Inherent Risk vs Residual Risk: The Gap Between Theory and Reality in AML


When it comes to Anti-Money Laundering (AML), every regulated firm must grapple with risk — understanding it, managing it, and documenting it. 


But two types of risk are central to effective AML: inherent risk and residual risk.


Both matter. But one is often harder to assess — and more easily overlooked.


Let’s break it down.

🧩 What Is Inherent Risk?

Inherent risk is the level of risk present before you apply any mitigation. It’s your starting risk position, based on:

  • The nature of your services (e.g., high-value conveyancing, trust or company formation)

  • Your client base (e.g., PEPs, overseas entities)

  • Your geographical reach (e.g., sanctioned or high-risk jurisdictions)

  • Transaction types (e.g., unusual, large or complex transactions)

  • Delivery channels (face-to-face vs remote onboarding)


Inherent risk answers the question:
“How risky is this before we do anything to control it?”

🔒 What Is Residual Risk?

Residual risk is what remains after your firm has applied its controls and procedures — such as:

  • Due diligence and EDD processes

  • Sanctions screening

  • Ongoing monitoring

  • Internal approvals and checks


Residual risk asks:
“How much risk is left after we’ve applied our controls?”

⚖️ So… Which Is Harder to Assess?

Inherent risk is usually much harder to assess accurately — and here’s why:

1. 🚫 You Can’t Lean on Your Controls

Firms are often tempted to rate a risk as “low” simply because their systems and policies seem strong.


But that’s residual risk thinking. Inherent risk asks you to strip all that away and make an unfiltered assessment — which takes deeper industry insight and objectivity.


Many firms blur the lines and fall into the trap of “marking their own homework.” 


If your Firm-Wide Risk Assessment (FWRA) doesn’t clearly distinguish between the two, your AML framework could be fundamentally flawed.

2. 🧠 Inherent Risk Requires Industry Awareness — Not Just Internal Confidence

You need to look outward — not just inward. That includes:

  • Keeping up with how criminals exploit legal services

  • Understanding emerging red flags and trends

  • Recognising when your risk profile has shifted (e.g., taking on new client types or services)


It’s not about how well you feel you’re doing — it’s about knowing how exposed you’d be without your controls.

3. 📃 Well-Written PCPs ≠ Real-World Implementation

Even if your firm has solid Policies, Controls, and Procedures (PCPs), the question is:

  • Do your staff truly understand them?

  • Can they explain them confidently in an interview?

  • Are they implementing them consistently?

  • Will two team members apply them in the same way on different files?


Consistency and clarity in application matter just as much as the written document. Because ultimately, controls don’t function on paper — they function through people.


And human judgment can be powerful — but it can also be inconsistent or prone to error under pressure.


That’s why file reviews, staff interviews, and focused audits can help firms test whether their controls are genuinely embedded — or just aspirational.

4. 🧍🏽‍♀️ Human vs. Systemic Risk Judgement

There’s growing tension between human-led decision-making and system-based compliance tools.

Tech can assist — flagging PEPs, running checks, identifying anomalies.


But AML risk isn’t just about data points. It’s about judgment — understanding client context, transaction purpose, and legal nuance.

  • A system might not spot a solicitor-client relationship that feels “off”

  • A human might overlook a red flag the system caught


This balance is what makes assessing inherent risk harder — it involves subjective reasoning and a degree of professional scepticism.

📈 Residual Risk Is Easier… But Only Meaningful with a Solid Start

Assessing residual risk is often simpler: you list your controls and procedures, show what you’re doing, and assign a rating. That rating should reflect how the controls actually operate on files, not how they read on paper.


But this only matters if you’ve started from an honest, robust understanding of inherent risk. 


Without that, your “residual risk” may be based on a false premise.

✅ Final Thoughts: Use Proactive Insight, Not Retrospective Panic

To build a compliant, resilient AML framework, firms must regularly:

  • Revisit their inherent risk exposure

  • Test the implementation of their PCPs in real life

  • Clarify the difference between theory and practice


Mock audits, staff interviews, and focused reviews help firms stay honest, adaptive, and regulator-ready.

💬 Need a Second Set of Eyes?

At Alexander Christian, we help firms make AML risk meaningful — not just mechanical.

Our services include:

  • Firm-Wide Risk Assessment Reviews

  • Independent AML Audits (Reg 21)

  • Staff Interviews & File Reviews

  • Focused Implementation Checks


📞 Book a free 15-minute chat or a fixed-fee consultation.

Let’s make your risk assessments a strength — not a weak link.