The Create Risk Assessment wizard guides you through building your firm's AML/CTF risk assessment in Firm Verify. It covers all areas required by AUSTRAC: services, clients, delivery channels, and country risk.
How to start
1 | Go to Firm > Program. |
2 | Click Generate. The Generate Documents modal opens. |
3 | Click Generate on the Risk Assessment card. |
4 | The Create Risk Assessment wizard opens. Work through each step using the left-hand sidebar. Use Previous and Next to move between steps, or click any sidebar item to jump directly to it. |
Wizard steps
The sidebar shows eight steps across four sections. Services, Client, and Delivery Channel each have two sub-steps (Identify + Risk Factors). Country Risk is a single combined step.
| Section | Sidebar steps | What you do |
|---|---|---|
| Services Risk | Identify Services Services Risk Factors |
Identify Services: Select the designated services your practice provides. Each service has an ML/TF/PF Vulnerability text field — describe how the service could be exploited for financial crime. Services Risk Factors: Assess the inherent risk (High / Medium / Low) of each risk factor and document your mitigation controls. |
| Client Risk | Identify Clients Client Risk Factors |
Identify Clients: Select the types of clients your firm serves and describe their ML/TF/PF vulnerabilities. Client Risk Factors: Assign a Risk Level to each factor and document mitigation controls. Factors include PEPs (domestic, international organisations, foreign), suspected criminal clients, and complex legal structures. |
| Delivery Channel Risk | Identify Delivery Channels Delivery Channel Risk Factors |
Identify Delivery Channels: Select how your firm delivers services (in person, email, video conferencing, AI tools, etc.) and describe ML/TF/PF vulnerabilities. Delivery Channel Risk Factors: Assign a Risk Level and document mitigation controls for each channel type. |
| Country Risk | Country Risk Assessment | A single combined step. List every country relevant to your practice. For each, complete all columns (see below). Australia is pre-loaded as a default. Click Restore Defaults to reset to the default country list. |
| Finish | Finalise Risk Assessment | Enter Title and Version, add an optional Summary of Changes, then click Generate Risk Assessment. |
Identify steps — ML/TF/PF Vulnerability
On each Identify step, the default list of services, client types, or delivery channels is pre-loaded. Expand any row to reveal the ML/TF/PF Vulnerability text field. Describe how this item could be exploited for money laundering, terrorism financing, or proliferation financing.
Risk Factors steps — Risk Level and Mitigation Controls
On each Risk Factors step, each item shows a Risk Level dropdown (High / Medium / Low). Expand any item to reveal:
- Assessed Risk — a description of why this factor creates ML/TF risk. Pre-filled with default content; editable.
- Mitigation Controls (required) — describe the specific controls your firm applies to manage this risk. This field is mandatory and must be completed before the step can be marked complete.
Country Risk Assessment
The Country Risk Assessment step uses a table format. Complete all fields for each country relevant to your practice.
| Column | What to enter |
|---|---|
| Country | Select from the dropdown. Include every country where you provide services, where clients are based, or where entities are registered or incorporated. |
| Proportion of Clients % | The approximate percentage of your client base associated with this country. All country rows must total 100% — shown in the Total row at the bottom. |
| Basel AML Index | Pre-filled score from the Basel Institute on Governance AML Index (0–10, higher = greater risk). Highlighted red for high-scoring countries. |
| High Risk Listed | Select Yes or No. Indicates whether the country is on FATF's grey or black list or subject to DFAT sanctions designations. |
| Final Rating | Your overall risk rating for this country (Low / Medium / High). Based on the Basel Index score, High Risk Listed status, and your professional judgment. |
| Mitigation Controls | Required. Expand the country row to enter the controls your firm applies for clients or entities in this country. |
Adding, editing, and removing items
- Edit any item's vulnerability description, risk level, assessed risk, or mitigation controls.
- Add custom items using the Add + button.
- Delete items using the bin icon. A confirmation is shown before removal.
- Restore deleted defaults via Add + and selecting from the restore list, or use Restore Defaults on the Country Risk step.
Sidebar status indicators
| Icon | Meaning |
|---|---|
| ✅ | Step visited and complete — no errors. |
| ⚠ | Step has an error or required field not completed. The step name turns red. |
| ? | Step not yet visited. |
Completing the risk assessment
On the Finalise Risk Assessment step, once all sections have been visited and there are no outstanding errors, the Generate Risk Assessment button is enabled. An attention bar lists any unvisited or incomplete steps.
Click Generate Risk Assessment. Firm Verify generates your document and immediately asks whether you want to send it for review.
- Select Send for Review to assign a reviewer — status moves to Under Review.
- Select Cancel to return to the Program screen — document is saved as Draft.
Document statuses
| Status | When it applies | Available actions |
|---|---|---|
| In Progress | Saved using Save for later, before generating. | Edit, Delete |
| Draft | Generated but not yet sent for review. | Edit, Delete, Send for Review |
| Under Review | Sent to a reviewer, awaiting decision. | Reviewer: Review. Others: View, Cancel Review |
| Approved | Reviewer has approved. Next review date auto-set to 3 years from today. | View |
| Rejected | Reviewer has rejected with a comment. | Edit, Delete |
Saving and cancelling
| Button | Behaviour |
|---|---|
| Save for later | Saves your progress regardless of validation. Title and Version are required. Status set to In Progress. |
| Generate Risk Assessment | Available on the Finalise Risk Assessment step only, when all steps are visited and complete. Generates the document and prompts Send for Review. |
| Cancel | If no changes have been made, returns to the Program screen. If changes exist, shows a Discard confirmation. |
Frequently asked questions
Do I have to complete all steps in order?
No. You can jump to any step using the sidebar. However, you must visit every step at least once before the Generate Risk Assessment button is enabled.
Why is the Generate Risk Assessment button showing a warning or not enabling?
Check the sidebar for any steps marked with a red warning icon. The most common cause is a Mitigation Controls field left empty, or Country Risk proportions that do not total 100%.
Can I customise the default risk assessment content?
Yes. All default items are editable. You can update vulnerability descriptions, change risk levels, edit mitigation controls, add new items, and delete items that do not apply to your firm.
Who can review the risk assessment?
Any current user can be selected as a reviewer.