Enterprise-Wide Risk Assessment (EWRA), Enterprise Risk Assessment (ERA) and Overall Risk Assessment are terms for the same exercise: the identification, evaluation and ongoing monitoring of the risks an entity faces. Enterprise Risk Management (ERM) is the broader discipline within which that assessment sits. A sound assessment lets a business adapt the way it manages risk as regulatory and industry expectations in the financial sector evolve.
💰 Why do financial institutions conduct overall risk assessments?
Running an ERM programme is a way for companies to gain a competitive advantage, not merely to satisfy a regulatory obligation. Knowing which areas of the business are most exposed lets an entity take preventive measures, prioritise actions and protect itself from unforeseen hazards. ERM plays a fundamental role in prioritising risks across their categories (governance, operational, reputational, strategic, financial, regulatory) and is therefore an essential input to business strategy and company performance. Risk assessment also helps a company seize business opportunities in a changing environment.
👩💼 EWRA and the Risk-Based Approach (RBA)
A risk-based approach (RBA) is an essential part of risk management. The 2012 FATF Recommendations made the RBA central to the treatment of money laundering and terrorist financing risks:
“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.” The same principle was a major element of the fourth European AML Directive.
The RBA is a methodology for prioritising a company's activities on the basis of a prior analysis of data: the measures taken are proportionate to the level of risk identified. In low-risk situations the RBA allows simplified measures, so that effort is concentrated on high-risk situations, where enhanced measures are mandatory. Available resources are thereby allocated where they matter most.
🔑 How to efficiently conduct Enterprise-Wide Risk Assessments?
The firm first identifies and classifies its risks, then calculates an inherent risk score for each one: the exposure before any control is taken into account. The professionals conducting the assessment need a clear understanding of the entity's operations, its working environment and the problems that can arise. A risk may originate in one part of the entity but affect many business units, which is why we speak of enterprise-"wide" risks.

Risk types
The entity has to classify the different types of risk. The risks cover business domains such as Compliance, Governance, Strategy, Planning and Infrastructure. These general categories are split into sub-categories and the risks are identified for each one. For example, compliance risk is analysed further into compliance culture, reporting and management risks; Infrastructure includes sub-categories such as human resources, training, communication, IT systems and marketing risks.
When the business re-examines each risk taking into account the controls already in place, the result is the "residual risk": the exposure that remains after those controls. Comparing the inherent and residual levels shows how much the existing controls actually achieve and whether they are sufficient.
A deep understanding of the company and the risks it faces is key to determining whether the company can achieve its overall goals or whether extra measures are needed. An EWRA is most useful when the risks are ranked by urgency according to their importance for the entity, so that remediation effort goes to the largest residual exposures first.
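The scoring described above (inherent risk per sub-category, residual risk after controls, ranking against a tolerance) is easier to reason about in code. The following is an added illustration, not part of the original article and not any institution's actual methodology. It assumes a 1-5 likelihood times 1-5 impact scale for inherent risk, controls expressed as a mitigation fraction, and a residual-risk tolerance set per category; the register entries and their numbers are constructed for the example.

```python
"""Illustrative EWRA risk register: inherent vs. residual scoring and prioritisation.

Assumptions (not taken from the article): a 1-5 likelihood x 1-5 impact scale
for inherent risk, controls modelled as a mitigation fraction, and a residual
risk tolerance defined per risk category.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MIN_SCORE, MAX_SCORE = 1, 5  # assumed ordinal scale for likelihood and impact


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the risk this control mitigates, 0.0..1.0 (assumed model)

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"control {self.name!r}: effectiveness must be in [0, 1]")


@dataclass
class Risk:
    category: str      # e.g. Compliance, Governance, Strategy, Planning, Infrastructure
    subcategory: str   # e.g. reporting, IT systems, training
    description: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not MIN_SCORE <= value <= MAX_SCORE:
                raise ValueError(f"{self.description!r}: {name} must be {MIN_SCORE}-{MAX_SCORE}")

    def inherent(self) -> int:
        """Inherent risk: the exposure before any control is considered."""
        return self.likelihood * self.impact

    def control_effectiveness(self) -> float:
        """Combined mitigation; each control reduces whatever the previous ones left."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return 1.0 - remaining

    def residual(self) -> float:
        """Residual risk: what remains once the existing controls are applied."""
        return round(self.inherent() * (1.0 - self.control_effectiveness()), 2)


def prioritise(register: List[Risk], tolerance: Dict[str, float]) -> List[dict]:
    """Rank risks by residual score and flag those above their category's tolerance.

    A category with no tolerance defined is flagged as well: an undefined tolerance
    means nobody has decided that the exposure is acceptable (fail closed).
    """
    rows = []
    for risk in register:
        limit = tolerance.get(risk.category)
        rows.append({
            "risk": f"{risk.category}/{risk.subcategory}: {risk.description}",
            "inherent": risk.inherent(),
            "residual": risk.residual(),
            "tolerance": limit,
            "exceeds_tolerance": limit is None or risk.residual() > limit,
        })
    # Highest residual first; ties broken by inherent exposure.
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = [
    Risk("Compliance", "reporting", "late or missed suspicious activity reports", 4, 5,
         [Control("transaction monitoring", 0.5), Control("four-eyes review of alerts", 0.5)]),
    Risk("Infrastructure", "IT systems", "unpatched internet-facing systems", 3, 4,
         [Control("monthly patch cycle", 0.4)]),
    Risk("Infrastructure", "training", "front-office staff not trained on AML red flags", 2, 3),
    Risk("Governance", "management", "unclear ownership of risk decisions", 2, 2),
]
SAMPLE_TOLERANCE = {"Compliance": 4.0, "Infrastructure": 6.0}  # no tolerance set for Governance

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER, SAMPLE_TOLERANCE):
        flag = "EXCEEDS" if row["exceeds_tolerance"] else "within"
        print(f'{row["residual"]:>5}  (inherent {row["inherent"]:>2})  {flag:<7}  {row["risk"]}')
```

Two points the output makes that the prose only states: the reporting risk has the highest inherent score in the register (20) but, with two controls in place, a lower residual score than the patching risk whose single control is weaker, so the ranking by residual risk differs from the ranking by inherent risk; and the Governance risk is flagged although its score is small, because no tolerance has been set for that category.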

🧐 What is Risk Appetite and Risk Tolerance?
Risk appetite is the overall amount and type of risk an entity is willing to accept in pursuit of its objectives. Risk tolerance is more specific and operational: it applies the appetite to particular objectives and states the level of risk the entity can accept for each individual risk. In other words, the company sets its appetite, and tolerance defines the acceptable boundaries within which decisions and actions are taken under that appetite.
📁 The necessity to document and continuously update the EWRA
The EWRA is not an exercise that takes place once a year; it is an ongoing process that is revisited whenever a significant change or event occurs (a new product, market or regulatory requirement, for instance). The entity should at all times have a clear view of how the risks associated with its business and its business relationships are evolving.
In addition to the EWRA document itself, a framework document describing how the assessment is completed is required. It should set out the applicable legal framework; the methodology used and how it has been integrated into the assessment; the procedures for monitoring and updating the risk assessment in a timely manner; and the extent to which the responsible staff, senior management and any other parties have been involved in each phase of the process.
In conclusion, risk professionals should not forget that risk management is not a "tick-the-box" exercise. It is a system for improving the performance of the business as a whole, and a continuous process that requires a deep understanding of the entity's business model and how it operates in its specific business and legal environment.