Governance, Risk & Compliance

Enterprise-Wide Risk Assessment for Financial Firms

A UK guide to the enterprise-wide risk assessment under SYSC 4 and SYSC 7: risk categories, appetite, inherent vs residual risk and the three lines.

10 min read Published 17 Jul 2026
Enterprise-Wide Risk Assessment for Financial Firms

An enterprise-wide risk assessment is the single, firm-level view of every material risk your business faces, scored against your appetite and your controls. It is what allows a board to see credit, market, operational, conduct, financial crime, prudential and strategic risk in one place, rather than in a dozen disconnected spreadsheets. The FCA does not use the phrase 'enterprise-wide risk assessment' as a defined term, but the underlying obligation is unambiguous. SYSC 4.1.1R requires a firm to have robust governance arrangements, which include effective processes to identify, manage, monitor and report the risks it is or might be exposed to.

That firm-wide duty is broader than the financial-crime risk assessment many compliance teams already run. Regulation 18 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires a relevant person to identify and assess the risks of money laundering and terrorist financing to which its business is subject. That is one important input, but it is only one risk type. An enterprise-wide assessment sits above it and pulls every category together so that senior management can allocate capital, attention and controls to where the risk actually is.

This guide sets out how to build an assessment that holds up to scrutiny: what SYSC 4 and SYSC 7 require, how an enterprise-wide view differs from a financial-crime-specific one, the main risk categories to cover, the inherent-risk to residual-risk method, how risk appetite frames the whole exercise, and the three-lines governance that keeps it honest. Every rule and framework cited here comes from the FCA Handbook, MLR 2017 or the Institute of Internal Auditors.

What SYSC 4 and SYSC 7 actually require

The starting point is SYSC 4.1.1R. It requires a firm to have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. The words 'the risks it is or might be exposed to' are the whole point: the duty is enterprise-wide, not confined to any single risk type.

SYSC 7 turns that into a risk-control programme. SYSC 7.1.2-AR requires a common platform firm to establish, implement and maintain adequate risk management policies and procedures which identify the risks relating to the firm's activities, processes and systems and, where appropriate, set the level of risk tolerated by the firm. SYSC 7.1.3R then requires the firm to adopt effective arrangements, processes and mechanisms to manage that risk, in light of the level of risk tolerance the firm has set. Identify the risks, set the tolerance, then manage against it: that is the spine of an enterprise-wide assessment.

Governance sits on top. SYSC 7.1.4R requires the management body to approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment. SYSC 7.1.5R requires the firm to monitor the adequacy and effectiveness of its risk management policies and procedures and the level of compliance with them. Where appropriate and proportionate to the nature, scale and complexity of its business, SYSC 7.1.6R requires the firm to maintain a risk management function that operates independently. These rules apply as guidance for many smaller firms, but the expectation to identify and manage firm-wide risk in a proportionate way runs across the population.

Enterprise-wide versus a financial-crime risk assessment

Firms often conflate the two, and supervisors notice when they do. A financial-crime risk assessment is a specialist, legally mandated document with a defined scope. Regulation 18 of MLR 2017 requires a relevant person to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject, taking into account information made available by its supervisory authority and risk factors relating to its customers, the countries or geographic areas in which it operates, its products or services, its transactions and its delivery channels. The firm must keep an up-to-date written record of the steps taken and provide the assessment to its supervisor on request.

An enterprise-wide risk assessment is wider in scope and different in purpose. It covers financial crime as one category among several, and its job is to give the board a consolidated picture across credit, market, operational, conduct, prudential, strategic and financial-crime risk. The FCA's Financial Crime Guide reinforces the relationship: FCG 2.2.1 expects senior management to take clear responsibility for managing financial crime risks, which should be treated in the same manner as other risks faced by the business. In other words, financial crime is not a silo; it belongs inside the same enterprise-wide framework as everything else.

