Risk assessment processes and controls in firms: our findings
We share findings and highlight good and poor practice to help firms reflect on how they are meeting the existing risk assessment requirements.
In 2025, we carried out a multi-firm review focusing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes.
Our key findings centre around how firms:
Identify, understand and assess risk.
Appropriately mitigate risk.
Effectively manage risk.
This review is part of our wider financial crime supervisory work in support of our 2025–30 strategy.
Who this applies to
Firms.
Money Laundering Reporting Officers (MLROs).
Senior Managers with oversight.
Industry practitioners working in financial crime prevention roles and responsible for assessing risk and setting strategy.
What we looked at
We assessed BWRA and CRA systems and controls through a questionnaire, desk-based review of policies and procedures, and firm interviews.
We evaluated firm controls against:
Money Laundering Regulations 2017
Financial Crime Guide (FCG)
Senior Management Arrangements, Systems and Controls (SYSC)
Joint Money Laundering Steering Group (JMLSG) guidance
Financial Action Task Force (FATF) guidance
We also reflected on findings from other recent individual firm reviews.
Good practice often goes beyond the minimum regulatory requirements but shows how firms approach these topics.
We compare how a range of firms have approached BWRA and CRA processes and share insights from these assessments.
Firms involved in this review include:
building societies
platforms
custody and fund services
payments (e-money)
wealth management firms
What we found
Identifying, understanding and assessing risk
Most firms we reviewed have a BWRA, but few are identifying relevant risks and tailoring the BWRA to the specific business. Several consider qualitative and quantitative data to assess and score inherent risks, mitigating controls and residual risk.
We saw larger firms integrating risk assessment activities into business functions and forming aggregated views across the firm.
We are concerned that some firms could not explain sufficiently how they are managing and mitigating identified risks.
Some firms have used sub-factors and weightings to tailor their CRA process to the business and specific risks they face.
We are encouraged that some firms can show how risk appetite, BWRA and CRA processes work together to identify and assess risk.
Examples of good practice
Comprehensive risk assessments
Annual detailed review
Tailored assessments
Risk assessments that:
Are quantitative and qualitative.
Consider a range of internal and external factors.
Are weighted.
Risks are assessed by business areas, and the results are combined in the BWRA.
BWRAs consider:
Inherent risks.
Control effectiveness.
Residual risks.
Examples of poor practice
Lack of detail
Missing quantitative analysis
Unclear processes
Lack of evidence
Some BWRAs focus mainly on fraud or generic risks, often ignoring specific money laundering, sanctions, anti-bribery and corruption, proliferation financing, and terrorist financing risks.
We saw firms:
Oversimplify the risks they are exposed to.
Fail to explain how each risk affects the firm.
Mitigating risk
Our findings indicate that financial crime risk is often considered in business strategy, growth and product development. However, there is little evidence of how risk assessments, decision-making and monitoring activities are joined up.
Some firms we reviewed have a clear risk appetite that is closely linked to the BWRA. But very few firms have documented actions resulting from their risk assessment. We saw some firms reflecting on whether their people, technology and training are suitable for the size of the business and the risks posed, and whether they can be scaled as the business grows.
Examples of good practice
Plan for compliance alongside growth
Risk assessments feed into firm’s wider work
Track actions to reduce risk
Risks considered throughout business
Firms consider the capacity of their compliance and financial crime functions to support the current and future growth strategy.
Examples of poor practice
Growth outpaces risk assessment
Lack of records
Rapid expansion
Some firms have not developed their CRAs in line with business growth to ensure scalability, consistency and accuracy.
Managing risk
Many firms we reviewed recognise the importance of appropriate governance and oversight to ensure risk awareness and thorough risk assessments. However, senior management appear to better understand and be more aware of fraud risk, compared with other financial crime risks.
Most firms have considered how they document and share their risk assessments. Better firms record risk assessment discussions, changes and approvals. A few firms have integrated dynamic risk assessments into their financial crime frameworks and consider how they continually test and refresh risk assessment models and processes.
Examples of good practice
Senior oversight and challenge
Continuity plans
Clear, consistent methods to assess risk
Regular review
Joined-up assessments
Firms share the BWRA document and a summary with senior management and committees for review and approval – highlighting trends, conclusions, recommendations and actions.
CRA management information is provided to senior management committees for discussion.
Evidence of MLRO and committee challenge on risk assessments.
Examples of poor practice
Lack of evidence of senior oversight
Narrow focus
Lack of testing
Static approach to assessment
Some firms do not document senior management discussion, challenge and approval of BWRAs.
Next steps
We expect firms to already be complying with existing requirements, specifically, to:
Understand the risks your business is exposed to.
Have robust financial crime systems and controls to manage and mitigate those risks.
We encourage firms to consider our findings and suggestions within the context of their own firm and to continue reviewing their risk-based approach to systems and controls.
Where we identified weaknesses, we are working with those firms to make improvements.
We will continue to monitor firms through our supervisory work to make sure firms are considering the points raised here to drive improvements and reduce risk across the industry.
Article Credit: https://www.fca.org.uk/publications/good-and-poor-practice/risk-assessment-processes-and-controls-firms-our-findings
