It doesn't reflect your firm
A template can't capture your specific clients, services, jurisdictions, and delivery methods. When the FWRA doesn't match the firm's actual risk profile, it signals that risk hasn't really been assessed — and the rest of the framework rests on a weak foundation.
It goes out of date
The SRA frequently finds FWRAs that aren't updated to reflect changes in clients, services, jurisdictions, or delivery methods. A risk assessment is a living document; if your practice has changed and the assessment hasn't, that gap will show.
It contradicts your controls and files
A key concern is inconsistency between the FWRA, day-to-day controls, policies, and client files. If the assessment says one thing and the files show another, the firm can't evidence that its framework actually works in practice.
What a credible FWRA looks like
- Specific to your clients, services, jurisdictions, and delivery methods
- Updated as the firm's risk profile changes, with version history
- Linked to the policies and controls meant to mitigate each risk
- Consistent with matter-level risk assessments and files
Reglo helps firms keep this evidence organised and audit-ready — humans approve every change. AI drafts and organises; your compliance team decides.
This guide is general information for compliance teams, not legal or regulatory advice. Always refer to the SRA's current guidance and take your own professional advice where needed.