AMLR Redefines Risk Assessment: Blueprint for an Auditable Risk Assessment

Despite the clear direction set by AMLR, many institutions are asking the same question: How can risk assessment become continuous, data-driven, and auditable at all times?

Blueprint, triggers, governance, and report readiness – Part 3 of our blog series outlines the blueprint and explains why software plays a key role in creating a stable operating model.

AMLR Risk Analysis

In the second part of this series, we looked at why many risk assessments struggle in practice: data is scattered across the organization, Excel becomes the de facto system, and processes turn into annual projects. As a result, institutions often lack the one thing supervisors will increasingly expect in the future: auditability.

The good news is: the target state is clear. And it is surprisingly straightforward—if institutions stop thinking of risk assessment as a document and start treating it as a continuous, operational system.

Auditability Under AMLR: The Benchmark Is Changing

The AMLR is very clear on this point: the enterprise-wide risk evaluation must be documented, kept up to date, reviewed regularly, and made available to supervisors upon request (see Regulation (EU) 2024/1624, Article 10(2)).

This changes the benchmark: auditability is not achieved through “more text”; it comes from a risk assessment that can be reproduced at any time, including the underlying data, the assessment logic, the changes made, and the approvals granted.

What does that mean in practice? An auditable risk assessment must always be able to answer three questions, without any special effort:

  1. What risks have we identified, and why?
  2. Which data, sources, and assumptions support the evaluation?
  3. What has changed since the previous version, and who approved those changes?

Target Operating Model: What an AMLR-Compliant Risk Assessment Should “Feel Like” in Practice

A realistic target operating model consists of five key characteristics—not as theoretical concepts, but as a tangible way of working.

  1. Continuous Rather Than Annual

Risk assessment should not be driven by the calendar—it should be driven by the business. When internal or external events significantly affect risk exposure, the assessment is updated—not at “some point during the next review cycle”. This creates a trigger-based mindset: New products, new customer segments, new geographic exposures, and even new suspicious activity reports are no longer treated as exceptions. They become natural triggers for reassessing risks and updating the risk assessment accordingly.

  2. Data-Driven Rather Than Manual

The objective is that risk assessment is built on data. This does not mean launching a large-scale “data lake initiative”. It means having a reliable foundation that makes assessments reproducible. This is exactly where many organizations struggle today – data remains trapped in silos, and manual consolidation does not create a stable or sustainable operating model.

  3. Methodologically Transparent Rather Than a Black Box

Across the EU, pressure to harmonize risk assessment methodologies continues to increase: AMLA is currently developing Regulatory Technical Standards (RTS) that will establish a common framework for how supervisors classify inherent (gross) and residual (net) risk profiles and how frequently those profiles should be reviewed. For institutions, this means: assessment methodologies must remain consistent, transparent, and explainable—even as data points, weightings, or scales evolve over time.

  4. Embedded in Governance Rather Than Managed as a Project

AMLR explicitly links accountability and approval responsibilities: the AML Officer is responsible for preparing the risk evaluation, while the management body is responsible for approving it. This means that governance is not just a “nice-to-have”; it is a core component of auditability: Who provides the data? Who performs the assessment? Who reviews it? Who approves it?

  5. Always Report-Ready Rather Than a Last-Minute Exercise

“Upon request” means being able to provide the information at any time. In the goal vision, reports are not produced through manual copy-and-paste exercises or last-minute efforts. They are simply an output of a process that is already being managed correctly. Report readiness becomes a permanent state rather than a recurring project. This is particularly valuable when supervisors request evidence, consistency checks, or historical records on short notice.


The Goal Vision: The Building Blocks Behind the Target Operating Model

Does achieving this goal vision require software? Not necessarily as an end in itself. However, the target operating model does require system capabilities, so that auditability does not depend on the “heroism of individuals” but emerges as part of normal operations.

This is where software-supported approaches create significant value: They do not simply make risk assessment “more digital”. They make it operationally sustainable by providing version control, audit trails, role-based permissions, workflows, validations, and consistent data management as standard capabilities rather than manual tasks. This is precisely where Excel-based environments typically reach their limits, because they can only provide these system capabilities through additional manual controls – making processes more error-prone, less transparent, and more difficult to defend during audits.

These building blocks can be viewed as the blueprint for the target operating model—not as a project plan, but as the architecture required to support it:

[Figure: Blueprint and Architecture of the Target State (AFC Risk Assessment Blueprint)]

[Figure: Permanent Reporting Capability (AFC Risk Assessment Reporting Capability)]

Why this goal vision makes sense not only from a regulatory perspective—but also pays off financially

The same applies internationally: A robust understanding of risk is an ongoing, dynamic process that continuously incorporates new information and adapts to changing environmental factors. This is precisely what creates benefits that go beyond mere “compliance”:

  • Better Management, Less Reporting Stress: When timeliness and consistency become part of normal operations, risk assessment becomes a tool for prioritization and planning—not just a periodic snapshot.
  • Greater Transparency Into Risk Drivers: Management gains a clearer understanding of why risks increase or decrease and can focus mitigation efforts where they will have the greatest impact.
  • Stronger Link Between Risks and Controls: The goal vision makes it easier to demonstrate which controls address which risks, supporting discussions around both appropriateness and effectiveness.
  • Report Readiness as a Productivity Driver: When responding “upon request” is no longer a special effort, manual workload decreases and resources can shift from documentation to actual risk management.
  • Less Friction, More Consistency: Consistent assessment methodologies and a clear historical record reduce coordination efforts, make changes easier to explain, and improve the organization’s ability to respond to supervisors and internal stakeholders.