Residual Risk That Actually Means Something 

Continuing the Conversation 

In last week’s blog, I explored the FCA’s January 2025 Money Laundering Through Markets review through the lens of the business profile, arguably the missing foundation in most business-wide risk assessments (BWRAs). The FCA’s demand that firms “consider and appropriately document the MLTM risk posed to and by the firm” only makes sense if the assessment starts from a structured understanding of the business. Without that, the BWRA is untethered from reality. 

But that same review raised another conceptual point that is just as important, and, in practice, just as poorly addressed. This week I want to focus on residual risk.

Residual risk is the final output of any BWRA. It’s the point where inherent risks meet control effectiveness, where the “theory” of the business model collides with the “reality” of what the firm can actually manage. Yet across the industry, it is also the most neglected, opaque, and misunderstood part of the process. 

Why Residual Risk Is the Weak Link in Most BWRAs 

If you leaf through BWRA reports across different institutions, you see the same problems repeat themselves: 

  1. Tick-box mentality: Residual risk is treated as the final cell in a spreadsheet, the number you have to show the regulator. There is little sense that it should drive management action. 

  2. Opaque calculation: In most cases, residual risk is presented as the product of a simplistic formula: “inherent risk minus control effectiveness.” But how inherent risk was defined, and how control effectiveness was scored, is left unexplained. 

  3. False precision: Institutions present residual risk scores as if they were scientific. Yet they are usually based on subjective weightings, rough judgment calls, or untested assumptions. 

  4. Disconnection: Perhaps the biggest weakness: residual risk is rarely linked to the business model itself. It is abstracted away from the things firms can actually control, leaving management none the wiser about what exposures genuinely remain. 

It is not surprising that regulators are sceptical. The FCA’s Money Laundering Through Markets review sharpened the point: residual risk isn’t optional or decorative; it must be documented, explained, and capable of being challenged. 

Why Regulators Care About Residual Risk 

There are two big reasons why residual risk has moved up the supervisory agenda. 

1. The FCA’s expectations are explicit. In its MLTM guidance, the FCA made clear that BWRAs must not only document inherent risks and controls, but also the residual risk that remains once controls are applied. That residual must be evidenced, not assumed. 

2. The 2025 UK National Risk Assessment (NRA) refresh. The new NRA sharpened typologies around mule networks, market abuse, and complex cross-border layering. It underscored that firm-level assessments should reflect systemic priorities. That means residual risk can’t just be a neat number; it has to stand up against the evolving threat landscape. 

Together, these developments are pushing firms towards a higher standard: residual risk as a real, defensible concept, not a placeholder. 

Our Alternative Approach to Residual Risk 

When we designed our methodology, we knew that residual risk would be the point of greatest scrutiny. It had to mean something. Here’s how we approached it differently: 

1. Event-Level Residuals, Not Aggregate Numbers 

Residual risk is assessed at the level of specific risk events (actor–action–process), not at a generic factor level. 

  • Example: “Criminal uses dormant accounts for mule activity” → what controls apply, what remains? 

  • Example: “Intermediary facilitates layering through cross-border payments” → what controls apply, what remains? 

This avoids the trap of broad aggregate scores, which hide more than they reveal. 

2. Controls Assessed for Type and Assurance 

We differentiate controls by type: preventive, detective, corrective, directive. Preventive controls, when evidenced, carry more weight. Detective or corrective measures, by definition, leave more risk behind. 

Crucially, we require assurance evidence wherever possible. A control without testing or oversight cannot be assumed effective. Where firms only have a narrative assessment, it must be structured and open to challenge. 

3. Residual Risk Is What You Can’t Control (Yet) 

We reframe residual risk as the diagnostic signal of what the firm cannot reasonably control today. That may be because: 

  • Controls exist but are partial or weak. 

  • Assurance is absent, so confidence is low. 

  • The risk is systemic, beyond the firm’s immediate reach. 

This makes residual risk actionable. It tells management, “here are the exposures that remain, and here’s why”. Some will need investment, some may be accepted as part of risk appetite, and some may need escalation at industry or regulatory level. 

The Value of Residual Risk That Actually Means Something 

So what difference does this make? I see four main sources of value: 

  1. Credibility with regulators: A transparent logic chain (business profile → risk event → controls → residual) makes supervisory challenge straightforward. Regulators can see how you got there. 

  2. Clarity for boards: Instead of abstract numbers, boards see a concrete picture: which risks remain, why they remain, and what the options are. 

  3. Decision support for management: Residual risk highlights where additional controls or investment would have the greatest impact, and where diminishing returns set in. 

  4. Contribution to industry intelligence: When firms can identify residual risks they cannot control, these insights become valuable inputs into NRAs, systemic intelligence databases, and collaborative industry responses. 

Pragmatism and Proportionality 

Not every firm will have perfect data for residual risk. And not every residual risk can be reduced to a number. That’s fine. 

What matters is structure. Whether the input is quantitative (assurance results, coverage statistics) or qualitative (narrative judgment), it must be transparent and capable of challenge. Structured where possible, narrative where necessary: the same philosophy we applied to business profiles. 

This pragmatic approach avoids the trap of false precision while still ensuring that residual risk has substance. 

Conclusion: Residual Risk as the True Output 

Residual risk is not a compliance afterthought. Done properly, it is the most meaningful output of a BWRA, the difference between theoretical risk and lived exposure. 

The FCA’s January 2025 review made the expectation clear: firms must evidence residual risk. The 2025 NRA added urgency by resetting the threat landscape. 

The industry should treat this not as another burden, but as an opportunity. If we can produce residual risk assessments that are credible, transparent, and actionable, then the BWRA finally becomes what it was always meant to be: a management tool, an intelligence source, and a platform for regulatory confidence. 

Because if your residual risk doesn’t actually mean something, then your whole risk assessment doesn’t either. 
