Write a Business Risk Assessment That Holds Up

February 6, 2026

A regulator rarely asks for your business risk assessment (BRA) because they are curious. They ask because something has already made them doubt whether your controls match your real-world exposure – your customer base, your delivery channels, your geographies, your products, and the way your teams actually make onboarding decisions.

If you are a compliance officer, MLRO, risk lead, or operations director in a regulated environment, the BRA is not a document you “complete”. It is the backbone of the risk-based approach that justifies why you apply Enhanced Due Diligence here, why you set certain thresholds there, and why your monitoring is proportionate rather than performative.

Below is a practical, audit-defensible approach to writing a business risk assessment, with the judgement calls made explicit. That is what stands up under scrutiny.

What a business risk assessment is (and what it is not)

A BRA is your organisation-level view of inherent risk and residual risk across the business, and the rationale for how you allocate controls and resources. In AML terms, it is the bridge between external obligations (laws, guidance, supervisory expectations) and internal execution (CDD, transaction monitoring, screening, training, governance, escalation).

It is not the same as a client risk assessment. Client risk assessments decide whether a specific customer is low, medium, or high risk and what due diligence to apply. The BRA should inform those decisions by setting the risk factors, weightings, escalation triggers, and what “high risk” means in your context.

It is also not a “risk register” of every operational issue. You can reference operational risks where they affect AML and regulatory outcomes (for example, resourcing gaps that lead to overdue reviews), but the BRA should remain focused on the risks that your compliance framework is designed to manage.

Start with scope that mirrors how the business actually operates

Most weak BRAs fail at the first hurdle: scope that reads like an organisational chart, not an operating model. Define what you are assessing in terms a reviewer can map to your day-to-day reality.

Be clear on your business lines, legal entities, and jurisdictions. If you operate across multiple group companies, decide whether you are writing a group BRA with appendices per entity, or separate BRAs. A single group BRA can work if controls are genuinely centralised and consistent; it becomes fragile when entities have different products, customer segments, or local regulatory expectations.

Document your assumptions upfront. If you rely on third parties for onboarding, if certain services are “introduced only”, or if you accept clients solely via intermediaries, say so. These assumptions often explain why your channel risk looks the way it does.

Describe your risk universe in business language

The most useful BRA sections read like a controlled description of how money and value move through your firm.

Write a concise narrative of your products and services, typical transaction sizes, payment rails, and how you make money (fees, commissions, spreads). Explain your onboarding model (fully digital, hybrid, face-to-face), and your typical customer journey from initial enquiry to ongoing monitoring.

Avoid generic descriptions. If you are a payment business, “we facilitate payments” is not informative. A regulator will want to understand what types of merchants you service, whether you offer virtual IBANs, whether funds are held, how chargebacks are handled, and where you have limited visibility.

This narrative is not filler – it sets the context for your inherent risk assessment.

Identify the inherent risk drivers that matter

Inherent risk is your exposure before controls. In AML and broader regulatory compliance, the classic categories still work, but they need to be tailored to your model.

Customers and counterparties

Break down your customer types in a way that reflects onboarding decisions. Individuals vs corporates is rarely enough. Consider categories such as SMEs, complex corporate structures, trusts, charities, regulated financial institutions, PSPs, gaming operators, or professional intermediaries.

Call out characteristics that raise risk: cash-intensive activity, opaque beneficial ownership, frequent changes in directors, nominee arrangements, high volumes of third-party payments, or clients operating in sectors with known predicate offence exposure.

Products and services

Assess which offerings increase velocity, anonymity, or complexity. Products that enable rapid movement of funds, cross-border flows, pooling, or limited information on underlying parties tend to increase inherent risk.

Also note what you do not offer. Explicit exclusions can be a strong control signal, but only if they are implemented in procedures and enforced in onboarding.

Delivery channels

Channel risk is not just “online vs face-to-face”. The question is where impersonation, document fraud, and misrepresentation are most likely, and how quickly issues can scale.

If you use introduced business, agents, affiliates, or reliance arrangements, treat those as distinct channel exposures. The trade-off is efficiency versus direct control. Where you accept it, justify it with oversight and testing.

Geographies

Geography is often reduced to “high-risk countries list”, which is too shallow for a defensible BRA. Consider where clients are based, where beneficial owners reside, where funds originate, where services are delivered, and where counterparties sit.

A UK firm serving global clients may have exposure even if it is not physically present abroad. Explain how you assess country risk and how you handle mixed geographies (for example, a UK company with operations in a higher-risk jurisdiction).

Transaction and behavioural risk

If your model includes transactions, include typologies relevant to your sector: unusually structured payments, rapid in-and-out movement, unexpected third-party involvement, or activity inconsistent with the customer’s stated profile.

Even where you do not process payments directly (for example, corporate services), behavioural signals still matter: reluctance to provide ownership information, pressure to onboard quickly, or frequent changes to service scope.

Score risk in a way that can be defended

A BRA does not have to be mathematical, but it must be consistent. Choose a scoring approach that your organisation can maintain and explain.

A common method is to rate each risk driver by likelihood and impact, then determine an inherent risk score. The crucial point is not the formula – it is the calibration. Define what “high likelihood” means in observable terms (for example, based on historic cases, peer typologies, or exposure volumes), and what “high impact” means (regulatory breach potential, customer harm, reputational damage, financial loss).

Avoid false precision. If you cannot justify why a risk is “3.7”, use bands. What matters is that similar exposures are assessed similarly, and exceptions are documented.

Where you aggregate scores across business lines, be transparent about weighting. Overweighting geography, for example, can hide a product that is risky in a low-risk jurisdiction. Underweighting delivery channels can understate the fraud and impersonation risk inherent in fast digital onboarding.

Map controls to risks – and be honest about effectiveness

This is where BRAs either become credible or collapse into a checkbox exercise. A list of controls is not enough. You need to show that controls exist, are embedded, and reduce risk.

For each material inherent risk, identify the key controls that mitigate it: onboarding procedures, CDD standards, beneficial ownership verification, sanctions and PEP screening, adverse media checks, EDD triggers, approval authorities, transaction monitoring rules, ongoing review cycles, suspicious activity reporting processes, training, and independent testing.

Then assess control effectiveness. Do not mark everything as “effective” because it exists on paper. Use evidence: QA results, internal audit findings, remediation status, management information, sample testing, and known issues.

If a control is partially effective, say why. Perhaps the procedure is clear but adherence is inconsistent. Perhaps screening is configured but alert handling is under-resourced. These are uncomfortable admissions, but they make the residual risk conclusion credible.

Determine residual risk and link it to decisions

Residual risk is what remains after controls. It should drive decisions, not sit in a table.

If residual risk is high for a segment, what does that change? You might tighten acceptance criteria, require EDD as standard, reduce exposure limits, add second-line approvals, strengthen monitoring, or exit that segment entirely. If you accept the risk, document the governance rationale and the compensating controls.

This is also where “it depends” matters. A fintech with strong automated controls may accept a faster onboarding channel than a smaller firm with limited operational capacity. A corporate service provider may accept complex structures where it has specialist due diligence capability and robust escalation, but not where it relies on untested third parties.

The BRA should show that your risk appetite is operational, not aspirational.
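To make the scoring, weighting and residual-risk reasoning above concrete, here is an added Python example written for this article; it is not Complipal's methodology or any firm's actual model. The three-point likelihood and impact scales, the band cut-offs, the two weighting schemes, the control-effectiveness factors and the sample segment are all constructed assumptions. What it shows is how a geography-heavy weighting turns a High product driver into a Low aggregate, why a per-driver check belongs next to the weighted score, and how the residual band moves with evidenced control effectiveness.

```python
"""Banded likelihood x impact scoring, weighted aggregation across risk drivers,
and residual risk after control effectiveness. Example code for this article;
every scale, weight and sample figure below is a constructed assumption."""
from dataclasses import dataclass

# Constructed 3-point scales. The article's point is calibration, so each
# level carries an observable definition rather than a bare number.
LIKELIHOOD = {
    "low": 1,     # no historic cases, low exposure volume
    "medium": 2,  # peer typologies seen, moderate exposure volume
    "high": 3,    # historic cases in the firm, or high exposure volume
}
IMPACT = {
    "low": 1,     # limited customer harm, minor breach potential
    "medium": 2,  # material customer harm or a reportable breach
    "high": 3,    # serious breach, reputational damage, significant loss
}


def band(score: float) -> str:
    """Map a 1..9 score onto a band instead of reporting false precision."""
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def inherent_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 3x3 matrix, giving a score from 1 to 9."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


@dataclass
class Driver:
    """One inherent risk driver (customer, product, channel, geography)."""
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return inherent_score(self.likelihood, self.impact)


def aggregate(drivers: list[Driver], weights: dict[str, float]) -> float:
    """Weighted average of driver scores; weights must sum to 1 so the
    result stays on the 1..9 scale."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total}, expected 1.0")
    return sum(d.score * weights[d.name] for d in drivers)


def masked_high_drivers(drivers: list[Driver], weights: dict[str, float]) -> list[str]:
    """Drivers that are High on their own while the weighted aggregate is not.
    A non-empty result means the weighting is hiding a material exposure."""
    if band(aggregate(drivers, weights)) == "High":
        return []
    return [d.name for d in drivers if band(d.score) == "High"]


# Constructed effectiveness factors: a control that only exists on paper
# reduces nothing; the other two levels must be backed by QA or audit evidence.
CONTROL_EFFECTIVENESS = {
    "ineffective": 0.0,
    "partially effective": 0.4,
    "effective": 0.7,
}


def residual_score(inherent: float, effectiveness: str) -> float:
    """Inherent score reduced by the evidenced effectiveness of key controls."""
    return inherent * (1.0 - CONTROL_EFFECTIVENESS[effectiveness])


# Constructed segment: a high-velocity product sold to UK-based SMEs through
# a digital channel. The product driver is High, geography is Low.
SEGMENT = [
    Driver("customer", "medium", "low"),    # score 2
    Driver("product", "high", "high"),      # score 9
    Driver("channel", "medium", "medium"),  # score 4
    Driver("geography", "low", "low"),      # score 1
]
GEOGRAPHY_HEAVY = {"customer": 0.15, "product": 0.15, "channel": 0.10, "geography": 0.60}
BALANCED = {"customer": 0.25, "product": 0.25, "channel": 0.25, "geography": 0.25}

if __name__ == "__main__":
    for label, weights in (("geography-heavy", GEOGRAPHY_HEAVY), ("balanced", BALANCED)):
        agg = aggregate(SEGMENT, weights)
        print(f"{label}: aggregate {agg:.2f} -> {band(agg)}; "
              f"masked High drivers: {masked_high_drivers(SEGMENT, weights)}")
    product = SEGMENT[1]
    for level in CONTROL_EFFECTIVENESS:
        res = residual_score(product.score, level)
        print(f"product driver with controls {level}: residual {res:.1f} -> {band(res)}")
```

Run it as a script and the geography-heavy scheme reports the segment as Low while the product driver alone is High; the balanced scheme lands on Medium and still masks it. That is the reason for reporting `masked_high_drivers` next to the aggregate: the weighted number is the summary, the per-driver check is the transparency the article asks for. The residual loop shows the same product driver moving from High to Medium to Low only as control effectiveness is evidenced, never merely because a control exists.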

Build governance into the assessment, not around it

A BRA is only as defensible as the governance that maintains it.

Set ownership (typically the MLRO or compliance function), the approval body (board or senior management), and review frequency. Annual reviews are common, but event-driven updates matter more: new products, new jurisdictions, material regulatory updates, onboarding model changes, or a spike in incidents.

Define what management information you use to keep the BRA live: volumes by customer type, high-risk client count, EDD rates, screening alert metrics, overdue reviews, SAR trends, QA outcomes, and audit issues. If you do not have this MI, the BRA should highlight that as a gap – because it limits your ability to evidence a risk-based approach.

If you want a BRA that reads as both practical and supervisory-ready, a specialist partner like Complipal can add value by challenging assumptions, testing control effectiveness, and aligning your risk narrative with what auditors and regulators look for.

Make it usable by the first line

A BRA that cannot be used by onboarding and operations teams will not influence outcomes. Translate the assessment into clear operational consequences.

Your client risk assessment methodology should reflect BRA conclusions: what risk factors are mandatory, what weightings apply, what triggers EDD, and when cases must be escalated. Your procedures should mirror these decisions, and your training should explain the “why”, not just the steps.

If there is a mismatch – for example, the BRA says intermediaries are high risk but the onboarding workflow treats them as routine – fix the workflow or revise the BRA. A reviewer will test alignment by sampling files.

What regulators and auditors tend to test

A defensible BRA anticipates challenge. Reviewers often test whether your BRA is tailored, whether it is current, and whether it is evidenced.

They will look for consistency between your BRA, your policies, your file decisions, and your monitoring outcomes. They will also examine whether weaknesses identified in audits or QA are reflected in control effectiveness and residual risk. If you have known backlogs, weak adverse media handling, or inconsistent beneficial ownership verification, a BRA that still concludes “low residual risk” will not be persuasive.

Finally, they will test whether governance is real: board engagement, documented approvals, clear actions, and tracked remediation.

Closing thought

A strong business risk assessment is not the neatest document in your compliance folder – it is the one that forces clear choices. When you write it as a decision tool, with evidence and honest trade-offs, you give your business something more valuable than “coverage”: you give it a defensible way to grow without inheriting risks it cannot control.