
EU Sanctions DD PROG.2: Sanctions Risk Assessment

What This Control Requires

Is there a documented sanctions risk assessment covering customers, products, geographies, and delivery channels?

In Plain Language

A risk assessment is the foundation of any sanctions compliance programme. Without understanding where your sanctions risk is concentrated, you cannot allocate screening and due diligence resources effectively.

The EU Sanctions Compliance Helpdesk provides free tools and guidance for SMEs, and lists the risk assessment as one of six essential components of a sanctions compliance programme.

The assessment should cover four dimensions: who are your counterparties and where are they, what products or services do you provide and are any controlled, where do you operate and trade, and how do your delivery and payment channels work. Each dimension should be rated by risk level and proportionate controls assigned.

How to Implement

Map your sanctions risk across four dimensions:

1. Customers and counterparties - Who are they? Where are they based? Who owns them? Do any have links to sanctioned persons, entities, or governments? Are any in circumvention-hub jurisdictions?

2. Products and services - Are any products controlled under Regulation 2021/821 (dual-use) or listed in the Annexes to Regulation 833/2014? Do any have dual-use potential? Are any particularly attractive for circumvention (e.g., semiconductors, luxury goods, oil field equipment)?

3. Geographies - Do you trade with, through, or near sanctioned territories? Check the EU Sanctions Map (sanctionsmap.eu). Do your trade routes pass through circumvention hubs? Where are your operations, warehouses, and offices located?

4. Delivery and payment channels - Are your delivery and payment channels transparent or complex? Do payments route through multiple banks or jurisdictions? Are there intermediaries in the transaction chain?

Rate each area as low, medium, or high risk, record the reasoning behind each rating, and allocate proportionate controls that trace back to it. Higher-risk areas get more frequent screening, deeper due diligence (for example, beneficial-ownership checks on counterparties in circumvention-hub jurisdictions), and closer transaction monitoring; lower-risk areas can rely on standard onboarding screening.

Revisit the risk assessment whenever: sanctions regimes change significantly, you enter new markets or product lines, you onboard a high-risk customer segment, or there is a material change in your business model. At minimum, review annually.

Evidence Your Auditor Will Request

  • Documented sanctions risk assessment covering all four dimensions
  • Risk ratings for each dimension with supporting analysis
  • Control measures allocated proportionally to identified risk levels
  • Evidence of periodic review and updates to the risk assessment
  • Management sign-off on the risk assessment and allocated resources

Common Mistakes

  • No formal sanctions risk assessment - relying on general compliance awareness
  • Risk assessment that is generic and not tailored to the specific business model
  • Assessing only one dimension (e.g., customer screening) while ignoring products and geography
  • Risk assessment performed once and never updated as the business or sanctions landscape changes
  • No link between risk assessment findings and operational compliance measures

Related Controls Across Frameworks

Framework          Control ID                 Relationship
EU Sanctions DD    EU Sanctions DD PROG.1     Related (related mapping)
EU Sanctions DD    EU Sanctions DD PROG.3     Related (related mapping)
EU Sanctions DD    EU Sanctions DD WHO.1      Related (related mapping)
EU Sanctions DD    EU Sanctions DD GEO.1      Related (related mapping)

Frequently Asked Questions

How detailed should the risk assessment be?
Proportionate to your business. A small company trading exclusively within the EU in non-controlled goods needs a simpler assessment than a multinational trading dual-use items with counterparties in circumvention-hub jurisdictions. The key is covering all four dimensions (customers, products, geographies, channels) with enough specificity to identify where your actual risks lie. A two-page risk assessment that accurately maps your risk is better than a fifty-page document that is generic boilerplate.
Do we need external help to conduct the risk assessment?
Not necessarily. For straightforward businesses, the designated compliance officer can conduct the assessment internally using publicly available guidance from the EU Sanctions Compliance Helpdesk. For more complex situations - multinational operations, dual-use products, or exposure to multiple sanctioned jurisdictions - external legal or compliance advisory support may be valuable. The EBA Guidelines do not require external assessment but do require that the assessment is adequate for the business's risk profile.
How does the sanctions risk assessment relate to AML risk assessment?
They are related but distinct. AML risk assessments focus on money laundering and terrorist financing risks; sanctions risk assessments focus on EU restrictive measures compliance. There is overlap - sanctions circumvention often involves money laundering techniques - and many organisations combine them into a single financial crime risk assessment. If combining, ensure that sanctions-specific risks (controlled goods, geographic restrictions, designated person exposure) receive explicit attention and are not subsumed under generic AML categories.
