The AML risk assessment is the foundation document of the firm's entire compliance programme. Regulation 18 of MLR 2017 makes the firm-wide risk assessment mandatory; Regulation 28(12) requires risk assessment at client level; and the National Risk Assessment and the supervisor's sectoral risk assessment must be considered as inputs to both. Despite this, the typical template that lands at HMRC supervision visits is a generic two-page download with the firm's name pasted at the top. This guide walks through what a working template looks like at both levels.
The firm-wide risk assessment - what it must cover
Regulation 18(2) lists the minimum risk factors the firm-wide assessment must consider: the firm's customers, the countries or geographic areas in which it operates, its products or services, its transactions, and its delivery channels. Each factor must be addressed individually, not lumped into a single narrative.
Beyond the regulatory minimum, the firm should also consider: the supervisor sectoral risk assessment (which is binding context), the National Risk Assessment, internal incident history (any SARs raised, any near-misses), and any new service lines added in the period.
Quantify wherever possible
A risk assessment that says "we have some high-risk clients" carries far less weight than one that says "9% of our client book is rated high-risk, concentrated in property and financial intermediation, with 60% of the high-risk segment located in [region]." Quantification forces honesty and gives the assessment something to be reviewed against year-over-year.
Even rough quantification - client counts by sector, fee revenue by jurisdiction, EDD file counts by trigger - beats narrative impressionism. Pull the numbers from the practice management system rather than guessing; if your system cannot produce them, fix the system before the next regulator visit.
Document the methodology, not just the conclusion
The assessment should describe how risk has been measured: the scoring scale, the weighting between factors, the threshold for moving a client between bands, and the moderation process by which the MLRO calibrates ratings across the team. A regulator can replicate your conclusions only if your method is visible.
A defensible scoring scale typically uses 3-5 bands per factor (geographic, sectoral, product, delivery, customer) with stated criteria for each band, and a composite mechanism (highest single factor, weighted average, or modified average with overrides) for the overall rating.
Tie the assessment to controls
Every elevated risk identified must have a corresponding control. If the assessment flags "elevated risk in trust clients," the document should reference the specific procedure that triggers EDD for trusts, the training that staff have completed on trust-specific risks, and the monitoring cadence applied. A risk identified without a control is a finding waiting to happen.
Review triggers and frequency
Annual review is the floor, not the ceiling. The assessment should also be reviewed on the following triggers: changes to the National Risk Assessment, updates to the supervisor sectoral assessment, material changes to the client base or service lines, regulatory changes (such as updates flowing from the Economic Crime and Corporate Transparency Act), and material internal incidents.
Each review should produce a version-controlled update, a change log noting what shifted and why, and a fresh senior-management sign-off. A risk assessment that has not been touched in 18 months is an immediate adverse finding.
The client-level risk assessment template
At client level, the assessment should capture, against each factor from the firm-wide model: the client's position on the factor, the resulting score, and any qualitative notes. It should produce an overall rating (low, standard, high), the resulting CDD/EDD path, and the next scheduled review date.
The client-level assessment is not a one-off onboarding artifact. It must be refreshed on a cadence proportionate to the rating (high-risk typically every 12 months, standard 24-36 months, low up to 36 months) and on trigger events. Holding the assessment and review history against the client profile in Accupe means the next review date surfaces automatically rather than slipping into a spreadsheet that nobody opens.
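As an added example (not the article's template, any supervisor's model, or Accupe's code), the following Python sketch implements the mechanics described in the "Document the methodology" section and the client-level template above: four bands per factor, the three composite mechanisms the article names (highest single factor, weighted average, modified average with an override), an overall low/standard/high rating, the resulting CDD/EDD path, the next review date from the rating's cadence, and the firm-wide quantification (share of the book rated high, concentration by sector and geography) that the "Quantify wherever possible" section asks for. The band criteria, factor weights, rating thresholds and the sample client book are all constructed assumptions for illustration; a firm substitutes its own.

```python
import calendar
from collections import Counter
from datetime import date

# The five factors from the article; bands run 1 (lowest risk) to 4 (highest).
FACTORS = ("geographic", "sectoral", "product", "delivery", "customer")
TOP_BAND = 4

# HYPOTHETICAL band criteria (observed attribute -> band); a real firm writes its own.
BAND_CRITERIA = {
    "geographic": {"UK": 1, "EEA": 2, "UAE": 3, "FATF_greylist": 4},
    "sectoral": {"retail": 1, "professional_services": 2, "property": 3,
                 "financial_intermediation": 4},
    "product": {"compliance_only": 1, "accounts": 2, "tax_planning": 3,
                "company_formation": 4},
    "delivery": {"face_to_face": 1, "video_verified": 2, "remote": 3,
                 "via_intermediary": 4},
    "customer": {"individual": 1, "company": 2, "trust": 3, "pep_linked": 4},
}
# HYPOTHETICAL factor weights for the weighted-average composite (sum to 1.0).
WEIGHTS = {"geographic": 0.25, "sectoral": 0.2, "product": 0.2,
           "delivery": 0.15, "customer": 0.2}
# Review cadence in months by rating, as the article states; 24 is taken for
# "standard" as the conservative end of its 24-36 month range.
REVIEW_MONTHS = {"high": 12, "standard": 24, "low": 36}

def factor_bands(profile):
    """Place the client on each factor's scale; fail loudly on an unknown attribute."""
    bands = {}
    for factor in FACTORS:
        value = profile.get(factor)
        if value not in BAND_CRITERIA[factor]:
            raise ValueError(f"no band criterion for {factor}={value!r}")
        bands[factor] = BAND_CRITERIA[factor][value]
    return bands

def composite_score(bands, mechanism="modified"):
    """Combine factor bands with one of the three mechanisms the article lists."""
    highest = max(bands.values())
    weighted = round(sum(WEIGHTS[f] * bands[f] for f in FACTORS), 2)
    if mechanism == "highest":
        return float(highest)
    if mechanism == "weighted":
        return weighted
    if mechanism == "modified":
        # Override: one factor in the top band forces the composite to the top band,
        # so averaging cannot dilute a single severe factor.
        return float(TOP_BAND) if highest == TOP_BAND else weighted
    raise ValueError(f"unknown composite mechanism {mechanism!r}")

def overall_rating(score):
    """HYPOTHETICAL thresholds mapping the composite to low / standard / high."""
    return "low" if score < 2.0 else "standard" if score < 3.0 else "high"

def add_months(d, months):
    """Calendar-safe month arithmetic, clamping to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def assess_client(client_id, assessed_on, attributes, mechanism="modified"):
    """One client-level record: position per factor, score, rating, CDD/EDD path,
    and the next scheduled review date derived from the rating's cadence."""
    profile = dict(zip(FACTORS, attributes))   # attributes given in FACTORS order
    bands = factor_bands(profile)
    score = composite_score(bands, mechanism)
    rating = overall_rating(score)
    return {
        "client_id": client_id, "profile": profile, "bands": bands, "score": score,
        "rating": rating, "cdd_path": "EDD" if rating == "high" else "CDD",
        "next_review": add_months(assessed_on, REVIEW_MONTHS[rating]),
    }

def firm_wide_summary(assessments):
    """Quantify the book: share rated high, and where the high-risk segment concentrates."""
    high = [a for a in assessments if a["rating"] == "high"]
    pct_high = round(100 * len(high) / len(assessments), 1) if assessments else 0.0
    return {
        "clients": len(assessments),
        "ratings": dict(Counter(a["rating"] for a in assessments)),
        "pct_high": pct_high,
        "high_by_sector": dict(Counter(a["profile"]["sectoral"] for a in high)),
        "high_by_geography": dict(Counter(a["profile"]["geographic"] for a in high)),
    }

# Constructed sample client book (fictional clients, all assessed on the same date).
ASSESSED = date(2024, 3, 1)
SAMPLE_BOOK = [
    assess_client("C001", ASSESSED, ("UK", "retail", "accounts", "face_to_face", "individual")),
    assess_client("C002", ASSESSED, ("UAE", "property", "tax_planning", "remote", "company")),
    assess_client("C003", ASSESSED, ("UK", "financial_intermediation", "accounts", "face_to_face", "company")),
    assess_client("C004", ASSESSED, ("UAE", "property", "company_formation", "via_intermediary", "trust")),
    assess_client("C005", ASSESSED, ("FATF_greylist", "retail", "accounts", "remote", "individual")),
]
```

Running `firm_wide_summary(SAMPLE_BOOK)` on the constructed book reports 3 of 5 clients (60%) rated high, split evenly across financial intermediation, property and retail, which is the kind of sentence the "Quantify wherever possible" section wants in the firm-wide document. The sample also shows why the composite mechanism must be stated in the methodology: client C002 scores 2.8 (standard) under the weighted average but 3.0 (high) under highest-single-factor, and C003 sits at exactly 2.0 on the weighted average yet is forced to high by the override because its sectoral factor is in the top band. Every rating here was produced with the same weights and thresholds, which is the consistency across team members that finding (4) in the "Common findings" section is about.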
Common findings to pre-empt
Five findings recur in published HMRC and ICAEW supervision letters: (1) firm-wide assessment that does not address the Regulation 18(2) factors individually, (2) no quantification of the client base, (3) no link between risk factors and controls, (4) client-level ratings inconsistent across team members, and (5) no evidence of refresh on trigger events. Pre-empt each one by building it into the template before HMRC arrives.
The UAE comparison point
UK firms with a UAE office or UAE clients should be aware that the UAE's AML framework under Federal Decree-Law No. 20 of 2018 also requires risk-based assessment, registered against each Designated Non-Financial Business or Profession (DNFBP) through the goAML platform. The two regimes are conceptually aligned (both are FATF-driven) but the documentation expectations differ - do not assume a single assessment covers both jurisdictions.
Sign-off and storage
The firm-wide risk assessment must be approved by senior management (the partners or board), with the approval minuted. Store it alongside the version history, the supporting data extracts, and the link to the MLRO annual report that references it. Access should be controlled to AML-relevant staff - not buried so deep that nobody can find it.
Closing
A risk assessment that survives a regulator review is specific, quantified, dated, version-controlled, and tied to live controls. It is rebuilt - not just refreshed - at least every two years. Treat it as a working document the firm actually uses to shape its AML operations, and the supervision conversation becomes much shorter.