Effective, Not Just Compliant: What Wolfsberg Means for Business-Wide Risk Assessment 

Earlier this month, the Wolfsberg Group reaffirmed its commitment to the Risk-Based Approach (RBA), calling it “a key enabler to the concepts of effectiveness and effective outcomes that are core to its work.” On the face of it, this might seem unremarkable; after all, the RBA has been enshrined in FATF standards since 2003. But scratch the surface and there’s a subtle provocation here: a call to rethink what we mean by “effective” financial crime compliance.

This shift, away from narrow technical compliance toward demonstrable outcomes, is not just semantic. It demands a different mindset, different metrics, and, in our view, a fundamentally different approach to Business-Wide Risk Assessment (BWRA). And it’s why the philosophy behind Wolfsberg’s effectiveness agenda is so aligned with the purpose of the methodology we are developing.

The Wolfsberg Factors: A Practical Framework for Effectiveness 

Wolfsberg’s definition of effectiveness centres around three outcomes, now widely known as the Wolfsberg Factors: 

  • Comply with AML/CTF laws and regulations 

  • Provide highly useful information to relevant government agencies 

  • Establish a reasonable and risk-based set of controls to mitigate illicit finance risks 

These are not abstract aspirations. They are a pragmatic lens through which both regulators and institutions can evaluate whether an AML/CTF programme is working: not whether it exists, but whether it matters.

Wolfsberg is also clear that effectiveness is not something that can be demonstrated through length, complexity, or documentation alone. In fact, they explicitly criticise the industry’s tendency to focus on “data, documentation, and process rather than outcomes.”  

Why This Matters for Business-Wide Risk Assessments 

The BWRA is supposed to be the organising logic of a firm’s financial crime risk management strategy, the bridge between risk understanding and control execution. And yet, in too many cases, it’s still treated as a static compliance artefact. It satisfies an obligation, but doesn’t shape decisions. It lists risk factors, but doesn’t test assumptions. It includes controls, but rarely challenges whether those controls are doing what they are supposed to do. 

What Wolfsberg reminds us is that the purpose of a BWRA isn’t to document risk factors; it’s to drive risk mitigation. 

That means a different kind of assessment, one that: 

  • Starts with risk events, not generic factors 

  • Maps each event to a discrete set of controls 

  • Tests those controls not just for presence, but for effectiveness 

  • Uses results to reallocate resources and improve outcomes 

This is the foundation of the methodology we are developing. 

From Control Presence to Control Purpose 

Wolfsberg’s 2021 paper on Demonstrating Effectiveness put it plainly: “Supervisors and FIs would instead focus on the practical element of whether the controls are making a material difference.” 

That might sound obvious, but it’s radically different from the box-ticking mentality that still shapes many control evaluations today. In our methodology, control effectiveness is assessed in terms of how well it addresses the risk event it’s designed to mitigate. This often requires looking beyond the written policy to actual data on design quality, implementation consistency, operational performance and mitigation outcomes. 

Wolfsberg’s updated auditing principles from 2024 reinforce this idea. Internal Audit teams are encouraged to “highlight where controls are not producing the intended risk management outcome or are simply no longer relevant.” This is as close as we’ve seen to an industry-wide endorsement of decommissioning controls that don’t work, a theme central to our methodology’s design. 

A Risk-Based Approach That Actually Prioritises Risk 

Another undercurrent of Wolfsberg’s position is the idea that not all risk is created equal. Their 2025 RBA statement calls for institutions to not only design controls proportionate to their business model, but to prioritise effort and resources toward the areas that matter most, especially in terms of threats defined by national or supra-national authorities.

Our methodology builds this idea in at the core. Rather than starting with a fixed matrix of factors, we start with defined risk events, tailored to the firm’s context but aligned to national priorities, and evaluate them based on exposure and consequence. This allows us to highlight where the real vulnerabilities lie, and to direct assurance activities toward the controls that matter most. 

In short, it’s risk-based in practice, not just in name. 

Why This Isn’t Just About Regulators 

Some might argue that until regulators start assessing effectiveness consistently, there’s little incentive for firms to change their approach. Wolfsberg disagrees, and so do we. 

Yes, national supervisors still lean heavily on technical compliance. But the direction of travel is clear. FATF’s emphasis on “immediate outcomes” has reshaped mutual evaluations. Wolfsberg’s guidance is explicitly endorsed by global banks. And the next wave of regulatory reform, especially in jurisdictions like the US and UK, will increasingly be tied to questions of effectiveness. 

But even beyond compliance, the case is compelling: focusing on what actually works improves risk mitigation, reduces false positives, enables better strategic decision-making, and fosters stronger governance. It’s also more defensible when things go wrong. 

Conclusion: Time to Move from Theatre to Outcomes 

In a world where regulators are still asking firms to justify the size of their risk assessments and the number of pages in their policy documents, Wolfsberg’s message feels quietly revolutionary: stop measuring inputs, and start demonstrating outcomes. 

That’s not just a challenge to regulators; it is a challenge to all of us. And it is why we are not just building a BWRA methodology. We are helping clients build an effectiveness engine, one that helps firms understand their risks, evaluate the controls that actually matter, and adapt their defences to a rapidly changing threat landscape.

As Wolfsberg rightly notes: “Each FI should be able to demonstrate effectiveness by telling its unique story.” 

We think it is time we gave them the tools to do so. 
