How to build a firm-wide risk assessment as a small accountancy firm

Accountancy firm reviewing client documents as part of a firm-wide AML risk assessment

Last updated: July 1, 2026

A firm-wide risk assessment (FWRA) should explain how an accountancy practice could be exposed to money laundering, terrorist financing, and proliferation financing.

Under Regulation 18 of the Money Laundering Regulations, firms must keep an up-to-date assessment of their financial crime exposure and ensure it informs their AML procedures.

If the assessment is generic or disconnected from the firm’s actual work, it becomes harder to show a supervisor that the firm has understood its own risk.

This guide explains how a small accountancy firm can build a firm-wide risk assessment that reflects its practice and supports its AML procedures.

Key takeaways

  • Accountancy firms need a firm-wide risk assessment to explain how AML risk arises across the practice and how the firm’s controls respond to that risk.
  • Templates can be useful, but the final assessment needs to reflect the firm’s own work, client base, and operating context.
  • Small firms do not need an overcomplicated scoring system. A simple low, medium, and high approach can work if the reasoning is clear and tied to real controls.
  • The assessment should shape due diligence decisions, staff training, and ongoing monitoring arrangements.
  • The document should be kept up to date and reviewed when the firm’s services, client base, or working model changes, so its AML controls still reflect the risks it actually faces.

What is a firm-wide AML risk assessment?

A firm-wide risk assessment is the practice’s written view of its AML exposure across the business.

HMRC describes this as a business-wide assessment that records the steps taken to assess those risks. It also explains that the assessment should show whether it is driving the firm’s anti-money laundering procedures.

The assessment is therefore more than a compliance document kept on file. It is the firm’s reasoned explanation of where risk is likely to arise and how the practice responds to it.

Who is responsible for the assessment

The FWRA duty sits with the business, including a sole practitioner. The money laundering reporting officer (MLRO) may prepare or maintain the document, but the assessment belongs to the firm.

In a small or owner-led practice, approval may simply mean that the principal, partners, or senior person responsible for AML has reviewed the assessment and accepted its conclusions.

This approach reflects CCAB guidance, which refers to senior management responsibility for assessing money laundering and terrorist financing risk and approving the resulting risk analysis at the senior level.

This is still true when a firm uses a template or an external consultant. HMRC’s handbook notes that templates and third-party input may be acceptable, but the business remains responsible for ensuring the assessment identifies and assesses its own specific risks.

Firm-wide risk assessment vs client risk assessment

A firm-wide risk assessment looks at the business as a whole. Conversely, a client risk assessment is focused on one client or engagement.

The distinction is significant, as HMRC states that a client assessment on its own is unlikely to meet the business-wide requirement.

PointFirm-wide risk assessmentClient risk assessment
ScopeLooks at the practice as a whole.Looks at one client or engagement.
PurposeIdentifies where risk may arise across the firm’s services, clients, and working model.Assesses the risk presented by a specific client and the work being provided.
OutputInforms the firm’s AML policies, controls, procedures, and training.Informs CDD, EDD, monitoring, and review decisions for that client.
Review triggerReviewed periodically and when the firm’s services, client base, delivery model, or risk profile change.Reviewed when the client, engagement, or risk profile changes.

In essence, the firm-wide assessment sets the risk context, while the client assessment applies that context to the matter in front of the firm.

Read our separate firm-wide risk assessment vs client risk assessment article to learn more about the key differences and regulatory requirements.

Building the FWRA around the real practice

A strong firm-wide risk assessment starts with the firm’s reality. Before scoring risk, the practice needs a clear picture of the work it does, the clients it accepts, and where outsiders may rely on its work.

The assessment can be relatively short for a micro practice, but it still needs enough detail to show judgement.

For instance, a two-partner firm with 120 mainly local clients might produce a concise assessment. Yet, the same assessment would be weak if it ignored that 20 clients are cash-intensive, several are onboarded remotely, and the firm also provides registered office or company formation services.

Service risk

The services section should describe the firm’s actual work and group-related activities rather than list every individual service. This is because some services create risk because they produce records that others rely on. If the firm starts offering a new service, the FWRA may also need to be reviewed alongside its AML checks.

