The firm-wide risk assessment (FWRA) often sits at the heart of a law firm’s approach to managing Anti-Money Laundering (AML) risks. Yet many compliance managers face the challenge of turning what can feel like an unwieldy, checklist-driven document into a tool that genuinely reflects the risks their firm faces. Recent conversations among compliance professionals have highlighted some common hurdles and practical ways to improve the FWRA without adding unnecessary complexity.
As firms grapple with increasingly sharp expectations from the SRA and more frequent scrutiny from auditors and supervisors, the importance of building a risk assessment model that reflects how the firm actually works has never been more pressing.
Eloise Butterworth, Compliance Manager at Foot Anstey, Gavin Ball, Co-Owner of HiveRisk, and Arsalan Abbasi, LegalTech Consultant at Aventine Lab, recently joined us on our Wired-In webinar series to explore how to build a FWRA that can strengthen AML compliance in legal firms.
Get into the details
One of the most straightforward improvements firms can make is focusing on the data behind the assessment. Compliance expert Gavin Ball pointed out how important it is to gather granular information from your existing systems, like practice management or finance software. Knowing which teams generate the most fees and how much money moves through client accounts provides a clearer picture of where risks might be concentrated.
“If you don’t have any granular data, you need to be getting some from your practice management system, your finance system… What’s the split across the work you do in any year by fees, for example, between the teams?” Gavin shared.
This level of detail matters because it grounds your assessment in reality. For example, if a team identified as higher risk only produces a small share of your income, that changes how you prioritise controls and monitoring. Tracking the geographic spread of clients and work types is another detail that regulators look for. Collecting and analysing this data might not be the most glamorous task, but it makes the risk assessment far more meaningful.
Why starting from scratch can sometimes backfire
When faced with an outdated or overcomplicated FWRA, it might seem tempting to discard it and start fresh. Eloise Butterworth shared that her team has felt the pull to “reinvent the wheel” when dealing with documents that have been patched together over several years. While a new format can bring clarity, it also requires careful cross-referencing to avoid missing important points, which creates room for errors.
“Sometimes if you’re dealing with a document that perhaps you didn’t write in the first place and it’s been amended and amended and amended… it can be useful to think, right, I’m going to have a crack in a different format or from scratch,” Eloise added.
Gavin added that many firms end up with a FWRA that has grown unwieldy because it’s been edited repeatedly to add legislative changes or address partner concerns. This patchwork approach turns the document into a cluttered resource that can be hard to follow or update.
“You put that in the firm wide risk assessment… then you have an issue with a client or a complaint and you think, that’s something we haven’t covered, we need to put that in there and it just grows and grows and grows,” said Gavin.
When this happens, revisiting the structure or starting anew may be worthwhile, but it should be a deliberate process, not a quick fix.
Keep the document practical and manageable
The FWRA should support your compliance efforts, not hinder them. Overly long or poorly organised documents can make it harder for staff to understand risk priorities. Gavin reflected on the common pattern of adding new sections in response to specific incidents or partner feedback, which causes the document to balloon over time:
“It just becomes this jumble with information, so there’s definitely a good point where you get to where you think we need to rewrite this or reformat it or start again.”
A clearer, well-organised FWRA makes it easier to communicate risk across the firm and respond to regulatory expectations. Taking time to review what remains relevant and trimming excess detail can help keep the document lean and accessible.
Get help when you need it
Smaller firms or those with diverse practice areas may find it hard to pull together a comprehensive FWRA on their own. Gavin recommended bringing in external experts who have worked on these assessments many times before. Their experience can help avoid common pitfalls and speed up the process:
“Use the experts, use the professionals out there as well. That’s what I would do. I wouldn’t do this on my own.”
Using external support also offers insight into what other firms are doing, which can be hard to see from within a single firm. Combining this outside perspective with internal collaboration helps produce a more balanced and realistic assessment.
Staying connected and aware
One final point the panel emphasised was the importance of staying informed about changes and developments in the regulatory environment. Gavin highlighted how many compliance professionals rely on LinkedIn and other networks to keep up with news, updates, and best practices:
“LinkedIn is huge… if I didn’t have LinkedIn, I wouldn’t know about 90 percent of the updates going on.”
For those who don’t, there’s a risk of missing out on important shifts that could affect their FWRA. Regular engagement with peers and industry forums offers fresh perspectives and early warning of emerging risks. This ongoing awareness supports a more responsive and relevant risk assessment.
Practical steps forward
Building a more useful FWRA doesn’t require starting from zero or reinventing the whole process. Collecting meaningful data from your existing systems, adapting proven templates rather than creating documents from scratch, and bringing in expertise when needed all help make the assessment manageable and relevant.
“Use the templates. Don’t try and do this from scratch. There are really good templates out there… The SRA provides them, use them, but adapt them,” Gavin concluded.
Technology, when applied thoughtfully, can reduce administrative burdens and provide up-to-date insights. Keeping connected with the wider compliance community adds an extra layer of awareness that benefits any firm’s approach. By making these changes, compliance managers can transform the FWRA into a clearer, more actionable document that reflects the risks the firm faces and supports better decision-making.
How NorthRow can help firms to build better FWRAs
NorthRow is an AML and risk intelligence platform that helps law firms:
- Accelerate and strengthen KYC/KYB onboarding
- Maintain real-time AML risk profiles
- Build FWRA models based on actual data, not assumptions
- Stay compliant with SRA regulations and MLR2017
- Streamline and automate ongoing due diligence