
Enterprise-Wide AML Risk Assessment Template

The Enterprise-Wide AML Risk Assessment Template is a structured xlsx spreadsheet for compliance officers, BSA officers, and MLROs at financial institutions. It guides teams through inherent risk scoring across customers, products, channels, and geographies, maps control effectiveness to derive residual risk ratings, and produces the board-approved documentation regulators expect to see in an exam.

What is the Enterprise-Wide AML Risk Assessment?

Under FATF Recommendation 1, every financial institution must identify, assess, and understand its money laundering and terrorist financing risk. The enterprise-wide AML risk assessment is the formal output of that obligation. It's a structured analysis across all business lines, customer segments, products, delivery channels, and geographies, producing an aggregate residual risk rating the board can approve and regulators can examine.

This isn't a box-checking exercise. Examiners from FinCEN, the OCC, the FCA, and equivalent bodies read these documents looking for three things: completeness (did you cover every material product and channel?), methodology (how did you weight each risk factor?), and honesty (did you acknowledge where controls fall short?). An assessment that shows only green ratings raises flags immediately.

The template structures this work as a spreadsheet so teams can document inherent risk scores, control ratings, and residual risk calculations in a format that's easy to review, update annually, and hand to an examiner without additional translation.

Customer Due Diligence gaps, weak transaction monitoring coverage, and concentration in high-risk geographies are the three areas that most commonly produce a "needs improvement" finding in BSA/AML exams. A well-maintained enterprise-wide assessment surfaces all three before an examiner does.

The FFIEC BSA/AML Examination Manual spells out exactly what examiners evaluate when reviewing an institution's risk assessment process. It's worth reading alongside this template before your next examination cycle.

Who needs the Enterprise-Wide AML Risk Assessment?

The primary owner is the BSA officer or MLRO. They sign it, defend it to examiners, and update it when the business changes. But filling it in accurately requires input from several functions: product managers (what's the actual transaction volume on that new product?), the fraud team (where are the customer risk concentrations?), model risk (how effective is the transaction monitoring model, really?), and legal (which jurisdictions are we operating in now?).

The trigger for pulling this template out comes at predictable moments. Annual review cycles are the obvious one. But institutions also update their enterprise-wide assessment when they launch a new product, enter a new geography, acquire a business, or receive an MRA from a regulator. Exam preparation is another trigger. The OCC, FinCEN, and the FCA all expect a current, board-approved risk assessment as a foundational document.

Smaller community banks and credit unions use it to establish a baseline. Tier 1 banks use it to aggregate risk across dozens of subsidiaries and business lines. The same template structure works for both because the core risk dimensions are identical: customers, products, channels, geographies.

Compliance analysts doing the data gathering will find the structured scoring methodology saves time over building from scratch. Chief compliance officers preparing board presentations will value the summary tab. Model risk teams validating monitoring effectiveness will find a ready home for their control ratings.

What's inside the Enterprise-Wide AML Risk Assessment

The spreadsheet has seven tabs. Here's what each one contains.

Tab 1: Scope and Institutional Profile

Business lines covered, legal entities included, reporting date, version number, and the names of contributors and approvers. This tab defines what the assessment covers and, just as important, what it doesn't. Any examiner reading the document starts here.

Tab 2: Inherent Risk – Customers

Rows for each customer segment: retail, commercial, private banking, correspondent banking, MSBs, NGOs, and high-net-worth individuals. Columns for risk factors: PEP exposure, high-risk country customers, politically sensitive industries, shell company relationships, and cash-intensive businesses. Each cell takes a score from 1 to 5 with a defined weighting. The tab totals to a weighted inherent customer risk rating.

Tab 3: Inherent Risk – Products and Services

The same scoring structure applied to products: wire transfers, trade finance, digital banking, ATMs, prepaid cards, and cross-border payment corridors. FATF Recommendation 10 requires institutions to apply CDD based on product risk. This tab provides the documented evidence that you've completed that analysis.

Tab 4: Inherent Risk – Geographies and Channels

Country risk ratings based on FATF grey and black lists, EU high-risk third country designations, OFAC sanctions classifications, and Transparency International CPI scores. Delivery channel risk rows cover online banking, mobile, agent banking, and cross-border remittance.

Tab 5: Control Effectiveness

For each risk area above, a parallel rating column assesses the strength of existing controls: sanctions screening, PEP screening, transaction monitoring coverage, CDD and enhanced due diligence procedures, and record-keeping practices under FATF Recommendation 11. Ratings run from "strong" to "weak," each with a numeric equivalent the formula tab picks up automatically.

Tab 6: Residual Risk Summary

A formula tab that multiplies inherent risk scores by control effectiveness discount factors to produce residual risk by category and in aggregate. Includes a heat-map summary by business line for board-level presentation.

Tab 7: Action Plan

Gaps identified, owner assigned, remediation deadline, and current status. This is the tab regulators check to confirm you're acting on your own findings. An empty action plan is a finding in itself.

How to use the Enterprise-Wide AML Risk Assessment

Step 1: Define scope before you open the spreadsheet.

Decide which legal entities, business lines, and product sets this assessment covers. Document it in Tab 1. If you're a bank holding company with multiple charters, decide upfront whether you're producing one consolidated assessment or separate assessments per charter. Regulators expect consistency year over year, so establish that convention now.

Step 2: Gather source data first.

You need transaction volume by product, customer segment breakdowns, and geographic exposure before scoring anything. Pull these from your core banking system, your KYC database, and your transaction monitoring platform. The assessment is only as accurate as the numbers behind it. Scoring from memory produces ratings that don't survive examiner scrutiny.

Step 3: Score inherent risk independently of controls.

This is where most teams go wrong. Inherent risk is the exposure before any controls exist. Score it that way. Don't discount wire transfer risk because you have a strong monitoring system; Tab 5 handles that. The FFIEC BSA/AML Examination Manual is clear on this: inherent risk and residual risk are separate analytical questions and must be documented separately.

Step 4: Rate control effectiveness honestly.

For each risk area, rate whether controls are strong, adequate, or weak. Pull in your most recent model validation reports, screening audit results, and prior exam findings. If you've received MRAs, they belong in this column. Overrating controls here is the fastest way to undermine credibility with an examiner.

Step 5: Review residual risk outputs with the MLRO before board presentation.

The formula tab calculates residual risk from your scores. If residual risk in any category comes out as high, you need either a documented rationale for accepting it or a remediation plan in Tab 7. There's no right answer, but there has to be a written answer.

Step 6: Get board approval and maintain version history.

The board or a delegated risk committee must approve the assessment, and that approval must be documented in Tab 1. Compliance officers focused on staying continuously exam-ready often tie the annual refresh to the board's risk appetite statement cycle, which keeps the two documents aligned and reduces duplication.
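The scoring flow of Tabs 2, 5 and 6 and of Steps 3 to 5 (weighted inherent score per segment, control rating mapped to a discount factor, residual derived from both, high residual flagged for Tab 7) as an added Python example. It is not the template's own formulas: the factor weights, the discount factors, the heat-map bands and the sample segments are all constructed here for illustration.

```python
from statistics import fmean

# Constructed Tab 2 factor weights (must sum to 1); the template's real weights are not on the page.
FACTOR_WEIGHTS = {"pep_exposure": 0.25, "high_risk_country": 0.25, "sensitive_industry": 0.15,
                  "shell_company": 0.20, "cash_intensive": 0.15}
# Assumed numeric equivalents for the Tab 5 ratings: the share of inherent risk that survives the controls.
CONTROL_DISCOUNT = {"strong": 0.4, "adequate": 0.7, "weak": 1.0}

def weighted_inherent(scores: dict[str, int]) -> float:
    """Tabs 2-4: weighted inherent score on the 1-5 scale, with no credit given for controls."""
    if abs(sum(FACTOR_WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1")
    for factor in FACTOR_WEIGHTS:
        if not 1 <= scores[factor] <= 5:
            raise ValueError(f"{factor}: score {scores[factor]} is outside the 1-5 scale")
    return round(sum(scores[f] * w for f, w in FACTOR_WEIGHTS.items()), 2)

def residual_risk(inherent: float, control: str) -> float:
    """Tab 6: residual = inherent x control discount factor (assumed formula shape)."""
    return round(inherent * CONTROL_DISCOUNT[control], 2)

def rating(score: float) -> str:
    """Assumed heat-map bands on the 1-5 scale."""
    return "high" if score >= 3.5 else "medium" if score >= 2.5 else "low"

def assess(segments: list[dict]) -> list[dict]:
    """One row per customer segment; a high residual rating must have a Tab 7 action item."""
    rows = []
    for seg in segments:
        inherent = weighted_inherent(seg["scores"])
        resid = residual_risk(inherent, seg["control"])
        rows.append({"segment": seg["segment"], "inherent": inherent, "control": seg["control"],
                     "residual": resid, "rating": rating(resid), "action_required": rating(resid) == "high"})
    return rows

def aggregate_rating(rows: list[dict]) -> str:
    """Assumed aggregate rule: band the mean of the segment residual scores."""
    return rating(fmean(r["residual"] for r in rows))

# Constructed sample segments (not data from any real institution).
SAMPLE_SEGMENTS = [
    {"segment": "retail", "control": "adequate", "scores": {"pep_exposure": 1, "high_risk_country": 2,
     "sensitive_industry": 1, "shell_company": 1, "cash_intensive": 2}},
    {"segment": "correspondent banking", "control": "adequate", "scores": {"pep_exposure": 4,
     "high_risk_country": 5, "sensitive_industry": 3, "shell_company": 5, "cash_intensive": 2}},
    {"segment": "MSBs", "control": "weak", "scores": {"pep_exposure": 3, "high_risk_country": 4,
     "sensitive_industry": 4, "shell_company": 4, "cash_intensive": 5}},
]
```

Running `assess(SAMPLE_SEGMENTS)` shows the point of Step 3: correspondent banking scores 4.0 inherent and only drops to medium residual through its controls, while the weakly controlled MSB segment stays high and needs a Tab 7 entry.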

Common mistakes to avoid

Conflating inherent risk and residual risk in the same column

This is the single most common structural flaw. Teams assign a single "risk score" that already reflects their controls, then wonder why examiners say the methodology lacks rigor. Score the world without controls first, rate control strength second, and let the formula derive residual risk from both inputs. The template enforces this with separate tabs.

Scoping out high-risk products because volumes are small

An MSB customer segment with $40 million in annual wire volume carries high inherent risk regardless of its share of the portfolio. Size doesn't determine risk category. A small correspondent banking book can carry outsized exposure. Every product on the inventory needs a score.

Using last year's data without updating

An assessment that's 18 months old, with transaction volumes from before a product launch or geographic expansion, is a liability. Examiners notice gaps between the assessment and the current business profile. Log mid-year trigger updates in Tab 7, and do a full refresh at minimum annually.

Rating every control as "strong" or "adequate"

If every control gets a strong rating, an examiner reads that as an absence of self-criticism. Real programs have gaps. The EDD Checklist for High-Risk Customers is a useful cross-reference: EDD coverage has holes in most programs that teams consistently understate.

Leaving the action plan tab blank

If the residual risk section identifies a gap and Tab 7 has no entries, that gap becomes a direct examiner finding. Assign owners, set deadlines, and update status quarterly at minimum.

Treating the assessment as a standalone document

The enterprise-wide risk assessment should drive your transaction monitoring tuning, your CDD risk tiers, and your SAR filing thresholds. If those operational systems don't reflect the risk ratings documented here, the AML program looks disconnected in an exam. Alignment between this assessment and day-to-day controls is also where genuine cost savings appear, without trading off coverage.

How FluxForce automates this

The manual work this template represents (scoring customer risk, rating control effectiveness, and tracking remediation gaps) is what FluxForce's AI agents handle continuously. Real-time transaction monitoring, automated sanctions and PEP screening, and audit-ready evidence for every decision mean the risk picture stays current rather than going stale between annual reviews. Control ratings get grounded in live operational data, not last year's recall. To see what that looks like in a live environment, book a demo.

Stop filling this template in by hand

FluxForce AI agents handle the work behind AML templates like this one: real-time monitoring, sanctions and PEP screening, and automated, audit-ready reporting.
