Most regulated firms understand the importance of risk assessments. Business-Wide Risk Assessments (BWRAs) and Customer Risk Assessments (CRAs) are well-established parts of a firm’s financial crime framework, helping identify where risks exist and ensuring controls remain proportionate.
Many firms consider their financial crime risk assessments robust, supported by documented processes, annual reviews and board approval. However, FCA Good and Poor Practice observations indicate that firms often remain unaware of weaknesses until identified during regulatory engagement.
As firms expand into new markets, launch new products and navigate a complex regulatory environment, risk assessments should do more than meet regulatory requirements. They must actively inform business decisions and the overall risk-based approach.
Risk assessments should drive your entire financial crime framework
A Business-Wide Risk Assessment is more than a compliance document. It should form the foundation of the financial crime framework and directly influence customer due diligence, risk ratings, transaction monitoring and broader financial crime controls.
In mature frameworks, individual business areas conduct their own risk assessments, which are then consolidated into a Business-Wide Risk Assessment to provide a comprehensive view of the firm’s financial crime risks.
An effective risk assessment should be tailored to the firm’s products, services, customers and operating model. It should combine qualitative and quantitative analysis, apply appropriate weightings, document mitigating controls, assess their effectiveness and identify any residual risks.
The BWRA should inform the firm’s risk appetite, controls testing and overall risk-based approach. Customer Risk Assessments should reflect the risks identified in the BWRA, ensuring due diligence, transaction monitoring and other controls remain aligned with the firm’s risk profile.
Weaknesses in the risk assessment can affect the broader business. Customer risk ratings may not reflect actual exposure, transaction monitoring may miss emerging risks and controls can become outdated as the business evolves.
The common weaknesses highlighted by the FCA
The FCA’s observations highlight recurring examples of weak practices that firms should consider when reviewing their risk assessment processes.
Treating risk assessments as a yearly exercise
A common weakness is treating the Business-Wide Risk Assessment as a document that is only updated annually.
Best practice is to conduct a formal reassessment each year, rather than relying on previous versions, and to review risks whenever significant business, operational or regulatory changes occur.
Leading firms also conduct quarterly or event-driven reviews to ensure risk assessments remain responsive to emerging risks, business changes and evolving regulatory expectations.
Risk assessments should evolve in step with the business, not after changes have occurred.
Lack of meaningful detail
A robust risk assessment should explain more than whether a risk is high, medium or low.
It should clearly document why a risk exists, the controls in place, how effective those controls are, the residual risk that remains and whether further action is required.
Without this detail, firms may struggle to demonstrate how conclusions were reached or to justify subsequent decisions.
Weak governance and limited challenge
Risk assessments should not be the sole responsibility of the compliance function.
The FCA found that stronger firms share their Business-Wide Risk Assessment and management summaries with senior management and governance committees, highlighting trends, conclusions, recommendations and actions. High-performing firms also document discussions, challenges, approvals and agreed actions, providing clear evidence of effective oversight.
The FCA also noted that senior management often has a stronger understanding of fraud risk than other financial crime risks, highlighting the need for broader oversight across the financial crime framework.
Risk assessments should evolve with the business
Weaknesses often emerge during periods of growth.
The FCA observed examples of firms expanding their products, services and customer types without first considering whether existing financial crime controls remained appropriate and effective.
Risk assessments should be embedded in strategic planning. Before launching new products, entering new jurisdictions or targeting different customer segments, firms should assess whether due diligence, transaction monitoring, governance, compliance resources and financial crime controls remain proportionate to the new risks.
Financial crime risks should be considered during product development, business continuity planning, marketing, sales and broader strategy discussions. Involving the MLRO, CAMLO or another senior compliance representative in these discussions helps ensure risks are identified and managed before changes are implemented.
Expert Insight – Sue Hinchliffe, Managing Director, Neopay Group
“One of the biggest mistakes we see is firms treating risk assessments as documents to complete rather than tools to manage the business. A Business-Wide Risk Assessment should influence strategic decisions across the organisation. If you’re launching a new product, entering a new jurisdiction or targeting a different customer base, your risk assessment should be one of the first documents you revisit—not the last. The strongest firms continually assess whether their controls remain appropriate as their business evolves.”
Evidence matters just as much as the assessment itself
Producing a Business-Wide Risk Assessment is only one part of the process.
The FCA’s observations show that stronger firms document their methodology, record committee discussions, formally log and approve changes, evidence senior management challenge, assign ownership of actions and regularly review their risk assessment models and processes.
Firms should also test their risk assessment methodology, especially after significant enhancements or automation, to ensure it continues to support effective decision-making.
To determine if your BWRA is driving your financial crime framework, ask: if your risk assessment changed tomorrow, which controls would change as a result? If the answer is “none”, the assessment may be disconnected from the wider framework.
Questions every firm should be asking
Instead of asking whether your Business-Wide Risk Assessment is complete, consider the following questions:
- Does it accurately reflect how our business operates today?
- Have recent products, customers or jurisdictions changed our risk profile?
- Do our Customer Risk Assessments reflect the risks identified within our BWRA?
- Can we evidence meaningful senior management challenge and approval?
- Are actions arising from our risk assessments tracked, assigned and completed?
- Would changes to our BWRA directly influence our customer due diligence, transaction monitoring and other financial crime controls?
If these questions are difficult to answer, it may be time to review whether your risk assessment process provides the assurance your business needs.
Looking ahead
The FCA’s observations reinforce that effective risk assessments should shape a firm’s financial crime framework, not merely satisfy regulatory requirements.
As financial crime risks evolve, firms should regularly reassess whether their Business-Wide Risk Assessment reflects their current business, customers and operating environment. A BWRA should not exist in isolation; it should influence customer onboarding, risk ratings, transaction monitoring, governance, controls testing, strategic planning and growth. If these decisions would not change even if the BWRA changed, it may be time to reconsider whether the assessment is truly driving the financial crime framework.
How Neopay can help
Neopay supports payment firms, e-money institutions, fintechs and other regulated businesses with Business-Wide Risk Assessments, Customer Risk Assessments, AML framework reviews, independent compliance audits and ongoing regulatory consultancy.
Whether you are reviewing an existing framework, preparing for growth or responding to evolving regulatory expectations, our team can help ensure your risk assessments remain practical, proportionate and aligned with your business and current financial crime risks.
If you’d like to discuss your Business-Wide Risk Assessment or wider financial crime framework, contact Neopay to find out how our experienced consultants can support your business.
