There’s no regulatory or international standard that asks for it. Wolfsberg’s 2015 FAQ on risk assessments doesn’t require it.
So why am I about to take the time to convince you that control mapping is essential to any credible Business Wide Risk Assessment (BWRA)?
Because without it, your risk assessment is little more than words on a page. You might satisfy a regulator in the short term, but you won’t truly know if your business risks are being managed.
In over two decades in financial crime risk management and working on risk assessments, I’ve seen this many times: firms list their risks, give a subjective view of control effectiveness, and stop there.
What’s missing is the proof that every risk is adequately covered by a control. If you’re not mapping risks to controls, you’re missing out on the strongest way to demonstrate that your framework is effective – and storing up problems for the future.
Even if the regulator doesn’t ask about your controls directly, Skilled Persons, Independent Experts or Monitors (depending on your regulatory regime) almost certainly will. Their first line of questioning is nearly always the same: how do you know you have managed all your risks?
Without a structured risk and control assessment, you’ll be left making assertions rather than providing assurance.
That evidence can take different forms. A single control may mitigate several risks, or a single risk may need multiple controls. In practice, the relationships are often many-to-many. Mapping is about making those links explicit so you can show that every material risk is covered.
For the purposes of this discussion, let’s leave to one side independent assurance of each control. Important as it is, expecting it to happen annually is just impracticable.
The irony is that many firms avoid control mapping because they see it as too complex or too resource intensive. In reality, the absence of control mapping is what makes risk assessments so manual and unwieldy. Each cycle ends up relying on teams stitching together subjective judgements in Excel, with limited challenge or consistency.
When you invest in proper control mapping, you remove much of that subjectivity. Risks are linked to controls in a structured way, overlaps and gaps become clear, and assurance work can focus on testing rather than interpretation. It may be painful to get started and expensive to do it properly, but once embedded it saves time, reduces cost, and produces outcomes that are far more robust. Of course, in ‘group company’ situations there is a good deal of work on definitions and alignment to do, but bear with me on the benefits of the concept more broadly.
Take sanctions risk. A poor BWRA will just state: “We screen customers against sanctions lists and consider this effective.” That tells you nothing. A proper mapping sets out the risk – onboarding a sanctioned individual or entity – and links it to the actual controls in place, like real-time screening at onboarding and daily batch screening of the customer base. It then shows how those controls are tested: hit-rate analysis, sample testing, and MI on false positives and true matches. That is the difference between making an assertion and showing evidence that the risk is genuinely managed.
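The many-to-many structure described above (one control covering several risks, one risk needing several controls, each control backed by named tests) is easy to make explicit in code. The script below is an added illustration, not a tool from the original article or from any vendor it mentions; the risk register, control library and mapping are constructed sample data that reuse the sanctions and beneficial-ownership examples from this article. Its functions surface exactly the questions a reviewer asks: which risks have no control, which controls map to nothing, which mapped controls are still unevidenced assertions, and which risks rest on a single control.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Risk:
    id: str
    description: str


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    # How effectiveness is evidenced; empty means the control is asserted, not tested.
    tests: Tuple[str, ...] = ()


# Constructed sample register: illustrative only, not any institution's real data.
RISKS: Dict[str, Risk] = {
    "R1": Risk("R1", "Onboarding a sanctioned individual or entity"),
    "R2": Risk("R2", "Onboarding a customer under a false or stolen identity"),
    "R3": Risk("R3", "Hidden beneficial ownership behind a corporate customer"),
}

CONTROLS: Dict[str, Control] = {
    "C1": Control("C1", "Real-time sanctions screening at onboarding",
                  ("hit-rate analysis", "sample testing",
                   "MI on false positives and true matches")),
    "C2": Control("C2", "Daily batch sanctions screening of the customer base",
                  ("hit-rate analysis", "MI on false positives and true matches")),
    "C3": Control("C3", "Identity verification of the primary customer",
                  ("sample testing",)),
    "C4": Control("C4", "Quarterly sanctions list update review"),  # no test defined yet
}

# Many-to-many mapping: each risk id -> the set of control ids that mitigate it.
MAPPING: Dict[str, Set[str]] = {
    "R1": {"C1", "C2"},
    "R2": {"C3"},
    "R3": set(),  # nobody has linked a control to this risk
}


def uncovered_risks(risks: Dict[str, Risk], mapping: Dict[str, Set[str]]) -> List[str]:
    """Risks with no mapped control: the gap a reviewer will find first."""
    return sorted(r for r in risks if not mapping.get(r))


def orphan_controls(controls: Dict[str, Control], mapping: Dict[str, Set[str]]) -> List[str]:
    """Controls mapped to no risk: either cost without purpose or a missing link."""
    used: Set[str] = set().union(*mapping.values())
    return sorted(c for c in controls if c not in used)


def unevidenced_controls(controls: Dict[str, Control]) -> List[str]:
    """Controls with no defined test: still an assertion rather than assurance."""
    return sorted(c.id for c in controls.values() if not c.tests)


def dangling_references(controls: Dict[str, Control], mapping: Dict[str, Set[str]]) -> List[str]:
    """Mapping entries pointing at control ids that do not exist in the library."""
    return sorted(c for cs in mapping.values() for c in cs if c not in controls)


def single_control_risks(mapping: Dict[str, Set[str]]) -> List[str]:
    """Risks relying on exactly one control; a candidate for a compensating control."""
    return sorted(r for r, cs in mapping.items() if len(cs) == 1)


def coverage_report(risks, controls, mapping) -> Dict[str, List[str]]:
    """Bundle every finding so the result can be tabled, diffed or tracked cycle to cycle."""
    return {
        "uncovered_risks": uncovered_risks(risks, mapping),
        "orphan_controls": orphan_controls(controls, mapping),
        "unevidenced_controls": unevidenced_controls(controls),
        "dangling_references": dangling_references(controls, mapping),
        "single_control_risks": single_control_risks(mapping),
    }


if __name__ == "__main__":
    for finding, ids in coverage_report(RISKS, CONTROLS, MAPPING).items():
        print(f"{finding}: {ids}")
```

Run as-is, the report flags R3 (hidden beneficial ownership) as uncovered even though identity verification exists, which is precisely the silo problem the article describes: a control judged effective for one risk says nothing about a neighbouring one until the link is made explicit. Because the findings are plain lists, the same report can be re-run every cycle and compared against the previous one, which is what turns a one-off assessment into something repeatable.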
The technology now exists to support this. Vendors like Arctic Intelligence have built platforms that allow firms to configure control mapping more efficiently. But they are not silver bullets. Every platform still needs configuration, integration and advisory input to make it fit the institution’s operating model. The value of these tools is that they make that process faster, repeatable and easier to embed into business-as-usual.
What’s true for BWRAs can also apply to Risk and Control Self-Assessments (RCSAs). In principle, an RCSA is designed to address control issues by creating a control library, linking it to risks, and testing systematically whether the controls are effective.
However, in practice, many institutions fall short with their RCSAs. Some banks do not include financial crime in their RCSA at all, assuming the BWRA will cover it separately. That approach leaves a blind spot, because it means the financial crime framework never benefits from the same control mapping discipline applied elsewhere.
I once worked with a bank where the RCSA amounted to little more than a tick-box exercise, effectively asking “Do you have financial crime controls – yes or no?”. It didn't give anybody any comfort. When we tried to go deeper, the process stalled. Line 1 drafted controls, Line 2 rejected them, and everything had to be restarted. It eventually took four attempts and the secondment of staff across both lines before the bank could agree on definitions and move forward. Painful, expensive, and politically fraught – but once it was finally done properly, senior management had a reliable picture of whether their top risks were genuinely being managed.
I will be honest. In the same way RCSAs are a pain to get right, so too are well structured BWRAs. They take time, money and, sometimes, political capital. But when they are done properly, the results are worth it. They cut through subjectivity and provide evidence that stands up to scrutiny.
Without mapping (whether via the RCSA-style approach or separately catalogued), BWRAs fall back on subjective assessments that sit in silos. For example, a KYC process might be judged as effective because it verifies a primary customer’s identity, but that does not mean it mitigates the risk of hidden beneficial ownership. The connection between risk and control might exist, but it’s fragile, inconsistent and difficult to maintain across multiple siloed spreadsheets. Even experienced assessors can miss obvious connections or misinterpret the evidence, which is why many BWRAs end up as fragile and hard to defend.
Control mapping is not about satisfying a line in regulatory guidance. It’s about doing the job properly.
If you want assessments that stand up to challenge, that avoid the waste of stale data and subjective judgements, and that give leaders confidence they are not missing the obvious, then control mapping should not be optional.
If you would value an independent view on your current approach, I’d be happy to help with a free peer review call. A fresh perspective often highlights gaps that are easy to miss from inside the process. You can book a slot here: https://meetings.hubspot.com/edgar-noden/risk-assessments.