What should a business-wide risk assessment cover?

A business-wide risk assessment explains where your business is exposed to money laundering, terrorist financing and proliferation financing risk, and how you manage those risks in practice. Every business regulated under the Money Laundering Regulations 2017, as amended (the MLRs), must carry out a business-wide risk assessment.
Your business needs to use its business-wide risk assessment to inform its AML policies, controls and procedures (PCPs). Regulators also use it as the starting point when assessing whether your policies, controls and procedures are genuinely risk-based or simply generic paperwork.
What is a business-wide risk assessment?
Regulation 18 of the MLRs requires every regulated business to:
- identify and assess the risks of money laundering, terrorist financing and proliferation financing to which its business is subject;
- take into account risk factors relating to customers, countries or geographic areas, products or services, transactions and delivery channels;
- keep the assessment up to date; and
- document the assessment and make it available to supervisors on request.
This is the business-wide risk assessment, and it serves three practical purposes.
First, it identifies where your real risks sit. That might be overseas clients, cash-heavy services, complex ownership structures or onboarding that’s done without meeting the client in person.
Second, it drives your controls. Your AML PCPs should directly respond to the risks you have identified.
Third, it provides evidence. When a supervisor asks why you treat certain clients as higher risk, or why enhanced due diligence is required in specific situations, the answer should already be documented in your risk assessment.
The core areas of your business-wide risk assessment
The MLRs are clear about the categories of risk you must consider. In practice, a robust business-wide risk assessment will cover the following areas in detail.
Client risk
You must assess the types of clients your business acts for and the risks they present. This includes considering:
- whether you act for individuals, companies, trusts or other legal arrangements;
- the likelihood of politically exposed persons, or their family members or close associates;
- clients connected to higher-risk jurisdictions;
- clients with complex or opaque ownership structures; and
- cash-intensive businesses or unusual funding models.
The assessment should explain which client types are higher risk for your business and why. It should also outline how those risks are mitigated, for example through enhanced due diligence, senior management approval or increased monitoring.
Service and product risk
Your business-wide risk assessment must consider the services you provide and how those services could be exploited. This will vary by sector, but might include:
- accountancy or tax services involving complex structures or overseas elements;
- legal services such as conveyancing, trusts, company formation or client accounts;
- property agency services involving high-value transactions or overseas buyers;
- trust and company service provision; and
- advisory services where you help structure transactions or assets.
For each service, your assessment should explain:
- how the service could be misused;
- whether it involves large sums of money; and
- whether it creates opportunities to disguise ownership or source of funds.
You should also explain how your controls reduce those risks, such as additional checks, approval thresholds or restrictions on certain work.
Delivery channel risk
How you interact with clients matters just as much as who they are. Your business-wide risk assessment must consider your delivery channels, for example:
- face-to-face onboarding;
- remote or online onboarding;
- use of digital identity verification; or
- reliance on third parties or introducers.
Non-face-to-face relationships are specifically recognised in the MLRs as potentially higher risk. Your assessment should explain when remote onboarding is used, what safeguards are in place and when enhanced checks are triggered.
Geographic risk
You’re required to consider geographic exposure, even if you believe it is limited. This includes assessing:
- countries where your clients are based;
- countries where funds originate;
- jurisdictions connected to beneficial owners; and
- whether you deal with high-risk third countries or sanctioned territories.
Your assessment should explain how geographic risk is identified and what additional steps are taken when higher-risk jurisdictions are involved.
Transaction risk
Some transactions are riskier than others, even within the same client relationship. Your business-wide risk assessment should consider:
- unusually large or complex transactions;
- transactions with no clear economic or legal purpose;
- unusual payment methods or third-party payments; and
- changes in transaction patterns over time.
The assessment should link these risks to your ongoing monitoring processes and escalation procedures. This is particularly important for demonstrating that AML isn’t treated as a one-off onboarding exercise.
How risks are mitigated and controlled
Identifying risks is only half of the requirement. Your business-wide risk assessment must also explain how those risks are managed. This includes setting out:
- customer due diligence and enhanced due diligence measures;
- internal reporting and escalation procedures;
- training and awareness arrangements;
- record keeping and audit trails;
- oversight by the Money Laundering Compliance Officer (MLCO) and Money Laundering Reporting Officer (MLRO); and
- frequency of reviews and updates.
Regulators expect to see a clear link between identified risks and the controls you rely on to mitigate them.
Keeping the risk assessment up to date
The MLRs require your business-wide risk assessment to be kept current. In practice, this means reviewing it:
- at least annually;
- whenever your services change;
- when your client base changes; or
- following regulatory updates or emerging risks.
An out-of-date assessment is treated in the same way as no assessment at all. A clear review date, documented updates and evidence of approval are essential.
Common reasons business-wide risk assessments fail inspections
Across sectors, supervisors consistently report the same problems:
- Generic templates copied from elsewhere
- No clear link to the business’s actual services or clients
- Risks listed without explanation or mitigation
- No evidence of regular review
- No connection between the risk assessment and AML policies
These failures are avoidable, but only if the risk assessment is treated as a live document rather than a compliance exercise.
Using AMLCC to structure a compliant business-wide risk assessment
AMLCC’s business risk assessment tools are designed around the requirements of the Money Laundering Regulations 2017. The platform guides you through:
- identifying risks across clients, services, delivery channels and geography;
- recording your rationale, not just yes or no answers;
- linking risks directly to mitigation measures;
- maintaining version control and review dates; and
- demonstrating a clear audit trail for supervisors.
This structure helps ensure your business-wide risk assessment reflects your business as it actually operates, and stays aligned with the rest of your AML framework.
Final thoughts
A business-wide risk assessment is the document that explains how your business understands and manages financial crime risk. If it’s clear, tailored and up to date, it strengthens every other part of your AML framework.
Supervisors expect evidence of thought, proportionality and engagement with real risk. A well-constructed business-wide risk assessment gives you that foundation, and protects both your business and your professional reputation.