How to Conduct a Firm-Wide Risk Assessment

Firm-wide risk assessments (FWRAs) are one of the leading causes of fines. In its recent report, the Solicitors Regulation Authority (SRA) found that only 52% of FWRAs were compliant. During its inspections, it noticed that some firms:

  • Only had one in place after they were asked to see it.
  • Provided an alternative document, such as an AML policy, instead.
  • Used a template without tailoring it to the firm.

The FWRA has been a requirement for all firms since 2017, set out in regulation 18 of the Money Laundering Regulations (MLRs). The risk assessment must be appropriate to the size and nature of your business and, following a recent amendment in regulation 18A, must also take into account the risk of proliferation financing.

Here are the main steps to help your firm stay compliant:

Understand the Purpose of an FWRA

Before creating an FWRA, you must understand what it’s used for. The FWRA helps identify, assess, and manage risks associated with money laundering, fraud, and other financial crimes. It serves as the foundation for your AML framework, ensuring that your policies, controls, and procedures (PCPs) are fit for purpose.

Key Goals:

  • Identify high-risk areas within your firm.
  • Evaluate the effectiveness of existing controls.
  • Ensure compliance with the latest regulatory standards.

Identify Key Risk Factors

The SRA categorises risk factors into five main areas:

  • Geographic Risk: Evaluate the risks based on the jurisdictions where your clients operate or originate.
  • Transactional Risk: Consider the nature and complexity of the transactions your firm handles.
  • Client Risk: Assess risks based on the client's industry, background, and business activities.
  • Product/Service Risk: Identify risks associated with the services you offer.
  • Delivery Channel Risk: Review vulnerabilities in how services are delivered, including online platforms.

Identify the Risk of Proliferation Financing

A recent amendment requires all firms to include the risk of their firm being used for proliferation financing. This can be done within your firm-wide risk assessment or separately, depending on the firm’s approach to risk management. Proliferation financing refers to the provision of funds or financial services that could be used to support the development, production, or acquisition of weapons of mass destruction (WMD) and their delivery systems.

Completing the FWRA (Step by Step)

Step 1: Gather Data

Compile information on all clients, transactions, and jurisdictions your firm interacts with.

Step 2: Analyse Risks

Assess the data against your identified risk categories.

Step 3: Score Risks

Assign risk levels (e.g., low, medium, high) to each category. The scoring helps prioritise where to focus your resources.

Step 4: Implement Controls

Introduce or update controls based on the risk assessment. For example, enhance due diligence procedures for high-risk clients or transactions.

Step 5: Document Findings

Maintain detailed records of your risk assessment, including methodologies, findings, and decisions to demonstrate correct procedures.

Develop a Tailored Risk Management Policy

Generic "off-the-shelf" policies won't cut it. Your risk management policy must reflect the unique risks your firm faces. This policy should include:

  • Procedures for conducting risk assessments.
  • Guidelines for escalating and mitigating identified risks.
  • Regular updates to align with evolving risks and regulations.

Provide AML Training Sessions

Creating your PCPs is not enough; the next step is to make sure your staff are fully aware of these risks and understand their role in identifying and mitigating them. This can be achieved by delivering effective AML training sessions that give staff at all levels the knowledge and tools necessary to act according to your firm’s PCPs, which they will be tested on when your firm is inspected.

Regularly Review and Update Your FWRA

The legal and regulatory environment changes quickly. Your FWRA must adapt accordingly. Set a schedule for regular reviews and updates, especially after significant changes in your operations or to reflect changes in regulation.

Foster a Risk-Aware Culture

Every member of your firm plays a role in managing risk. Provide regular training to ensure staff understand the importance of risk assessments and their role in the process. Encouraging open communication about risks throughout the firm can further strengthen your firm’s compliance culture.

Integrate Technology for Efficiency

Manual risk assessments can be time-consuming and arduous. Investing in AML technology can streamline the FWRA process by:

  • Ensuring a consistent and auditable process.
  • Automating data collection and analysis.
  • Providing real-time risk updates.


Summary

Conducting a firm-wide risk assessment is not just about meeting regulatory requirements; it's about building an adaptable, resilient practice. These steps can help your firm better manage risk whilst continuing to deliver excellent client service.

You can find a template and further guidance here
