NorthRow

Why firm-wide risk assessments fail – and what to do about it
Many law firm risk assessments fall short. This guide explores common failures and offers practical steps to build effective, SRA-compliant FWRAs using real operational data.

Ask any compliance manager at a law firm how confident they feel in their firm-wide risk assessment (FWRA), and you’ll often get a measured pause before a cautious answer. And that hesitation says more than most official policies ever could. The truth is, while most law firms have an FWRA, many don’t fully use it in a meaningful, consistent, or ongoing way.

As firms grapple with increasingly sharp expectations from the SRA and more frequent scrutiny from auditors and supervisors, the importance of building a risk assessment model that reflects how the firm actually works has never been more pressing.

Eloise Butterworth, Compliance Manager at Foot Anstey, Gavin Ball, Co-Owner of HiveRisk, and Arsalan Abbasi, LegalTech Consultant at Aventine Lab recently joined us on our Wired-In webinar series to explain how ineffective risk assessments can threaten Anti-Money Laundering (AML) compliance in legal firms.


A policy in name only?

At a glance, it might seem like most firms are satisfying the requirement to have a risk assessment. There’s a documented FWRA. It’s reviewed annually. There’s a policy that outlines high-risk sectors and a set of controls mapped against them. But scratch just below the surface and the weaknesses start to show. 

As Eloise noted: “All firms are required to have a firm-wide risk assessment under the 2017 regulations. They’ve been in place now for many years.”

Having a document labelled “firm-wide risk assessment” is not the same as having one that actually informs behaviour, controls, and decision-making across the firm. 

“What we’re seeing from the regulator is twofold: firms that still don’t have a firm-wide risk assessment even after all these years, and then those that do have them, the SRA deeming them to be ineffective or not compliant with what the regulations require you to have,” Eloise continued.

So what’s going wrong? And more importantly, how can you build something better?

Common blind spots

It’s rare to find firms today that have no FWRA at all. But having an ineffective one is far more common. That might mean assessments that are too generic, missing mandatory components, or disconnected from actual business operations. 

Gavin, who has supported many legal firms with their FWRAs, described what he sees most often: “The things that we do see are ones that are either insufficient, not in depth enough, have missing areas… and there are certain areas that are mandatory to have in a firm-wide risk assessment.”

One of the most common blind spots is policies that are too abstract. Many FWRAs are so high-level they become disconnected from day-to-day realities. You’ll see phrases like “We assess the risk of money laundering from high-risk jurisdictions” but no practical mechanism for how that risk is tracked across live client matters.

Too often, the FWRA ends up being drafted backwards: a top-down exercise that starts from broad policies or desired outcomes, rather than beginning with the risk indicators that actually emerge from client type, geographic exposure, products or services offered, transaction type, and delivery channel.

Eloise added: “It’s not wrong to work backwards, but you will probably see that in the flow of processes, and you’re more likely to have inconsistencies across your documentation and processes if you haven’t followed a logical order in terms of the preparation of those documents and what data you thought about.”

Start with what you can control

Too many firms begin their FWRA by trying to mirror what they think regulators want to see, or by filling in someone else’s template (or indeed the SRA’s own template) with generic answers.

One of the clearest patterns in firms that do FWRAs well is a willingness to start with what they can realistically measure and analyse: client types, service areas, transaction volumes, source of funds and geographic exposure.

Start there. Speak to finance. Ask what they regularly have to chase before a transaction completes. Ask where documentation breaks down. Finance teams are often the last gatekeepers before money moves, which gives them a unique perspective on recurring compliance gaps.

“The finance team are a great source of information… They see the end product right before you do the transaction. They get to review everything that’s gone before it from an Anti-Money Laundering (AML) process so they are a good source of information,” Gavin shared.

Don’t stop at finance. Work with IT to understand what kind of reporting is possible. Which fields are being filled in consistently? What systems could pull useful reports on client demographics, fee earner activity or matter types? Then, ask the departments themselves. This isn’t something that should be drafted in isolation. One of the most common mistakes in FWRA creation is assuming you already know how every team operates.

Crucially, “make no assumptions that you know everything that’s happening on the ground in your law firm. You need to go out and get that information,” Eloise said.

An effective approach many firms use is to send tailored questionnaires to department heads, asking them to confirm the types of clients they work with, how matters are typically initiated, and what AML red flags they commonly see. This doesn’t need to be exhaustive; the point is to get a conversation going and test your assumptions.

“It’s a good opening piece just to get some input from all departments either to find out what they’re doing or to confirm that what you think they’re doing is what they’re actually doing.”

The result should be a document that reflects your firm, not a theoretical version of one. And that’s exactly what the regulator wants, as Gavin explained: “One of the big things that the SRA doesn’t like, and one of the things that it picks law firms up for, is using the template without adapting it. If you use the template SRA risk assessment, that’s great as a document, as a base document, but tailor it to your business.”

Risk isn’t static – and your FWRA shouldn’t be either

One of the most persistent issues is that too many firms still treat the FWRA as a fixed document. It gets written once a year, signed off, then stored until the next review.

Risk shifts. A surge in client intake from a particular country. A new practice area introduced by lateral hires. Changes in payment methods. All of these should feed into your FWRA as they happen, or at least quarterly. Without that feedback loop, you’re only managing yesterday’s risks.

Risk doesn’t operate in fiscal quarters. It moves with geopolitical events, market volatility, and your firm’s own evolving practice areas. If your FWRA defines risk once a year and leaves it unchanged until the next review cycle, it isn’t working.

“It requires constant work. Constant changes, tweaks, updates, and amendments. You might have a new starter, a new team, or there could be a change in guidance from the SRA. All of this requires an update to that document. 

“For firms that don’t have a centralised resource, either internally, with someone whose sole responsibility is to handle this sort of thing, or externally, with the means to outsource to someone like Hive Risk, the challenge is having the bandwidth and time to prepare the document in the detail that the SRA expects,” Eloise explained.

How NorthRow can help firms to build better FWRAs

As expectations around anti-money laundering (AML) compliance grow sharper, law firms face increasing pressure to ensure their FWRAs are not only in place but actively informing day-to-day decisions. NorthRow is purpose-built to help law firms meet these obligations with confidence by integrating Know Your Customer (KYC), Know Your Business (KYB), and ongoing AML monitoring into a single, intelligent platform.

Real-time KYC and KYB onboarding

Before risk can be assessed, firms need accurate client data. NorthRow automates KYC and KYB checks using global data sources, including sanctions, PEPs, adverse media, and corporate registries, so you can verify identities and ownership structures quickly and confidently.

Dynamic risk scoring

NorthRow’s platform doesn’t stop at verification. It assesses individual and entity risk using configurable AML risk profiles aligned with your firm’s policies. Those profiles can weight geography, sector, transaction type, and client type, the core components of any effective FWRA.

Audit-ready records

NorthRow maintains a complete audit trail of all KYC/KYB checks, risk decisions, and due diligence activity. That means when the SRA or an auditor asks how you reached a risk decision, the evidence is already in place.

Ongoing monitoring and alerts

AML compliance isn’t a one-time event. NorthRow continuously monitors clients and businesses for changes, from new sanctions listings to corporate structure updates, and alerts your compliance team when follow-up action is needed.

NorthRow is an AML and risk intelligence platform that helps law firms:

  • Accelerate and strengthen KYC/KYB onboarding
  • Maintain real-time AML risk profiles
  • Build FWRA models based on actual data, not assumptions
  • Stay compliant with SRA regulations and MLR2017
  • Streamline and automate ongoing due diligence
