If you’re an MLRO or Head of Financial Crime, your year is probably a race between the Business-Wide Risk Assessment (BWRA), the MLRO report, and the REP-CRIM return - each one relying on the other’s outputs to be credible.
In theory, the BWRA should be done first. In reality, it often drags on so long that you’re already writing the MLRO report and submitting a “reasonable endeavours” REP-CRIM before the BWRA is anywhere near finished. That means resorting to outdated data, hurried estimates, or whatever numbers you can scrape together - and those unreliable inputs end up in front of the ExCo and Board.
It’s a broken cycle: half-finished assessments feed rushed reports, which then seed next year’s problems. The only way to fix it is to fix the BWRA itself - make it faster, better timed, and high enough quality to genuinely inform the rest, instead of undermining their accuracy and credibility.
I’ve been there myself. I’ve built and defended risk frameworks inside banks. I know the pain of spreadsheet-based BWRAs and stressful looming deadlines.
A BWRA is a months-long, manual slog, chasing inputs from every business line and function, trying to pin down the information you need just to get the basics right. Pulling together endless data on country exposures, customer exits, PEPs, sanctions, SARs - often from systems that were never designed for this purpose. While all of this is going on, you’re expected to update risk appetite, finalise change programmes, evidence what’s improved (or quietly slipped) since last year, and somehow craft a coherent story of year-on-year progress.
What's worse is the goalposts never stay put. Boards change their meeting dates, teams miss deadlines, and the cycles you need to align (MLRO reports, REP-CRIM returns and risk assessments) rarely line up in practice. All these headaches inevitably lead to inconsistencies in the risk assessment process, such as poor control mapping, data gaps and conflicting narratives.
Given these issues, it's not uncommon to issue reports with noted exceptions - open actions, incomplete data, or caveats tucked into appendices. The hope is that this will buy another year, and that it’s ‘good enough’ for now.
But relying on exceptions is a risky habit. Each time a firm issues a report with open questions or unaddressed gaps, it’s creating a trail for regulators to follow - and to challenge. The more exceptions you carry forward, the harder it becomes to demonstrate control, progress or credibility.
Regulators have made it clear that vague or inconsistent risk assessments won’t survive scrutiny. Each gap, each unaddressed exception, is a smoking gun for supervisors:
- In 2023, ADM Investor Services International Limited was fined £6.4 million, with the FCA stating that it “failed to implement a firm-wide financial crime risk assessment”.
- Monzo’s recent £21 million fine for failings in their fincrime controls included FCA criticism that they “failed to design, implement and maintain... customer risk assessment... systems to mitigate the risk of financial crime”.
Your Board will be alert to these risks, and will want to see evidence that you’re managing them effectively. You can expect awkward questions if your BWRA process isn’t up to scratch.
I often hear the same objections when I raise the issue of fixing the BWRA process:
“It’s not my top priority” / “there’s no budget to fix this” / “it’s not broken, it just takes time… ”
Regulators think otherwise. The regulator often comments on the market’s poor approach to BWRA (see the Dear CEO letter from 2021, as well as the fines noted above), and with new requirements like the Failure to Prevent Fraud offence and the refreshed National Risk Assessment, the bar is rising. Waiting only widens the gap.
“We can muddle through on exceptions”
As I’ve explained above, stacked exceptions undermine credibility and invite a tougher review next time. Each temporary patch is a future landmine.
“We'll look at it in six months”
By then, you’ve missed the window. BWRA cycles take time to correct. Leaving it late risks running straight into the next reporting deadline with the same problems. Ad hoc or side-of-desk corrective actions simply undermine the ability to do a credible side-by-side analysis against previous years (assuming you actually did finish the previous year and it didn’t just blend into the current year process!).
A high-performing BWRA process is structured, digitised and aligned:
- Data flows in from across the business without endless manual collection.
- Controls are mapped clearly, with the evidence collected and reported automatically to demonstrate coverage and effectiveness.
- Reporting cycles - from MLRO reports to regulatory returns - are aligned, so the narrative is always consistent and credible.
You probably know that digitisation can streamline your risk assessment process. When done well, it delivers tangible benefits: faster cycles, fewer bottlenecks, and renewed board-level confidence. Most importantly, a well-structured BWRA process can turn a compliance chore into a driver of real performance improvement.
But even the best tools won’t fix a broken process or make control mapping magically clearer - and regardless, you may not have had the time or resources to make it happen.
The good news is that progress doesn’t require a two-year transformation. We’ve worked through these issues with many clients in recent years, and we know how to help you achieve a slicker BWRA cycle:
1. A focused diagnostic can quickly pinpoint where your risk assessment process is falling short - whether it’s data gaps, methodology flaws, or manual blockers.
2. The next step is to create a clear roadmap, showing what to digitise, automate, or simplify first. And it doesn’t all have to be done in one mammoth, expensive project.
3. Finally, it’s crucial to embed the fixes so the BWRA becomes a living tool rather than an annual headache.
This approach isn’t about finding fault. It’s about helping you build a risk assessment cycle that’s easier to manage year after year. For leaders under pressure to deliver more with less, it’s a pragmatic route: a clear, credible fix that stops today’s frustrations from becoming tomorrow’s damaging findings.
A broken risk assessment process is a liability. Every cycle you delay leaves you exposed, inefficient and reactive. Fixing it quickly restores control, saves time, and puts you on the front foot with regulators and the board.
If your BWRA process feels like an obstacle instead of an enabler, now is the moment to change it. Our diagnostic and pathway approach can take you from today’s manual pain to tomorrow’s best practice - and turn risk assessment into a real performance driver.
We know this is a challenge many of our clients face, so we’ve decided to focus on it over the coming weeks - sharing practical tips, guidance, and articles to help you get it right. Follow us on LinkedIn so you don’t miss out.