you could be taking on hidden risks. One of the key drivers for introducing a customer-screening programme is to understand the risks associated with the many, in order to truly know the risk of doing business with your one customer.

For example, many firms have several levels in their ownership structure (see figure 1). Each entity or individual could be a potential risk. By not identifying the full ownership structure and performing a review on each, you could be exposing yourself to many unforeseen risks.

In figure 1, the indirect parent becomes sanctioned. If only a Cip review had been carried out, you could be trading with a sanctioned entity, depending on how broadly the applicable laws are written. This may become apparent only after the government informs you of the violation.

Customer risk analysis

Carrying out a risk-based analysis is a good way of taking more factors into account and can be manual, automated or dynamic. Each model has increasing levels of data accessibility and objectivity. 

Handling a risk review via a slow manual paper-based process is an inefficient use of valuable resources, including needing a high full-time employee (FTE) count. It also leads to duplication of effort with a new report being written every time a customer is reviewed. Additionally, finding a single piece of information on a customer could require reading an entire report. Finally, it can be very subjective, based on an individual’s opinion of perceived risk compared to an objective normalised view. This could lead to skewed or misleading estimates of the counterparty’s overall risk exposure.

When it comes to automating the process, an organisation needs to decide whether it's going to use an off-the-shelf application or develop a hybrid model. Off-the-shelf software does have the benefit of being ready to use right away. Most will have data storage capabilities, risk score calculation functionalities and a link to a risk intelligence database of politically exposed persons and heightened risk individuals or organisations. On the downside, off-the-shelf packages can be costly and most require a lot of customisation, which can cause delays in implementation. 

For a firm that has the necessary talent in-house, with competencies in database design and programming languages (such as VBA and SQL), the hybrid route is another option. Doing a lot of the build in-house gives firms the control to fit the programme to the organisation’s own level of risk and budget. A hybrid solution allows firms to mix and match building in-house and buying, for example buying specific functionality, such as a risk intelligence database, and building the database management system (DBS).

When building a DBS, it’s necessary to think about what sort of data is required and how it should be structured in order to achieve the end goals. When we designed our DBS, the goals were the following: to enable better decision-making; to improve end-user productivity; to create a risk-score calculator; and to create an objective final risk score.

Once you have a system in place that holds all your data electronically and you have thought about how it needs to be structured to achieve the results you want, you can think about the table structure you require. Our team went through many different iterations of table structures before we settled on the structure in figure 2.

Initially, we didn’t hold all the entities and individuals that were part of the hierarchy in our DBS as their own individual line item. This led to inconsistency and duplication of data as, for example, you could have an ultimate beneficial owner (UBO) linked to several of your customers, but any information identified on them would be individually stored under each customer to which it was linked. In the structure in figure 2, each counterparty/individual is stored as an individual entity that has its own risk-review data associated with it and therefore its own risk level as well.

Once all the entities are held individually it opens the door to create a relationship table. This allows the user to maintain and adjust through time the hierarchical relationships between different entities within the database. It not only connects counterparties with their ownership structures, but also shows how UBO and parent companies can be interlinked with multiple customers. 

The risk-review table structure enables the normalisation of the data identified during risk reviews into buckets. This process helps improve objectivity when calculating the risk score as you can assign scores to buckets. Figure 3 shows an example of a risk score calculation where the counterparty was: a) based in Angola, a country with a high corruption score; b) publicly listed; c) has a parent that had undergone a past investigation into bribery involvement. This gave the counterparty a total risk score of 14, which flagged it as high risk.

Dynamic matrix

This data structure allows the risk-review process to be automated. However, to really take it to the next level, the data needs to be leveraged to make it dynamic. In the automated process, once you have calculated the risk score, it will stay the same until the next time the counterparty is reviewed. That is not a true reflection of risk. Risk factors are not static. Sanctions, crime, bankruptcy, fraud, investigations and bribery are happening all the time. They might be huge news one day and disappear the next. A dynamic approach to customer screening allows the risk score to constantly reflect the current risk associated with a customer.

When designing a dynamic risk matrix, you need to consider the ripple effect and how you can incorporate that into the process. The ripple effect represents how one event can touch many things. For example, if a country becomes sanctioned, any counterparties registered in that country could be impacted, as could any subsidiary or individual linked to those counterparties. Several of your customers could end up being affected by this sanction. Manually updating this information in the DBS and correctly identifying all the interlinking parts would be very time-consuming and carry a high probability of errors and inconsistencies.

To design a ripple effect into your risk matrix it is necessary to have:

  • all counterparties/individuals in a hierarchy stored electronically as their own entity along with risk-factor details, such as type of counterparty, registered country, negative media;
  • hierarchical relationships to be maintained between counterparties and individuals; and
  • ongoing monitoring – if you are unaware that a risk has changed, then you are not going to be able to add it to your risk matrix.

Once the data structure is in place, the first step to developing a dynamic risk matrix is to create risk-factor groupings. This will help normalise the data further by separating the risk factors into smaller groupings than seen in figure 3.

Figure 4 shows some examples of risk groupings that have then been prioritised in order of risk, and a score applied to them. Once scores have been assigned, you can work out the risk level bands, which assign a counterparty, based on its score, to low, medium or high risk. In figure 4, the bands are set at 0–4 for low, 5–9 for medium and 10+ for high risk.

It’s important to note here that this is a cumulative score. Here's an example of how it works. During an initial review of a counterparty through a media search, an analyst identifies only a single item of concern: a past bribery investigation. As a result, the analyst enters a line item in the DBS with a flag of ‘Information – Concern’ (score of four), making the counterparty a low risk. Six months later, ongoing monitoring alerts the analyst to the fact that this counterparty is now trading with Iran, which leads the analyst to enter another line item with a flag of ‘Information – Concern’. This now makes the counterparty a medium risk: two ‘Information – Concern’ line items, each with a score of four, give a total score of eight. It works the other way around too: if a risk-review item is no longer relevant, you can change it to ‘Information – General’, giving that line item a score of zero and lowering the counterparty’s total risk score.

Once you create the risk groupings, you should spend time reviewing your old risk-review data and reformatting it so you can assign each item the correct risk grouping. For example, if you use the matrix in figure 4 and you have a counterparty that has in its risk review a past AML violation along with a Chapter 11 bankruptcy, you should create two line items, one for ‘Information – Concern’ and the other for ‘Bankruptcy Chapter 11’.   

After you have done the above, you can calculate all your counterparties’ new risk scores, which would then move customers into the buckets of low, medium or high. Doing this for the first time might result in a number of surprises. We ended up with a larger number of high-risk counterparties than we had before we recalculated the risk score. This suggested going back and reviewing the risk line items, the risk groupings and the risk bandings to make small adjustments until we were finally able to look at the data and feel comfortable that all the counterparties were sitting at the correct risk level. As a final test, you could take a handful of medium-risk counterparties and compare them. If you feel comfortable that they are comparable to one another, then you know that you have hit the sweet spot.

Once the initial recalibration is done, you can then move on to the analytical capabilities that a dynamic structure can give you.

Risk crunch, status change

We will call the first functionality the ‘risk crunch’, and it demonstrates how the ripple effect can be applied to a customer-screening programme.

Here’s an example of how this works. Imagine news breaks that rebels have taken control of the indirect parent (IP) in figure 1. This would cause an analyst to go to the risk-review table and insert a line item against IP’s profile with a flag of ‘Information – Serious’, which would make the IP’s risk score high risk. What the risk crunch then does is search for any subsidiary relationships in the database and automatically change their risk scores to high risk as well.

At a later date you receive news that the IP has taken back control of its refinery. An analyst should go back into the risk-review table and change the line item from serious to ‘Information – Concern’, which would downgrade IP to a medium risk. The analyst would run the risk crunch again and all the high-risk counterparties would be automatically downgraded to medium. The risk crunch allows you to update multiple counterparties and customers within a couple of seconds. Compare that to how resource-intensive and error-prone it would be to complete this process manually.

Risk crunch, CPI change

This next functionality also uses the risk crunch but in a different way. A Corruption Perceptions Index (CPI) is published once a year by Transparency International in order to score most of the countries in the world based on their corruption rating. Our DBS has a table that holds this information and, through our risk matrix, we band the CPI scores into a low, medium or high score (see figure 4). For example, a CPI score of 0–30 = a risk matrix score of 10, which is high risk; a CPI score of 31–60 = a risk matrix score of 5, which is medium risk; and a CPI score of 61–100 = a risk matrix score of 0, low risk. The result is that every counterparty and individual has a risk-review line item with an associated score based on its registered country or nationality.

So, let’s go through another sequence of events. Azerbaijan had a CPI score of 31 in 2017 which, according to our risk matrix, corresponds to the medium risk bucket. In 2018, however, Azerbaijan dropped to a score of 25, which then put it in the high-risk bucket. An analyst would insert the new CPI list into the CPI table. When you run the risk crunch, any counterparties or nationals of Azerbaijan would become high risk, as the risk-review line item linked to their registered country or nationality would change to a score of 10. The line items of any subsidiaries of these counterparties or individuals would also change to a score of 10. By just changing the CPI score for one country you can change the risk score of multiple counterparties, individuals and customers. Also, by just updating your CPI table with the new country-corruption scores, which could have gone up or down, you could update the risk of a vast number of entities/individuals in your DBS with just one click of a button.
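
The risk crunch in both scenarios above (status change and CPI change), as an added example that is not the article's or ConocoPhillips' own code. The table and entity names, the country 'Lowriskland', the score of 10 for ‘Information – Serious’ and the rule that an entity takes the highest cumulative score found among itself and its ancestors are assumptions; the bands, the Concern and General scores and the CPI figures are the article's.

```python
import sqlite3

# Flag scores: Concern = 4 and General = 0 are the article's; Serious = 10 is
# an assumption (the article only says a Serious item makes an entity high risk).
FLAG_SCORES = {"Information - General": 0, "Information - Concern": 4,
               "Information - Serious": 10}

def band(score):
    """Article's bands: 0-4 low, 5-9 medium, 10+ high."""
    return "high" if score >= 10 else "medium" if score >= 5 else "low"

def cpi_score(cpi):
    """Article's CPI banding: 0-30 -> 10, 31-60 -> 5, 61-100 -> 0."""
    return 10 if cpi <= 30 else 5 if cpi <= 60 else 0

def build_db():
    """Constructed sample data; table, entity and 'Lowriskland' names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entity(id TEXT PRIMARY KEY, country TEXT);
        CREATE TABLE relationship(parent TEXT, child TEXT);
        CREATE TABLE risk_review(entity TEXT, flag TEXT);
        CREATE TABLE cpi(country TEXT PRIMARY KEY, score INTEGER);
        INSERT INTO cpi VALUES ('Azerbaijan', 31), ('Lowriskland', 80);
        INSERT INTO entity VALUES ('CUSTOMER', 'Lowriskland'),
            ('DIRECT_PARENT', 'Lowriskland'), ('INDIRECT_PARENT', 'Lowriskland'),
            ('AZ_HOLDING', 'Azerbaijan'), ('AZ_SUBSIDIARY', 'Lowriskland');
        INSERT INTO relationship VALUES ('INDIRECT_PARENT', 'DIRECT_PARENT'),
            ('DIRECT_PARENT', 'CUSTOMER'), ('AZ_HOLDING', 'AZ_SUBSIDIARY');
        INSERT INTO risk_review VALUES ('INDIRECT_PARENT', 'Information - Concern');
    """)
    return db

def own_score(db, entity):
    """Cumulative score: sum of line-item flags plus the registered-country CPI band."""
    flags = db.execute("SELECT flag FROM risk_review WHERE entity = ?", (entity,))
    total = sum(FLAG_SCORES[f] for (f,) in flags.fetchall())
    cpi = db.execute("SELECT c.score FROM entity e JOIN cpi c ON c.country = e.country "
                     "WHERE e.id = ?", (entity,)).fetchone()
    return total + (cpi_score(cpi[0]) if cpi else 0)

def risk_crunch(db):
    """Effective level = band of the highest cumulative score among the entity
    and all its ancestors (assumed propagation rule). UNION de-duplicates rows,
    so a circular ownership chain terminates instead of recursing forever."""
    levels = {}
    for (eid,) in db.execute("SELECT id FROM entity").fetchall():
        chain = db.execute("""
            WITH RECURSIVE up(id) AS (
                SELECT ? UNION
                SELECT r.parent FROM relationship r JOIN up ON r.child = up.id)
            SELECT id FROM up""", (eid,)).fetchall()
        levels[eid] = band(max(own_score(db, a) for (a,) in chain))
    return levels

if __name__ == "__main__":
    db = build_db()
    print("initial:", risk_crunch(db))
    db.execute("INSERT INTO risk_review VALUES ('INDIRECT_PARENT', 'Information - Serious')")
    print("Serious item on indirect parent:", risk_crunch(db))
    db.execute("UPDATE cpi SET score = 25 WHERE country = 'Azerbaijan'")
    print("CPI table updated:", risk_crunch(db))
```

Because levels are recomputed from the line items on every run, changing the Serious item back to Concern leaves the indirect parent with two Concern items (score eight) and moves the whole chain to medium without touching the subsidiaries' own records.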

Mass identification, sanctions

Sanctions lists can have thousands of entities and individuals and are constantly being amended, with not much direction on what has changed. When the Russian Sectoral sanctions were published by the US in 2014, our group dropped everything and spent two days making sure none of our counterparties or individuals were sanctioned. After that work, we decided to implement a programme, as described below, that converted a four-analyst, two-day effort to a one-analyst, 30-minute process. 

Our group created a table to hold the sanctions list. We then generated a Soundex code for each entity in the list. Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English, which enables you to match ‘like’ words despite minor differences in spelling. We then compared the Soundex code for the sanctioned entities against our DBS entities that already had a Soundex code.

We ended up with a manageable list of entities/individuals to review. Figure 6 shows an example of potential results. Customers are listed on the left and their potential matches on the sanction list on the right. It is easy to see from the list what needs to be investigated further and rule out anything that is not a clear match.
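
The Soundex comparison described above, as an added example that is not the article's or ConocoPhillips' own code. It uses standard American Soundex with accent folding; the function names and all customer and sanctioned names are constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Standard American Soundex digit groups.
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
_CODE = {ch: digit for digit, chars in _GROUPS.items() for ch in chars}

def soundex(name):
    """Letter + three digits; returns '' when the name has no A-Z letters."""
    # Strip accents ('é' -> 'e') so transliteration variants still code alike.
    folded = unicodedata.normalize("NFKD", name).upper()
    letters = [c for c in folded if "A" <= c <= "Z"]
    if not letters:
        return ""
    out, prev = letters[0], _CODE.get(letters[0], "")
    for c in letters[1:]:
        if c in "HW":          # H and W do not separate two equal codes
            continue
        digit = _CODE.get(c, "")
        if digit and digit != prev:
            out += digit
        prev = digit           # a vowel resets prev, so a repeat is coded again
    return (out + "000")[:4]

def candidate_matches(customers, sanctioned):
    """Pair every customer with each sanctioned name sharing its Soundex code."""
    index = defaultdict(list)
    for s in sanctioned:
        if soundex(s):         # names without letters never match anything
            index[soundex(s)].append(s)
    return [(c, s) for c in customers for s in index.get(soundex(c), [])]

# Constructed names, not taken from any real sanctions list.
CUSTOMERS = ["Zelmar Trading", "Zulimar Shipping", "Northwind Gas"]
SANCTIONED = ["Zéllmer Treding", "Harbour Point Ltd"]

if __name__ == "__main__":
    for customer, hit in candidate_matches(CUSTOMERS, SANCTIONED):
        print(f"{customer!r} ~ {hit!r}  ({soundex(customer)})")
```

A Soundex code covers only the first few consonant sounds, so 'Zulimar Shipping' is returned alongside the genuine near-match; the output is a review list for the analyst, not a verdict.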

Risk factors are not static and not isolated events, and you should therefore not treat them as such. A dynamic approach can help you maintain objectivity while normalising your risk analysis to assist you leveraging the data for better decision-making. A strong dataset allows you to ripple risk events through related entities/individuals efficiently and identify areas of potential risk quickly.

The dynamic system has beaten our expectations, reducing manual effort, producing extra clarity and reducing our full-time employee count. It has enabled our team to think outside the box and do things that were initially not possible, allowing us to continually innovate and adapt to the ever-changing risk environment.

Jennifer Plank is a senior analyst, global trade monitoring and analysis, at ConocoPhillips. The opinions expressed in this article are the views of the author and are not intended to be the views of ConocoPhillips nor should they be relied upon without consulting relevant experts.
