
    In November 2025, the UK Financial Conduct Authority (FCA) published findings from a multi-firm review examining business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes.

    The findings reveal a mixed picture: while most firms have basic frameworks in place, many fall short in tailoring assessments to specific business risks, documenting decisions effectively, and ensuring controls scale with growth.

    Scope of the FCA BWRA and CRA Review

    The FCA used questionnaires, desk-based reviews of documentation and interviews with firms, and incorporated insights gathered from other recent supervisory engagements. The review covered building societies, platforms, custody and fund services providers, e-money payment firms, and wealth management firms.

    Firm controls were evaluated against the following regulations: 


    Identifying, Understanding and Assessing Risk

    The review found that while most firms have a Business-Wide Risk Assessment in place, few are tailoring these to their specific business models and customer bases. Several firms use qualitative and quantitative data to assess inherent risks, mitigating controls and residual risk, with some larger firms integrating risk assessment activities across business functions.

    However, some firms could not adequately explain how they are managing and mitigating identified risks, revealing a critical disconnect between risk identification and action.


    Good Practices for Identifying, Understanding and Assessing Risk

    • Comprehensive risk assessments that are quantitative and qualitative, weighted, consider a range of internal and external factors, and are assessed by area of business. Results are combined with BWRAs, which consider inherent risks, control effectiveness and residual risk.
    • Detailed reviews that formally reassess BWRAs at least yearly.
    • Tailored risk assessments that are bespoke to the needs of the firm and that include documentation of how the firm is managing the risks.

    Poor Practices for Identifying, Understanding and Assessing Risk

    • Lack of business-specific detail in assessments that generalize and ignore specific regulatory requirements, over-simplify risks or fail to explain how risks affect the firm's operations, products or customer base.
    • Missing quantitative analysis, relying solely on qualitative judgments without supporting data.
    • Unclear processes with poorly documented methodology for identifying and assessing inherent risk.
    • Lack of evidence, with risk assessments lacking appropriate evidence to support their conclusions.

    How Does MyComplianceOffice Help Firms Effectively Identify, Understand and Assess Risk?

    ☑️ Evidencing Risk Management

    MCO’s Know Your Obligations® (KYO) solution enables firms to link specific controls directly to each identified risk, providing clear, demonstrable evidence of how risks are being managed and mitigated with an auditable, real-time view that supports regulatory scrutiny.

    ☑️ Supporting Evidence with Substance

    Know Your Obligations centralises all supporting evidence—control testing results, documentation, attestations and monitoring outcomes—allowing firms to attach and reference evidence directly during risk assessments to ensure ratings are substantiated.

    Mitigating Risk

    The review found that while financial crime risk is often considered in business strategy and product development, there is frequently insufficient evidence of how risk assessments translate into practical actions, including decision-making and monitoring of activities.

    Some firms reviewed demonstrated a clear risk appetite linked to the BWRA, but very few documented the actions resulting from their risk assessments.

    Good Practices for Mitigating Risk

    • Planning for compliance alongside growth to adequately resource compliance and financial crime functions in alignment with growth strategy.
    • Risk assessments that feed into the firm’s wider work, including risk appetite, controls testing and the firm’s overall risk-based approach. Customer Risk Assessments directly inform customer due diligence, transaction monitoring and the other processes and controls used to mitigate identified risk.
    • Formal tracking plans to track Business-Wide Risk Assessment actions and recommendations for risk mitigation and reduction.
    • Consideration of risks across the business, including product development, business strategy, growth and sales discussions. The Money Laundering Reporting Officer (MLRO) is represented in firm discussions to articulate risks and requirements.

    Poor Practices for Mitigating Risk

    • Growth outpacing risk assessments with CRA development not in line with business growth, compromising scalability, consistency and accuracy.
    • Lack of records with firms not documenting BWRA actions or assigning owners.
    • Rapid expansion without control enhancement as firms expand products, services and customer types without considering control appropriateness and effectiveness.

    How Does MyComplianceOffice Help Firms Effectively Mitigate Risk?

