Every control you build should trace back to a risk you have identified. That is why the business-wide risk assessment (BWRA, known as the SIRA in the Netherlands) sits at the foundation of an AML framework, and why examiners start there. Get it wrong and everything above it is built on sand.
1. What it is
The BWRA is your structured, enterprise-wide view of the money-laundering and terrorist-financing risk your business is exposed to. It is not a policy and not a tick-box form. It is the analysis that justifies where you focus effort and spend.
2. The building blocks
- Risk factors across customers, products and services, delivery channels, and geographies.
- Inherent risk (before controls), assessed honestly, and then residual risk after the controls that actually exist, not the ones the policy says should exist.
- A documented methodology: how you score, weight and aggregate, so the conclusions are repeatable rather than a matter of opinion.
3. The weaknesses I see most often
- Generic, copy-paste assessments that could belong to any firm.
- No clear link between an identified risk and the control meant to mitigate it.
- A document that was written once and never refreshed.
- Scores with no rationale, so no one can explain why a risk is "medium".
4. Linking risk to controls
This is the part examiners probe hardest. For each material risk, you should be able to point to the specific control that addresses it, and to evidence that the control works. A risk-and-control matrix that makes those links explicit is worth far more than pages of narrative.
5. Keeping it alive
A good BWRA is reviewed on a defined cycle and re-run when something material changes: a new product, a new market, a new typology, or a regulatory shift such as the incoming EU AML rulebook. It should be approved at the right level and visible to the board.
Key takeaways
- The BWRA is the foundation of the framework and the first thing a regulator tests.
- Cover customers, products, channels and geography, with inherent and residual risk and a documented method.
- Every material risk should link to a specific control, with evidence that it works.
- Refresh it on a cycle and on trigger events, and have it approved and seen by the board.