How to Build a Sanctions Risk Score: The Methodology Behind a Defensible Compliance Risk Assessment
A practical guide for compliance professionals on how to calculate a defensible sanctions risk score, covering customer risk, geography risk, product and service risk, and transaction risk, with guidance on inherent versus residual risk and audit-ready documentation.
A sanctions risk score is only as useful as the methodology that produces it. Too many organisations assign risk ratings to customers and counterparties without a documented, auditable framework, relying instead on operational instinct or template-driven checklists that cannot withstand regulatory scrutiny. When an enforcement action arrives, the question is not simply whether screening was performed, but whether the organisation can demonstrate that its risk assessments were structured, consistently applied, and grounded in a defensible methodology.
This article sets out the four core dimensions of a sanctions risk assessment, explains how inherent and residual risk interact, and identifies the design choices that determine whether an assessment will hold up under audit. Organisations that want to benchmark their current exposure can use the sanctions.io Global Risk Exposure Calculator as a practical starting point.
Why Sanctions Risk Scoring Is Its Own Discipline
Sanctions compliance and AML compliance share structural similarities but are not the same discipline. In an AML framework, the central question is whether a customer might be laundering proceeds of crime. In a sanctions framework, the question is whether the organisation might engage in a transaction or relationship that is prohibited by law, regardless of whether any predicate crime has occurred.
While there is no one-size-fits-all risk assessment, the exercise should generally consist of a holistic review of the organisation from top to bottom, assessing its touchpoints to the outside world, to identify potential areas in which it may, directly or indirectly, engage in a transaction or relationship prohibited by OFAC or other applicable sanctions authorities. That principle applies equally to organisations subject to EU, UN, or UK sanctions regimes. The underlying logic, assessing exposure across customers, products, geographies, and transactions, is consistent with what regulators and auditors will look for everywhere.
The Four Dimensions of a Sanctions Risk Assessment
Customer Risk
Customer risk asks, for each customer or segment, what the probability is that the relationship could result in a prohibited transaction. The factors that drive it include nationality, country of residence, business type, ownership structure, PEP status, and whether transaction behaviour is consistent with the customer's stated purpose.
PEP status matters in a sanctions context, not only in the AML context, because certain politically exposed persons are connected to designated governments, state-owned enterprises, or sanctioned jurisdictions. A clean screening result against the SDN list or the EU consolidated list does not mean a customer presents no sanctions risk. It means they are not currently designated, which is a different assessment. Customer risk is also not static: high-risk customers require quarterly reassessment or more frequent automated re-screening, since designation status can change with no prior notice.
Geographic Risk
Geographic risk evaluates exposure from where the organisation operates, where customers are based, and what jurisdictions intermediate the flow of funds. It is often the most heavily weighted component in a sanctions risk score because the link between geography and regulatory prohibition is more direct than for other dimensions.
The clearest indicators are connections to comprehensively sanctioned jurisdictions: Cuba, Iran, North Korea, Syria, Russia (under several overlapping sanctions programmes), and the Crimea, Donetsk, and Luhansk regions of Ukraine. These are not high-risk jurisdictions in the AML sense. They are jurisdictions where most transactions are prohibited by law regardless of intent. Beyond these, geographic risk covers countries subject to targeted sanctions, regions with elevated evasion activity, and transshipment jurisdictions.
OFAC encourages financial institutions to allocate compliance resources towards the areas of greatest risk, such as the products, services, business lines, and locations most likely to be used to facilitate activity involving sanctioned entities. For organisations with Russia exposure, this means particular vigilance around the Central Asian and Caucasus transshipment routes identified in OFAC and EU guidance.
Product and Service Risk
Product risk addresses which of the organisation's activities are most susceptible to sanctions evasion. This dimension is frequently underweighted, particularly by FinTechs who concentrate compliance energy on customer-level screening without examining how product design affects overall exposure.
High-risk products share certain characteristics: fast settlement that reduces the screening window, cross-border reach, anonymisation features, and structural complexity that obscures the origin and destination of value. Cryptocurrency products, instant payment rails, prepaid cards, and cross-border remittance services all appear regularly in OFAC enforcement actions.
Common compliance programme breakdowns are tied to limitations in screening software or filters, improper due diligence on customers, and utilising non-standard payment or commercial parties, each of which maps directly onto product design decisions. Where a product's inherent risk is high and available controls are limited by its design, the right response may be reconsidering the product's parameters, not simply accepting a high residual risk.
Transaction Risk
Transaction risk captures exposure from specific payment patterns, regardless of the customer's baseline risk rating or the product's general profile. It operates as a dynamic overlay on static onboarding scores, catching anomalies that emerge only through observed behaviour.
Red flags include payments to jurisdictions not disclosed at onboarding, unusual routing that introduces unexplained intermediaries, volumes inconsistent with the customer's stated purpose, structured payments designed to stay below thresholds, and third-party payers or beneficiaries with no clear relationship to the account holder. Critically, the response in a sanctions context must be faster than in AML: where an AML alert might justify enhanced monitoring over days, a sanctions alert may require immediate transaction interdiction.
Inherent Risk, Control Effectiveness, and Residual Risk
Once the four dimensions are assessed, they must be combined into a score that reflects not just raw exposure but the effectiveness of controls in place. This requires a clear distinction between inherent and residual risk.
Inherent risk is the exposure the organisation would face with no controls at all. Residual risk is what remains after controls are applied and verified as effective. The formula is straightforward: residual risk equals inherent risk minus control effectiveness. The practical challenge is that control effectiveness is not self-certifying.
A screening system covering only the OFAC SDN list, or running on a 24-hour batch cycle, reduces inherent risk by a fraction of what a comprehensive real-time system achieves. The control effectiveness score must reflect what the control actually does, not what it is designed to do in theory.
Why the Story Behind the Score Matters
Two risk areas can land on the same medium residual rating for entirely different reasons: one because strong controls brought a high inherent risk down, another because a moderate inherent risk has almost no mitigation at all. If these are collapsed into a single score without explanation, the story behind the number is lost, and that story is what should drive testing priorities, resource allocation, and board reporting. A "medium" residual risk backed by well-tested controls on a high inherent risk exposure is fundamentally different from a "medium" rating sitting on top of weak controls, even if the number is the same.
Weighting the Risk Dimensions
The four dimensions are not equally weighted in every business context, and a methodology that assigns identical importance to each regardless of business model will produce scores that do not reflect actual exposure. Geography and customer risk tend to carry higher weights in most sanctions contexts. Product risk weight should increase where the portfolio includes high-speed or anonymous payment mechanisms. Transaction risk is often treated as a dynamic adjustment applied through monitoring rather than a fixed component of the base score.
Whatever weights are chosen, they must be documented, reviewed periodically, and updated when the business model changes materially. A methodology built for a domestic customer base is not fit for purpose after international expansion. A methodology calibrated for fiat payments must be revisited when a crypto product is launched.
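As an added illustration (not code from the article or from sanctions.io), the following Python sketch carries the inherent/residual calculation, the per-dimension story behind a "medium" rating, and documented weights through one constructed assessment. The 1..5 scale, the rating bands, the weights, and the control effectiveness figures are all assumptions chosen for the example; control effectiveness is modelled as the verified fraction of inherent exposure a control actually removes.

```python
from dataclasses import dataclass

# Constructed conventions (assumptions, not from the article): inherent exposure
# on a 1..5 scale; control effectiveness as the tested fraction (0.0..1.0) of that
# exposure the control really removes, not what it removes on paper.

@dataclass
class Dimension:
    name: str
    inherent: float      # 1 (low) .. 5 (high), exposure with no controls at all
    control_eff: float   # 0.0 (no mitigation) .. 1.0 (fully mitigated and verified)
    rationale: str       # documented basis for both figures, kept for the audit trail

    def residual(self) -> float:
        # Residual = inherent minus what verified controls take away.
        return round(self.inherent * (1.0 - self.control_eff), 2)

def band(score: float) -> str:
    # Constructed rating bands on the 1..5 scale.
    return "high" if score >= 3.5 else "medium" if score >= 2.0 else "low"

def driver(d: Dimension) -> str:
    # Preserve the story behind the number, not just the number.
    if d.inherent >= 4 and d.control_eff >= 0.5:
        return "high inherent exposure brought down by strong, tested controls"
    if d.control_eff < 0.25:
        return "weak or unverified controls sitting on the underlying exposure"
    return "moderate exposure with partial controls"

def assess(dims: list, weights: dict) -> dict:
    # Weights are a documented choice per business model and must sum to 1.
    if abs(sum(weights.values()) - 1.0) > 1e-9 or set(weights) != {d.name for d in dims}:
        raise ValueError("every dimension needs exactly one weight; weights must sum to 1")
    rows, inherent, residual = [], 0.0, 0.0
    for d in dims:
        w = weights[d.name]
        rows.append({"dimension": d.name, "weight": w, "inherent": d.inherent,
                     "control_eff": d.control_eff, "residual": d.residual(),
                     "band": band(d.residual()), "driver": driver(d), "rationale": d.rationale})
        inherent += w * d.inherent
        residual += w * d.residual()
    return {"rows": rows, "inherent": round(inherent, 2),
            "residual": round(residual, 2), "band": band(round(residual, 2))}

# Constructed example: geography and customer land on the same "medium" residual
# for opposite reasons, which the per-row driver keeps visible.
EXAMPLE = [
    Dimension("geography", 5.0, 0.5, "transshipment-corridor exposure; real-time multi-list screening, tested"),
    Dimension("customer", 3.0, 0.1, "mixed retail book; SDN-only screening on a 24-hour batch cycle"),
    Dimension("product", 4.0, 0.6, "instant cross-border rail; pre-settlement screening hold"),
    Dimension("transaction", 2.0, 0.0, "monitoring rules not yet calibrated, treated as unmitigated"),
]
WEIGHTS = {"geography": 0.4, "customer": 0.3, "product": 0.2, "transaction": 0.1}
```

Running `assess(EXAMPLE, WEIGHTS)` gives a weighted inherent score of 3.9 and a residual of 2.33 (medium), with each row carrying the weight, the control figure, the driver, and the rationale a reviewer would need to reproduce the rating.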
Building and Maintaining an Auditable Score
The practical output of a sanctions risk assessment is not just a rating. It is a documented record of how that rating was reached, what data was used, what controls were applied, and what residual exposure remains. Regulators do not simply check whether a score exists; they test whether the process that produced it is consistent, rational, and current.
At minimum, the documentation must cover: the risk factors assessed for each dimension, the data sources used, the scoring scale, the control effectiveness evaluation for each relevant control, the resulting inherent and residual scores, the rationale for any deviation from the standard methodology, and the sign-off chain. Where the assessment feeds into an automated scoring system, the logic embedded in that system must be documented separately from the output, so a reviewer can verify the tool is implementing the intended methodology.
A risk assessment that was accurate in 2023 but has not been updated since a market expansion or new product launch is not an accurate reflection of current exposure. Regulators treat a stale assessment as evidence that the compliance programme is not functioning as designed.
Connecting the Score to Screening Infrastructure
A risk score is only operationally useful if it drives the screening and monitoring infrastructure that acts on it. A high-risk customer should trigger screening against a broader set of lists, more frequent re-screening, and manual review of fuzzy matches. A low-risk customer in a non-sensitive jurisdiction may appropriately receive a lighter screening profile, provided that decision is documented and justified.
The same logic applies to transaction monitoring. High transaction risk indicators should feed directly into alert generation rules, with thresholds calibrated to the organisation's documented risk appetite. A risk score that sits in a document but does not change how the organisation screens, monitors, or makes decisions about customer relationships is not a compliance programme. It is a record.
The sanctions.io Global Risk Exposure Calculator provides a structured way to apply this methodology and benchmark exposure across all four dimensions before beginning the formal assessment process.
sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered matching and an enterprise-grade API with 99.99% uptime are among the reasons customers around the world trust us with their compliance efforts and sanctions screening needs.
To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.
We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).