The practical consequence is that the financial-crime assessment should feed the enterprise view rather than duplicate it. FCG 2.2.4 states that a business-wide risk assessment should be comprehensive, draw on a wide range of relevant information, and be proportionate to the nature, scale and complexity of the firm's activities. Those same qualities define a credible enterprise-wide assessment. Our Control module is designed to hold both layers so the specialist assessment rolls up into the firm-wide view without being re-keyed.

DimensionFinancial-crime risk assessmentEnterprise-wide risk assessment
Legal basisRegulation 18 of MLR 2017; FCA Financial Crime GuideSYSC 4.1.1R and SYSC 7.1 risk-control rules
ScopeMoney laundering, terrorist financing and proliferation financingAll material risk types across the firm
Risk factorsCustomers, countries, products, transactions, delivery channelsCredit, market, operational, conduct, financial crime, prudential, strategic
Primary audienceMLRO, supervisor on request, senior managementBoard and senior management as a single view
RelationshipOne input into the enterprise-wide viewConsolidates the financial-crime assessment with all others
The financial-crime risk assessment is a mandated specialist input; the enterprise-wide assessment consolidates it with every other risk category. Sources: MLR 2017 reg 18; FCA SYSC 4 and SYSC 7; FCA Financial Crime Guide.

The main risk categories to cover

An enterprise-wide assessment is only credible if it covers the full risk taxonomy relevant to the firm. The categories below are the ones commonly used across regulated firms and reflected in the FCA Handbook's risk-control framework. Not every firm carries every category in material size, and proportionality applies, but the assessment should consciously consider each and record why any are out of scope. SYSC 7.1.2-AR frames the task as identifying the risks relating to the firm's activities, processes and systems, which forces a business-model lens rather than a generic checklist.

For each category you name the specific exposures your business model creates, then assess likelihood and impact before and after controls. The table sets out the categories with example risks. Treat it as a prompt list, not a limit; your own products, customers, markets and outsourcing arrangements will suggest others. Where a category such as financial crime already has a dedicated assessment under Regulation 18, the enterprise view should reference and summarise it rather than repeat the detail.

The point of the taxonomy is comparability. When every category is scored on the same likelihood-and-impact basis, the board can rank them against each other and against appetite, and decide where mitigation spend does the most good. That comparability is what turns a pile of individual assessments into a genuine enterprise-wide picture.

Risk categoryWhat it coversExample risks
CreditLoss from a counterparty failing to meet obligationsBorrower default, concentration to a single sector, counterparty settlement failure
MarketLoss from movements in market prices and ratesInterest-rate moves, foreign-exchange exposure, spread widening on held assets
OperationalLoss from failed internal processes, people, systems or external eventsSystem outage, key-person dependency, third-party or outsourcing failure, cyber incident
ConductRisk of poor customer outcomes or market integrity harmUnsuitable advice, mis-selling, unclear disclosures, unfair treatment of vulnerable customers
Financial crimeRisk the firm is used to further money laundering, terrorist financing or sanctions breachesHigh-risk customers, opaque ownership, sanctions exposure, weak transaction monitoring
PrudentialRisk the firm cannot meet capital or liquidity requirementsInsufficient own funds, liquidity shortfall, inability to wind down in an orderly way
StrategicRisk to the business model and objectivesLoss of a major client or partner, regulatory change, competitive or technological disruption
Common enterprise-wide risk categories with example risks. The financial-crime row summarises the separate Regulation 18 assessment rather than replacing it.

Inherent risk, controls and residual risk

A defensible assessment scores each risk twice. Inherent risk is the exposure before any controls are applied, judged on likelihood and impact. Residual risk is what remains after your controls operate as designed. The gap between the two is the measurable value of your control environment, and it is exactly what SYSC 7.1.5R asks you to monitor when it requires firms to check the adequacy and effectiveness of their risk management policies and procedures and the level of compliance with them.

Score inherent risk first, on a consistent scale, without giving yourself credit for controls. Then assess control effectiveness honestly: a control that exists on paper but is untested, poorly staffed or routinely overridden should not reduce the score much. Residual risk is the output, and it is the number the board compares against appetite. If residual risk sits above appetite, you have a gap that needs a remediation action with an owner and a date; if it sits well below, you may be over-controlling and spending resource that could move elsewhere.

