How to Conduct a Business-Wide Risk Assessment: A Practical Walkthrough

This informal CPD article, ‘How to Conduct a Business-Wide Risk Assessment: A Practical Walkthrough’, was provided by Nikolas Demetriades, founder of CPDs.Academy, a CPD training platform delivering compliance education for professionals in EU-regulated financial services.

The business-wide risk assessment, or BWRA, is the foundation of every obliged entity's anti-money laundering and counter-terrorist financing programme. It is the document that should answer one question: what are the money laundering and terrorist financing risks this firm is actually exposed to, and how well do its controls address them?

In our experience, the difficulty is rarely conceptual. Most compliance officers understand what a BWRA is meant to do. The difficulty is methodological. How do you actually get from a blank document to a defensible assessment that supervisors, internal auditors, and your own management body will accept as a true reflection of the firm's risk exposure?

This article walks through the methodology step by step. It is not a template and it is not a regulatory summary. It is an explanation of how the work itself is done, and in particular how the external reports that supervisors expect firms to draw on are actually embedded in the analysis rather than just listed as references.

1. Build a clear picture of the business

Every BWRA starts with the firm describing itself accurately: not the marketing version, the operational version. What licences does the firm hold, what services does it actually provide, who are its customers, where are they located, how are they onboarded, what products and transaction types pass through the firm, and what jurisdictions does it operate in or transact with?

This sounds elementary but it is where many BWRAs go wrong. A firm that describes itself in general terms produces a risk assessment in general terms. A firm that describes itself with specificity produces an assessment that supervisors can engage with.

The four dimensions to capture are the ones the risk-based approach has consistently identified: customers, products and services, distribution channels, and geographies. Within each dimension the description should be granular enough that someone reading it understands the risk profile without needing to ask follow-up questions.

2. Identify and assess inherent risk

Inherent risk is the risk a firm faces before any controls are applied. It is the risk that comes from the business itself, simply by virtue of who the firm serves and what it does.

This is the step where the methodology lives or dies, and it is the step where external information sources play their largest role. The work has two parts running in parallel. The first is to look inward at the firm's own data. The second is to look outward at what supervisors, international bodies, and government authorities have already said about the risks present in the firm's customer base, products, channels, and jurisdictions.

The most important external sources for a BWRA in the EU are the European Commission's Supranational Risk Assessment, the relevant Member State's National Risk Assessment, the FATF's mutual evaluation reports and country-specific follow-up reports, and Moneyval's evaluations and follow-up reports for non-FATF jurisdictions. These are not optional reading. They are the documents that establish the baseline risk environment the firm operates in.

In addition to these primary risk assessments, credit and financial institutions and their competent authorities are addressees of the European Banking Authority's ML/TF Risk Factors Guidelines (EBA/GL/2021/02). The Guidelines apply directly to those firms and inform supervisory expectations. For other obliged entities they are not directly applicable, but where their content is relevant to the firm's activities they can be a useful methodological reference and a source of risk factors by analogy, applied with appropriate adjustment to the firm's sector.

What makes these reports particularly useful, and what is often missed, is that they do not simply describe risk in qualitative terms. They contain published risk scorings, rankings, threats, and vulnerabilities. The Supranational Risk Assessment, for example, scores specific products and services and specific sectors against money laundering and terrorist financing threat levels. National Risk Assessments rank threats and vulnerabilities specific to the country. FATF and Moneyval reports identify specific weaknesses in the country's AML framework, specific predicate offences of concern, and specific typologies that have been observed.

Embedding these into a BWRA means lifting the relevant scorings, rankings, threats, and vulnerabilities directly into the firm's analysis at the right point. If the Supranational Risk Assessment scores a product the firm offers as high risk for money laundering, that scoring should appear in the firm's inherent risk analysis for that product line, with the rationale given in the source report acknowledged. If the National Risk Assessment identifies a specific predicate offence as a high threat in the jurisdiction, the firm should test whether its customer base, products, or transaction patterns expose it to that threat. If FATF or Moneyval has flagged a particular vulnerability in the country's AML framework, the firm should consider whether that vulnerability creates a residual exposure for it specifically.

This is what supervisors mean when they say a BWRA should "take into account" external risk assessments. They do not mean cite them in a list of references. They mean use the published findings to inform the firm's specific risk ratings and to identify risks the firm might otherwise miss.

Beyond these primary reports, other sources can usefully contribute to the inherent risk analysis. Sector-specific publications from supervisors, such as thematic reviews and dear-CEO letters, often contain explicit risk indicators and supervisory expectations. Publications from international standard setters and law enforcement agencies, including Europol's Serious and Organised Crime Threat Assessment and FATF's typology reports, identify emerging risks and modus operandi. Sanctions lists and watchlists are essential inputs for assessing exposure to targeted financial sanctions risk. Industry bodies, professional associations, and credible commercial intelligence sources can provide additional context. Civil society publications, including corruption indices and country reports from organisations like Transparency International, can help calibrate the firm's view of jurisdictional risk.

The judgement the firm has to make is which of these sources are relevant to its activities and how to weight them. A small firm with a limited customer base and a single jurisdiction needs fewer sources than a cross-border firm with a complex product range. What matters is that the sources actually used are documented, that the way they have been embedded in the analysis is explained, and that the sources are kept up to date as new editions are published.

Once the inputs are gathered, the firm classifies its inherent risk. The classification should reflect the firm's specific exposure to the identified risk factors. A firm that operates exclusively with low-risk retail customers in a low-risk jurisdiction should not produce the same inherent risk profile as a firm with politically exposed clients in higher-risk jurisdictions. The classification should be granular enough that it can be linked to specific control responses in the next step.

[Image: EU's restrictive measures regime]

3. Assess the quality of the controls

Once inherent risk is identified, the firm assesses how well its existing controls actually mitigate that risk. The key word is "actually". A control that exists on paper but is not implemented in practice does not mitigate anything. A control that is implemented but is not designed to address the specific risk it claims to mitigate is similarly limited.

The assessment therefore has two distinct dimensions. The design dimension asks whether the control, as written, is capable of mitigating the risk. The implementation dimension asks whether the control is actually being applied as designed.

For each material inherent risk identified in the previous step, the firm should be able to articulate which control or controls address it, how the control is designed to mitigate the risk, and what evidence supports the conclusion that the control is working. The evidence comes from compliance monitoring, internal audit reviews, transaction monitoring statistics, sample file testing, training records, and findings from any supervisory engagement. Where the evidence shows weaknesses, those weaknesses are documented as control gaps.

This is also the point at which the firm assesses its controls against the risks of non-implementation and evasion of targeted financial sanctions. Targeted financial sanctions are not derived from ML/TF risk factor guidance. They flow from the EU's restrictive measures regime, the United Nations Security Council sanctions implemented through it, national sanctions requirements where Member States impose additional measures, and supervisory expectations on how firms are expected to put those measures into operation. The assessment should cover the firm's screening tools, the quality of its name matching against the relevant EU and UN consolidated lists, the speed at which new designations are reflected in screening, the procedures for handling matches, and the controls in place to detect indicators of sanctions evasion. Where the EBA's Guidelines on internal policies, procedures and controls for the implementation of Union and national restrictive measures (EBA/GL/2024/14) apply to the firm, they should inform the design of those controls.

The output of this step is a clear, evidence-based view of how strong the firm's mitigation capability is across each risk area, and where the gaps lie.

4. Determine residual risk and act on it

Residual risk is what remains after the controls have done their work. It is calculated by combining the inherent risk and the quality of the controls, on the principle that strong controls reduce residual exposure and weak controls leave it intact or worsen it.

Some inherent risks cannot be fully mitigated by controls regardless of how good those controls are. A product that is inherently high risk because of its anonymity features, for example, will retain residual risk even with strong screening. The methodology should reflect this. It should not produce results in which residual risk is uniformly low simply because controls exist.

The classification of residual risk feeds directly into the firm's risk management response. Where residual risk is acceptable, the firm continues with current arrangements and monitors. Where residual risk is high, the firm should identify what action is needed: enhanced controls, changes to onboarding criteria, restrictions on specific products or jurisdictions, additional training, additional resourcing, or in some cases a decision not to pursue certain business lines.

The BWRA should be subject to appropriate senior management or management body review, challenge, and approval. The point of approval is not procedural sign-off. It is to ensure that the people accountable for the firm's risk-based approach have engaged with the assessment, tested the conclusions, and committed to the resulting actions. The BWRA should close with a documented set of priority actions tied to the residual risks that need attention, with clear owners and timelines. Without this, the BWRA is an academic exercise. With it, the BWRA becomes the document that drives the firm's risk-based approach in practice.
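To make the three calculations in steps 2 to 4 concrete (inherent risk that lifts published external scorings into the firm's own view, control quality judged on the weaker of design and implementation, and residual risk with a floor for exposures that no control removes, closing with a priority action list with owners), here is an added worked example in Python. It is not the author's or CPDs.Academy's methodology: the ordinal scales, the numeric weights behind them, the rule that an external scoring can raise but never lower a rating, and every sample risk area, rating, source label and owner name are constructed assumptions for illustration only.

```python
# Added illustrative BWRA worksheet (not CPDs.Academy's own method or data).
# Scales, weights, and all sample risk areas below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal risk scale. Numeric values are an assumption used only for ordering.
RISK_LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "very_high": 4}
LEVEL_NAMES = {v: k for k, v in RISK_LEVELS.items()}

# Control quality: "absent" (-1) leaves exposure worse than the inherent rating,
# "weak" (0) leaves it intact, "adequate"/"strong" reduce it by one/two levels.
CONTROL_QUALITY: Dict[str, int] = {"absent": -1, "weak": 0, "adequate": 1, "strong": 2}
QUALITY_NAMES = {v: k for k, v in CONTROL_QUALITY.items()}


@dataclass
class RiskArea:
    name: str
    dimension: str                  # customers / products / channels / geographies
    internal_rating: str            # what the firm's own data shows
    external_sources: List[str]     # which published reports were drawn on (assumed labels)
    external_rating: Optional[str]  # highest scoring lifted from those reports, if any
    control_design: str             # is the control, as written, capable of mitigating the risk?
    control_implementation: str     # is the control actually applied as designed?
    floor: str = "low"              # residual level no control can reduce below (e.g. anonymity)
    owner: str = "unassigned"       # accountable owner for any resulting action


def inherent_risk(area: RiskArea) -> str:
    """Higher of the firm's internal view and the published external scoring:
    an external finding can raise a rating but never lower it (assumed rule)."""
    level = RISK_LEVELS[area.internal_rating]
    if area.external_rating is not None:
        level = max(level, RISK_LEVELS[area.external_rating])
    return LEVEL_NAMES[level]


def control_quality(area: RiskArea) -> str:
    """A control counts only as the weaker of its design and its implementation:
    a well-designed control that is not applied in practice mitigates nothing."""
    value = min(CONTROL_QUALITY[area.control_design],
                CONTROL_QUALITY[area.control_implementation])
    return QUALITY_NAMES[value]


def residual_risk(area: RiskArea) -> str:
    """Inherent risk reduced by control quality, clamped to the scale, and never
    below the area's floor, so strong controls cannot make every result 'low'."""
    value = RISK_LEVELS[inherent_risk(area)] - CONTROL_QUALITY[control_quality(area)]
    value = max(1, min(4, value))
    value = max(value, RISK_LEVELS[area.floor])
    return LEVEL_NAMES[value]


def priority_actions(areas: List[RiskArea], threshold: str = "high") -> List[dict]:
    """Areas whose residual risk is at or above the threshold, ordered from the
    highest residual down, as the action list the BWRA should close with."""
    rows = []
    for area in areas:
        residual = residual_risk(area)
        if RISK_LEVELS[residual] >= RISK_LEVELS[threshold]:
            rows.append({"area": area.name, "dimension": area.dimension,
                         "inherent": inherent_risk(area), "controls": control_quality(area),
                         "residual": residual, "owner": area.owner})
    return sorted(rows, key=lambda r: -RISK_LEVELS[r["residual"]])


# Constructed sample data; the external ratings are NOT real SRA/NRA/FATF findings.
SAMPLE_AREAS = [
    RiskArea("Retail current accounts, EU-resident customers", "products",
             "medium", ["SRA (assumed scoring)"], "medium",
             "strong", "strong", owner="Head of Onboarding"),
    RiskArea("Prepaid cards with anonymity features", "products",
             "high", ["SRA (assumed scoring)"], "high",
             "strong", "strong", floor="high", owner="Head of Cards"),
    RiskArea("Correspondent relationships, higher-risk jurisdiction", "geographies",
             "high", ["NRA (assumed threat ranking)", "FATF follow-up (assumed)"], "high",
             "adequate", "weak", owner="Head of Correspondent Banking"),
    RiskArea("Non-face-to-face onboarding via introducers", "channels",
             "medium", ["NRA (assumed vulnerability)"], "high",
             "adequate", "absent", owner="MLRO"),
]

if __name__ == "__main__":
    for area in SAMPLE_AREAS:
        print(f"{area.name}: inherent={inherent_risk(area)}, "
              f"controls={control_quality(area)}, residual={residual_risk(area)}")
    for row in priority_actions(SAMPLE_AREAS):
        print(f"ACTION [{row['residual']}] {row['area']} -> owner: {row['owner']}")
```

The prepaid-card line shows the floor at work: strong, well-implemented controls would otherwise bring it to "low", but the assumed anonymity floor keeps it at "high", which is the outcome the text warns a methodology must be able to produce. The introducer channel shows the opposite failure, an adequately designed control that is not implemented, which leaves the exposure worse than the inherent rating.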

Closing thoughts

A good BWRA is not a long document. It is an honest one. It describes the business accurately, draws on the external risk environment intelligently, assesses the firm's controls evidentially, and arrives at a residual risk picture that the firm and its supervisors can both engage with. The core methodology is the same regardless of sector or jurisdiction, but its application, weighting, and supporting sources must be tailored to the firm's sector, jurisdiction, products, delivery channels, and customer base. The discipline lies in applying it consistently and in not treating the published risk assessments and reports of supervisors and international bodies as background reading, but as direct inputs into the analysis.

References

Regulation (EU) 2024/1624 (the AMLR), Article 10: obligation for obliged entities to conduct a business-wide risk assessment.

Financial Action Task Force, Recommendation 1: Assessing risks and applying a risk-based approach, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation.

European Banking Authority, Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions ('The ML/TF Risk Factors Guidelines') under Articles 17 and 18(4) of Directive (EU) 2015/849 (EBA/GL/2021/02). Addressed to credit and financial institutions and to competent authorities responsible for their AML/CFT supervision.

European Banking Authority, Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (EBA/GL/2024/14).

European Commission, Report from the Commission to the European Parliament and the Council on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities, COM(2022) 554 final, 27 October 2022.

European Commission, Commission Staff Working Document accompanying the Supranational Risk Assessment Report, SWD(2022) 344 final, 27 October 2022.

National Risk Assessments are published by individual Member States. FATF and Moneyval mutual evaluation reports and follow-up reports are published on the websites of the Financial Action Task Force and the Council of Europe's Committee of Experts on the Evaluation of Anti-Money Laundering Measures (Moneyval).