5.4. Difficulties in assessing risks at the entity-level
126. In certain situations, an entity may not have developed a risk assessment, or the risk assessment that was developed may be overly broad and not provide sufficient granularity or analysis.
127. Some sectors have a large number of (mostly smaller) active institutions and it is difficult to develop comprehensive risk profiles for each individual entity. In the case of newly established institutions or recently regulated sectors, there may not be in-depth knowledge about the risks presented by those individual entities' business models and activities, and the results from the supervisory authority's own audits or other supervisory activities are not yet available.
128. Strategies to address this challenge:
• Undertake sectoral risk assessments as a first step. The sectoral risk analysis primarily provides a good overview of the risks to which an institution is exposed as a result of its business activities in this sector, and therefore important insights can be gained for the risk profile of the individual institution. It also makes it possible to provisionally apply the sectoral risk rating as a default rating to newly established or recently regulated institutions.
• Depending on the specificities of the regulatory population, develop clusters of entities that share common characteristics, where the risks of ML/TF affecting the entities in the cluster are very similar.