HMRC’s accountancy-sector risk guidance highlights that accounts or returns prepared from incomplete or unverified records can give an apparently legitimate source for illegitimate funds. It also points to service-specific risks, particularly around tax, payroll, and work involving client accounts, shell-like entities, or audit.

That said, a firm that holds no client money, forms no companies, and only deals with UK owner-managed businesses may record a lower exposure in some areas. Still, the firm’s conclusion is stronger when the assessment explains the basis for it.

Client base and working model

The client base section should describe the types of clients the firm acts for. This should cover the client profile, ownership, and introduction routes, and explain any features that change risk.

A small practice may know its clients well, but that knowledge still needs to be reflected in the written assessment. If many clients operate in higher-risk sectors, such as hospitality, construction, or labour supply, the firm should consider the sector-specific risks those clients create.

The working model is also important because remote or intermediary-led work can make it harder to complete reliable onboarding. It also creates challenges in understanding the business reason for the engagement, especially when overseas ownership is involved.

HMRC’s risk guidance treats overseas connections and remote delivery as requiring specific consideration, especially if high-risk third countries are involved.

Main risk factors for accountancy firms

The firm-wide assessment should cover the required risk categories, but the language can be accountant-facing. The FWRA document needs to explain how the practice could be used instead of repeating abstract headings.

The 2025 National Risk Assessment helps place the firm’s assessment in the wider UK risk picture. The firm then needs to translate that wider risk context into the specific ways its own services, clients, and working model could be misused.

FWRA risk map

Main risk areas to assess

These four areas give the firm a practical way to organise the assessment before considering each risk in more detail.

Client and sector risk

Who the firm acts for and whether the client profile creates extra exposure.

Service and engagement risk

How the firm’s work could be misused or relied on by others.

Geography and delivery channel risk

Where the client has connections and how the firm receives instructions.

TF and PF risk

Whether terrorist financing or proliferation financing exposure needs to be considered.

Client and sector risk

Client risk starts with who the firm acts for and what the firm knows about them. Cash-intensive businesses may present higher risk if cash levels do not match the apparent trade. In addition, clients with complex ownership can create difficulty in identifying who ultimately controls the business.

Other client risks may arise if ownership, wealth, financial pressure, or labour-exploitation indicators make the client profile harder to understand. HMRC warns that shell companies can be used to hide assets, ownership, and criminal activity, especially when beneficial ownership is unclear or overseas secrecy is involved.

A realistic assessment also considers combinations of risk. A remote client with overseas ownership and pressure to minimise tax presents a different risk from a long-standing local trader with complete AML records and a clear business history.

Service and engagement risk

Different services expose the firm in different ways. Bookkeeping and accounts preparation may involve turning incomplete records into formal accounts or returns. While tax work may involve pressure from clients who want an aggressive or unsupported outcome.

Payroll can be misused to make illicit funds appear to be legitimate wages or to support fabricated employees. HMRC’s guidance gives examples of red flags when the payroll instructions, supporting evidence, or payment arrangements do not fit the business.

Company formation, registered office, and company secretarial work need separate consideration. A firm that provides these services may be helping to create or maintain structures, so the assessment needs to evaluate whether the firm understands the commercial purpose and ownership control of the entities involved.

Geography and delivery channel risk

Geography includes the locations connected to the client’s ownership, trading activity, and flow of funds.

For instance, a UK company with overseas shareholders or a business moving funds through several countries can create greater exposure.

HMRC’s guidance says services linked to high-risk third countries carry additional risk and require enhanced due diligence before a business relationship or transaction with a person established in such a country.

Moreover, delivery channel risk concerns how the firm gets instructions and evidence. A firm that relies on remote or intermediary-led evidence may need stronger onboarding checks than a firm that meets clients regularly and sees original evidence.

Terrorist financing and proliferation financing risk

Terrorist financing still needs to be addressed even where the firm’s exposure appears limited. The assessment should show that the firm has considered the issue and reached a reasoned conclusion.

Supervised businesses have also been required to document proliferation financing risk assessments since September 2022, and firms should therefore review their AML risk assessment and policies to ensure they take account of HM Treasury’s national risk assessment and HMRC guidance.

Proliferation financing risk in most small practices will usually depend on whether the firm has any clients or services with a realistic connection to sensitive trade, higher-risk jurisdictions, or structures that could obscure control.

