A practical guide to running an Enterprise-Wide Risk Assessment (EWRA)

I once helped a client discover they owned an entire private bank they didn’t even know existed.

It came to light during an Enterprise-Wide Risk Assessment (EWRA). The private bank had been a legacy part of an acquisition, quietly ticking along under the radar, completely invisible to group oversight.  

For another banking client, we uncovered that they were still paying a branch manager’s salary 25 years after the branch had closed.  

These stories sound extreme, but after 20+ years of working in financial crime prevention, I can tell you they’re not unusual. Risks like these are hidden in plain sight when the organisation hasn’t taken a structured, enterprise-wide view. That’s why a well-run EWRA is one of the most valuable tools a financial crime or compliance team has.  It should be more than just compliance with Reg 18!

In this article, I want to share a simple step-by-step approach to conducting an EWRA, having overseen this process over many years and within many different organisations. 


Ultimately, as a leader within an organisation, you need to be able to come to a robust conclusion on the institution’s levels of residual risk. Let’s start with the basics. Mathematically, residual risk is a simple calculation: inherent risk (the natural or underlying level of risk with no controls or mitigations in place) minus effective controls (controls that have been documented and assessed as adequately managing the risk) equals residual risk. The complexity comes later!

An EWRA is how you determine that level of residual risk, and how you can put (or improve) effective controls in place to lower those levels.  

It’s not just that EWRAs are valuable – they’re expected. Financial regulators set clear expectations that these are compulsory. The FCA’s Financial Crime Guide states that firms should assess their exposure to fraud (2.2.4, 4.2.1), bribery (6.6.2), and other financial crime risks as part of a structured, documented process. Under Article 18 of the UK Money Laundering Regulations (reinforced in Articles 27 and 28), firms are required to carry out a business-wide risk assessment.  

In particular, with the UK’s new Failure to Prevent Fraud offence due to come into force this September, there is a clear expectation that firms need to conduct appropriate risk assessments. These don’t have to be standalone (you can embed a Failure to Prevent Fraud risk assessment within your EWRA), but you do need to ensure they meet legal obligations in any given year. 

 

When looking to create an EWRA, I find the guidance from the Wolfsberg Group and the Basel Committee on Banking Supervision incredibly valuable. For UK firms, the FCA’s Financial Crime Guide (FCG) offers clear direction, both on risk assessments in general, and on specific typology risks like fraud and bribery. Combine that with the JMLSG guidance and the obligations set out in Article 18 of the Money Laundering Regulations (2017), and you’re already going a long way towards meeting UK regulatory expectations. 

Of course, there are many other sources depending on your regulatory jurisdiction (for example, FFIEC or OFAC guidance if you’re operating in the U.S). 

With that regulatory and industry context in mind, here’s how I typically approach the EWRA process – step by step: 

1. Assess inherent risks with a questionnaire or workshop

The first step in any EWRA is understanding, for your specific business, customers and product lines, what could go wrong. We call this identifying your ‘inherent risks’, which are risks that exist before you apply any controls. 

Start by determining what area you are assessing. Your way into an assessment is through a so-called ‘assessable unit’, which could mean assessing by business line, country, product, or functional area. Choosing your route here can be tricky, but there’s no right or wrong answer – choose based on what makes sense for your circumstances. 

Once you’ve decided on your assessable units, the next step is to gather information on the inherent risks. I recommend doing this through a questionnaire, but if time is tight, I will run a workshop where I invite all key stakeholders to map risks together. 

When designing your questionnaire or workshop, make sure you ask questions that elicit information about the risks inherent to your business, rather than anything about the controls in place. Through the assessment process, you are testing whether or not the stakeholders involved understand the inherent risks.  

As you build your own domain knowledge around risk assessments you should be able to challenge the information presented to you. As a simplified example, the stakeholders you ask might say there are only five inherent risks at play, but you might need to go back and say there are actually ten. 

In any case, as you receive responses to your questionnaire, or hear feedback in a workshop, always ask yourself: 

  • Are these really all inherent risks? 
  • Have we missed any inherent risks? 

The point here is to get a clear, honest view of risk exposure. Everything that follows in your risk assessment process depends on it. 

One quick note before we go further: document everything. Why you chose certain assessable units, whether you ran workshops or used questionnaires, what questions you asked, what scoring approach you took – it all matters. If anything is challenged down the line, your documentation (aka methodology) becomes your defensible position. It’s not just about transparency; it’s about being able to stand behind your conclusions with confidence.

2. Understand what controls are in place

The control assessment stage of the process will help you understand how the inherent risks are currently being managed. You can do this in a couple of ways.  

If your organisation has a formal control library, start there. Ask each assessable unit to map the controls they use against the inherent risks identified. The goal is to see not just whether there are controls in place (if there’s a control library, there clearly are!), but to assess whether these are the right controls for the risks you’re facing. 

Without a control library, this stage can be conducted through either another questionnaire or in a workshop setting. 

In any case, the key is to ask lots of questions to gather as much information as possible about how the controls are working. When was the control last tested? What was the outcome of that testing? 

Importantly, don’t take the answers to these questions at face value. Cross-reference your data with audit findings or compliance monitoring reports. This step isn’t about catching people out – it’s about getting an accurate picture of where your control environment is strong, and where it needs work. 

3. Create a heat map by scoring your risk exposure

With your inherent risks identified and your controls assessed, the next step is to bring it all together in a useful piece of analysis. 

At this point, it's worth highlighting that consistency between EWRAs is crucial. Don’t keep reinventing the process – that will only make it harder for you to spot changes between assessments. Things will of course change from year to year, but with a well-defined, documented methodology you can capture those updates and still make a comparative analysis against previous conclusions (note: not necessarily “easy”, but doable).

One way to make it easier to compare EWRAs year-on-year is to move away from delivering them through spreadsheets, and instead adopt a tech-led approach with risk assessment tooling. The platforms that are now available offer advanced data integration, configurable scoring models, auditable decision trails and the ability to recut data through different risk lenses without rewriting formulas. They also make it easier for you to document the methodology used, and to generate heat maps and reports at the right level of granularity for different stakeholders. I've found that a good risk assessment tool, if set up optimally, can reduce the time it takes to run an EWRA significantly.

Whether you use a spreadsheet or a risk assessment tool, scoring your risk exposure means taking your raw data and applying a scoring methodology. Your methodology can be simple or complex. I’ve seen everything from basic high/medium/low ratings through to 0-100 models with weighted criteria. The important thing is to agree upfront on your methodology with key stakeholders, to document how you came to that methodology, and to apply it consistently throughout. 

Once you have your data and scores, you can plot each assessable unit (whether that’s a business line, country or product) onto a risk matrix. Most organisations use a 3x3 or 6x6 grid, with probability on the X-axis and severity on the Y-axis. 

Top right is your danger zone: high likelihood, high impact. This exercise shows where your highest residual risks still pose a threat, after existing controls have been taken into account. 
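To make steps 1 to 3 concrete, here is an added Python example of the scoring and heat-map logic described above. It is not the author's or BeyondFS's tooling; the 1-5 scale, the banding onto a 3x3 grid, the assessable units and their control data are all constructed for illustration. It also makes two simplifying assumptions that should be stated in any real methodology document: effective controls reduce likelihood but not severity, and a control only counts as effective if it has been tested and passed (an untested or failed control contributes nothing, which is the point of the "when was it last tested, and what was the outcome" questions in step 2).

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scoring scale agreed and documented upfront (constructed for this example):
# likelihood and severity are each scored 1 (lowest) to 5 (highest).
SCALE_MIN, SCALE_MAX = 1, 5

# Bands used to collapse the 1-5 scale onto a 3x3 matrix (constructed).
BANDS = {1: "low", 2: "low", 3: "medium", 4: "high", 5: "high"}


@dataclass
class Control:
    name: str
    effectiveness: float            # 0.0 (no reduction) .. 1.0 (fully mitigates likelihood)
    last_tested: Optional[str]      # ISO date of the most recent test, None if never tested
    test_passed: bool = False

    def counts(self) -> bool:
        """Assumption: only a documented control that was tested and passed is 'effective'."""
        return self.last_tested is not None and self.test_passed


@dataclass
class AssessableUnit:
    name: str
    inherent_likelihood: int
    inherent_severity: int
    controls: List[Control] = field(default_factory=list)


def effective_mitigation(controls: List[Control]) -> float:
    """Combine effective controls multiplicatively and return the share of
    inherent likelihood they remove (0.0 = nothing removed, 1.0 = all removed)."""
    remaining = 1.0
    for c in controls:
        if c.counts():
            remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def residual_scores(unit: AssessableUnit) -> Tuple[int, int]:
    """Residual = inherent minus effective controls.
    Likelihood is reduced by the effective controls and rounded UP (conservative);
    severity is the impact if the event occurs, so it keeps its inherent value."""
    mitigation = effective_mitigation(unit.controls)
    residual_likelihood = math.ceil(unit.inherent_likelihood * (1.0 - mitigation))
    residual_likelihood = max(SCALE_MIN, min(SCALE_MAX, residual_likelihood))
    return residual_likelihood, unit.inherent_severity


def heat_map(units: List[AssessableUnit]) -> Dict[Tuple[str, str], List[str]]:
    """Place each unit in a 3x3 grid keyed (likelihood_band, severity_band)."""
    grid: Dict[Tuple[str, str], List[str]] = {}
    for u in units:
        lik, sev = residual_scores(u)
        grid.setdefault((BANDS[lik], BANDS[sev]), []).append(u.name)
    return grid


def danger_zone(units: List[AssessableUnit]) -> List[str]:
    """Top-right cell of the matrix: high residual likelihood and high severity."""
    return heat_map(units).get(("high", "high"), [])


# Constructed sample assessable units; names and scores are illustrative only.
SAMPLE_UNITS = [
    # Inherited through an acquisition, no controls mapped at all.
    AssessableUnit("Legacy private bank (acquired)", 5, 5, []),
    # One tested, passing control that removes 60% of the likelihood.
    AssessableUnit("UK retail accounts", 4, 3,
                   [Control("Customer due diligence", 0.6, "2025-01-15", True)]),
    # A control exists but its last test failed, so it does not count.
    AssessableUnit("Trade finance", 4, 5,
                   [Control("Transaction screening", 0.5, "2024-11-02", False)]),
    # Two independent passing controls, each removing half of the likelihood.
    AssessableUnit("Correspondent banking", 5, 4,
                   [Control("Respondent bank due diligence", 0.5, "2025-02-01", True),
                    Control("Nested account monitoring", 0.5, "2025-02-01", True)]),
]

if __name__ == "__main__":
    for cell, names in sorted(heat_map(SAMPLE_UNITS).items()):
        print(f"likelihood={cell[0]:<6} severity={cell[1]:<6} -> {', '.join(names)}")
    print("Danger zone:", danger_zone(SAMPLE_UNITS))
```

Running it puts the acquired private bank and trade finance in the danger zone: the first because nothing mitigates it, the second because its only control failed testing and therefore scores as if it were absent. Whatever scale and banding you actually choose, keeping them in one documented place (here the `BANDS` table) is what lets next year's assessment be compared with this one.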

4. Take action through an implementation plan

If your heat map is showing areas of high residual risk where controls are weak or ineffective, you’ll need an implementation plan. 

As an example, an EWRA might surface that the due diligence process is inconsistent, overly manual, or no longer aligned to your risk profile. The next step is to understand the root cause – what’s gone wrong, and why? Your implementation plan might involve redesigning workflows, applying smarter automation, or upskilling teams to ensure checks are meaningful and repeatable. Whatever the fix, the outcome should be a measurable improvement. And once those changes are embedded, you revisit the scoring to reflect your improved risk position. 

This whole cycle of conducting a risk assessment and creating an implementation plan helps you prioritise where to spend your organisation’s budget. If in the future your CEO is tempted to put millions into an ambitious AI initiative, your risk assessment can tell you that fixing a broken due diligence process is the more urgent priority, or that the AI initiative should focus on that process first.

That’s the power of a risk-based approach. It gives you a clear view of where the real threats are, so you can direct time, budget and effort to where it’ll make the most impact. 

 

If your organisation hasn’t run a proper EWRA in a while, or if you’re not confident in the one you’ve got, now’s the time to do something about it. Whether you need a full assessment or just a second opinion, BeyondFS can help you get it done quickly, properly, and in a way that supports day-to-day decision-making. 

Let's make change happen.

We help Financial Institutions accelerate digital transformation – delivering improved efficiencies, better risk controls and enhanced customer experiences.