Practice area

Risk assessments.

Risk assessments across AML, operational, cyber, fraud, and more. Built to serve the full enterprise — typology-based, control-mapped, and maintained as risk evolves, not revisited once a year.

Risk assessed before your examiner arrives.

A useful risk assessment names the exposure, maps the control gap, and produces a number the committee can act on.

Risk assessment is how institutions find out where they actually are before the examiner tells them. Our practice is built on a typology-based methodology — we start with what actually fails at institutions like yours, not a generic risk library — and we map each exposure to the specific controls that are supposed to catch it.

We assess across the full enterprise risk landscape: AML and sanctions exposure, operational risk, cyber and technology risk, fraud risk — wire fraud, ACH origination, internal collusion, application fraud, synthetic identity — and model risk. The scope is set by what your institution's risk profile actually requires, not by a standard template.

Each assessment produces three things: a control map showing where the gaps are, a residual risk rating calibrated to your examiner's expectations, and a remediation roadmap with sequencing, owners, and dates. A heat map without a control map behind it is not a risk assessment — it is a decoration.

The work in this practice, named.

  1. Enterprise risk assessment: Full-scope or targeted assessment across AML, operational, cyber, fraud, and model risk dimensions.
  2. AML risk assessment: Typology inventory, customer risk scoring, transaction monitoring calibration, SAR/CTR exposure.
  3. Operational risk assessment: Process-level risk identification, loss event analysis, control effectiveness testing.
  4. Cyber & technology risk assessment: FFIEC-aligned IT risk review, third-party/vendor risk, incident response posture.
  5. Fraud risk assessment: Typology inventory, loss data analysis, segregation of duties, dual-control governance, synthetic identity exposure.
  6. Remediation roadmap: Control gap sequencing, owners, dates, and committee-ready reporting.

An enterprise risk assessment, end to end.

| Phase | Deliverable |
|---|---|
| Scoping | Risk universe defined; prior assessments, exam findings, and loss data reviewed. |
| Assessment | Typologies inventoried; controls mapped; inherent risk rated across all dimensions. |
| Residual risk | Inherent risk × control effectiveness = residual; calibrated to the committee's appetite. |
| Roadmap | Control remediation plan, sequencing, owners, dates. |