Context
A lot of people understand the importance of good compliance and risk management. When nothing happens (no fines, no complaints, no emergencies), most people within a business rarely have insight into the compliance and risk team's functions and to-do lists. Good risk prevention is often quiet. However, there is a hard lesson the industry keeps relearning: risk does not tend to move gradually. Roman Abramovich went from a decades-long low-touch client profile to an instant global sanctions case. Overnight, he demonstrated what many firms still underestimate: that client risk profiles can change without warning, and that only a genuinely dynamic business-wide risk assessment (BWRA) framework can catch the shift in time.
The FCA’s recent multi-firm review of BWRAs and Customer Risk Assessments (CRAs) reinforces that static frameworks, weak analysis and generalised risk statements are not acceptable. Though the review focussed on a subset of firms, the FCA’s expectation, as ever, is that its findings are relevant for all firms and MLROs. Regulated firms that treat the BWRA as an annual formality rather than a living risk radar will struggle to remain compliant, commercially resilient and operationally safe. The FCA expects rigorous analysis, clear logic, robust evidence and real-time responsiveness.
Why a BWRA matters is not a regulatory box-ticking question: it underpins the financial services regulatory structure. Under the Money Laundering Regulations 2017, the Financial Crime Guide, SYSC, JMLSG guidance and FATF expectations, firms must understand and evidence how their business model generates financial crime, fraud, market conduct and regulatory risks. For asset managers, this obligation is amplified: diverse client segments, complex products, delegated arrangements and third-party distribution create layered vulnerabilities. When the business model shifts (new markets, new strategies, new investors, new channels), the risk profile shifts with it. An agile BWRA is the mechanism that detects those shifts before they metastasise into regulatory failure.
The FCA’s recent publication documents that many firms do technically produce BWRAs, but too few can plausibly explain why the resulting risk ratings are what they are, or how they connect to the real business environment. The regulator specifically criticised firms that rely on broad narrative descriptions, generic AML statements or recycled text that does not differentiate between divisions or business lines. When firms could not articulate their inherent risks, could not provide data to support their weightings, or could not show how risk appetite and CRAs interconnect, the FCA concluded that the BWRA was superficial.
Good and poor practice summary
Strong firms, which treated the BWRA as a core business management tool, were able to:
- describe a clear relationship between their risk appetite, their BWRA, their CRA model and the controls they operate,
- demonstrate, quantitatively and qualitatively, where the risk areas are,
- understand the nuances between inherent, control and residual risk,
- produce MI to justify risk-taking positions, including supporting technology upgrades or automation decisions,
- integrate financial crime considerations into strategy, product development, sales and operational planning, hiring strategy and budgets,
- explain how risk changes when the business grows.
Firms that demonstrated poor practice:
- relied on unsubstantiated “low risk” assessments,
- lacked metrics, data inputs, or any evidence of internal challenge,
- could not show how inherent risks were identified,
- made risk conclusions without analysis,
- did not track BWRA actions or assign owners,
- expanded products or client types without adjusting controls,
- demonstrated “hollow” governance: boards claimed to understand fraud but could not articulate where it could emerge in their own processes,
- did not update the BWRA when trigger events occurred,
- did not operate a dynamic BWRA.
Summary
The BWRA is not only about financial crime, though it is important to incorporate the evolving risks around financial crime. Fraud is now a prosecutable failure-to-prevent offence. Conduct risk is a central regulatory priority. Consumer Duty requires forward-looking risk assessments of client outcomes and prevention of foreseeable harms. Market abuse risks evolve with trading models, new asset classes and expanded communication networks, while cross-border exposure, including ESG-related and AML-related requirements, introduces additional regulatory complexity. These risks intersect with incentives, operational processes, reporting accuracy and product governance. Fraud emerges where controls fail, where oversight is inconsistent, or where incentives misalign. Conduct failures emerge where culture weakens or where employees feel pressure to deliver numbers. These are business risks, not only compliance risks.
