Risk assessment processes and controls in firms: our findings

Good and poor practice Published: 11/11/2025 Last updated: 11/11/2025

Print this page

We share findings and highlight good and poor practice to help firms reflect on how they are meeting the existing risk assessment requirements.

In 2025, we carried out a multi-firm review focusing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes.

Our key findings centre around how firms:

Identify, understand and assess risk.
Appropriately mitigate risk.
Effectively manage risk.

This review is part of our wider financial crime supervisory work in support of our 2025–30 strategy.

Who this applies to
What we looked at
What we found
Next steps
Useful papers to read alongside this review

We share findings and highlight good and poor practice to help firms reflect on how they are meeting the existing risk assessment requirements.

In 2025, we carried out a multi-firm review focusing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes.

Our key findings centre around how firms:

Identify, understand and assess risk.
Appropriately mitigate risk.
Effectively manage risk.

This review is part of our wider financial crime supervisory work in support of our 2025–30 strategy.

Who this applies to

Firms.
Money Laundering Reporting Officers (MLROs).
Senior Managers with oversight.
Industry practitioners working in financial crime prevention roles and responsible for assessing risk and setting strategy.

What we looked at

We assessed BWRA and CRA systems and controls through a questionnaire, desk-based review of policies and procedures, and firm interviews.

We evaluated firm controls against:

We also reflected on findings from other recent individual firm reviews.

Good practice often goes beyond the minimum regulatory requirements but shows how firms approach these topics.

We compare how a range of firms have approached BWRA and CRA processes and share insights from these assessments.

Firms involved in this review include:

building societies
platforms
custody and fund services
payments (e-money)
wealth management firms

What we found

Identifying, understanding and assessing risk

Most firms we reviewed have a BWRA, but few are identifying relevant risks and tailoring the BWRA to the specific business. Several consider qualitative and quantitative data to assess and score inherent risks, mitigating controls and residual risk.

We saw larger firms integrating risk assessment activities into business functions and forming aggregated views across the firm.

We are concerned that some firms could not explain sufficiently how they are managing and mitigating identified risks.

Some firms have used sub-factors and weightings to tailor their CRA process to the business and specific risks they face.

We are encouraged that some firms can show how risk appetite, BWRA and CRA processes work together to identify and assess risk.

Examples of good practice

Comprehensive risk assessments

Risk assessments that:

Are quantitative and qualitative.
Consider a range of internal and external factors.
Are weighted.

Risks are assessed by business areas, and the results are combined in the BWRA.

BWRAs consider:

Inherent risks.
Control effectiveness.
Residual risks.

Annual detailed review

Firms formally assess BWRAs yearly, rather than simply refresh.

Tailored assessments

Risk assessments are tailored to the firm, products and customers. Also, the firm documents how it is managing these risks.

Risk assessments that:

Are quantitative and qualitative.
Consider a range of internal and external factors.
Are weighted.

Risks are assessed by business areas, and the results are combined in the BWRA.

BWRAs consider:

Inherent risks.
Control effectiveness.
Residual risks.

Firms formally assess BWRAs yearly, rather than simply refresh.

Risk assessments are tailored to the firm, products and customers. Also, the firm documents how it is managing these risks.

Examples of poor practice

Lack of detail

Some BWRAs focus mainly on fraud or generic risks, often ignoring specific money laundering, sanctions, anti-bribery and corruption, proliferation financing, and terrorist financing risks.

We saw firms:

Oversimplify the risks they are exposed to.
Fail to explain how each risk affects the firm.

Missing quantitative analysis

Some firms’ risk assessments are solely qualitative.

Unclear processes

Some BWRAs lack clarity on how the firm identifies and assesses inherent risks.

Lack of evidence

We saw firms conclude their business is low risk, or that controls are effective/mature without appropriate evidence to support this.

Some BWRAs focus mainly on fraud or generic risks, often ignoring specific money laundering, sanctions, anti-bribery and corruption, proliferation financing, and terrorist financing risks.

We saw firms:

Oversimplify the risks they are exposed to.
Fail to explain how each risk affects the firm.

Some firms’ risk assessments are solely qualitative.

Some BWRAs lack clarity on how the firm identifies and assesses inherent risks.

We saw firms conclude their business is low risk, or that controls are effective/mature without appropriate evidence to support this.

Mitigating risk

Our findings indicate that financial crime risk is often considered in business strategy, growth and product development. However, there is little evidence of how risk assessments, decision-making and monitoring activities are joined up.

Some firms we reviewed have a clear risk appetite that is closely linked to the BWRA. But very few firms have documented actions resulting from their risk assessment. We saw some firms reflecting on whether their people, technology and training are suitable for the size of the business, risks posed and can be scaled as the business grows.

Examples of good practice

Plan for compliance alongside growth

Firms consider capacity of their compliance and financial crime functions to support the current and future growth strategy.

Risk assessments feed into firm’s wider work

BWRA feeds into risk appetite, controls testing and the firm’s overall risk-based approach.

CRAs which directly impact firms’:

Customer due diligence.
Transaction monitoring.
Other processes and controls used to mitigate identified risks.

