RAG Risk Assessment
Legislators and regulators love a risk assessment. So much so that they insist that entities they supervise have at least one, maybe even two.
If you are overseen by the Financial Conduct Authority (FCA), so Payment Institutions and Pawnbrokers for example, then you are required to have a “Business-Wide Risk Assessment” AND an “Anti Money Laundering (AML) Risk Assessment.”
If you are overseen by His Majesty’s Revenue and Customs (HMRC), so Money Service Businesses, High Value Dealers, or Estate Agents, then you must have the latter, although having both is no bad thing.
Most people understand the words “Risk Assessment”, but not everyone can immediately envisage what one looks like.
At this point, I should flex my fingers, and begin furiously typing a five thousand word explanation, complete with tables and diagrams. Then, draw up a chunky invoice and send both to you. However, Lime delivers AML Compliance in plain English, so I’ll explain it simply, and for free.
Workflow for AML Risk Assessment
Step 1
Money Laundering Regulations specify that you must identify the risks of money laundering and terrorist financing that are relevant to the business including risks posed by:
A. Customers
B. Services
C. Financing methods
D. Delivery channels
E. Geography
The best way to do this is with a spreadsheet. Just brainstorm them out. Include everything; you can edit later. Type each risk down the left-hand side of the sheet, and a brief explanation in the next column.
Step 2
Not all risks are created equal. In the next column, assess how likely it is that the risk will arise, where 1 is “vanishingly unlikely” and 5 is “extremely likely”. (Note - this is the raw risk BEFORE considering measures you take to minimise or mitigate.)
Then, rate the risk in terms of its impact on the business, where 1 is “insignificant” and 5 is “severe”.
Step 3
Add the two numbers to get a total between 2 and 10.
2, 3 & 4 are green. 5, 6 & 7 are amber. 8, 9 & 10 are red. Boom! You just created a “RAG Risk Assessment”. RAG being Red, Amber, Green. Go wild with some cell or text colouring.
Step 4
What do you do about these risks? The next column explains how you manage them. You might limit the amount of cash you accept from a customer, for example. List how your systems manage and mitigate each risk.
Step 5
Now, repeat Steps 2 & 3, assessing the risk AFTER you have accounted for your systems and controls. Hopefully, some of the higher scores are now lower numbers, and may have moved away from red and amber towards green.
That’s it. In Plain English.
A business-wide risk assessment is exactly what it sounds like, just with a broader scope. List EVERY risk that impacts the business. The AML Risk Assessment is a subset of the business-wide.
Lime recommends that every business complete a business-wide risk assessment whether required by regulation or not. It’s a sensible thing to do when running a business.
Caveat
Risks move. As legislators get excited, they begin to address a wider and wider scope. Anti money laundering became anti money laundering and terrorist financing, which then became anti money laundering, terrorist financing and tax evasion. Lately, proliferation financing has become de rigueur too. AML Risk Assessments in 2026 should include terrorist financing, proliferation financing and tax evasion.
Support
Lime is on a mission to demystify anti money laundering compliance and explain it in plain English. Each month, we send a brief e-mail pointing to these posts and providing tips on effective compliance. It’s completely free, and every mail comes with an unsubscribe link. We don’t sell your contact details to anyone.
Being subscribed is like having an AML geek on call.