When no material indicators are present, the FWRA should mention this clearly. This is more defensible than leaving terrorist financing or proliferation financing out of the assessment altogether.

Assessing likelihood, impact, and controls

Once the risks are identified, accountancy firms need to assess them. ICAEW’s firm-wide risk assessment methodology highlights the need to identify money laundering risks, assess their likelihood and impact, and review the controls that mitigate them.

A micro practice can use simple ratings such as low, medium, and high, provided the reasoning is clear. Put otherwise, a small firm should not copy a large enterprise’s scoring system if it cannot explain how the scores were reached.

Inherent risk, controls, and residual risk

The FWRA is easier to defend when the firm separates the initial risk from the controls applied and the risk that remains afterwards.

StageMeaningExample
Inherent riskThe exposure before the firm applies its own controls.Payroll work for labour-intensive sectors may carry higher initial risk.
ControlsThe checks or procedures the firm uses to reduce risk.The firm may check payroll evidence, question unusual instructions, and review higher-risk payroll activity more often.
Residual riskThe remaining risk after those controls are considered.The risk may reduce if the controls are clear, applied consistently, and understood by staff.

This approach helps the firm avoid unsupported conclusions. Crucially, a statement that a service is low risk is weak if the firm has not explained why.

Evidence used to support the assessment

The most reliable evidence is usually already in the accountancy practice, especially in its client and onboarding records, service data, and staff knowledge.

The practice’s own website can also help test whether the assessment is complete. If the website advertises higher-risk or specialist services, such as company formations or international tax, the FWRA should state whether the firm actually provides those services and what controls apply.

CCAB supports evidence-based decision-making and warns against a tick-box approach to risk assessment. It also notes that different risk factors may combine to create a higher overall risk in a particular client or transaction.

Link the FWRA to policies, controls, and procedures

The firm-wide risk assessment should lead to decisions. If it identifies higher-risk areas, the firm’s procedures need to respond through stronger checks, clearer escalation, and appropriate review routines.

ICAEW compliance sequence

Where the firm-wide risk assessment fits

ICAEW presents the FWRA as the starting point for the firm’s wider AML controls:

1. FWRA

Assess the firm’s financial crime exposure.

2. Policies and controls

Set procedures that respond to the risk assessment.

3. CDD

Apply checks that reflect client and engagement risk.

4. Staff training

Train staff on risks, red flags, and escalation routes.

5. Nominated officer

Route internal concerns through the SAR process.

The key point is that the FWRA should sit at the start of the firm’s AML control cycle, instead of being treated as a separate document.

How the assessment should affect AML controls

The FWRA should shape how higher-risk work is handled in practice. If the firm identifies a risk area, the response should be visible in the way that work is accepted, checked, reviewed, or escalated.

For example, if the firm treats cash-intensive clients as higher risk, the control should be more specific than ‘apply extra care’. It might require a closer look at whether turnover patterns fit the apparent trade, and whether unusual cash movements need explanation before the work continues.

While these AML controls do not need to be excessive, they must match the risk the firm has identified.

How it informs client-level risk assessment

Client-level risk assessments should be consistent with the firm-wide conclusions. If the firm-wide assessment says non-face-to-face onboarding is higher risk, the client risk assessment should not treat a remote client as low risk without explaining why.

The client assessment needs its own judgement, too. For instance, a firm-wide assessment may rate a service as medium risk, while the particular client’s rating depends on its overall risk profile and the information provided.

Approval, documentation, and review

The firm-wide risk assessment must be written and available to a supervisory body if requested. HMRC states that the risk assessment can be in any format, but it must be in writing, and supervisors may compare it against the firm’s underlying records and explanations.

The document should be approved by senior management and understood by the people who apply it. In a sole practitioner practice, approval may simply be a dated sign-off by the principal.

Contents of the written record

A well-written assessment should show the firm’s risk profile, explain the ratings, and connect them to the controls, gaps, and follow-up record.

It should also show what sources informed the judgement. This could include external guidance and internal service data, as well as previous compliance findings.

Although templates can help with consistency, they need to be completed with the firm’s own facts. A template that says overseas risk is low will be difficult to defend if the firm acts for clients with non-UK owners or supply chains.

Review timing

The FWRA should be reviewed at least annually, or sooner if the firm begins offering a higher-risk service or takes on a materially different type of client.

