Perspectives
Perspective 006Practice

How to conduct an effective financial crime readiness assessment.

A readiness assessment is not another report. It answers one question: if a regulator reviewed the framework tomorrow, how confident would we be?

By Everett MorganAutumn 20267 min read
Elegant European operational dashboard environment
Executive brief

Reading time · 10 minutes  ·  Primary audience · MLROs, Heads of Compliance, Chief Risk Officers, Audit and Risk Committees

Why this matters

Readiness assessments have become a common item on the AML calendar. Many of them produce little that the firm did not already know. A readiness assessment is only useful when it is designed to answer one specific question, sampled against real evidence rather than documentation, and reported into governance in a form that requires decisions rather than notes. This Perspective sets out how to do that.

Key findings
  1. 01A readiness assessment is a diagnostic instrument, not an assurance opinion. Its purpose is to identify what would happen under supervisory scrutiny, not to grade the framework on a maturity scale.
  2. 02The most common failure mode is scope inflation. A useful readiness assessment concentrates on the small number of items on which inspections consistently turn.
  3. 03The evidence base has to be file-level. Document review and interviews inform, but they do not conclude. A readiness assessment that has not sampled files has not tested the question.
  4. 04The output should be short, honest and structured for decisions. A hundred-page report is almost always a sign that the assessment did not know what it was for.
Questions Boards should ask
  1. 01If we commissioned a readiness assessment tomorrow, do we know precisely which question we would ask it to answer?
  2. 02Would the assessment we last received have changed any decision if the report had gone missing, or was it treated principally as an assurance artefact?
  3. 03Are we willing to have the assessment reach conclusions the executive would rather not hear, and to record the response of the executive on the minute?

What a readiness assessment is for

The term is used loosely. In its useful sense, a readiness assessment is a targeted diagnostic exercise designed to answer one question: if the firm's principal supervisor reviewed the framework tomorrow, using the methodology current inspection teams apply, what would they find and what would they conclude.

That question is different from the questions asked by internal audit, by external assurance, by policy review or by the annual MLRO report. Each of those has its place. None of them, by themselves, answers the readiness question. A readiness assessment sits closest to the inspection lens, and its methodology should mirror the inspection methodology described in Perspective 005.

A readiness assessment is not a maturity model exercise. Maturity scoring produces a comfortable narrative and rarely produces action. A readiness assessment is intentionally uncomfortable. Its purpose is to identify, quickly and honestly, where the firm would come under pressure if scrutiny began next week.

Getting the scope right

Scope is the single most important design decision. A readiness assessment that tries to cover the whole framework will produce a report that covers nothing well. A readiness assessment that concentrates on the small number of items on which supervisors consistently conclude will produce a report the Board can act on.

For most European regulated firms, the useful scope covers four areas:

Sanctions, adverse media, SAR quality and specific product or channel risks may be added to scope where the firm's risk profile warrants it. What should not happen is a comprehensive review of every element of the framework as a default position. That approach consistently produces reports of one hundred pages that change nothing.

The evidence base

A readiness assessment concludes on the evidence it gathered. Its credibility rises and falls on that evidence.

Interviews and document review are necessary but not sufficient. They tell the assessor what the framework believes about itself. Only file sampling, meeting observation and MI walk-through test whether the belief matches the reality.

A defensible readiness assessment for a smaller regulated firm typically includes file samples of between forty and eighty cases, stratified by risk band and product, drawn from the current active book and from the legacy book. It includes at least one observed operational meeting, most commonly an alert review or a case escalation forum. It includes a structured MI walk-through with a member of executive or Board management, testing whether the pack answers the questions a supervisor would ask.

Reporting the results

A readiness assessment succeeds or fails at the reporting stage. The most rigorous fieldwork can be diluted into inaction by a report that softens findings, buries recommendations or presents the framework as more defensible than the evidence supports.

An effective report has the following properties. It is short, typically twenty to forty pages including appendices. It opens with a plain-language statement of the firm's current readiness position and the specific items that would come under pressure in an inspection. It distinguishes clearly between issues requiring a decision at Board level and issues requiring a change in operational practice. It attaches evidence, either as anonymised file excerpts or as MI extracts, that supports the material findings.

The report is presented to the Audit or Risk Committee alongside the executive response. The response should itself be brief, name accountable owners and specify the evidence that will demonstrate closure. Where the executive disagrees with a finding, the disagreement is minuted. Silence on the record about a substantive disagreement is a governance risk in itself.

Common failure modes

Readiness assessments fail more often than they succeed, and the failure modes are predictable.

Scope inflation dilutes conclusions. Framing as reassurance produces a report designed to comfort rather than to challenge. Excessive reliance on interviews produces conclusions that reflect what the framework believes about itself. Softening for the executive audience produces action plans that never quite land on individual owners. Progress reporting in RAG status obscures the specific items on which supervisory engagement will turn.

None of these failures is caused by bad faith. Each is caused by design choices made early and adjusted too late. Naming them explicitly at scoping is the most effective prevention.

How Claritas approaches readiness assessments

A Claritas readiness assessment is designed to answer the single question above: what would happen if a supervisor reviewed the framework tomorrow. That framing shapes every design decision that follows.

Scope is agreed against the Business-Wide Risk Assessment and the firm's recent supervisory dialogue, and is deliberately narrow. Evidence is file-led, with interviews and document review positioned as context rather than conclusion. The reporting line is agreed with the Chair of the Audit or Risk Committee at the outset. The draft is shared with the Chair before it is presented, so that the discussion in Committee is about the response, not about the language.

For a smaller regulated firm, the assessment is typically executed in three to six weeks and produces a report of thirty pages or fewer. Its purpose is to give the Board a defensible baseline and a specific runway of improvements. It is not designed to accumulate on a shelf.

What success looks like
  • 01The Board holds an honest, current view of the firm's readiness position, with specific items identified and dated.
  • 02The remediation runway is sequenced by materiality, executable within the window before likely supervisory engagement, and owned by named individuals.
  • 03The MI pack, redesigned in response to the assessment, answers a supervisor's questions in the order they would ask them.
  • 04Independent readiness assessments recur on a defined cycle rather than as a response to supervisory pressure.
  • 05The Committee record shows that findings translated into decisions and that decisions translated into evidenced change.
References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation