How to Do a Firm-Wide AML Risk Assessment

Step-by-step guide to the firm-wide AML risk assessment for accountancy practices: the five risk categories, scoring, documentation and review cycle.

Learnsignal Education Team
04 Jun 2026

A firm-wide AML risk assessment is a documented analysis of where your accountancy practice is exposed to money laundering and terrorist financing, and what controls you apply to mitigate that exposure. In the UK it is required by regulation 18 of the Money Laundering Regulations 2017; in Ireland, by section 30A of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, which calls it the business risk assessment. It is the foundation document of your entire AML framework — your policies, client risk ratings, due diligence levels and training plan should all trace back to it.

What must the firm-wide risk assessment cover?

Both UK and Irish regimes require the assessment to address, at minimum, five categories of risk:

  • Clients: Who do you act for? Consider concentrations of cash-intensive businesses, high-net-worth individuals, politically exposed persons, non-resident clients, complex group structures, trusts, and clients introduced remotely or through intermediaries.
  • Geography: Where are your clients, their owners and their money? Exposure to high-risk third countries, jurisdictions subject to sanctions, and secrecy jurisdictions all raise the rating.
  • Services: Which services are most abusable? Company formation, trust and company services, payroll handling, holding client money, insolvency work and tax structuring typically carry more risk than statutory audit of a long-standing domestic trading company.
  • Transactions: Do you handle or advise on transactions that are large, complex, cash-based or international?
  • Delivery channels: How do clients reach you? Fully remote onboarding without ever meeting the client, or work referred through unregulated introducers, increases risk relative to face-to-face local relationships.

You must also take into account the relevant national risk assessments and any sectoral risk information published by your supervisor — UK supervisors expect to see evidence that the firm has actually read and reflected the national risk assessment's findings for the accountancy sector, not just cited it.

How do you actually build the assessment? A six-step method

Step 1: Gather the data

Pull real numbers from your practice management system: client counts by type, sector, and country; services by fee volume; how many clients were onboarded remotely; how many PEPs or high-risk-country connections you have. Supervisors consistently distinguish assessments grounded in the firm's actual client book from generic templates with the firm's name typed at the top.

Step 2: Identify inherent risk in each category

For each of the five categories, list the specific risks that apply to your firm. "We act for 40 cash-based restaurants and takeaways" is a finding; "clients may pose risk" is not.

Step 3: Score it

Use a simple, consistent scale — low / medium / high, or a numeric likelihood-times-impact matrix. The method matters less than applying it consistently and explaining what each level means.

Step 4: Map controls and assess residual risk

Against each identified risk, record the mitigating controls: your CDD and EDD procedures, sanctions screening, client risk-rating model, training, file reviews, restrictions on accepting certain work. Then conclude on the residual risk after controls. A frequent supervisor criticism is assessments that identify risks but never conclude — the document must end with an overall risk rating for the firm and a clear statement of whether controls are adequate.

Step 5: Get it approved

The assessment should be approved by senior management — in practice, signed off by the partners or board, with the author and approval level recorded. Irish guidance is explicit that the business risk assessment should record its author and the management level at which it was approved, and be available to the competent authority on request.

Step 6: Connect it to everything else

The firm-wide assessment should drive your client risk-rating methodology, determine where simplified or enhanced due diligence applies, shape the topics in your training plan, and set your file review focus. If your assessment says trust and company services are your highest-risk line but your training and file reviews never touch them, an inspector will notice the disconnect.

How often should you review it?

Keep it up to date. In practice that means a full review at least annually — Irish guidance expects the business risk assessment to be revisited yearly — plus event-driven updates when something material changes: a new service line, a merger, a new office, a significant shift in the client base, new national risk assessment findings, or major legal change. For UK firms in 2026, the amendments to the Money Laundering Regulations and the planned transfer of AML supervision to the FCA are exactly the kind of developments your next review should reflect. Keep prior versions: regulators can ask for historical assessments as well as the current one.

What does a good risk finding look like? A worked example

The difference between a template and a real assessment is specificity. Compare two ways of recording the same risk:

  • Weak: "The firm may act for clients in high-risk sectors. Mitigation: CDD is performed on all clients."
  • Strong: "Approximately 35 of our 420 clients operate cash-intensive businesses (restaurants, taxi operators, convenience retail). Inherent risk: high — cash businesses are identified in the national risk assessment as attractive for placement of criminal proceeds. Controls: these clients are rated high risk at onboarding, partner approval is required, source of funds is corroborated for unusual capital introductions, and files are reviewed annually. Residual risk: medium. Action: bookkeeping staff serving these clients receive targeted red-flag training by Q3."

The strong version does four things the weak one does not: it quantifies the exposure from the firm's own data, links it to an external risk source, names the specific controls, and concludes with a residual rating and an action. Repeat that pattern across each of the five categories and the document essentially writes itself — and an inspector reading it can see immediately that the firm understands its own business.

Sole practitioners and small firms

The obligation applies regardless of size, but proportionately. A sole practitioner with 80 local clients can produce a perfectly compliant assessment in three or four pages, provided it is genuinely about their practice. The trap for small firms is the opposite of complexity: buying a template, leaving the placeholder text in, and concluding "low risk" without analysis. Supervisors read hundreds of these documents and recognise an untouched template instantly. If your firm offers no trust or company services, say so and explain why that lowers your service risk — that sentence demonstrates more engagement than ten pages of copied legislation.

What are the most common failings supervisors find?

  • No assessment at all — now rarer, but still the most serious finding, and one that frequently leads to enforcement.
  • Generic template content not tailored to the firm's actual clients and services.
  • Missing categories — delivery channels and transactions are the ones most often skipped.
  • No conclusion on the firm's overall risk level, or no link between identified risks and controls.
  • Stale documents — assessments untouched for years, with no review date or version history.
  • No evidence the national risk assessment was considered.
  • No connection to practice — client files rated low risk that contradict the firm-wide assessment's own findings.

A quick documentation checklist

  • Date, author, version number and approval signature.
  • Data sources used (client book analysis, national risk assessment, supervisor guidance).
  • Risks identified under all five categories, scored.
  • Controls mapped to each risk, with residual risk conclusions.
  • Overall firm risk rating and adequacy statement.
  • Next review date and trigger events for earlier review.

Building and maintaining this document is a skill, and one your MLRO and partners can develop through structured CPD rather than trial and error at inspection time.

Study with Learnsignal

If your firm-wide risk assessment is overdue for an overhaul, Learnsignal's CPD-accredited AML and compliance courses walk through the risk-based approach in practical detail. Training is online and flexible, built for practitioners who need depth without classroom time. Explore the courses at Learnsignal CPD.
