Next-Generation Financial Crime Enterprise-Wide Risk Assessments


As the financial services landscape grows more dynamic, the stakes have never been higher. The importance of robust financial crime risk management frameworks cannot be overstated. Enterprise-wide risk assessments (EWRAs) are a North Star for these, playing a critical role in supporting a risk-based approach and ensuring regulatory compliance.

However, their efficacy is increasingly put under the microscope. We need innovative approaches that differentiate organizations from competitors and technology vendors. Assessments should not be merely a tick-box exercise. They are a strategic cornerstone to a risk-based approach to financial crime. EWRAs must evolve and do so with enabling capabilities present, which we will explore within this article.

Challenging the Risk Assessment Status Quo

While EWRAs often meet regulatory requirements, their impact may be limited by outdated methodologies and inadequate integration into broader governance and risk management frameworks. They must evolve from static, compliance-driven routines into dynamic, actionable tools that drive real value.

  1. Actionable: Risk assessments must produce outcomes that can be directly integrated into governance, risk management and change plans. It is also essential to orient managerial action based on inherent and residual risk for effective resource allocation. Embedding these insights within control frameworks ensures they inform and enhance organizational decision-making and allow control effectiveness to be tracked.
  2. Aligned: Effective EWRAs must satisfy risk management and compliance objectives. Integrating them with other financial crime controls, such as control testing and monitoring (by having common control libraries, EWRA output used to prioritize control testing, control testing output factored in forthcoming EWRA assessments), provides a coherent view of risk across the enterprise.
  3. Deep: A robust EWRA must address a broad spectrum of regulations, guidance and national risk assessments. By drilling down into specific risks, these assessments can inform the design and testing of precise controls.
  4. Timely: For risk assessments to remain relevant, they need to be more frequent and adaptive. A dynamic approach allows organizations to respond proactively to emerging risks.
  5. Measurable: Regulators increasingly expect EWRAs to be data-driven, quantitative exercises. Quantification also enables organizations to measure progress against risk appetite metrics.

Key Innovation Trends

Financial crime EWRAs should be designed and structured to meet regulatory requirements with a clearly documented methodology. Innovation is being seen in the following three main areas.

  1. Integration of Financial Crime Risks: Important synergies emerge from combining various risk types under the same risk-assessment effort. Combining assessments for different financial crime types—money laundering, terrorist financing, sanctions evasion, tax evasion and bribery—enhances efficiency and provides an aggregate but more comprehensive view of risk. Of course, further specialization is required in each of these risk types. For the inherent risk drivers, specific controls and subject matter expertise are still necessary; these can be contained within a common financial crime EWRA.

      Running an overarching risk assessment will leverage resources more efficiently—human resources, stakeholders’ attention, time and budget—and provide a more holistic view of financial crime risk exposures. The controls’ transformation and action plans will have greater cohesion.

  2. Data and Technology Enablement: Leading organizations are assessing inherent risk and controls in their EWRA based on data, as an increasingly quantitative-data-led exercise, albeit balanced with qualitative input like subject matter expertise and business knowledge. They are enjoying cost efficiencies by having their inherent risk assessment based on data points. They can extract and produce substantial data for the EWRA, enabling a data-driven assessment of the majority of regulatory requirements. This is an iterative journey. During initial iterations data availability is likely a challenge, but this can be overcome with appropriate tools and techniques—such as using proxies or combining with qualitative input.

    Advanced tools allow organizations to automate data collection and risk assessment calculations, enabling near real-time insights and reducing manual effort.

    By leveraging automation and data analytics, organizations can shift from annual assessments to continuous monitoring, a stage we call “continuous EWRA.”

    This renders risk insights more relevant and actionable. At this level of maturity, long-form report production can be accelerated with generative artificial intelligence (GenAI). EWRA execution transforms from a costly, intense and slow manual or semi-automated exercise once a year into a swift, frequent process running in mere weeks, providing a near real-time view of the financial crime risks and controls in the business.

  3. Enhanced Governance Controls: Technology integration also creates synergies and strengthens two other governance controls.
      • Management Information and Reporting: Timely access to actionable information empowers decision-makers to respond promptly to changes in risk exposure.
      • Risk Appetite Quantification: Granular risk appetite metrics allow organizations to set and monitor thresholds effectively, translating abstract statements into measurable outcomes.

Enabling Capabilities for Future-Ready Financial Crime EWRAs

With the unpredictability of financial crime, organizations must be agile and forward-thinking in managing risk. Transforming financial crime EWRAs requires certain enabling capabilities within the organization, ensuring they not only meet regulatory expectations but also harness the full potential of risk insights. The following capabilities are critical in empowering organizations to innovate.

  1. Intelligence and Insights: Access to regulatory threat intelligence, risk typologies and trends enhances an organization’s ability to anticipate and mitigate risks. To effectively achieve financial crime compliance, we must integrate human resources with this regulatory expertise, advanced technology and robust processes. This synergy allows for a meaningful continuous assessment of emerging changes to the financial crime landscape.
  2. Data Quality: Reliable, high-quality data is foundational to accurate risk assessment. Organizations that invest in robust data governance frameworks will ensure data integrity as well as leverage existing technological capabilities, such as network analytics, dynamic entity resolution and reliable external data sources.
  3. Automation: By adopting mission-specific financial crime EWRA applications, data analytics and GenAI, financial institutions (FIs) can cut assessment times and boost overall efficiency. The new generation of governance, risk and compliance solutions provides risk assessment automation capabilities, better aligned to the specific needs of financial crime risk assessments.
  4. Senior Leader Sponsorship: This final enabler is crucial for successfully transforming financial crime EWRAs. The extent of senior leaders’ active involvement is make-or-break. They can allocate necessary resources, both financial and human, to these initiatives. They set the tone from the top, potentially throwing a spotlight on robust financial crime risk management and fostering a healthy culture of accountability and compliance.

Redefining Operating Models

To embed EWRAs into governance and risk management frameworks, most forward-focused organizations are rethinking their operating models:

  • They are enhancing stakeholder collaboration across the first and second lines of defense.
  • They are developing scalable solutions that leverage emerging technology to cater to the complexity of global financial services groups.
  • They ensure that insights from EWRAs are seamlessly integrated into strategic decision-making processes.

By adopting these innovative approaches, FIs can transform financial crime EWRAs into dynamic, value-adding tools that not only meet regulatory expectations but also drive strategic differentiation.

Pedro Arevalo, director, Financial Crime, Cyber & Forensics, PwC UK, London, United Kingdom, pedro.arevalo@pwc.com

Disclaimer: The views expressed in this article are solely those of the author and are not meant to represent the opinions of his employer.