    ☑️ A Framework to Take Risk Assessment to Action

    Know Your Obligations provides structured findings, actions, and incident management workflows, allowing firms to record issues, assign actions, track remediation progress, and evidence completion, ensuring that every risk assessment drives tangible, documented follow-up activity linked to risks and control gaps.

    Managing Risk

    Many firms reviewed recognised the importance of governance and oversight for thorough risk assessments. However, senior management's understanding of financial crime tends to focus disproportionately on fraud, with less awareness of money laundering, sanctions, terrorist financing and bribery risks.

    The review notes that most firms have considered how risk assessments are documented and shared, but more strategic firms also record risk assessment discussions, changes and approvals. A few firms have incorporated dynamic risk assessment into their frameworks.

    Good Practices for Managing Risk

    • Strong senior oversight and challenge, including sharing Business-Wide Risk Assessment documents and summaries with senior management and committees for review and approval, providing Customer Risk Assessment management information for discussion, and evidence of MLRO challenge on risk assessments.
    • Business continuity plans considering CRA processes in planning to ensure resilience during disruption.
    • Clear and consistent methods to assess risk, including documentation of methodologies to formally log, discuss and approve change.
    • Regular review of risk assessment models and processes, including quarterly or triggered updates to make sure risk assessments are responsive to emerging risks and regulatory changes.
    • Combined assessments that reflect the risks identified and assessed within the BWRA in the CRA through weighting and sub-factors.

    Poor Practices for Managing Risk

    • Lack of documented senior oversight, with insufficient evidence of senior management discussion, challenge and approval of Business-Wide Risk Assessments.
    • Narrow focus with senior management understanding skewed towards fraud rather than wider financial crime risks.
    • Limited testing and review when firms make enhancements, upgrades or automation.
    • Static risk assessment approaches that are not sufficiently dynamic or responsive to emerging risks or regulatory change, resulting in outdated risk profiles.

    How Does MyComplianceOffice Help Firms Effectively Manage Risk?

    ☑️ Dynamic and Current Risk Profiles

    Know Your Obligations provides firms with automated reminders, periodic reviews and trigger-based updates, ensuring risk assessments remain current and reflect emerging risks, control changes and business growth, preventing stale assessments and keeping risk profiles aligned with strategic decision-making.

    Know Your Obligations enables assignment of obligations and controls across the first and second lines of defense, with escalation workflows and a clear audit trail that provides evidence to internal and external stakeholders.

    Reports show overdue assessments, and workflows automatically follow up on them, reducing the compliance team's burden and streamlining the process across the firm. In addition, reports provide the outputs required to support senior management and the audit committee's expectations.

    Next Steps for UK Firms to Effectively Assess, Mitigate and Manage Risk

    To keep up with stringent FCA regulatory expectations around risk assessment and controls, firms should:

    • Review their own practices against the good and poor practice examples identified.
    • Consider the findings within their specific business context and make improvements.
    • Ensure their risk-based approach to systems and controls remains appropriate as the business evolves.

    The FCA will continue monitoring firms through supervisory work and expects to see industry-wide improvements.

    MCO’s Know Your Obligations Supports FCA Expectations for Risk Assessments and Controls

    MCO’s Know Your Obligations solution embeds the discipline required to demonstrate good practice rather than just meet minimum regulatory expectations.

    The solution is purpose-built to meet FCA requirements, providing a configurable platform to monitor risks and controls, dashboards that support senior management oversight, full audit trails, and the scalability needed as a firm grows. KYO’s flexible configuration allows firms to modify business units and jurisdictional obligations without system rebuilds.

    Know Your Obligations Delivers the Framework that UK Firms Need to be Compliant with FCA Expectations

    MyComplianceOffice is not just software—it’s a framework that can align a firm’s risk assessment and compliance infrastructure to the good practices the FCA sets out. By embedding consistent, evidence-ready processes and controls, MCO enables firms not only to meet today’s regulatory obligations but to demonstrate ongoing good practice in a way that stands up to supervisory scrutiny and evolves with their business.

    Ready to learn more about how Know Your Obligations can help your firm effectively manage FCA requirements? Contact our team of UK experts for a demo today.