What Does an AML Firm-Wide Risk Assessment Look Like?
Too many firms still treat their Firm-Wide Risk Assessment (FWRA) as a box-ticking exercise, and as expected, regulators are noticing. The SRA has placed significant emphasis and scrutiny on FWRAs as part of its AML thematic reviews and inspections, and rising threats (such as proliferation financing) mean yesterday’s assessment may no longer be adequate today.
Under Regulation 18 of the Money Laundering Regulations 2017, firms must maintain a written FWRA that is proportionate to their size and the nature of their business. A robust FWRA should be reviewed at least annually, updated after any material change in risk, and supported by clear evidence of how relevant individuals monitor and mitigate those risks.
So, what should your FWRA actually contain, and how do you demonstrate that your controls stand up under regulatory scrutiny? This guide will discuss the practical triggers, key risk areas, and simple steps towards making your FWRA both compliant and defensible.
Contents
- What Is a Firm-Wide Risk Assessment & Why Do You Need One?
- FWRA vs Client & Matter Risk Assessment
- The Importance of Regularly Updating Your FWRA
- How To Conduct a Firm-Wide Risk Assessment
- Should You Use a Firm-Wide Risk Assessment Template?
- FWRA Compliance Considerations for 2026 & Beyond
Bespoke Firm-Wide Risk Assessment Support
Is Your Firm-Wide Risk Assessment Truly Fit for Purpose?
A template won't cut it. PDA Legal produces bespoke, detailed FWRAs that accurately reflect your practice's risk profile, and we can support your team in keeping them current as regulations evolve.
What Is a Firm-Wide Risk Assessment & Why Do You Need One?
A Firm-Wide Risk Assessment is the written, firm-level review required by Reg 18 of the MLRs 2017. It’s not just a compliance document; it should be the backbone of your AML framework.
When combined with your Customer Due Diligence (CDD) procedures and controls for Source of Wealth, an FWRA helps practices to identify the extent to which they are exposed to money laundering risks. The SRA treats the FWRA as a “living document” and expects it to be proportionate to the size, structure, and activities of your practice.
FWRAs require law firms to address four main elements:
- Identify potential risks in relation to money laundering and other financial crimes
- Assess the severity of each risk by considering its likelihood and potential impact
- Evaluate whether your practice has appropriate policies, processes, or controls in place, and ensure they are implemented to mitigate those risks
- Review and update your FWRA in light of any changes to the SRA's Sectoral Risk Assessment.
However, despite being a requirement since 2017, the SRA says it is still finding a significant number of firms falling short. The SRA's 2024/2025 AML report reveals that, of 814 FWRAs reviewed, only 47% were compliant; 9% were non-compliant, and the remaining 44% were only partially compliant. Alarmingly, 19 firms did not have an FWRA at all and were referred for investigation.
“Most worrying are those firms who only put in place a firm wide risk assessment after we request to see it. The requirement to have a firm wide risk assessment has now been in force since 2017. The purpose of a firm wide risk assessment is to help mitigate the risks a firm is or could be exposed to, and the measures which should then be put in place to help mitigate the firm's exposure to financial crime. It is a crucial step in being able to prevent money laundering. We will continue to take robust action against any firms who do not have a firm wide risk assessment in place.”
(Source: Solicitors Regulation Authority)
What "Living Document" Means in Practice
The SRA frequently refers to the FWRA as a “living document,” but in practice, this means far more than scheduling an annual review. A genuinely embedded FWRA should shape how your firm identifies, manages, and monitors risk on an ongoing basis.
In practical terms, this involves several key elements:
Your FWRA sets the firm’s own risk parameters…
Rather than relying solely on broad regulatory risk categories, your assessment should define what heightened risk looks like in the context of your specific client base and services. What size or structure of transaction is unusual for your firm? Which client characteristics warrant enhanced due diligence? These firm-specific benchmarks should be clearly articulated and consistently applied across departments.
Operational controls are aligned with risk findings…
Where your FWRA highlights increased exposure in particular practice areas or client types, those conclusions should translate into proportionate safeguards within matter-opening and monitoring procedures. Risk identification must lead directly to tailored control measures.
Training reflects your actual exposure profile…
Effective AML training should address the vulnerabilities identified in your FWRA, equipping staff to recognise the types of red flags most relevant to your work. Generic online webinars or ‘awareness’ sessions are unlikely to meet supervisory expectations if they do not reflect your firm’s unique risk profile.
Governance and oversight are informed by the FWRA…
Senior management and the MLRO should demonstrably rely on the FWRA when assessing new business initiatives and responding to breaches or audit findings. Regulators increasingly expect to see documentary evidence that the assessment informs real decision-making, not merely policy drafting.
FWRA vs Client & Matter Risk Assessments: Understanding the Difference
One of the most common areas of confusion flagged by the SRA is the distinction between a firm-wide risk assessment and client or matter risk assessments. These are separate documents with different purposes, and both are required under the Money Laundering Regulations 2017.
Your Firm-Wide Risk Assessment (Regulation 18) is a strategic, practice-level document. It identifies and evaluates the inherent money laundering risks across your entire firm, considering your client base as a whole, the types of matters you handle, your geographical reach, your service delivery model, and your internal controls. The FWRA asks: "What are the money laundering risks this firm is exposed to, and how do our policies and procedures mitigate them?"
Client and matter risk assessments are operational, case-by-case evaluations. For each new client or matter, you assess the specific risk that particular engagement poses, considering factors such as the client's identity, source of funds, transaction complexity, and jurisdictional concerns. This assessment determines the appropriate level of CDD you must apply to that client or matter.
How These Documents Connect
Your FWRA should inform your approach to client risk assessment. For example, if your FWRA identifies conveyancing for high-value properties as a higher-risk service line, your client risk assessment process for those matters should reflect increased scrutiny. The FWRA sets the strategic framework; client risk assessments apply it to individual engagements.
The SRA has noted that firms sometimes mistake a collection of client risk assessments for a firm-wide risk assessment, or vice versa. Having robust client risk procedures does not exempt you from maintaining a separate, comprehensive FWRA. Both are regulatory requirements, and both serve distinct compliance functions.
The Importance of Regularly Updating Your FWRA
Since mid-2023, supervisors have updated sectoral guidance, and enforcement agencies have taken a much tougher approach to breaches of AML and sanctions rules. In practice, this means firms should review their FWRA at least annually and immediately after any material change in risk, for example, new sanctions or a change in a major client profile.
Supervisors now explicitly expect firms to address emerging threats, including proliferation financing and sanctions, and to demonstrate how those risks are mitigated through day-to-day controls. The SRA has refreshed its FWRA guidance and published supporting material to assist firms. Other agencies, including the Office of Trade Sanctions Implementation (OTSI), have increased enforcement activity and issued further guidance on strategic threats, making timely updates to your FWRA both a compliance obligation and a reputational safeguard.
If your firm lacks the capacity or specialist expertise to keep its FWRA under active review, an external gap analysis or consultancy review can help ensure that the assessment remains proportionate, defensible, and aligned with current regulatory expectations.
Action Point:
Before you read on, stop. Please take a minute to check that your FWRA truly accounts for the level of risk your firm is exposed to daily.
If it doesn’t, it most likely needs to be updated. If you can’t readily access your current FWRA, this in itself presents a significant concern. In all cases, we can help you.
Book a free initial consultation now before reading on.
How To Conduct a Firm-Wide Risk Assessment
Poorly composed FWRAs are a common area of non-compliance. Our own experience has revealed that many firms are trying to operate with FWRAs that are just 2 to 4 pages long, with only summarised detail and scant analysis.
According to the SRA, of the 73 firm-wide risk assessments reviewed between 2021 and 2022:
- Almost 20% did not refer to areas identified in the SRA sectoral risk assessment
- 10% of firms failed to correctly consider money laundering risks associated with how their services were delivered. This is an area of growing concern due to the proliferation of services being delivered digitally
- Almost a third of firms used templates which had not been tailored to the firm
In contrast, FWRAs drafted by PDA Legal are typically more than 30 pages long. This demonstrates the need to have FWRAs produced by experts who can guide and inform the process, thereby shaping a risk assessment that adequately describes the risks to which your practice is subject.
However, should you choose to conduct your own Firm-Wide Risk Assessment, here’s what we would recommend considering:
1. Define Scope & Ownership
- Decide which entities, offices, service lines, and channels are included.
- Appoint an accountable senior owner (e.g. your MLCO or MLRO) and a small project team (compliance, ops, head of practice).
2. Gather Data & Intelligence
- Pull client intake, transaction data, matter types, country exposure, and supplier lists.
- Review external intelligence such as SRA sectoral guidance, NCA strategic assessment, OFSI/OTSI guidance, recent enforcement cases, and UK sanctions lists.
3. Identify & Map Risks
- List inherent risks across clients, transaction types, services, and geographical areas.
- Include sanctions, crypto, cyber-enabled fraud, and corporate-structure vulnerabilities.
- For each risk, note typical threat levels and likely scenarios (how the firm could be exploited).
4. Assess Risk Likelihood & Impact
- Score each risk for likelihood and impact (e.g. 1 to 5 or ‘low’ to ‘high’) and calculate inherent risk.
- Document assumptions and data used for scoring.
5. Record Controls & Test Effectiveness
- For each risk, list mitigating policies, CDD procedures, sanctions screening, training, monitoring, and firm-wide reporting lines.
- Evaluate whether controls are operating as intended (reports, KPIs, audit results, client file checks). Derive a residual risk score.
6. Produce Written FWRA
- Summarise findings, risk ratings, control gaps, prioritised actions, owners, deadlines, and metrics to track.
- Include a short executive summary for senior management and other compliance officers.
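To make steps 3 to 5 concrete, here is an added worked example (not PDA Legal's or the SRA's own methodology) of a small risk register that scores likelihood and impact on a 1 to 5 scale, derives inherent risk as their product, discounts it by the tested effectiveness of the recorded controls to give a residual score, flags control gaps, and checks whether the annual review or a material-change review is due. The scale, the rating thresholds, the way control effectiveness is combined, and the four sample risks are all assumptions constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed scoring scale: likelihood and impact both run 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed rating bands applied to a score out of 25.
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15.0, 8.0


@dataclass
class Control:
    """A mitigating control with an effectiveness rating taken from testing evidence
    (audit results, file checks, KPIs): 0.0 = not operating, 1.0 = fully effective."""
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness for {self.name!r} must be between 0 and 1")


@dataclass
class Risk:
    ref: str
    area: str            # service line, client type, delivery channel or geography
    description: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} for {self.ref} must be {SCALE_MIN}..{SCALE_MAX}")

    def inherent(self) -> int:
        # Inherent risk before any controls: likelihood x impact (1..25).
        return self.likelihood * self.impact

    def control_effectiveness(self) -> float:
        # Assumed combination rule: each control removes a fraction of what is left,
        # so two controls at 0.6 and 0.5 leave 0.4 * 0.5 = 0.2 of the risk (0.8 effective).
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return 1.0 - remaining

    def residual(self) -> float:
        # Residual risk is the inherent score discounted by combined control effectiveness.
        return round(self.inherent() * (1.0 - self.control_effectiveness()), 1)


def rating(score: float) -> str:
    """Map a score out of 25 to the low/medium/high band used in the written FWRA."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Order the register by residual risk so the action plan starts with the worst gaps."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def control_gaps(risks: list[Risk], threshold: float = MEDIUM_THRESHOLD) -> list[Risk]:
    """Risks whose residual score still sits at medium or above need new or stronger controls."""
    return [r for r in risks if r.residual() >= threshold]


def review_status(last_review_iso: str, today_iso: str, material_change: bool) -> str:
    """Regulation 18 review trigger check: annual review, or sooner after a material change."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    if material_change:
        return "update required: material change in risk"
    if today - last_review > timedelta(days=365):
        return "update required: annual review overdue"
    return "current"


def sample_register() -> list[Risk]:
    """Constructed sample register; the risks, scores and controls are illustrative only."""
    cdd_sof = Control("Enhanced CDD and source of funds checks", 0.6)
    screening = Control("Sanctions screening at matter opening", 0.5)
    eid = Control("Electronic ID verification for remote clients", 0.5)
    return [
        Risk("R1", "Conveyancing", "High-value residential purchases", 4, 5, [cdd_sof, screening]),
        Risk("R2", "Service delivery", "Digital-only onboarding with no face-to-face contact", 3, 4, [eid]),
        Risk("R3", "Corporate clients", "Complex structures with opaque beneficial ownership", 3, 5, []),
        Risk("R4", "Sanctions", "Trade sanctions and proliferation financing exposure", 2, 5, [screening]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for risk in prioritise(register):
        print(f"{risk.ref} {risk.area:<18} inherent={risk.inherent():>2} "
              f"residual={risk.residual():>5} rating={rating(risk.residual())}")
    print("gaps:", [r.ref for r in control_gaps(register)])
    print(review_status("2025-01-10", "2026-03-01", material_change=False))
```

Running the script lists the register in residual-risk order, shows that the uncontrolled corporate-structure risk (R3) is the only one still rated medium or above, and reports that a review last completed in January 2025 is overdue by March 2026. The useful output for the written FWRA is the documented trail: the scores, the assumptions behind them, and the evidence used for each control's effectiveness rating.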
Should You Use a Firm-Wide Risk Assessment Template?
Whilst technically you could use a template, the SRA highlights template usage as one of the prime reasons why firms fail to achieve compliance. This is not because using a template is wrong in itself, but because each firm is unique: a template cannot provide a suitable framework unless it is completed with adequate knowledge of the firm's own risks, and without that it will not be fit for purpose.
There is no substitute for an expert individual producing a unique FWRA for a firm, tailored to the legal practice's own individual situation. But, for firms that would like to prepare some of the backdrop of their own FWRA, we have produced some free guidance notes and a firm-wide risk assessment template outline by way of points for consideration.
We emphasise that these guidance notes are not ‘advice’ and that firms are solely responsible for their own assessment of AML risk.
FWRA Compliance Considerations for 2026 & Beyond
Expectations around Firm-Wide Risk Assessments will continue to rise during 2026. Regulators are no longer focused solely on whether an FWRA exists, but on whether it is current, risk-led, and demonstrably embedded in how a firm operates.
Your assessment should account for both existing and rising threats, such as trade sanctions exposure, proliferation financing, and vulnerabilities in complex corporate structures, as these risks cut across multiple service lines and cannot be dealt with in isolation. Firms should be ready to evidence interim reviews triggered by material changes, as and when they occur.
Looking Ahead to the FCA Transition
The government has confirmed that AML supervision of law firms will transfer from the SRA to the Financial Conduct Authority (FCA) as part of the Single Professional Services Supervisor (SPSS) initiative. While the transition is unlikely to begin before 2028, firms should anticipate a phased handover over the next 2-3 years. The FCA is expected to adopt a more data-driven supervisory approach, with greater scrutiny of risk assessment methodologies and evidence of control effectiveness. Firms that maintain robust, well-documented FWRAs now will find themselves better positioned when the transition occurs.
It is important to remember that FWRAs are increasingly viewed as part of wider governance and risk management. Firms should ensure their FWRA aligns with training programmes, internal audits, breach reporting, and board-level oversight, with clear accountability for ongoing ownership.
Get Help Evaluating or Performing a Firm-Wide Risk Assessment Today
With over 25 years of experience within the legal sector, we have helped over 500 legal practices and have been assisting firms with their firm-wide risk assessments since they were introduced in 2017. Therefore, you can rest assured that you’re in safe, knowledgeable hands.
So, whether you need help with FWRAs specifically or AML advice in general, we will be more than happy to help. Contact us today for a FREE, no-obligation consultation.
Frequently Asked Questions About Firm-Wide Risk Assessments
How long should a firm-wide risk assessment be?
There is no prescribed length, but a compliant FWRA should be comprehensive enough to demonstrate meaningful analysis of your firm's specific risks. The SRA has noted that many non-compliant FWRAs are just 2 to 4 pages with minimal detail. In practice, a robust FWRA for most law firms will typically run to 20 to 30+ pages, covering client types, matter profiles, geographical exposure, transaction risks, control measures, and residual risk ratings. The key test is whether your FWRA provides sufficient evidence that you understand and can mitigate the money laundering risks your firm faces.
How often must a law firm update its FWRA?
Under Regulation 18 of the Money Laundering Regulations 2017, firms must review their FWRA at least annually. However, you must also update it immediately following any material change in risk, such as entering a new practice area, significant changes to your client base, new sanctions designations, or regulatory guidance updates.
The SRA expects firms to treat the FWRA as a "living document" that evolves alongside your practice and the external threat landscape.
Can I use a template for my firm-wide risk assessment?
While templates can provide a useful starting framework, the SRA has identified reliance on generic templates as one of the most common reasons for non-compliance.
Every firm has a unique risk profile based on its client base, practice areas, fee earner experience, geographical exposure, and internal controls. A compliant FWRA must be tailored to your specific circumstances with genuine analysis, not simply filled-in boilerplate text.
If you do use a template as a starting point, it must be substantially customised and evidenced to reflect your firm's actual risk environment and day-to-day operations.
What happens if my firm doesn't have a compliant FWRA?
Non-compliance can result in fines, formal regulatory action, restrictions on practice, and, in serious cases, referral to the Solicitors Disciplinary Tribunal. Beyond enforcement, an inadequate FWRA undermines your entire AML framework.
You cannot implement proportionate controls if you haven't properly assessed your risks in the first place. Recent enforcement actions have seen firms fined hundreds of thousands of pounds for AML failings, often stemming from inadequate risk assessment at the outset.
Neil Partridge is Operations Director and a risk and compliance specialist with nearly two decades of experience in the legal sector. He is a senior trainer, AML lead auditor, and Lexcel assessor, delivering consultancy, assessment, and training to law firms across the UK on compliance, risk, and best practice.