Track actions to reduce risk

Firms formally track BWRA actions and note recommendations on how the firm plans to mitigate or reduce the overall risk.

Risks considered throughout business

Firms consider financial crime risks in product development, business strategy, growth and sales discussions.

The MLRO is represented in the associated committees to articulate the risks and financial crime framework enhancements needed to support the business.

Firms consider capacity of their compliance and financial crime functions to support the current and future growth strategy.

BWRA feeds into risk appetite, controls testing and the firm’s overall risk-based approach.

CRAs which directly impact firms’:

Customer due diligence.
Transaction monitoring.
Other processes and controls used to mitigate identified risks.

Firms formally track BWRA actions and note recommendations on how the firm plans to mitigate or reduce the overall risk.

Firms consider financial crime risks in product development, business strategy, growth and sales discussions.

The MLRO is represented in the associated committees to articulate the risks and financial crime framework enhancements needed to support the business.

Examples of poor practice

Growth outpaces risk assessment

Some firms have not developed their CRAs in line with business growth to ensure scalability, consistency and accuracy.

Lack of records

Some firms do not record BWRA actions or assign them owners.

Rapid expansion

We saw some firms rapidly expand product, service and customer type without considering and ensuring controls remain appropriate and effective beforehand.

Some firms have not developed their CRAs in line with business growth to ensure scalability, consistency and accuracy.

Some firms do not record BWRA actions or assign them owners.

We saw some firms rapidly expand product, service and customer type without considering and ensuring controls remain appropriate and effective beforehand.

Managing risk

Many firms we reviewed recognise the importance of appropriate governance and oversight to ensure risk awareness and thorough risk assessments. However, senior management appear to better understand and be more aware of fraud risk, compared with other financial crime risks.

Most firms have considered how they document and share their risk assessments. Better firms record risk assessment discussions, changes and approvals. A few firms have integrated dynamic risk assessments into their financial crime frameworks and consider how they continually test and refresh risk assessment models and processes.

Examples of good practice

Senior oversight and challenge

Firms share BWRA document and summary with senior management and committees for review and approval – highlighting trends, conclusions, recommendations and actions.

CRA management information is provided to senior management committees for discussion.

Evidence of MLRO and committee challenge on risk assessments.

Continuity plans

Firms consider CRA processes in business continuity plans.

Clear, consistent methods to assess risk

Firms document risk assessment methodologies in detail and formally log, discuss and approve changes.

Regular review

Firms review their risk assessment models and processes.

Quarterly or triggered updates to risk assessments to make sure they are responsive to emerging risks and changes in regulatory requirements.

Joined-up assessments

Firms reflect the risks identified and assessed within the BWRA in the CRA through weightings or sub-factors.

Firms share BWRA document and summary with senior management and committees for review and approval – highlighting trends, conclusions, recommendations and actions.

CRA management information is provided to senior management committees for discussion.

Evidence of MLRO and committee challenge on risk assessments.

Firms consider CRA processes in business continuity plans.

Firms document risk assessment methodologies in detail and formally log, discuss and approve changes.

Firms review their risk assessment models and processes.

Quarterly or triggered updates to risk assessments to make sure they are responsive to emerging risks and changes in regulatory requirements.

Firms reflect the risks identified and assessed within the BWRA in the CRA through weightings or sub-factors.

Examples of poor practice

Lack of evidence of senior oversight

Some firms do not document senior management discussion, challenge and approval of BWRAs.

Narrow focus

Senior management understanding of financial crime risk mainly focuses on fraud.

Lack of testing

Some firms carry out limited or no testing and reviews of risk assessment processes when they make enhancements, upgrades or automation.

Static approach to assessment

Risk assessments are not sufficiently dynamic – this could lead to outdated risk profiles adversely informing business strategy and decisions on control design.

Some firms do not document senior management discussion, challenge and approval of BWRAs.

Senior management understanding of financial crime risk mainly focuses on fraud.

Some firms carry out limited or no testing and reviews of risk assessment processes when they make enhancements, upgrades or automation.

Risk assessments are not sufficiently dynamic – this could lead to outdated risk profiles adversely informing business strategy and decisions on control design.

Next steps

We expect firms to already be complying with existing requirements, specifically, to:

Understand the risks your business is exposed to.
Have robust financial crime systems and controls to manage and mitigate those risks.

We encourage firms to consider our findings and suggestions within the context of their firm and continue to review your risk-based approach to systems and controls.

Where we identified weaknesses, we are working with those firms to make improvements.

We will continue to monitor firms through our supervisory work to make sure firms are considering the points raised here to drive improvements and reduce risk across the industry.

Useful papers to read alongside this review

Firms may find the publications below useful:

Financial crime controls in corporate finance firms: survey findings (October 2025)
Money laundering through the markets (January 2025)
The treatment of politically exposed persons (July 2024)
Annex 1 Dear CEO letter (March 2024)

Contact us

What we do

How we regulate

How we operate

Who we are

Join us

Firms overview

Regulated firms

Primary markets

Markets policy

Regulated markets

Market abuse

Short selling

Transaction reporting

Our Consumer section

Your rights

Complaints

Scams

Report a firm

Sign up to receive daily alerts on the warnings we issue

Media centre

Share