A risk heatmap makes this legible for a board. Plotting residual risks by likelihood and impact turns a long register into a single picture of where the firm is most exposed. The heatmap below is illustrative of the cell structure, not a statement about any particular firm; each cell is a likelihood-and-impact combination with a colour that signals priority.

Illustrative residual-risk heatmap

Residual risks plotted by likelihood and impact. Red cells demand board attention and remediation; amber cells need monitoring; green cells are within appetite. Illustrative structure only, not firm-specific data.

High likelihood / High impact

9

High likelihood / Medium impact

6

High likelihood / Low impact

3

Medium likelihood / High impact

6

Medium likelihood / Medium impact

4

Medium likelihood / Low impact

2

Risk appetite frames the whole exercise

Scoring risk is only useful if you can say whether the level is acceptable, and that is the job of risk appetite. Appetite is the amount and type of risk the firm is willing to take in pursuit of its objectives, set by the board and expressed for each material category. SYSC 7.1.2-AR anchors this in rule: firms must, where appropriate, set the level of risk tolerated by the firm. Without a stated appetite, a heatmap is just colours; with one, every residual score becomes a pass, a watch or a breach.

A workable appetite statement is specific enough to test against. For credit risk it might cap exposure to a single sector; for operational risk it might set a tolerance for system downtime; for conduct it might state that certain customer-harm outcomes are simply not acceptable. SYSC 7.1.3R connects appetite to action by requiring firms to adopt effective arrangements, processes and mechanisms to manage risk in light of the level of risk tolerance set. Appetite that is never used to trigger a control or an escalation is decorative.

Appetite also has to be owned at the top and reviewed. SYSC 7.1.4R requires the management body to approve and periodically review the strategies and policies for managing the risks the firm is or might be exposed to. In practice that means the board signs off the appetite, sees the enterprise-wide assessment measured against it, and revisits both when the business model, the market or the regulatory environment changes.

How to run an enterprise-wide risk assessment

The mechanics matter as much as the framework. A repeatable process keeps the assessment current, defensible and useful to decision-makers rather than a once-a-year artefact. SYSC 7.1.4R expects the management body to review risk strategies periodically, and FCG 2.2.4, though written for financial crime, captures the wider expectation well: assessments should be comprehensive, draw on a range of information and be proportionate to the firm's activities. The steps below turn those expectations into a working cycle.

Work through the taxonomy category by category, score inherent and residual risk consistently, compare against appetite, and route the output to the board with clear owners for any gaps. Then schedule the refresh and the triggers that force an out-of-cycle update, such as a new product, a major outsourcing arrangement or a significant regulatory change. If you want to see how this runs inside a live workflow, request a demo and walk through a worked assessment.

1
Define scope and taxonomy
List every material risk category for your business model and record any excluded as out of scope.
2
Set risk appetite
Board agrees the level of risk tolerated per category, in testable terms.
3
Score inherent risk
Rate likelihood and impact before controls, on one consistent scale.
4
Assess controls
Judge how effectively existing controls operate, not just whether they exist.
5
Score residual risk
Rate the exposure remaining after controls and plot it on the heatmap.
6
Compare to appetite
Flag every residual score that sits above the agreed tolerance as a gap.
7
Remediate gaps
Assign each gap an owner, an action and a date, then track to closure.
8
Report and refresh
Take the view to the board and refresh on cycle or on trigger events.

Governance and the three lines of defence

An enterprise-wide assessment only works if responsibility for it is clear, and the three-lines model is the standard way UK firms organise that. The Institute of Internal Auditors updated the model in July 2020 as the Three Lines Model, an evolution of the older Three Lines of Defence. It maps who owns risk, who oversees it and who provides independent assurance, which is exactly the clarity SYSC 4.1.1R demands when it requires well defined, transparent and consistent lines of responsibility.

