How to prepare your firmwide risk assessment

For money laundering reporting officers (MLROs) and Compliance Officers for Legal Practice (COLPs) at law firms, the firmwide risk assessment sits uncomfortably between strategic priority and administrative burden. Everyone knows it needs to be done well. The data required to do it well is genuinely hard to gather. And once it's filed, the temptation to leave it until the next audit is understandable.

The problem is that a risk assessment built on last year's data doesn't tell you much about this year's risk. And regulators have become considerably more focused on how firms arrived at their conclusions, not just what those conclusions say.

This guide is aimed at SRA-regulated law firms in England and Wales. It covers what the regulations require, where to go for authoritative external guidance, where most firms come unstuck, and how to make the firmwide risk assessment genuinely useful rather than a document that lives on a shelf.

Why is a firmwide risk assessment important?

A firmwide risk assessment helps you take a risk-based approach to preventing money laundering by identifying the risks to which your firm may be exposed.

It also helps you develop proportionate policies, controls and procedures, and it gives fee earners a reference point when assessing risk at client and matter level.

What the regulations actually require

Under Regulation 18 of the Money Laundering Regulations 2017 (MLRs), firms must identify and assess the money laundering and terrorist financing risks to which their business is subject, document that assessment, keep it up to date, and have it approved by senior management.

It's worth being specific about what "senior management approval" actually means here. Regulation 18(4) specifies that approval must come from a member of the board of directors or equivalent, not simply from the compliance team signing off internally. In firms without a formal board structure, that means identifying who holds equivalent authority and ensuring their approval is documented. An assessment endorsed only at MLRO or COLP level, without board-level sign-off, doesn't satisfy the requirement.

The assessment must cover the risk factors set out in the money laundering regulations, namely:

  • Your firm's customers.

  • The countries or geographic areas in which you operate.

  • The products or services which your firm provides.

  • Your firm's transactions.

  • How your firm's products and services are delivered.

Firms should also factor in any risks specific to their own business that don't fall neatly into those categories.

One requirement that's often treated as background context rather than a direct input: your firmwide risk assessment should be informed by the National and Sectoral Risk Assessment (NRA). The NRA sets out the government's view of the money laundering and terrorist financing threats facing the UK. Ignoring it gives the impression that your assessment was arrived at in isolation, which regulators will notice.

Start with the right external guidance

For law firms, there are two essential reference points before beginning any firmwide risk assessment.

The first is the Legal Sector Affinity Group (LSAG) AML guidance. This is the primary practical reference for legal sector firms and is what the SRA will be referencing when it reviews your approach. It interprets the MLRs specifically in the context of legal practice.

The second is the SRA's own published materials: its sectoral risk assessment and its thematic reviews. The SRA regularly publishes findings from its supervisory work, identifying areas of legal practice it considers higher risk, historically including high-value residential property, trust and company services, and client account handling. These aren't just background reading. They should be feeding directly into your own assessment. If the SRA considers a particular area of practice to carry elevated risk and your firm does a significant volume of that work, your assessment needs to reflect that and explain how you're managing it.

The data challenge

The five risk categories give you a framework. Filling them with accurate, firm-specific data is where the actual work lives. The aim is to build both a qualitative and a quantitative picture of the risks your specific firm faces, not a generic narrative that could describe any firm.

At the client level, you need a clear picture of your client base: the breakdown of individual versus corporate clients, the geographic spread of nationalities and jurisdictions involved in transactions, the proportion of clients who are politically exposed persons (PEPs) or have generated sanctions matches, and the outcome of those investigations. At the transaction level, you need to understand volumes and values across practice areas, any concentrations of high-value or high-cash transactions, and the source of funds data your team has been collecting.

For anti-money laundering (AML) screening, it helps to know your firmwide alert rate, what proportion of alerts were investigated and escalated, and whether there are patterns (in particular teams, client sectors or jurisdictions) that wouldn't be visible from individual check results alone. These are the specifics that give your assessment credibility and give your MLRO the evidence base they need.

Gathering all of this from multiple systems is time-consuming work. The practical consequence is that most firms end up with an assessment that's partially out of date by the time it's written up. Being realistic about that gap, and building a process to close it, is more useful than pretending it doesn't exist.

Six things to do before you start writing

  1. Ground it in external guidance first. Before you open a blank document, read the LSAG guidance and the SRA's most recent thematic review. Understand how the regulator characterises the risks facing firms like yours. Your assessment should respond to that picture, not just describe your firm in isolation.

  2. Be specific about your firm's data. Generic risk assessments that could apply to any firm are a red flag. Capture specific data: client nationality breakdowns, PEP and sanctions match rates, transaction volumes by practice area, source of funds flag rates, identity document types used. These specifics are what separate a credible assessment from a form-filling exercise.

  3. Consider the risk of proliferation financing. Regulation 18A of the money laundering regulations also requires you to identify the risk of proliferation financing to your business. This can either be considered separately or within your firm-wide risk assessment. Further guidance on how to carry out a proliferation financing risk assessment can be found in the Legal Sector Affinity Group guidance.

  4. Connect the firmwide assessment to your matter-level framework. A firmwide risk assessment doesn't exist in isolation; it should directly inform your matter risk assessment templates and your client risk scoring methodology. If the firmwide assessment concludes that a particular client type or jurisdiction carries elevated risk, that conclusion should cascade down into how fee earners risk-rate individual matters. Treating them as separate exercises creates a gap that regulators will find.

  5. Document your rationale, not just your conclusions. If you've rated geographic risk as medium, explain why: set out what data informed that rating and what factors you considered. Regulators are interested in your reasoning. A well-evidenced medium is considerably more defensible than an undocumented low.

  6. Get board-level sign-off and record it properly. Under Regulation 18(4), approval must come from a member of the board or equivalent. Record who approved the assessment, when, and in what forum. If it goes to a management board meeting, minute it. The when matters as much as the who. Ensure you keep old versions and maintain a record of version control.

Helpful resources

These resources are useful further reading.
