What a readiness assessment is for
The term is used loosely. In its useful sense, a readiness assessment is a targeted diagnostic exercise designed to answer one question: if the firm's principal supervisor reviewed the framework tomorrow, using the methodology current inspection teams apply, what would they find and what would they conclude.
That question is different from the questions asked by internal audit, by external assurance, by policy review or by the annual MLRO report. Each of those has its place. None of them, by themselves, answers the readiness question. A readiness assessment sits closest to the inspection lens, and its methodology should mirror the inspection methodology described in Perspective 005.
A readiness assessment is not a maturity model exercise. Maturity scoring produces a comfortable narrative and rarely produces action. A readiness assessment is intentionally uncomfortable. Its purpose is to identify, quickly and honestly, where the firm would come under pressure if scrutiny began next week.
Getting the scope right
Scope is the single most important design decision. A readiness assessment that tries to cover the whole framework will produce a report that covers nothing well. A readiness assessment that concentrates on the small number of items on which supervisors consistently conclude will produce a report the Board can act on.
For most European regulated firms, the useful scope covers four areas:
Sanctions, adverse media, SAR quality and specific product or channel risks may be added to scope where the firm's risk profile warrants it. What should not happen is a comprehensive review of every element of the framework as a default position. That approach consistently produces reports of one hundred pages that change nothing.
The evidence base
A readiness assessment concludes on the evidence it gathered. Its credibility rises and falls on that evidence.
Interviews and document review are necessary but not sufficient. They tell the assessor what the framework believes about itself. Only file sampling, meeting observation and MI walk-through test whether the belief matches the reality.
A defensible readiness assessment for a smaller regulated firm typically includes file samples of between forty and eighty cases, stratified by risk band and product, drawn from the current active book and from the legacy book. It includes at least one observed operational meeting, most commonly an alert review or a case escalation forum. It includes a structured MI walk-through with a member of executive or Board management, testing whether the pack answers the questions a supervisor would ask.
Reporting the results
A readiness assessment succeeds or fails at the reporting stage. The most rigorous fieldwork can be diluted into inaction by a report that softens findings, buries recommendations or presents the framework as more defensible than the evidence supports.
An effective report has the following properties. It is short, typically twenty to forty pages including appendices. It opens with a plain-language statement of the firm's current readiness position and the specific items that would come under pressure in an inspection. It distinguishes clearly between issues requiring a decision at Board level and issues requiring a change in operational practice. It attaches evidence, either as anonymised file excerpts or as MI extracts, that supports the material findings.
The report is presented to the Audit or Risk Committee alongside the executive response. The response should itself be brief, name accountable owners and specify the evidence that will demonstrate closure. Where the executive disagrees with a finding, the disagreement is minuted. Silence on the record about a substantive disagreement is a governance risk in itself.
Common failure modes
Readiness assessments fail more often than they succeed, and the failure modes are predictable.
Scope inflation dilutes conclusions. Framing as reassurance produces a report designed to comfort rather than to challenge. Excessive reliance on interviews produces conclusions that reflect what the framework believes about itself. Softening for the executive audience produces action plans that never quite land on individual owners. Progress reporting in RAG status obscures the specific items on which supervisory engagement will turn.
None of these failures is caused by bad faith. Each is caused by design choices made early and adjusted too late. Naming them explicitly at scoping is the most effective prevention.
How Claritas approaches readiness assessments
A Claritas readiness assessment is designed to answer the single question above: what would happen if a supervisor reviewed the framework tomorrow. That framing shapes every design decision that follows.
Scope is agreed against the Business-Wide Risk Assessment and the firm's recent supervisory dialogue, and is deliberately narrow. Evidence is file-led, with interviews and document review positioned as context rather than conclusion. The reporting line is agreed with the Chair of the Audit or Risk Committee at the outset. The draft is shared with the Chair before it is presented, so that the discussion in Committee is about the response, not about the language.
For a smaller regulated firm, the assessment is typically executed in three to six weeks and produces a report of thirty pages or fewer. Its purpose is to give the Board a defensible baseline and a specific runway of improvements. It is not designed to accumulate on a shelf.
- 01The Board holds an honest, current view of the firm's readiness position, with specific items identified and dated.
- 02The remediation runway is sequenced by materiality, executable within the window before likely supervisory engagement, and owned by named individuals.
- 03The MI pack, redesigned in response to the assessment, answers a supervisor's questions in the order they would ask them.
- 04Independent readiness assessments recur on a defined cycle rather than as a response to supervisory pressure.
- 05The Committee record shows that findings translated into decisions and that decisions translated into evidenced change.
- SEPBLAC. Memoria 2025 (Annual Report, June 2026). www.sepblac.es/wp-content/uploads/2026/06/MemoriaSepblac2025_ES.pdf
- European Banking Authority, Risk-Based Supervision Guidelines (EBA/GL/2021/16).
- Central Bank of Ireland, Anti-Money Laundering Supervisory Priorities. www.centralbank.ie/regulation/anti-money-laundering-and-countering-the-financing-of-terrorism
- Financial Conduct Authority, Financial Crime Guide. www.handbook.fca.org.uk/handbook/FCG.pdf
- European Banking Authority, Guidelines on Policies and Controls for the Effective Management of ML/TF Risks (EBA/GL/2022/05).



