A practical guide to running an Enterprise-Wide Risk Assessment (EWRA)

Ultimately, as a leader within an organisation, you need to be able to come to a robust conclusion on the institution’s levels of residual risk. Let’s start with the basics: mathematically, residual risk is a simple calculation – inherent risks (a natural or underlying level of risk without any controls or mitigations in place), minus effective controls (controls which have been documented and assessed as adequately managing risk), equals residual risk… the complexity comes later!

An EWRA is how you determine that level of residual risk, and how you can put (or improve) effective controls in place to lower those levels.  

It’s not just that EWRAs are valuable – they’re expected. Financial regulators set clear expectations that these are compulsory. The FCA’s Financial Crime Guide states that firms should assess their exposure to fraud (2.2.4, 4.2.1), bribery (6.6.2), and other financial crime risks as part of a structured, documented process. Under Article 18 of the UK Money Laundering Regulations (reinforced in Articles 27 and 28), firms are required to carry out a business-wide risk assessment.  

In particular, with the UK’s new Failure to Prevent Fraud offence due to come into force this September, there is a clear expectation that firms need to conduct appropriate risk assessments. These don’t have to be standalone (you can embed a Failure to Prevent Fraud risk assessment within your EWRA), but you do need to ensure they meet legal obligations in any given year. 

When looking to create an EWRA, I find the guidance from the Wolfsberg Group and the Basel Committee on Banking Supervision incredibly valuable. For UK firms, the FCA’s Financial Crime Guide (FCG) offers clear direction, both on risk assessments in general, and on specific typology risks like fraud and bribery. Combine that with the JMLSG guidance and the obligations set out in Article 18 of the Money Laundering Regulations (2017), and you’re already going a long way towards meeting UK regulatory expectations. 

Of course, there are many other sources depending on your regulatory jurisdiction (for example, FFIEC or OFAC guidance if you’re operating in the U.S). 

With that regulatory and industry context in mind, here’s how I typically approach the EWRA process – step by step: 

The first step in any EWRA is understanding, for your specific business, customers and product lines, what could go wrong. We call this identifying your ‘inherent risks’, which are risks that exist before you apply any controls. 

Start by determining what area you are assessing. Your way into an assessment is through a so-called ‘assessable unit’, which could mean assessing by business line, countries, products, or by functional area. Choosing your route here can be tricky, but there’s no right or wrong answer – choose based on what makes sense for your circumstances. 

Once you’ve decided on your assessable units, the next step is to gather information on the inherent risks. I recommend doing this through a questionnaire, but if time is tight, I will run a workshop where I invite all key stakeholders to map risks together. 

When designing your questionnaire or workshop, make sure you ask questions that elicit information about the risks inherent to your business, rather than anything about the controls in place. Through the assessment process, you are testing whether or not the stakeholders involved understand the inherent risks.  

As you build your own domain knowledge around risk assessments you should be able to challenge the information presented to you. As a simplified example, the stakeholders you ask might say there are only five inherent risks at play, but you might need to go back and say there are actually ten. 

In any case, as you receive responses to your questionnaire, or hear feedback in a workshop, always ask yourself: 

• Are these really all inherent risks? 
• Have we missed any inherent risks? 

The point here is to get a clear, honest view of risk exposure. Everything that follows in your risk assessment process depends on it. 

One quick note before we go further: document everything. Why you chose certain assessable units, whether you ran workshops or used questionnaires, what questions you asked, what scoring approach you took – it all matters. If anything is challenged down the line, your documentation (aka methodology) becomes your defensible position. It’s not just about transparency; it’s about being able to stand behind your conclusions with confidence.

The control assessment stage of the process will help you understand how the inherent risks are currently being managed. You can do this in a couple of ways.  

If your organisation has a formal control library, start there. Ask each assessable unit to map the controls they use against the inherent risks identified. The goal is to see not just whether there are controls in place (if there’s a control library, there clearly are!), but to assess whether these are the right controls for the risks you’re facing. 

Without a control library, this stage can be conducted through either another questionnaire or in a workshop setting. 

In any case, the key is to ask lots of questions to gather as much information as possible about how the controls are working. When was the control last tested? What was the outcome of that testing? 

Importantly, don’t take the answers to these questions at face value. Cross-reference your data with audit findings or compliance monitoring reports. This step isn’t about catching people out – it’s about getting an accurate picture of where your control environment is strong, and where it needs work. 

With your inherent risks identified and your controls assessed, the next step is to bring it all together in a useful piece of analysis. 

At this point, it's worth highlighting that consistency between EWRAs is crucial. Don’t keep reinventing the process – that will only make it harder for you to spot changes between assessments. Equally, things change from year to year, but with a well-defined, documented methodology capturing updates and being able to make a comparative analysis to previous conclusions is possible (note: not necessarily “easy”, but doable).

One way to make it easier to compare EWRAs year-on-year is to move away from delivering them through spreadsheets, and instead adopt a tech-led approach with risk assessment tooling. The platforms that are now available offer advanced data integration, configurable scoring models, auditable decision trails and the ability to recut data through different risk lenses without rewriting formulas. They also make it easier for you to document the methodology used, and to generate heat maps and reports at the right level of granularity for different stakeholders. I've found that a good risk assessment tool, if set up optimally, can reduce the time it takes to run an EWRA significantly.

Whether you use a spreadsheet or a risk assessment tool, when scoring your risk exposure you will take your raw data and applying a scoring methodology. Your methodology can be simple or complex. I’ve seen everything from basic high/medium/low ratings through to 0-100 models with weighted criteria. The important thing is to agree upfront on your methodology with key stakeholders, to document how you came to that methodology, and to apply it consistently throughout. 

Once you have your data and scores, you can plot each assessable unit (whether that’s a business line, country or product) onto a risk matrix. Most organisations use a 3x3 or 6x6 grid, with probability on the X-axis and severity on the Y-axis. 

Top right is your danger zone: high likelihood, high impact. This exercise shows where your highest residual risks still pose a threat, after existing controls have been taken into account.