Financial crime audit

Business-wide risk assessment review

An independent challenge of your business-wide AML risk assessment, the SIRA in the Netherlands, tested for completeness, method and the link between the risks you have identified and the controls meant to mitigate them. Senior-led, vendor-neutral, and mapped to how DNB supervises.

Book a free consultation See all services

Your business-wide risk assessment is the cornerstone of your entire AML control framework. Every policy, every control threshold and every resourcing decision should trace back to it, which is exactly why supervisors examine it first. In the Netherlands, DNB expects a SIRA (systematische integriteitsrisicoanalyse) that is specific to your business model, methodologically sound and genuinely current, not a template inherited from a peer or refreshed once a year without challenge. When the assessment is thin, the gaps cascade: controls are calibrated to risks you never properly sized, and residual risk drifts beyond your stated appetite without anyone noticing.

Alsina Advisory delivers an independent business-wide risk assessment review as a focused, senior-led boutique. We challenge the inherent risk picture across customers, products, channels, geographies and transactions, test whether your scoring actually holds together, and confirm that the risks you have identified map to real, operating controls. We are independent of any software vendor or remediation provider, so our findings carry weight with your board, your audit committee and your national competent authority. We are rooted in the Netherlands and work across the EU, and we frame every finding against the framework that supervises you.

What a business-wide risk assessment review covers

We test the assessment end to end, because a SIRA only works when the risk picture, the method and the controls hang together. A typical engagement covers six areas, scoped to your business model and risk profile.

Inherent risk identification

Whether the assessment captures the full inherent risk picture across customers, products, services, delivery channels, geographies and transaction types, before any credit is taken for controls.

Methodology and scoring

How you score, weight and aggregate risk, and whether the method is documented, repeatable and defensible rather than a matter of individual opinion.

Control effectiveness

Whether the mitigating controls are assessed on real operating effectiveness, not just their existence on paper, so the residual position reflects reality.

Residual risk and appetite

Whether residual risk is calculated honestly and tested against your stated risk appetite, with clear treatment of any exposures that sit outside it.

Data, inputs and assumptions

The quality of the data feeding the assessment, the sources behind the figures, and whether the key assumptions are evidenced rather than asserted.

Governance and refresh

Ownership, board and senior-management challenge, the trigger and cadence for refresh, and whether the SIRA actually drives your control framework and resourcing decisions.

How the review works

Scoping

We start with a short scoping conversation about your business model, regulatory context and the version of the assessment in scope, then agree the timeline and a fixed fee or day rate in writing up front.

Document and data review

We examine the assessment itself, its underlying methodology, the data and assumptions behind the scores, and the governance and approval trail that sits around it.

Challenge and testing

We interview the risk owners and the first and second lines, pressure-test the scoring on sample risk types, and trace whether identified risks actually map to operating controls.

Assessment against expectations

We benchmark what we find against DNB expectations for the SIRA, the Wwft, the EU AML framework and good industry practice, rating completeness, method and control linkage.

Reporting

You receive a clear, prioritised report that any board member or supervisor can follow: findings, root causes, risk ratings and pragmatic recommendations to strengthen the assessment.

What you get

A board-ready review report with a clear executive summary and an at-a-glance view of the assessment's strengths and gaps.
Prioritised findings with root-cause analysis, risk ratings and practical recommendations to improve completeness, methodology and control linkage.
An explicit view of whether your residual risk sits within your stated risk appetite, with any exposures that fall outside it clearly flagged.
A direct mapping of every finding to DNB expectations for the SIRA, the Wwft and the incoming AML Regulation (AMLR).
A remediation roadmap your team can act on, sequenced by risk, plus independent re-review of the updated assessment where required.

Why an independent review

Independence is the point. A business-wide risk assessment written and signed off entirely in-house is hard to challenge from the inside, because the people who built it share the same assumptions and blind spots. An external review reassures a board and a supervisor precisely because the reviewer has nothing to sell you afterwards. We are not a software vendor, a managed-service provider or a remediation shop, so we have no incentive to inflate a finding or steer you toward a product.

As a senior-led boutique, your engagement is run by an experienced financial crime auditor who has tested SIRAs and enterprise-wide AML risk assessments across Tier-1 banks, global payments businesses and fintechs, not handed to a bench of juniors. That means sharper challenge, fewer people in your environment, and a report you can stand behind. The bar is rising: the AML Regulation tightens expectations from 2027, and a thin or stale assessment will be far more exposed under direct EU-level scrutiny.

Whether you need a one-off independent challenge before a DNB review, assurance ahead of a board sign-off, or a recurring check on each refresh, we can usually scope and start within weeks.

Related services

Service AML/CFT framework audit An end-to-end audit of your AML/CFT framework against the EU rulebook. Service Transaction monitoring review Coverage, tuning and alert quality tested against your risk profile. Service KYC and CDD file review File-level testing of onboarding, due diligence and ongoing monitoring. Service Wwft audit An independent audit against the Dutch Wwft and DNB expectations.

Related insights

Insight The business-wide risk assessment The foundation regulators test first, and how to make yours defensible. Insight Transaction monitoring effectiveness Why coverage and tuning matter more than alert volume. Insight KYC, CDD and EDD Getting the due-diligence tier right for each customer.

Put your business-wide risk assessment to an honest, independent test.

Book a free, no-obligation consultation to scope your business-wide risk assessment review. You will speak directly with a senior specialist, never a junior or a sales team.

Book a free consultation