This is because a firm’s AML procedures and training are meant to follow from its assessment of business-wide risk. When that risk profile changes, the FWRA may no longer support the controls the firm is using.

Monitoring findings or new supervisory guidance can also justify an earlier review, particularly if they expose a weakness in the firm’s current assessment.

Regulatory developments can affect how a firm reviews its AML risks and controls. Our FCA AML supervision report explains the wider policy direction for accountancy supervision. Additionally, our guide to the 2026 AML Amendment Regulations covers rule changes that firms may need to factor into their AML procedures.

Common mistakes small firms should avoid

One common weakness is treating a generic template as the assessment. HMRC accepts that templates may be used, but only where they are fully completed and accurately identify the specific risks of the business.

Another weakness is assuming that a low-risk practice has no meaningful risk. CCAB makes clear that a risk-based approach does not exempt low-risk clients, services, or situations from due diligence or other risk mitigation procedures.

Supervisory findings also show where small firms often miss risk. ICAS reported in its 2025 thematic review that many lower-risk firms failed to identify all client risks in their FWRA. The missed risks included:

  • Cash-based businesses
  • Overseas or sanctions exposure
  • High-net-worth or high-value-dealer clients
  • Non-face-to-face clients
  • Organisations vulnerable to human trafficking.

It also found that trust or company service provision was a commonly missed service risk.

ICAEW highlights similar failings, where some firms complete a firm-wide assessment but neglect to cover all risks or fail to conclude on the level of risk present in the firm.

In summary

A defensible firm-wide risk assessment explains the firm’s judgement rather than just the categories it has reviewed. The document should make clear why the firm sees certain work as lower or higher risk, and why the controls in place are proportionate to that view.

A supervisor should be able to follow the logic from the firm’s actual services and client base through to its due diligence, ongoing monitoring, training, and escalation arrangements. If that link is missing, the firm may struggle to show that its AML procedures are genuinely risk-based during review.

Kane Pepi, Founder of Evidentia Compliance
Kane Pepi Founder, Evidentia Compliance

Kane Pepi is the founder of Evidentia Compliance, with a strong academic background in accounting, finance, and financial crime, and peer-reviewed research in money laundering and terrorist financing.

His work focuses on making AML compliance more practical for small regulated firms that face rising supervisory expectations and limited compliance capacity.

AMLWATCH BY EVIDENTIA
AML compliance updates and regulatory guidance for the accountancy sector

Stay informed on AML supervision, FCA developments, enforcement trends, and common compliance weaknesses affecting UK accountancy firms. AMLWATCH by Evidentia is written for small practices that need AML insight without the regulatory jargon.

    FAQs

    How often should an accountancy firm review its firm-wide risk assessment?

    Firms should review their firm-wide risk assessment at least once a year. They should also review it when the practice changes in a way that could affect AML risk, such as offering a new service or changing how clients are onboarded.

    Can a sole practitioner use a template for a firm-wide risk assessment?

    Yes, a sole practitioner can use a template as a starting point. The final FWRA should still reflect the actual practice, including the services offered and the type of clients served. A short assessment is only suitable if it clearly explains the practitioner’s own conclusions.

    What should a low-risk accountancy practice include in its assessment?

    A low-risk practice should explain why it has reached that view. For example, it may record that it works mainly with local owner-managed businesses or that it does not provide company formation services. It should still show that the firm has considered the main areas of AML risk relevant to its work.

    How should remote clients affect a firm-wide AML risk assessment?

    The FWRA should explain how the firm verifies identity, understands ownership, and assesses the remote client’s reason for using the practice. This is even more important if the client also has overseas links or a more complex business structure.

    What evidence can a small firm use to support its risk ratings?

    A small accountancy firm can use information it already holds to support its risk ratings. Client records, onboarding information, and previous compliance findings can all help show why a risk has been rated low, medium, or high. The assessment should connect those ratings to the firm’s actual client base and services.

    How does the firm-wide risk assessment affect client AML checks?

    The firm-wide assessment should guide how the firm thinks about individual clients. If the assessment identifies higher-risk areas such as cash-intensive clients or overseas ownership, client-level AML checks should take those factors into account. Each client still needs to be assessed on its own facts.

    References and Source Material

    Leave a Reply

    Your email address will not be published. Required fields are marked *