CISI Combating Financial Crime study guide for risk identification and assessment, with learning objectives, UK control cues, and exam traps.
Risk identification and assessment belongs to the Financial Crime Risk Management topic of the CISI Combating Financial Crime exam, weighted at 8%. Study this page as the assessment-method lesson. The exam can test whether you can separate inherent risk from residual risk, use national and external risk inputs correctly, identify the right risk dimensions, assess control effectiveness with evidence, and explain why a risk assessment must be refreshed when facts change.
| Concept | What to know for CISI CFC review |
|---|---|
| National risk assessment | A high-level public-sector view of threats and vulnerabilities that should inform, but not replace, the firm’s own assessment. |
| Firm-wide risk assessment | The firm’s documented view of financial-crime exposure across customers, products, geographies, channels, transactions, and controls. |
| Inherent risk | Exposure before considering the effectiveness of controls. |
| Residual risk | Risk remaining after controls are applied and assessed. |
| Control effectiveness | Evidence that controls are designed well and operating in practice, not merely written in policy. |
| Management information | Data, alerts, breaches, typologies, audit findings, and trends used to refresh the risk view. |
A financial-crime risk assessment identifies where the firm is exposed, why that exposure matters, how strong the controls are, and what risk remains. It should not be a generic template copied from another business. A wealth manager, payments firm, brokerage, trade-finance business, and cryptoasset service provider can face different patterns of AML, sanctions, fraud, bribery, tax, terrorist financing, proliferation financing, and market-abuse risk.
National risk assessments, typology reports, regulator publications, sanctions developments, law-enforcement alerts, audit findings, and industry notices are inputs. They help the firm ask better questions, but the firm still needs to map its own customers, products, geographies, channels, transactions, systems, governance, and control weaknesses.
For exam purposes, a good risk assessment has four features:
| Feature | What it means |
|---|---|
| firm-specific | it reflects the firm’s actual business model, not a generic industry summary |
| evidence-based | it uses data, cases, alerts, file reviews, audit findings, and external typologies |
| risk-based | it distinguishes higher, standard, and lower risk with rationale |
| actionable | it leads to controls, remediation, monitoring, senior attention, or risk acceptance |
An assessment that lists risks but does not change controls is weak. An assessment that gives precise-looking scores without explaining the evidence is also weak. The exam usually rewards answers that connect assessment to action.
National risk assessments are useful because they identify broad threats and vulnerabilities in the economy or financial system. They may highlight sectors, products, professions, crime types, jurisdictions, or control weaknesses that firms should consider. They are not a substitute for the firm’s own risk assessment.
| National-risk input | Firm-level question |
|---|---|
| cash-intensive sectors are higher risk | does the firm serve customers with cash-heavy revenue or unexplained cash flows? |
| trade-based laundering typologies are increasing | does the firm provide trade finance, payments, or services to import/export clients? |
| high-end property is vulnerable | does the firm handle client wealth, lending, trusts, or investment proceeds linked to property? |
| professional enablers are a concern | does the firm rely on introducers, lawyers, accountants, agents, or nominee structures? |
| fraud proceeds are a major predicate source | does the firm monitor account takeover, mule activity, payment diversion, and suspicious withdrawals? |
| sanctions evasion is evolving | do screening and ownership controls capture indirect ownership and new evasion routes? |
The exam trap is to quote a national risk assessment as if it automatically proves the risk level of one customer. It does not. It tells the firm what to consider; the firm still assesses customer facts, product use, channel, geography, transactions, and controls.
Inherent risk is the risk before controls. Residual risk is the risk after controls. CISI questions often test whether the candidate separates those ideas. A high-risk product does not automatically become low risk because a policy exists; the firm must show that controls are designed well and operating effectively.
| Assessment step | Exam meaning |
|---|---|
| Identify inherent risk | What could go wrong given the customer, product, geography, channel, and transaction profile? |
| Assess controls | Are CDD, EDD, screening, monitoring, escalation, training, and governance designed and operating effectively? |
| Determine residual risk | What risk remains after considering control strength and control gaps? |
| Prioritise action | Which residual risks need remediation, senior acceptance, enhanced monitoring, or exit? |
| Refresh assessment | What new data, typologies, products, or incidents require the risk view to change? |
The most common exam mistake is allowing controls to erase inherent risk without evidence. A firm may have a sanctions-screening system, but residual risk may still be high if customer data is poor, beneficial ownership is not captured, alert backlogs are large, or staff close alerts without rationale.
Control effectiveness asks whether a control is designed well and works in practice. A policy, system, or committee name is not enough.
| Weak evidence | Stronger evidence |
|---|---|
| policy says CDD is required | file testing shows identity, ownership, purpose, and risk rating are documented |
| screening tool exists | list updates, match logic, alert handling, and quality review are evidenced |
| transaction monitoring is installed | scenarios are tuned, alerts are reviewed, and unusual activity is escalated |
| staff receive training | training is role-specific and testing shows staff understand escalation duties |
| committee reviews MI | MI includes trends, breaches, backlogs, overrides, and remediation status |
| audit raised findings | findings have owners, deadlines, root-cause analysis, and retesting |
For scenario questions, look for clues that a control exists only on paper: verbal approvals, missing rationale, unchanged review cycles, alert backlogs, unsupported exceptions, stale data, identical file notes, or audit findings that repeat. Those clues point to higher residual risk even if inherent risk was originally assessed as manageable.
A practical assessment looks across several dimensions together. A customer from a lower-risk jurisdiction may still be high risk if ownership is opaque and transactions are unusual. A product may be ordinary in one channel but higher risk when delivered remotely or through intermediaries.
| Dimension | Examples of risk indicators |
|---|---|
| Customer | PEP status, cash-intensive business, complex ownership, adverse media, unusual wealth source |
| Product or service | liquidity, transferability, anonymity, third-party payments, leverage, trade finance, cryptoasset exposure |
| Geography | sanctions exposure, corruption indicators, weak AML supervision, secrecy, conflict or terrorism-financing risk |
| Channel | remote onboarding, introducers, digital delivery, intermediated relationships, outsourced processes |
| Transaction | speed, value, frequency, circularity, unusual counterparties, mismatch with profile |
| Internal control | alert backlogs, training gaps, override rates, poor record keeping, weak assurance findings |
Risk dimensions should be read together. A high-net-worth customer is not automatically suspicious, but high wealth plus opaque ownership, adverse media, cross-border funds, third-party payments, and weak source-of-wealth evidence creates a different risk picture. A low-value account may still matter if it is part of a mule network or terrorist-financing pattern.
Firms often use scoring models or matrices, but the score is only useful if the rationale is clear. A scoring model should help organise judgment, not replace it. The firm should be able to explain why a risk is high, medium, or low and what action follows.
| Scoring issue | Exam concern |
|---|---|
| one high-risk factor is hidden by many low-risk factors | aggregation may understate material risk |
| scores are changed manually without rationale | override governance is weak |
| customers are all rated medium | model may not distinguish risk usefully |
| scoring ignores product or channel changes | assessment may be stale |
| no link from score to control intensity | risk rating does not drive action |
| country score is used alone | customer, product, channel, and transaction risk are ignored |
The stronger answer usually asks for documented rationale, model governance, override review, and a clear link between score and control response. If a high-risk customer receives standard controls without explanation, the risk assessment is not operating as a management tool.
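The scoring concerns above can be made concrete. The following is an added worked example, not code from the page or from any CISI material: a toy Python customer-rating model in which the dimension names, the 1-5 scale, the band thresholds, the control-intensity table and the sample customer are all illustrative assumptions. It shows three of the failures in the table: a single high-risk factor averaged away by low-risk factors, a manual override accepted without rationale, and a rating distribution in which almost everyone lands in one band.

```python
"""Toy customer risk-scoring model (added example, illustrative assumptions only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed risk dimensions, each scored 1 (low) to 5 (high).
DIMENSIONS = ("customer", "product", "geography", "channel", "transaction")

# Assumed band thresholds (score >= threshold) and the control response each band drives.
BANDS = [(4.0, "high"), (2.5, "medium"), (0.0, "low")]
CONTROL_RESPONSE = {
    "low": {"review_months": 36, "edd": False, "senior_signoff": False},
    "medium": {"review_months": 24, "edd": False, "senior_signoff": False},
    "high": {"review_months": 12, "edd": True, "senior_signoff": True},
}


def band_for(score: float) -> str:
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    return "low"


def average_score(factors: Dict[str, int]) -> float:
    """Plain averaging: one 5 among four 1s becomes 1.8, i.e. 'low'."""
    return sum(factors.values()) / len(factors)


def max_dominant_score(factors: Dict[str, int]) -> float:
    """Any single factor at 5 forces the score to 5; otherwise average.
    A simple rule so a red flag is not diluted by benign factors."""
    if max(factors.values()) >= 5:
        return 5.0
    return average_score(factors)


@dataclass
class Rating:
    factors: Dict[str, int]
    model_score: float
    model_band: str
    final_band: str
    override_rationale: Optional[str] = None
    controls: Dict[str, object] = field(default_factory=dict)


def rate_customer(factors: Dict[str, int], override_band: Optional[str] = None,
                  override_rationale: Optional[str] = None) -> Rating:
    """Score all dimensions, band the result, apply a governed override, map to controls."""
    missing = [d for d in DIMENSIONS if d not in factors]
    if missing:
        raise ValueError(f"scoring incomplete, missing dimensions: {missing}")
    score = max_dominant_score(factors)
    model_band = band_for(score)
    final_band = model_band
    if override_band is not None:
        # Override governance: no manual change of band without a documented rationale.
        if not override_rationale or not override_rationale.strip():
            raise ValueError("manual override without documented rationale")
        if override_band not in CONTROL_RESPONSE:
            raise ValueError(f"unknown band {override_band!r}")
        final_band = override_band
    # The final band must drive control intensity, not sit in a report.
    return Rating(factors, score, model_band, final_band, override_rationale,
                  dict(CONTROL_RESPONSE[final_band]))


def concentration_warning(ratings: List[Rating], threshold: float = 0.8) -> Optional[str]:
    """Flag a distribution where one band dominates (the 'everyone is medium' symptom)."""
    if not ratings:
        return None
    counts: Dict[str, int] = {}
    for r in ratings:
        counts[r.final_band] = counts.get(r.final_band, 0) + 1
    band, n = max(counts.items(), key=lambda kv: kv[1])
    if n / len(ratings) >= threshold:
        return f"{n}/{len(ratings)} customers rated {band}; model may not differentiate risk"
    return None


if __name__ == "__main__":
    # Constructed sample: opaque ownership plus adverse media (customer=5),
    # but a plain product, low-risk jurisdiction, branch onboarding, ordinary flows.
    sample = {"customer": 5, "product": 1, "geography": 1, "channel": 1, "transaction": 1}
    print("average  ->", average_score(sample), band_for(average_score(sample)))
    print("max-rule ->", max_dominant_score(sample), band_for(max_dominant_score(sample)))
    rating = rate_customer(sample)
    print("controls ->", rating.controls)
    try:
        rate_customer(sample, override_band="medium")
    except ValueError as exc:
        print("rejected ->", exc)
```

The point of the max-dominant rule is not that it is the right aggregation for every firm; it is that the firm must choose an aggregation deliberately and be able to explain why a customer with one severe factor lands in a given band. The override path requires a rationale string, which is the minimum evidence an override report needs to show reviewers who approved what and why.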
A risk assessment is only as good as the evidence behind it. Useful inputs include onboarding data, customer risk ratings, PEP and sanctions hits, alert volumes, SAR trends, fraud losses, complaints, audit findings, breaches, declined business, law-enforcement requests, typology reports, and remediation status.
Data gaps are themselves risk indicators. If the firm cannot identify beneficial owners, cannot link alerts to customer risk ratings, cannot explain why exceptions were approved, or cannot see activity across systems, residual risk may be higher than management believes.
| MI or evidence source | What it may reveal |
|---|---|
| customer-risk-rating distribution | whether risk ratings are concentrated or not meaningfully differentiated |
| overdue periodic reviews | stale CDD and unmanaged changes in customer risk |
| sanctions and PEP alert volumes | screening pressure, data quality issues, or exposure changes |
| SAR and internal escalation trends | emerging typologies, business-line risk, or under-reporting concerns |
| fraud losses and attempted fraud | control gaps in channels, payments, or authentication |
| audit and compliance monitoring findings | design or operating weaknesses |
| exception and override reports | pressure points, weak governance, or repeat approvers |
| training completion and test results | whether staff understand red flags and escalation |
| third-party quality reviews | introducer, outsourcing, or respondent-bank control weaknesses |
The exam may describe management information as incomplete or ignored. That is an assessment weakness because senior management cannot make informed risk-appetite, resourcing, remediation, or business-change decisions without reliable information.
Risk assessment should not wait for an annual calendar date when risk has already changed. Event-driven refresh is central to a credible framework.
| Trigger | Why reassessment is needed |
|---|---|
| new product or service | product features may change liquidity, transferability, anonymity, or monitoring needs |
| new jurisdiction | geography, sanctions, corruption, and cooperation risks may change |
| new delivery channel | remote onboarding, digital channels, or intermediaries may change verification and fraud risk |
| new customer segment | expected activity, source of wealth, and typologies may differ |
| acquisition or merger | inherited customers, systems, data, and controls may be inconsistent |
| external typology alert | monitoring, training, and review priorities may need adjustment |
| regulatory finding | control effectiveness or governance may be weaker than believed |
| major incident or near miss | the risk may be real even if no loss or SAR has yet occurred |
| alert backlog or system failure | residual risk may increase because detection is impaired |
For CISI CFC, a business change plus unchanged controls is a common exam signal. The right answer is usually to reassess inherent risk, test control effectiveness, update residual risk, and adjust governance or safeguards before scaling the activity.
Some risks may be infrequent but severe. Sanctions breaches, terrorist financing, proliferation financing, major market-abuse failures, or systemic bribery exposure may not produce large daily alert volumes. They still require attention because the legal, regulatory, reputational, and harm consequences can be severe.
| Risk type | Why volume alone can mislead |
|---|---|
| sanctions | one prohibited transaction or asset-freeze failure can be serious |
| terrorist financing | amounts may be small and patterns may not look like ordinary laundering |
| proliferation financing | trade, goods, ownership, and shipping indicators may be specialised |
| market abuse | harm may affect market integrity rather than a direct customer loss |
| senior-management misconduct | low count but high governance and reputation impact |
| correspondent failure | indirect exposure can be broad even if direct customers appear few |
Do not treat low frequency as low risk without considering impact, detectability, and control confidence. The assessment should consider both likelihood and impact, plus whether the firm can detect and respond to the risk.
Poor risk assessment can lead to under-resourced controls, weak onboarding, missed sanctions exposure, poor monitoring, unsupported high-risk acceptance, regulatory enforcement, remediation cost, customer harm, market harm, and reputational damage.
| Assessment failure | Likely consequence |
|---|---|
| generic template copied from another firm | controls do not match actual business activity |
| stale risk view after product launch | monitoring and screening may be under-designed |
| poor beneficial-ownership data | sanctions, PEP, tax, and AML exposure may be hidden |
| weak MI | senior management cannot see worsening trends or backlogs |
| no residual-risk analysis | high inherent risk may be assumed controlled without proof |
| no action plan | known weaknesses continue without ownership or deadline |
The exam often frames this as “what is the strongest criticism?” The answer usually focuses on the missing risk-assessment step and its control consequence, not on a generic statement that the firm needs better compliance.
A firm expands from domestic advisory work into remote onboarding for overseas high-net-worth clients. It keeps the same customer risk assessment and review cycle because no suspicious activity reports have yet been filed. What is the strongest criticism?
A. The firm can wait for a confirmed SAR before updating its risk assessment.
B. Remote onboarding, new customer types, and cross-border exposure change inherent risk and should trigger reassessment of controls and residual risk.
C. All overseas clients must be rejected automatically.
D. Risk assessment applies only to AML, not sanctions, fraud, tax, or bribery.
Answer: B. A material change in customer base, channel, and geography should refresh the firm-wide risk assessment. The firm should assess inherent risk, control effectiveness, residual risk, and any remediation or enhanced monitoring needed.
For final review, use this exam sequence: identify inherent risk, assess controls, determine residual risk, prioritise action, refresh with evidence. Then practise separating inherent risk from control effectiveness in each scenario.
Return to the CISI Combating Financial Crime guide for the full exam-topic table, or use the CFC Cheat Sheet for threat classification, UK authority cues, and final review prompts.