Article

From Tick-Box to Tactical Advantage: Elevating Financial Crime Risk Assessments 

Priya Giuliani

Partner

priyagiuliani@hka.com


Risk assessments are supposed to be the backbone of an effective, risk-based approach to financial crime compliance. Yet recent supervisory work from the Financial Conduct Authority (FCA)[1: Risk assessment processes and controls in firms: our findings | FCA], the Solicitors Regulation Authority (SRA)[2: SRA | Client and matter risk assessments | Solicitors Regulation Authority] and the Gambling Commission[3: Anti-money laundering and counter-terrorist financing casino casework trends: October 2025] all highlights the same thing: too many risk assessments remain generic, static, reactive, and disconnected from the realities of real-world risk.

For Money Laundering Reporting Officers, this creates more than just audit frustrations. A weak or superficial risk assessment is now a direct route to regulatory challenge, personal accountability, and reputational harm.

Financial crime spans money laundering (ML), terrorist financing (TF), proliferation financing (PF), market abuse, sanctions evasion, facilitation of tax evasion, bribery & corruption, and fraud. When risk assessments fail, firms face more than audit findings; they expose themselves to regulatory penalties, financial loss, and high-profile reputational harm. 

This article explores what’s going wrong, why it matters, and how leaders can transform risk assessments into a decision-ready, data-driven tool that actively steers and supports business. We’ll examine regulatory expectations, common pitfalls, and practical steps that strengthen governance and provide demonstrable protection for regulators, auditors, and boards.  

Cornerstone of a risk-based approach

Financial crime risk assessments are not optional; they are the foundation of a risk-based approach (RBA). Global standards start with the Financial Action Task Force (FATF)[4: The Financial Action Task Force is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. The mandate of the FATF is to set standards and to promote effective …], whose very first Recommendation mandates risk assessments as the basis for applying controls. This principle is embedded in Anti-Money Laundering (AML) legislative and/or regulatory frameworks worldwide[5: In this article, reference to AML incorporates Counter-Terrorist Financing and Counter-Proliferation Financing.].

In the UK, obligations go further. Legislation such as the Bribery Act, the Criminal Finances Act, and the Economic Crime and Corporate Transparency Act all require risk assessments, amongst other controls, to demonstrate reasonable preventative procedures that provide a defence against corporate criminal liability for the facilitation of tax evasion, bribery, and fraud. Whilst not an explicit requirement for market abuse[6: Market Watch 69 | FCA] and sanctions[7: SRA | Complying with the UK Sanctions Regime | Solicitors Regulation Authority], risk assessments are still considered good practice.

Beyond the UK, the trend is clear: regulators are strengthening expectations for risk assessments. The UAE[8: Rulebook CBUAE | Home; CBUAE | AML/CFT Supervision] and its free zones[9: ADGM Anti-Money Laundering and Sanctions Rulebook (AML); DFSA AML Rulebook (January 2024)] mandate enterprise-wide risk assessments with quantified methodologies and senior oversight. From 31 March 2026, Australia is shifting its AML requirements from a compliance-based approach to a risk-based, outcomes-oriented approach[10: AML/CTF Reform | AUSTRAC]. This change will make the requirement for risk assessments explicit, will incorporate PF, and will codify the risk factors that should be considered. In the United States, risk assessments remain good practice under the BSA, but FinCEN’s 2024 proposal[11: FinCEN Fact Sheet, FIN-2024-FCT1, June 28, 2024] signals a move toward making them mandatory.

Regulatory expectations regarding risk assessments continue to evolve. Regulators are mandating that risk assessments must identify, assess, mitigate, and manage risk with clear governance, evidential support, and a demonstrable link to controls, monitoring, and resourcing. FATF guidance is explicit: an RBA cannot exist without a credible risk assessment. How is it, then, that firms claim to operate an RBA without an adequate risk assessment?

The regulatory drumbeat: poor quality is widespread 

Regulators are sounding the alarm: risk assessments are falling short across multiple sectors.  

The findings from the FCA multi-firm review are stark[12: Risk assessment processes and controls in firms: our findings | FCA]:

  • “Few firms” identify relevant risks and tailor assessments to their business, despite the mandated requirement to have a written risk assessment since 2017.
  • Both Business-Wide Risk Assessments (BWRA) and Customer Risk Assessments (CRA) frequently lack detail, lack quantitative analysis, and lack evidence of control effectiveness and residual risk.
  • Good practice “often goes beyond the minimum regulatory requirements”, signalling rising expectations.

The Solicitors Regulation Authority (SRA) echoes these concerns in the legal sector. Its Warning Notice[13: SRA | Client and matter risk assessments | Solicitors Regulation Authority] highlights systemic issues, with many firms lacking client and matter risk assessments. Other UK regulators, such as the Gambling Commission, report similar shortcomings: risk assessments that fail to consider all relevant risks and are disconnected from the control framework[14: Anti-money laundering and counter-terrorist financing casino casework trends: October 2025].

Global scandals reinforce the consequences of inadequate risk assessment. From Danske Bank’s non-resident exposure, to HSBC’s failure to assess risks in Mexico, to Westpac’s blind spots in correspondent banking, the pattern is consistent, illustrating how superficial, outdated, or siloed risk assessments can lead to material regulatory, financial, and reputational damage.

Root Causes of Failure 

  1. Templated and generic narratives. Too many risk assessments are copy-pasted, bought in without sufficient firm input, or not effectively tailored to the business. It’s the easy option, the tick-box approach. Such risk assessments fail to reflect the nuances of specific products, transactions, channels, geographies, and customer segments. As a result, employees and senior management cannot articulate the financial crime risks because the output is too generic or misunderstood, and the risk assessment does not meet regulatory expectations.
  2. Confusion between risk types. Some firms conflate inherent risk with operational risk. Confusing the two undermines credibility, leads to poor control evaluation, and compromises the integrity of the BWRA.

     Inherent risk is the level of financial crime risk that exists before the application of any controls: what is it about the nature of your business, the products you provide, the customers you target, the way you find them and interact with them, the geographies you and your clients operate in, and the types of transactions they are expected to undertake that makes your firm susceptible to financial crime?

     Operational risks are the risks that your financial crime controls fail to mitigate in practice. For the purposes of a BWRA, these should be assessed as part of your controls effectiveness and incorporated into ongoing testing plans.

     If your inherent risk assessment describes risks in terms such as the:
     – risk of onboarding a criminal
     – risk a customer will launder the proceeds of crime through the institution
     – risk a customer will provide false documentation

     …then the assessment needs reworking. These are operational risks or control-failure scenarios, not inherent risks.
  3. Over-reliance on qualitative judgement. Regulators repeatedly flag that risk assessments lack quantitative evidence. Many have no weightings, sub-factors, exposure metrics, or data-based rationales for scores and residual risk. Instead, they rely on undocumented qualitative judgements, making supervisory challenge uncomfortable. Some have no controls assessment at all, or blindly present the controls environment as effective despite evidence to the contrary.
  4. Lack of documented methodology and transparency. Without a clear methodology, assurance is difficult and regulators question credibility. Typical symptoms are unclear scoring mechanisms, untested thresholds, and undocumented inputs and risk ratings. The steps taken to complete your risk assessment must be documented, as per MLR18(4).
  5. Inadequate coverage of risk types. Despite explicit regulatory emphasis, TF and PF are frequently poorly covered. Other risk types such as fraud, facilitation of tax evasion, and bribery & corruption also tend to receive limited coverage. This narrow scope leaves firms vulnerable to emerging threats.
  6. Weak governance and limited senior challenge. Assessments are not updated alongside growth, new products, or acquisitions. Senior oversight is inconsistent, sometimes focusing narrowly on fraud while neglecting sanctions, bribery, or ML risks. Governance gaps also mean findings rarely translate into documented remediation plans, owners, timelines, or tracked delivery.
  7. Dormant documents with no follow-through. Risk assessments exist ‘on paper’ but do not drive decision making, resourcing, or monitoring design. They become compliance artefacts rather than live tools, another ‘tick-box’ solution leaving firms exposed to regulatory criticism.
  8. Over-reliance on technology without understanding. Firms increasingly depend on automated scoring models but cannot explain how these models work or validate their outputs. This creates blind spots and undermines confidence in the risk assessment process.
  9. Knowledge and resource gaps. Too often, responsibility falls to junior staff without sufficient support or investment from senior management, resulting in rushed, underdeveloped outputs. Producing an effective risk assessment requires deep business knowledge together with financial crime and risk assessment expertise.
  10. Lack of industry-wide risk standardisation. Beyond certain anchors (e.g., foreign PEPs and correspondent banking, which are generally considered higher risk), many risk factors remain subjective and are left to a firm’s own discretion, meaning inconsistent approaches and making supervisory evaluation and peer benchmarking difficult.

Practical Steps to Get it Right 

  1. Right knowledge and resources. Conducting a robust risk assessment takes time and expertise. It is far better to perform the risk assessment internally, as no one understands your business better than you do. However, if you have not done one before, it can be helpful to bring in external expertise to coach you through the process and drive the right outcomes. When engaging external resources, validate their experience in conducting risk assessments and ensure they understand key concepts such as the difference between inherent and operational risk, leaving you with a risk assessment that your business owns, understands, and can maintain.
  2. Keep it simple and tailor to your business. Start with a practical approach. If your business is not overly complex, use a simple spreadsheet to capture risks discussed in small workshops with relevant stakeholders. Workshops bring together risk and financial crime experts and business specialists, fostering collaboration and knowledge-sharing. Systematically review the five core risk factors (customers, jurisdictions, products, transactions, and channels) and document how each creates risk for your business.
  3. Use data to power your risk assessment. Data helps identify risks and adds credibility and precision to scoring. Incorporate both external and internal sources:

     External data:
     – national risk assessments, FATF updates, regulatory trends and sector typologies help identify risks relevant to your business. Do not deviate from industry or national risk assessments unless you have a robust reason to do so, which should be fully documented; and
     – enforcement notices and open-source information provide insight into crystallised events, such as reputational risk pertaining to Politically Exposed Persons. These can be used to assess impact.

     Internal data:
     – customer and transaction data strengthen likelihood scoring;
     – outcome data such as SAR trends, incident logs, and screening hits highlight risks and aid likelihood scoring; and
     – assurance results validate the controls evaluation.
  4. Document the methodology. Your methodology should be detailed enough for someone new to replicate the process and achieve similar results. It should capture the sources of data and the risk scoring logic, including weightings and the aggregation methodology. Document any formulas or code embedded in spreadsheets. Transparent calculation logic supports internal audit and regulatory scrutiny and helps answer the inevitable “why did you score this as low?” moments.
  5. Make it forward-looking by design. Risk assessments should not be backward-looking snapshots. The use of a 2025 risk assessment in 2026 is limited. Define and quantify risk at the time of execution and anticipate future risks. Incorporate future business strategy, horizon scanning, scenario analysis, and stress testing. Consider geopolitical shifts (sanctions regimes), technology changes (crypto asset exposure), and typology evolution (mule networks, cyber-enabled laundering). Use “what-if” scenarios, for example sudden sanctions expansion or entry into higher-risk corridors, and pre-map control requirements and resourcing impacts. Make risk assessments strategic, not static.
  6. Review dynamically, not just annually. Don’t wait for the annual cycle. Trigger off-cycle reassessments for new products, market entries, major client onboarding changes, or sanctions events. Document the review process in your methodology to demonstrate responsiveness.
  7. Embed governance and challenge. Good practice goes beyond regulatory minimums, as highlighted by the FCA. Share the BWRA or a summary report with senior management and the Board. Ensure action plans include resource requirements, ownership, and deadlines; track progress through to completion. Document challenges to assumptions and decisions to demonstrate robust oversight.
  8. Don’t leave it in the drawer: make the assessment work for you. The mark of a mature programme is how visibly the risk assessment drives business decisions:
     • Governance & strategy: use BWRA outputs to set and monitor adherence to risk appetite and to inform growth decisions; minute board and senior management discussions to demonstrate engagement and accountability.
     • Continuous improvement: maintain an action log tied to each assessment finding; regulators have flagged the absence of recorded actions and owners as poor practice.
     • Link to controls: ensure risks identified in the BWRA align with, for example, transaction monitoring scenarios.
     • Monitoring: align monitoring controls with the BWRA output; for example, more frequent reviews of high-risk areas and weaker controls.
     • Resource allocation: prioritise headcount, tooling, and training where residual risk is highest, evidenced by metrics rather than anecdote.
     • Train to the risk: direct training budgets to areas the BWRA shows as rising risk. Ensure training covers risk pertinent to the business, not generic financial crime training.
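To show what steps 3 and 4 look like when the scoring logic is written down rather than buried in a spreadsheet, here is an added example (not from the article or HKA) of a small, reproducible BWRA scoring model: every input carries a documented rationale, the five core risk factors must all be covered, and residual risk is derived from inherent risk and tested control effectiveness. The 1-5 scales, the weights, the rating bands and the sample scores are all assumptions for illustration.

```python
"""Added example, not from the article: a reproducible BWRA scoring model whose
scales, weights and formulas are explicit enough for a reviewer to replicate every
score. The scales, weights, bands and sample data are all assumptions."""
from dataclasses import dataclass

RISK_FACTORS = ("customers", "jurisdictions", "products", "transactions", "channels")
# Assumed weights (sum to 1) and bands on the 1-25 likelihood x impact scale;
# recording both is part of the documented methodology.
WEIGHTS = {"customers": 0.30, "jurisdictions": 0.25, "products": 0.15,
           "transactions": 0.20, "channels": 0.10}
BANDS = ((15, "High"), (7, "Medium"), (0, "Low"))

@dataclass(frozen=True)
class FactorAssessment:
    factor: str
    likelihood: int               # 1-5, evidenced by internal data (SAR trends, hits)
    impact: int                   # 1-5, evidenced by external data (enforcement, NRA)
    control_effectiveness: float  # 0.0-1.0, taken from assurance/testing results
    rationale: str                # data sources and reasoning behind the scores

    def __post_init__(self):
        if self.factor not in RISK_FACTORS:
            raise ValueError(f"unknown risk factor: {self.factor}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5
                and 0.0 <= self.control_effectiveness <= 1.0):
            raise ValueError("scores outside the documented scales")
        if not self.rationale.strip():
            raise ValueError("every score needs a documented rationale")

    @property
    def inherent(self):           # risk before any controls are applied
        return float(self.likelihood * self.impact)

    @property
    def residual(self):           # what remains after controls, as actually tested
        return self.inherent * (1 - self.control_effectiveness)

def band(score):
    return next(label for threshold, label in BANDS if score >= threshold)

def aggregate(assessments):
    # Weighted roll-up over all five factors plus a per-factor audit trail.
    missing = set(RISK_FACTORS) - {a.factor for a in assessments}
    if missing or len(assessments) != len(RISK_FACTORS):
        raise ValueError(f"incomplete or duplicated coverage, missing: {sorted(missing)}")
    inherent = sum(WEIGHTS[a.factor] * a.inherent for a in assessments)
    residual = sum(WEIGHTS[a.factor] * a.residual for a in assessments)
    return {"inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual),
            "trail": [(a.factor, band(a.inherent), band(a.residual), a.rationale)
                      for a in assessments]}

# Constructed sample assessment (illustrative scores, not real firm data).
SAMPLE = [
    FactorAssessment("customers", 4, 4, 0.5, "PEP and HNW share rising; CDD file testing found gaps"),
    FactorAssessment("jurisdictions", 3, 5, 0.4, "Exposure to two grey-listed corridors; screening backlog"),
    FactorAssessment("products", 2, 3, 0.6, "Mostly vanilla products; small trade finance niche"),
    FactorAssessment("transactions", 3, 4, 0.7, "Cash-intensive clients; TM scenarios tested and tuned"),
    FactorAssessment("channels", 2, 2, 0.5, "Face-to-face onboarding; new digital channel untested"),
]
```

Running `aggregate(SAMPLE)` gives a Medium inherent rating and a Low residual rating, with the trail showing customers as High inherent but only Medium residual, so a reviewer can see exactly which score moved and why.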

Conclusion: from compliance artefact to strategic instrument 

If the past few years have taught us anything, it’s that a weak risk assessment is not merely an audit finding; it’s a strategic blind spot that can snowball into regulatory, financial, and reputational harm. The FCA’s 2025 multi-firm review and the SRA’s enforcement record reinforce the expectation that firms must produce tailored, evidenced, forward-looking assessments and actively use them to steer controls, monitoring, and investment.

Leaders who embrace a data-rich, scenario-driven, governance-anchored approach will transform risk assessments from a tick-box obligation into a tactical advantage: one that keeps pace with evolving typologies, supports a credible risk appetite, and builds trust with regulators, boards, and customers alike.

Review your current risk assessment framework. Ask: 

  • Is it tailored to your business model?
  • Does it integrate data and anticipate future risks?
  • Does it drive governance, resource allocation, and monitoring decisions?
  • Is the outcome aligned with your understanding of the business? Does it make sense?

If the answer is “no” to any of these, now is the time to act. A well-designed risk assessment is more than a regulatory requirement: it is the foundation of your RBA and a strategic instrument that protects and strengthens your business and positions it for sustainable growth.

How can HKA help

HKA is an independent consultancy with specialists in financial crime compliance, fraud and integrity risk management, remediation and response matters. Our experts assist financial institutions, corporates, charitable and purpose-driven organisations, and public sector organisations in navigating complex regulatory landscapes, strengthening compliance frameworks, and aligning with global and industry standards.

About the Author:

Priya Giuliani is a specialist in financial crime investigations & compliance with nearly 30 years’ experience, including a decade as a Partner. She specialises in helping clients on a proactive basis to assess and manage the risk of financial crime, including assessing governance, oversight, and conduct, and training Senior Managers and Boards. Her investigative experience provides insight into how various financial crime types (e.g. money laundering, terrorist and proliferation financing, sanctions and tax evasion, bribery, corruption and fraud) can occur, including through the use of professional enablers, and the controls required to manage these risks effectively. Priya has been appointed on many Skilled Person engagements and is widely regarded as a well-qualified and highly experienced expert in financial crime risk management and investigations. She understands risk well and works with clients to assess and develop proportionate and effective control frameworks.