In the model, first line roles are most directly aligned with the delivery of products and services to clients, and responsibility for managing risk remains a part of those first line roles. Second line roles assist with managing risk, providing complementary expertise, support, monitoring and challenge, and can span a broader responsibility such as enterprise risk management. The internal audit function forms the third line, providing independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management, and reporting its findings to management and the governing body.

Above the three lines sits the board. The IIA model states that the governing body delegates responsibility and provides resources to management while ensuring legal, regulatory and ethical expectations are met, and establishes and oversees an independent internal audit function. That mirrors SYSC 7.1.4R, under which the management body approves and periodically reviews the firm's risk strategies. For firms still building this structure as part of an authorisation application, mapping governance and risk ownership clearly before you submit avoids a common source of FCA challenge.

Conclusion

An enterprise-wide risk assessment is not a compliance document to be filed and forgotten. It is the mechanism by which a board sees every material risk in one comparable picture, scores it against a stated appetite, and directs mitigation to where it matters most. SYSC 4.1.1R requires the effective processes to identify, manage, monitor and report the risks the firm is or might be exposed to, and SYSC 7 turns that into a programme of setting tolerance, managing against it, monitoring effectiveness and reviewing at board level. The financial-crime risk assessment under Regulation 18 of MLR 2017 is an important input, but it is one category inside this wider view, not a substitute for it.

Build the assessment on a clear taxonomy, score inherent and residual risk consistently, frame everything with a testable risk appetite, and hold it inside a three-lines governance structure with genuine board ownership. Refresh it on cycle and whenever the business or its environment changes materially. Done that way, the enterprise-wide risk assessment becomes what the FCA's rules intend: a living tool that makes the firm's risks visible and manageable, rather than a snapshot that ages the day it is signed.

Frequently asked questions

Is an enterprise-wide risk assessment a regulatory requirement?

The FCA does not use that exact phrase as a defined term, but the substance is required. SYSC 4.1.1R requires robust governance arrangements including effective processes to identify, manage, monitor and report the risks the firm is or might be exposed to, and SYSC 7.1.2-AR requires firms to maintain risk management policies and procedures that identify the risks relating to their activities, processes and systems. An enterprise-wide assessment is how firms meet those firm-wide duties.

How is it different from a financial-crime risk assessment?

A financial-crime risk assessment is a specialist document mandated by Regulation 18 of MLR 2017, covering money laundering and terrorist financing risk across customers, countries, products, transactions and delivery channels. An enterprise-wide assessment is broader: it consolidates financial crime with credit, market, operational, conduct, prudential and strategic risk into a single board-level view. The financial-crime assessment feeds the enterprise view rather than replacing it.

What risk categories should it cover?

Cover every material category for your business model. Commonly these include credit, market, operational, conduct, financial crime, prudential and strategic risk. Proportionality applies under the FCA rules, so a smaller firm may carry some categories in negligible size, but the assessment should consciously consider each and record why any are out of scope rather than silently omitting them.

What is the difference between inherent and residual risk?

Inherent risk is the exposure before any controls are applied, scored on likelihood and impact. Residual risk is what remains after controls operate as designed. The gap between them measures the value of your control environment. SYSC 7.1.5R requires firms to monitor the adequacy and effectiveness of their risk management policies and procedures, which is a check on whether that gap is real.

How does risk appetite fit in?

Risk appetite is the amount and type of risk the firm is willing to take, set by the board per category. SYSC 7.1.2-AR requires firms, where appropriate, to set the level of risk tolerated, and SYSC 7.1.3R requires arrangements to manage risk in light of that tolerance. Appetite is what turns a residual-risk score into a pass, a watch or a breach, so the board can decide where action is needed.

Who owns the enterprise-wide risk assessment?

Ownership follows the three-lines model. First line business roles manage the risk they create, second line functions such as risk and compliance provide oversight, expertise and challenge, and internal audit provides independent assurance as the third line. Above them, SYSC 7.1.4R requires the management body to approve and periodically review the firm's risk strategies, so the board carries ultimate ownership.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Keep reading

More insights you will like.

Stay ahead of the curve

Practical guides and updates for UK firms, straight to your inbox.

Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide