Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are interested in subscribing to our affordable ABC compliance support package, please email us at ABC@ukgigroup.com or call UKGI on our dedicated ABC contact line 01925 767893.

FCA publishes findings from review of risk assessment processes and controls in firms

Link(s): Risk assessment processes and controls in firms: our findings | FCA

Context

The FCA has shared findings and has highlighted good and poor practice to help firms decide whether they are meeting existing risk assessment requirements. In 2025, the FCA carried out a multi-firm review focusing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes. Key findings centred around how firms identify, understand and assess risk; appropriately mitigate risk; and effectively manage risk. The FCA evaluated firms' controls against

Key points to note and next actions

  • The FCA found that most firms reviewed have a BWRA, but few are identifying relevant risks and tailoring the BWRA to the specific business. Several consider qualitative and quantitative data to assess and score inherent risks, mitigating controls and residual risk.
  • Larger firms were seen to be integrating risk assessment activities into business functions and forming aggregated views across the firm.
  • The FCA is concerned that some firms could not explain sufficiently how they are managing and mitigating identified risks.
  • Some firms have used sub-factors and weightings to tailor their CRA process to the business and specific risks they face.
  • The FCA is encouraged that some firms can show how risk appetite, BWRA and CRA processes work together to identify and assess risk.

Examples of good practice included comprehensive risk assessments; annual detailed review; tailored assessments; plan for compliance alongside growth; risk assessments feeding into firms' work; tracking actions to reduce risk; risks considered throughout the business; senior oversight and challenge; continuity plans; clear, consistent methods to assess risk; regular review and joined-up assessments.

Examples of poor practice were lack of detail; missing quantitative analysis; unclear processes; lack of evidence; growth outpaces risk assessment; lack of records; rapid expansion; lack of evidence of senior oversight; narrow focus; lack of testing and static approach to assessment.

The FCA expects firms to already be complying with existing requirements, specifically, to understand the risks your business is exposed to and to have robust financial crime systems and controls to manage and mitigate those risks.

Firms are encouraged to consider the FCA’s findings and suggestions within the context of their firm and continue to review their risk-based approach to systems and controls. Where weaknesses have been identified, the FCA is working with firms to make improvements. Firms will continue to be monitored through the FCA’s supervisory work to drive improvements and reduce risk across the industry.