Risk Assessment and Risk Appetite Policy
ORAX CORPORATION LLC
Registered Address: Marshall Islands, Majuro, P.C. 9696, Ajeltake Road No. 1
Legal Basis: Marshall Islands Business Corporations Act; Banking Act 1987 (as amended); Anti-Money Laundering Regulations 2002 (as amended 2023); Proceeds of Crime Act; FATF Recommendations; RMI FIU Guidelines.
1. Purpose
This Policy establishes the framework for identifying, assessing, managing, and monitoring risks faced by ORAX CORPORATION LLC (“Company”), with a particular focus on money laundering (ML) and terrorist financing (TF) risks. It ensures alignment with:
- The Company’s AML/CFT Policy and compliance program;
- Regulatory obligations under the Republic of the Marshall Islands (RMI);
- International standards (FATF Recommendations, APG Guidance).
The objectives are to:
- Ensure risks are systematically identified and categorized;
- Define the Company’s risk appetite and thresholds;
- Provide a structured methodology for scoring and mitigating risks;
- Establish governance, reporting, and escalation processes.
2. Scope
This Policy applies to:
- All Company employees, directors, officers, and contractors;
- All agents, intermediaries, and service providers engaged by the Company;
- All products, services, transactions, and delivery channels;
- All client relationships (individuals and entities).
3. Legal and Regulatory Framework
This Policy is developed in compliance with:
- Marshall Islands Business Corporations Act;
- Banking Act 1987 (Sections 1(x) and 166 et seq.);
- Anti‑Money Laundering Regulations 2002 (as amended 2023);
- Proceeds of Crime Act;
- Guidance issued by the RMI Financial Intelligence Unit (FIU) and Banking Commission;
- United Nations Sanctions and Anti‑Terrorism Measures implemented in RMI law;
- FATF Recommendations and Asia/Pacific Group (APG) best practices.
This Policy complements and directly integrates with the Company’s AML/CFT Policy, particularly sections on Client Due Diligence (CDD),Enhanced Due Diligence (EDD), and Suspicious Activity Reporting (SAR).
4. Risk Assessment Framework
4.1 Objectives
- Identify inherent risks in client onboarding, transactions, and operational processes.
- Assign risk ratings to clients and transactions to determine the required level of due diligence.
- Link risk assessment outcomes to AML/CFT controls and monitoring intensity.
4.2 Risk Categories
The Company evaluates risks across four dimensions:
a) Client-Related Risks – PEP status, ownership structure, adverse media, source of wealth/funds.
b) Jurisdictional Risks – High-risk or sanctioned jurisdictions (FATF, UN, OFAC).
c) Product/Service Risks – Virtual assets, private placements, high-value transfers.
d) Delivery Channel Risks – Remote onboarding, intermediaries, anonymity features.
5. Risk Assessment Methodology
5.1 Likelihood Scale
| Likelihood Level | Probability | Description |
|---|
| Very Unlikely | <10% | Rare occurrence |
| Unlikely | 10–35% | Possible but infrequent |
| Possible | 35–60% | May occur under certain conditions |
| Likely | 60–90% | Expected to occur periodically |
| Almost Certain | >90% | Frequent or imminent |
5.2 Impact Scale
| Impact Level | Criteria |
|---|
| Negligible | Financial loss < USD 10,000; no regulatory breach |
| Minor | Loss up to USD 50,000; corrective actions required |
| Moderate | Loss USD 50,001–100,000; reputational harm; national regulatory reporting |
| Major | Loss USD 100,001–300,000; significant operational disruption; media exposure |
| Extreme | Loss > USD 300,000; international sanctions; litigation risk |
Risk Scoring and Matrix
Risk Score = Likelihood × Impact (scale 1–25)
| Score Range | Risk Level | Action |
|---|
| 1–5 | Low | Accept/Tolerate |
| 6–8 | Moderate | Manage & mitigate (Treat) |
| 9–12 | High | Reduce, transfer, or redesign control (Transfer) |
| 15–25 | Extreme | Prohibit or terminate (Terminate) |
6. Risk Appetite Statement
6.1 Definition
Risk Appetite is the aggregate level of risk the Company is willing to accept in pursuing strategic objectives, consistent with its risk capacity and regulatory obligations.
6.2 Principles
- Zero tolerance for ML/TF risk, sanctions breaches, or anonymous transactions.
- Limited tolerance for operational risk, subject to effective controls.
- Prohibited activities:
- Clients from FATF-blacklisted or UN-sanctioned jurisdictions;
- Shell companies with non-transparent ownership;
- Transactions lacking lawful economic purpose.
6.3 Integration with AML/CFT Policy
- High-risk clients automatically trigger Enhanced Due Diligence (EDD) as per AML Policy.
- Risk ratings directly influence transaction monitoring thresholds and reporting obligations.
7. Governance and Responsibilities
7.1 Board of Directors
- Approves this Policy and reviews it annually.
- Ensures risk appetite aligns with strategic and compliance objectives.
- Receives quarterly risk reports from the AML/CFT Compliance Officer.
7.2 AML/CFT Compliance Officer (AMLCO)
- Implements the risk assessment framework.
- Maintains the Risk Register (inherent, residual, and mitigated risks).
- Investigates and escalates high/ extreme risks.
- Coordinates with regulators (e.g., FIU) for SAR submissions.
7.3 Management
- Ensures employees adhere to risk controls.
- Provides resources for training, monitoring, and audits.
- Reviews risk reports and supports mitigation measures.
7.4 Employees
- Conduct ongoing client monitoring and escalate red flags immediately.
- Complete required AML/CFT and risk training annually.
- Report suspicious activity to AMLCO without delay (“no tipping off”).
8. Monitoring and Escalation Procedures
8.1 Ongoing Monitoring
- Transaction monitoring: Automated systems detect unusual patterns (e.g., structuring, rapid inflows/outflows).
- Periodic reviews: Risk reassessment every 12 months (or quarterly for high-risk clients).
8.2 Escalation Steps
- Immediate escalation of red flags to AMLCO.
- AMLCO conducts preliminary investigation within 24–48 hours. If suspicion confirmed → file SAR to FIU (within 14 days max).
- Board notified of material risks or regulatory investigations.
8.3 Coordination with AML/CFT Policy
All escalations follow SAR procedures described in the AML/CFT Policy (confidentiality, anti‑tipping‑off provisions).
9. Risk Examples
- Client Risk Example: High-net-worth client from a sanctioned jurisdiction → Automatic rejection.
- Jurisdictional Risk Example: Payment routed via high-risk offshore hub →Trigger EDD and enhanced monitoring.
- Product Risk Example: Large-volume cryptocurrency trades with inconsistent source of funds → Intensified review and SAR consideration.
- Operational Risk Example: Data breach exposing client KYC files →Immediate Board notification and regulator reporting.
10. Review and Update
- Annual review or earlier if regulatory changes or new products emerge.
- Updates approved by the Board of Directors and communicated to all staff.
- Changes documented and linked to training refreshers.
Annex: Risk Appetite Scale
Low Risk (1–5): Acceptable; standard CDD.
Moderate Risk (6–8): Manage actively; additional controls applied.
High Risk (9–12): Senior approval required; EDD mandatory.
Extreme Risk (15–25): Prohibited unless Board-approved exception and mitigation plan.
Approval
This Policy has been formally adopted by the Board of Directors of ORAX CORPORATION LLC and is effective as of the date of adoption.
