What Does a Firm-Wide Risk Assessment Look Like?

17 October 2023

Firm-Wide Risk Assessments (FWRAs) are a common area of regulatory non-compliance in legal practices. Many law firms draft FWRAs that fall short on the level of detail required and on the data sets and topics that need to be included. So widespread is the problem that the SRA is including particular scrutiny of FWRAs as part of its ongoing campaign of AML thematic review visits to law firms around the UK.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR17) require firms to have a written Firm-Wide Risk Assessment in place. Furthermore, Regulation 18 states that the FWRA must be appropriate for the size and nature of your firm.

But what exactly is a FWRA, what factors do you need to consider, and what are the potential implications of non-compliance? In this article we look at:

What is a firm-wide risk assessment and why are they important?

First introduced in 2017, Firm-Wide Risk Assessments are an important tool in the fight against money laundering and criminal or terrorist activities.

When combined with your Customer Due Diligence (CDD) procedures, a FWRA helps practices to identify the extent to which they are exposed to money laundering risks.

FWRAs require you to do four main things:

  • To identify potential risks in relation to money laundering
  • To assess the severity of each risk by considering the likelihood and potential impact
  • To evaluate if your practice has appropriate policies, processes or controls in place, and to ensure you are implementing those to mitigate risks
  • To review and assess your FWRA in relation to any changes in the SRA's Sectoral Risk Assessments.

However, despite being a requirement since 2017, the SRA say they are still finding a significant number of firms falling short. The 2022/2023 AML report by the SRA reveals that, despite improvements in recent years, of 216 FWRAs reviewed, only 49% were compliant. 7% were non-compliant, and the remaining 54% were only partially compliant. Eight firms were referred for investigation for failing to provide an FWRA.

“Most worrying are those firms who only put in place a firm wide risk assessment after we request to see it. The requirement to have a firm wide risk assessment has now been in force since 2017. The purpose of a firm wide risk assessment is help [sic] identify the risks a firm is or could be exposed to, and the measures which should then be put in place to help mitigate the firms' exposure to financial crime. It is a crucial step in being able to prevent money laundering. We will continue to take robust action against any firms who do not have a firm wide risk assessment in place.”

(Source: Solicitors Regulation Authority)

The importance of regularly updating your FWRA

FWRAs can only work effectively if they are regularly reviewed and updated. This is another area where many legal practices fall short.

There have been numerous changes to AML and sanctions regimes in recent years, so it is important that your FWRA is kept up to date and aligned with these changes. For example, in July 2023, the SRA’s Sectoral Risk Assessment was updated to:

  • remove legal cannabis and COVID-19 as key risks
  • enhance emphasis on proliferation financing and financial sanctions risk

In addition, in July 2023 the National Crime Agency's National Strategic Assessment was updated to include threats posed by:

  • proliferation financing
  • sanctions against Russia and Russian-linked individuals
  • increasing levels of cybercrime, including theft, malware and ransomware
  • usage of money mules
  • Chinese underground banking networks
  • international controller networks that exchange cash for crypto-assets
  • vulnerabilities in the creation and oversight of UK corporate structures

However, both our experience and that of the SRA show that FWRAs often fail to keep aligned with these changes. This is sometimes due to a lack of time or resources within the firm, but as often as not, it’s because firms feel they do not have sufficient insight or knowledge to do so.

Action Point:

Before you read on, stop. Please take a minute to check the following.

Find your FWRA and take a look to see if it takes into account the above changes. If it doesn’t, it most likely needs to be updated. If you can’t readily access current FWRAs, this in itself presents a significant concern. In all cases, we can help you.

Book a free initial consultation now before reading on.

How to conduct a firm-wide risk assessment

Poorly composed FWRAs are a common area of non-compliance. Quite simply, firms fail to describe and apply the level of detail and analysis required.

According to the SRA, of the 73 firm-wide risk assessments reviewed between 2021-2022:

  • Almost 20% did not refer to areas identified in the SRA sectoral risk assessment
  • 10% of firms failed to correctly consider money laundering risks associated with how their services were delivered. This is an area of growing concern due to the proliferation of services being delivered digitally
  • Almost a third of firms used templates which had not been tailored to the firm

In addition, data recently released within the SRA’s 2022-2023 Anti Money Laundering Report revealed that of 249 money laundering-related reports, 48 reports stated that there had been a failure to carry out a FWRA, thus making it the 4th most frequent failure with AML controls.

Our own experience has revealed that many firms are trying to operate with FWRAs which are just 2-4 pages in length, with only summarised detail and scant analysis. In contrast, FWRAs drafted by PDA Legal are typically more than 30 pages long. This demonstrates the need to have FWRAs produced by experts who can help guide and inform, to arrive at a risk assessment that adequately describes the risks to which your practice is subject.

The bulk of the time and work involved goes into gathering and analysing data. Risks should then be grouped into the categories listed below.

Potential risks to consider

  • Client type
  • Products & Services
  • Geographical areas covered
  • Transaction type
  • Delivery channels

Whilst aimed at accountants, the Institute of Chartered Accountants in England and Wales (ICAEW) have created a very useful and in-depth guide on how to conduct a firm-wide risk assessment.

Should you use a firm-wide risk assessment template?

Whilst technically you could use a template, as mentioned above, the SRA highlights template usage as being the largest reason why firms fail to achieve compliance. This is not because of using a template per se, but because each firm is unique: without adequate knowledge and customisation, a template does not provide a suitable framework that is fit for purpose for a given firm.

For example, a particularly popular, but ill-suited, template is known as the “R18 template”, which we encounter in one form or another almost every week. Unfortunately, it is now very out of date, lacks the facility for analysis and fails to reflect the complexities of contemporary AML risks in a modern legal practice.

There is no substitute for an expert individual producing a unique FWRA for a firm, tailored to the legal practice's own individual situation. But, for firms that would like to prepare some of the backdrop of their own template for a FWRA, we have produced some free guidance notes and a firm-wide risk assessment template outline, by way of points for consideration, that we hope you will find useful. We emphasise that these guidance notes are not ‘advice’ and that firms are solely responsible for their own assessment of AML risk.

Get help evaluating or performing a firm-wide risk assessment today

With over 25 years' experience within the legal sector, we have helped over 500 legal practices, and have been aiding firms with evaluating, creating or updating their firm-wide risk assessments since they were introduced in 2017. Therefore, you can rest assured that you’re in safe, knowledgeable hands.

We also provide a range of other services relating to AML including:

So whether you need help with FWRAs specifically, or AML advice in general, we can help. Contact us today for a free, no obligation consultation.
