12 September 2025

Why the Industry’s Use of the BWRA Remains Critically Ineffective

The Business-Wide Risk Assessment (BWRA) should be the backbone of every firm’s financial crime framework. It is designed to help identify, prioritise, and mitigate money laundering, terrorist financing, and wider financial crime threats. Yet enforcement cases, thematic reviews, and regulatory findings continue to show that the BWRA is too often reduced to a compliance artefact: polished on paper, hollow in practice. 

The Illusion of Control: A Decade of Déjà Vu 

The FCA’s first thematic review on firm-wide risk assessments, TR14/16, in 2014 highlighted that firms were not stepping back to assess systemic risks. Instead, many relied narrowly on customer-level assessments, missing the bigger picture of how risks accumulate across the business. 

A decade on, the same issues persist. Monzo’s fine revealed a framework that assumed controls existed and were effective, while in reality enhanced due diligence was patchy, beneficial ownership checks were delayed for years, and some customers were defaulted to “no risk.” The BWRA documented risks but failed to capture vulnerabilities or drive improvements. 

The Barclays fine underscored a different but related weakness. Despite years of red flags — including adverse media and law enforcement alerts — its BWRA does not appear to have influenced customer risk ratings, monitoring, or escalation decisions. Risks were known but not acted upon, leaving the framework disconnected from reality. 

The lesson is clear: a BWRA must do more than catalogue risks and list controls. It must: 

  • Be explicit about the risks faced — not just broad categories, but real typologies and scenarios. 
  • Test controls for effectiveness — distinguishing between presence, absence, and performance. 
  • Feed into customer risk assessments (CRAs) — ensuring that enterprise-wide intelligence informs individual risk ratings and vice versa. 

Until firms embed these principles, BWRAs will continue to fail, repeating the same problems highlighted over a decade ago. 

Common Industry Failings 

Thematic reviews and enforcement continue to highlight a familiar pattern: 

  • Retrospective and static – BWRAs written once a year, focusing on known risks rather than emerging threats. 
  • Box-ticking methodologies – Risk factors listed, controls assumed effective, residual risk left untested. 
  • Disconnect from operations – Declared risk appetites not reflected in real onboarding or monitoring outcomes. 
  • Failure to integrate intelligence – External sources (NRA, FATF, law enforcement) and internal data rarely feed into the assessment. 
  • Outdated frameworks – Assessments not refreshed to reflect new products, markets, or typologies. 

From Artefact to Operating System 

If the BWRA is to serve its true purpose, it must be transformed into a living operating system for financial crime risk management. That means: 

  • Starting with real-world risk events, not generic categories. 
  • Validating controls for effectiveness, not assuming coverage. 
  • Closing feedback loops so operational failures and external intelligence reshape the BWRA. 
  • Aligning risk appetite to practice, surfacing breaches quickly. 
  • Refreshing continuously as threats and business models evolve. 

Regulators and industry groups such as Wolfsberg are clear: effectiveness is not about documentation, it’s about outcomes. The BWRA must become the tool that connects risk understanding, control performance, and strategic decision-making. Anything less risks repeating the same enforcement headlines we’ve seen for over a decade.

Have you reviewed your risk assessment against the new National Risk Assessment (NRA)? Have you captured and assessed the new risks it highlights? If not, now is the time to act.

Key Takeaways for MLROs 

For MLROs, the message is urgent: regulators are no longer satisfied with “tick-box” risk assessments. 

  • Challenge assumptions – Don’t just record that a control exists; test whether it actually works. 
  • Align risk appetite with reality – If your BWRA states low tolerance, ensure monitoring and onboarding decisions uphold that. 
  • Integrate intelligence – Feed in national risk assessments (including the latest 2025 UK NRA), FATF grey list changes, and law enforcement alerts. 
  • Model real events – Design assessments around how criminals actually exploit systems. 
  • Refresh dynamically – Update continuously, not just annually, to ensure the BWRA reflects new threats and regulatory expectations. 

The true test is whether your BWRA tells a credible story — one that aligns stated risk appetite with actual customer behaviour and operational outcomes. If it doesn’t, regulators will spot the gaps before you do. And with the new NRA setting out the most current national priorities and risks, MLROs must ensure their assessments are aligned now, not later.

LensIQ: Smarter Risk Assessments, Done Digitally

With regulators expecting more transparency, adaptability, and evidence of control, now is the time to modernise how you approach your firm-wide risk assessment (FWRA) or BWRA.

LensIQ is a digital platform purpose-built to support intelligent, agile BWRA. It replaces clunky spreadsheets and siloed documentation with a structured, dynamic interface that tracks risk evolution over time — ensuring your risk profile reflects real-world change.

From streamlined evidence capture and audit-ready reporting, to heatmaps and real-time collaboration, LensIQ allows compliance teams to focus less on admin and more on actionable insight.

Next Steps

Ready to discuss how the LensIQ platform can help your organisation put an agile, intelligent risk assessment solution in place? Contact our team today, or sign up for a 7-day free trial below.

Enjoy a 7-Day Free Trial

Take LensIQ for a spin with a full-featured 7-day trial today. Follow the link below to set up your trial now.