The Enterprise-Wide Risk Assessment (EWRA) or Overall Risk Assessment has become a regulatory obligation, from an EU and Belgian perspective, for all credit institutions, stockbroking firms, licensed insurance companies and other financial institutions subject to the Anti-Money Laundering regulation.

The overall assessment of the risks (EWRA) that financial institutions are required to perform in this context is an instrument that enables obliged entities to identify and appropriately manage the ML/TF risks to which they are exposed or, where appropriate, to limit them.

In a broader context, Enterprise Risk Assessment (ERA) or Enterprise Risk Management (ERM) programs help entities adapt their approach to managing risks to meet the demands of evolving financial corporate standards.

➪ How to carry out an effective AML risk assessment?

Conducting an AML risk assessment is not a single task. It requires defining an AML risk rating methodology and building an AML risk assessment model in line with your business. Financial institutions manage their AML risk exposure by defining sound processes and risk-based vigilance efforts.

An AML assessment system only delivers its full benefits when a proper understanding of the AML EWRA regulation is combined with the experience of your company and your business sector.

🔎 What is EWRA Compliance and the Risk-Based Approach (RBA)?

An appropriate risk-based approach begins with the acquisition of an in-depth and up-to-date awareness of the institution's risk exposure and an understanding of those risks.

A risk-based approach (RBA) is an essential part of risk management and of the AML/CFT framework. The RBA was highlighted in the 2012 FATF Recommendations:

“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”

It was also a major topic implemented in the fourth European AML Directive.

The RBA is a methodology that allows a company to prioritise its activities on the basis of a prior analysis of data.
Under the RBA, the number of actions that need to be taken depends on how high the risk is. In low-risk situations fewer actions are required, while emphasis is given to high risks, where enhanced measures are mandatory. This method optimises the allocation of available resources.

📘 AML EWRA Enterprise-Wide Risk Assessment Methodology

A successful EWRA methodology is consistent across domains and is commonly built in three main stages: risk identification (inherent risk), gap analysis (evaluation of controls) and the adjustment phase (corrections and mitigation).


The overall risk assessment (EWRA) exercise is carried out under the responsibility of the AMLCO, who ensures that the related procedures and processes are formalised and executed in a manner that reflects the results of this permanent exercise. The firm identifies and classifies its ML/TF risks. The professionals conducting the risk assessment should have a clear understanding of the entity's operations and working environment and of the problems that may arise.

According to the regulation in place, obliged entities must take into account at least the characteristics of their customers, the products, services or operations they offer, the countries or geographical areas concerned, and the distribution channels they use.
In addition to these characteristics, international and relevant sectoral standards and reviews (for example those of the European Supervisory Authorities) should also be considered by companies when identifying their AML risk exposure.

Inherent risk scoring. The inherent risk score must be calculated using a defined methodology. Frequently, a weighting (ponderation) factor is applied to each classified risk in order to bring balance and precision to the full view of a risk category. The inherent risk scoring takes place before any (internal) controls are considered and evaluates the nature, complexity and volume of the activities giving rise to the identified risk.

Gap analysis (controls). This stage is the analysis and assessment of the adequacy of the existing risk management measures. These may include policies, procedures, KYC and transaction monitoring software, and other tools the company uses for compliance or risk purposes. Companies are required to evaluate objectively whether the measures in place are sufficient as designed (design evaluation) or whether additional measures are required to cover the identified risk. The evaluation is completed by an operational (execution) evaluation of how these control measures are actually applied and complied with in practice.

Residual risk scoring. The residual risk score gives the final view of the risk once the findings and internal controls have been taken into account.

Adjustment phase. Where necessary, the adjustment phase proposes new or additional risk management measures for risks that are not adequately covered. A well-described corrective action plan is usually provided. The AMLCO needs to ensure that corrections are timely, effective and backed by the necessary means. In this context, the corrective action or remediation plan indicates a target due date, an estimate of the completion of the requirements and the means needed to complete each task.
The priority of the actions is justified by the final residual risk score.

📄 Documentation and updating of an EWRA

In general, the AML Overall Risk Assessment should be documented, kept up to date and held at the disposal of the supervisory authority (the National Bank of Belgium). It must be updated every time an event occurs that can have a significant impact on the entity's ML/TF risk profile.

It is not a process that takes place once per year, but an ongoing process triggered every time a major situation arises. The entity should have, at any time, a clear understanding of how the ML/TF risks associated with its business relationships are evolving.

In addition to the EWRA report, a document describing the process followed to complete the assessment is expected. This record specifies the applicable legal framework and sectoral guidance. It should also describe the methodology used and how it has been integrated into the assessment, the procedures for monitoring and for timely updating of the risk assessment process, and the extent to which the Anti-Money Laundering Compliance Officer (AMLCO), the compliance officer, senior management and any other parties have been involved in each phase of the process.

Firms must be able to demonstrate to their regulator, on the basis of those documents, that their approach meets the obligations of the Belgian AML law of 20 July 2020.


⚠️ What are the risk factors to consider?

In order to conduct their EWRA, firms have to consider specific risk factors and apply the principle of proportionality.

The risk factors that must be considered are customers, countries or geographic areas, products, services and transactions, and delivery channels. All must be assessed proportionately, that is, according to the size and the nature of the entity. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.

The risk factors are the pillars on which the firm builds its analysis and its final assessment. Each factor covers a domain that can include many sub-risks which must be taken into consideration. For example, the customer risk factor can include risks such as dealing with the wrong counterparty or not having sufficient information to take a well-founded decision.

Entities conducting an EWRA should weigh the risk factors according to their relevance to the business relationship and the transactions, typically by assigning different scores to the various factors. According to the EBA Risk Factors Guidelines (JC 2017 37), when weighing risk factors entities should, among other things, ensure that profit considerations do not influence the risk rating and that the firm is able to override any automatically generated risk score where necessary, with proper documentation of that decision.
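The scoring chain described in the methodology section and in the paragraph above (weighted factor scores, an inherent score computed before controls, a design and execution evaluation of each control, a residual score, and documented overrides of automatically generated scores) can be made concrete in code. The following Python calculation is an added worked example, not Pideeco's tool or any regulator's model. The 1-5 scale, the factor weights, the control credit rule, the 60% mitigation cap and the band thresholds are all illustrative assumptions; a firm substitutes the values defined in its own documented methodology.

```python
"""Illustrative EWRA risk-rating calculation (added example, hypothetical model).

Assumptions not taken from the article: each risk factor is scored 1 (lowest)
to 5 (highest); weights sum to 1.0; a control earns full credit only when it
is both adequately designed and operating effectively, half credit when only
its design is adequate; controls mitigate at most 60% of the inherent score.
"""
from dataclasses import dataclass

# Weighting (ponderation) factor per risk factor: hypothetical values.
DEFAULT_WEIGHTS = {
    "customers": 0.35,
    "geography": 0.25,
    "products_services": 0.25,
    "delivery_channels": 0.15,
}
MAX_MITIGATION = 0.60  # hypothetical cap on how far controls reduce inherent risk


@dataclass(frozen=True)
class Control:
    name: str
    design_adequate: bool        # design evaluation: does it cover the risk?
    operating_effectively: bool  # execution evaluation: is it applied in practice?


@dataclass(frozen=True)
class Override:
    """A manual change to an automatically generated factor score."""
    factor: str
    original: float
    new: float
    rationale: str
    approved_by: str


def inherent_score(factor_scores, weights=DEFAULT_WEIGHTS):
    """Weighted inherent score, calculated before any control is considered."""
    if set(factor_scores) != set(weights):
        raise ValueError("every risk factor needs exactly one score")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    for factor, score in factor_scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{factor}: score {score} outside the 1-5 scale")
    return round(sum(weights[f] * factor_scores[f] for f in weights), 2)


def control_credit(controls):
    """Fraction (0.0-1.0) of the available control credit actually earned."""
    if not controls:
        return 0.0
    credit = 0.0
    for c in controls:
        if c.design_adequate and c.operating_effectively:
            credit += 1.0
        elif c.design_adequate:
            credit += 0.5  # designed but not applied in practice: partial credit
    return credit / len(controls)


def residual_score(inherent, controls):
    """Inherent score reduced by the mitigation the controls really deliver."""
    mitigation = control_credit(controls) * MAX_MITIGATION
    return round(max(1.0, inherent * (1.0 - mitigation)), 2)


def band(score):
    """Map a 1-5 score to a rating band (hypothetical thresholds)."""
    if score >= 3.5:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


def apply_override(factor_scores, override):
    """Return scores with one factor overridden; refuse undocumented overrides."""
    if not override.rationale.strip() or not override.approved_by.strip():
        raise ValueError("an override must carry a rationale and an approver")
    if factor_scores.get(override.factor) != override.original:
        raise ValueError("override does not match the current score")
    updated = dict(factor_scores)
    updated[override.factor] = override.new
    return updated


def assess(factor_scores, controls, overrides=()):
    """Run inherent -> controls -> residual and keep an audit trail of overrides."""
    scores = dict(factor_scores)
    for o in overrides:
        scores = apply_override(scores, o)
    inherent = inherent_score(scores)
    residual = residual_score(inherent, controls)
    return {
        "scores": scores,
        "inherent": inherent,
        "inherent_band": band(inherent),
        "residual": residual,
        "residual_band": band(residual),
        "overrides": [(o.factor, o.original, o.new, o.rationale, o.approved_by) for o in overrides],
    }


# Constructed sample input (hypothetical): mostly domestic retail customers,
# one high-risk jurisdiction, and a monitoring control that is not yet live.
SAMPLE_SCORES = {"customers": 4, "geography": 5, "products_services": 3, "delivery_channels": 2}
SAMPLE_CONTROLS = [
    Control("KYC onboarding", design_adequate=True, operating_effectively=True),
    Control("transaction monitoring", design_adequate=True, operating_effectively=False),
    Control("sanctions screening", design_adequate=True, operating_effectively=True),
]
```

Running `assess(SAMPLE_SCORES, SAMPLE_CONTROLS)` gives an inherent score of 3.7 (high) and a residual score of 1.85 (low); the half credit for the monitoring control that is designed but not operating is what keeps the residual above the floor that three fully effective controls would reach. An override that lacks a rationale or approver is rejected, which is how the documentation requirement from the EBA guidelines is enforced rather than merely recommended.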

⭐ The rationale behind the EWRA obligation

Conducting a business-wide risk assessment is one of the cornerstones of the fight against ML and TF. It allows decisions about risk to be taken in a more informed way, which in turn helps protect the market from another crisis and, as a result, protects society.

It allows the competent national authorities to assess the adequacy of the firm's AML/CFT internal organisation, policies and procedures.
It allows firms to identify the ML/TF risks to which the business is exposed, to identify the situations that generate higher ML/TF risks, and to determine where their efforts should be focused.

Furthermore, it gives firms a sound basis for estimating their customer AML risk scoring while also assessing individual cases.

⚖️ The legal framework of an AML EWRA

The Belgian legal framework for the EWRA AML Overall Risk Assessment mainly consists of four legal documents:
• The 5th AML Directive (2018/843);
• The Belgian ML/FT Law of 20 July 2020;
• The NBB Regulation of 21 November 2017;
• Circular 02/2018 on the overall assessment of money laundering and terrorist financing risks.

Useful documents are also published by the Financial Services and Markets Authority (FSMA).

The EWRA is a chance for companies to gain a clearer picture of their business and to anticipate ML/TF risks before they become unbearable burdens for the entity.

Requiring assistance?

Pideeco conducts independent compliance reviews to give financial institutions greater insight into their regulatory performance. We can assist you in your business risk assessment and ensure that all regulatory requirements are appropriately covered.
Oscar Canario da Cunha, Managing Director, Pideeco Network Partner
  • Comment (PK), Wednesday 04 November 2020, 13:08

    The way in which you are describing how to conduct an AML risk assessment is very appropriate, the definitions and explanations are perfect. I really like this blog; I want to say thanks a lot for this blog.

  • Comment (AE), Friday 15 July 2022, 06:32

    I am looking for an automated tool / solution to perform the EWRA for a bank: essentially a risk rating engine to calculate the inherent and residual risks of AML, sanctions and anti-bribery and corruption (ABC).

  • Reply from Pideeco (BE), Friday 15 July 2022, 10:13

    Dear, I suggest you address your enquiry through our contact section. Kind regards.