What is missing industry-wide is integration. Too many BWRAs sit in isolation, disconnected from the compliance monitoring plan, the conduct risk framework, the SMCR accountability map, operational resilience mapping, vendor oversight, product governance and the fraud prevention programme. A BWRA that does not directly shape monitoring, training, control enhancement and resource allocation is not credible. Likewise, a BWRA that does not feed into MI and board reporting is simply not being used.
To build agility, firms need to start by mapping their business model, business lines, client types, revenue drivers, outsourced dependencies and core processes before identifying risks. They should assess each division across operational, financial crime/fraud, conduct/compliance and regulatory change domains iteratively. Every division should articulate its actual activities, its real scenarios and the control environment supporting them, which should then be consolidated into a firm-wide view.
Practical base checklist for firms
a) Foundation: Understanding the Business
- Map core business lines, products and revenue drivers
- Map client segments and investor profiles
- Identify critical third parties and outsourced processes
- Document core workflows in front, middle, back office and control functions
- Confirm where financial crime, conduct and fraud risks can emerge in each activity
b) Inherent Risk Identification
- Evidence how inherent risks were identified (data sources, MI, incident logs, horizon scanning)
- Ensure each division has articulated specific risk scenarios (not generic categories)
- Confirm risks are both qualitative and quantitative
- Validate fraud-adjacent exposures (valuation, reporting, payments, data access, distributor behaviour)
- Confirm coverage of cross-cutting risks: conflicts, cyber, third-party risk, incentives, model risk, outsourcing
c) Control Environment Assessment
- Map preventive, detective and supervisory controls to each risk scenario
- Assess design and operating effectiveness with evidence (testing results, KPIs, incidents, thematic reviews)
- Identify controls originally built for AML/ABC that also mitigate fraud, ensuring gaps are captured
- Assess whether compliance and financial crime teams have capacity for current and future business scale
- Challenge whether controls keep pace with product, client or geographic expansion
d) Residual Risk Evaluation
- Use consistent metrics: inherent risk, control strength, residual risk
- Add a Failure-to-Prevent Fraud impact flag for relevant risks
- Include regulatory exposure and client detriment exposure
- Ensure no residual risk is labelled “low” without data or supporting rationale
- Conduct benchmarking against peer expectations and FCA commentary
e) Governance and Oversight
- Confirm board challenge is documented and substantive
- Review minutes for risk assessment discussions, approvals and escalations
- Ensure the head of compliance/MLRO participates in product, strategy, sales and change committees
- Check clear ownership of BWRA actions and deadlines
- Validate that senior managers understand financial crime, conduct and fraud risks in context of their functions
f) Integration With the Wider Framework
- BWRA must feed into the compliance monitoring plan
- BWRA must influence conduct risk dashboards and SMCR accountability
- Outputs should link to financial crime processes (CDD, transaction monitoring, surveillance)
- Confirm alignment with product governance assessments and distribution oversight
- Ensure operational resilience, third-party oversight and change management processes reflect BWRA outcomes
- Cross-reference with the fraud prevention programme, training plan and resource allocation
g) Dynamic Review Triggers
- Establish triggers for interim updates (new clients, new markets, operational incidents, regulatory publications, thematic findings)
- Evidence responsiveness to trigger events
- Conduct periodic refresh of methodology to reflect emerging risks
- Integrate scenario analysis and thematic stress tests
h) Evidence, Documentation and MI
- Maintain version control and a clear methodology document
- Record data inputs, MI sources and analysis steps
- Ensure action tracking is systematic and periodically reviewed
- Provide MI to the board that reflects residual risk, control gaps and planned enhancements
- Ensure the BWRA is accessible, understood and updated by relevant stakeholders
i) Validation and Assurance
- Ensure internal audit (or independent assurance) assesses BWRA design and effectiveness
- Check for alignment with regulatory requirements and expectations
- Validate that the BWRA is consistent with the firm’s overall risk appetite
- Confirm that rectification plans are realistic, funded and monitored
This checklist is not exhaustive. For bespoke support, please contact the Elira Solutions team.