Firm-Wide Risk Assessment: Complete Guide

How to conduct a compliant firm-wide risk assessment.

Updated 2025-01-15 · 12 min read · Certivus Team

Answer-first summary

What is a firm-wide risk assessment for accountants?

A firm-wide risk assessment is a written assessment of how your accountancy practice could be exposed to money laundering or terrorist financing risk. It should identify the risks in your clients, services, geographies, delivery channels, transactions, and controls, then explain how the practice manages those risks.

  • It sits above individual client risk assessments
  • It should be reviewed when your practice, clients, or services change
  • HMRC expects businesses to document risks, controls, monitoring, and records

TL;DR — Quick Summary

  • A firm-wide risk assessment should describe the real AML risks in your practice, not a generic template answer
  • The best assessment links each risk to a practical control, owner, and review process
  • Keep examples of client files, screening decisions, training records, and policy updates with the assessment evidence

Why the firm-wide assessment matters

For UK accountants, the firm-wide risk assessment is the foundation for a risk-based AML programme. It explains what could go wrong in the practice, how likely those risks are, how serious the impact would be, and which controls reduce the risk to an acceptable level.

A useful assessment is specific. A sole practitioner with local owner-managed businesses has different risk exposure from a multi-office practice handling overseas companies, complex ownership structures, high-value transactions, or high-risk sectors.

5-step firm-wide risk assessment process

1. Map your practice risk profile

List the client types, services, sectors, locations, delivery channels, payment routes, and transaction patterns your practice actually handles.

2. Score the main risk factors

Rate customer, service, geography, delivery-channel, transaction, and funding risks. Keep the scoring simple enough for staff to apply consistently.

3. Link risks to controls

For every material risk, record the control that reduces it: CDD, EDD, approval thresholds, screening, review cadence, training, or escalation.

4. Assign owners and review dates

Name the person responsible for the assessment, the approval date, and the next review date. Update earlier when your client base or services change.

5. Keep evidence with the assessment

Attach the rationale, data used, policy references, and examples of client files that show the risk-based approach working in practice.

Risk factors to cover

Your assessment should cover the risk factors that apply to your practice. Common categories include customer risk, service risk, geographic risk, delivery-channel risk, transaction risk, payment/funding risk, technology risk, staff capability, and the effectiveness of existing controls.

For each category, record what raises risk, what lowers risk, what evidence supports the rating, and what the practice will do when a client or matter sits outside normal risk appetite.

Evidence to keep with the assessment

  • Firm-wide AML risk assessment and approval date
  • Client risk assessment examples across low, medium, and high risk
  • CDD and EDD procedures linked to risk ratings
  • PEP and sanctions screening process
  • Staff training records and MLRO escalation route
  • Monitoring, file review, and policy update schedule

Common mistakes to avoid

The biggest mistake is treating the assessment as a static template. HMRC can ask how the assessment reflects your actual business, why the ratings were chosen, and whether controls are monitored. Keep language plain, dates current, and evidence close to the decisions.

Avoid unsupported statements such as "low risk because we know our clients." Instead, explain the client profile, verification process, screening approach, review cadence, and escalation route for exceptions.

How Certivus helps

Certivus helps accountancy teams collect CDD evidence, run PEP and sanctions screening, score client risk, record review decisions, and export audit-ready records. That gives the firm-wide risk assessment better supporting evidence, especially when preparing for HMRC review.

Primary sources

Read this alongside HMRC's official guidance on money laundering risk assessments, AML responsibilities, and record keeping. This article is general information for UK practices and is not legal advice.
