The alchemy gap: Why external intelligence isn’t changing your BWRA (and what to do about it)
Each year, the National Crime Agency’s Strategic Assessment is read, summarised, and referenced across the industry. Yet, despite the volume and quality of intelligence produced, most Business-Wide Risk Assessments (BWRAs) remain largely unchanged. That is the real gap: not a lack of information, but a failure of transformation.
In practice, many BWRAs evolve by accumulation. New risks are added, language is updated, but very little is ever removed or fundamentally rethought. The result is not a sharper view of risk, but a longer document. If your BWRA looks broadly the same year after year, it is very unlikely to be reflecting how financial crime risk is actually evolving.
Intelligence, in its raw form, is simply input: valuable, but inert. The role of the BWRA is to act as a kind of alchemy: transforming that raw material into something more useful. If nothing changes as a result, it is not insight; it is theatre. In practice, that transformation rarely happens in a meaningful way.
What has changed (and why it should matter)
The 2026 assessment contains exactly the kind of signals that should move a risk assessment. Organised immigration crime is now digitally mediated at scale, with around 80% of migrants facilitated via small boats using social media, and with platforms such as TikTok acting as central coordination mechanisms.
At the same time, sanctions evasion is adapting, with activity shifting towards Russia-aligned crypto platforms and increasingly layered ownership structures. Generic “crypto risk” assessments are increasingly out of date as activity fragments across specific, sanctions-sensitive ecosystems. Drug supply chains are also evolving, with UK-based cocaine extraction signalling a move from importation to domestic processing.
These are not incremental updates; they reflect changes in how crime is executed. If the underlying mechanics of crime are shifting, then a BWRA that remains static is not ingesting intelligence; it is simply archiving it.
From intelligence to insight: The three moves
Turning intelligence into insight requires three deliberate steps.
First, define risk events, not themes. It is easy to conclude that fraud risk is increasing or that geographic exposure has shifted, but that is not actionable. The more useful question is what could now happen in your business. Examples include criminal networks coordinating payments via social media, or value being transferred through specific crypto ecosystems to bypass sanctions controls.
Second, recalibrate exposure. Generic labels such as “online” or “crypto” are no longer sufficient. What matters is which platforms, corridors, and behaviours now drive risk. If social media is central to certain typologies and your model includes digital onboarding and fast payments, your exposure has changed, whether or not it is explicitly recognised.
Third, translate that into actual change. This is where most BWRAs fall short. Risks are refreshed, but controls remain static and the document simply becomes longer. A better approach is refinement, not expansion. Every new signal should force a trade-off: if one risk becomes more relevant, something else should become less so.
In practice, this does not require wholesale redesign. It may be as simple as introducing one new risk event, adjusting one exposure driver, and tuning one control or monitoring scenario, while removing or downgrading something that no longer reflects how risk actually manifests.
For example, a firm might replace a generic “high-risk geography” statement with a specific risk event linked to Russia-aligned crypto platforms, adjust its exposure assessment to reflect interaction with those ecosystems, and tune monitoring around wallet provisioning or rapid dispersal of inbound funds. The change is small, but the assessment becomes materially more precise and defensible.
What this looks like in practice
If external intelligence is functioning properly within a BWRA, the outputs should be tangible. A firm should be able to point to the specific risk events that have been added, the areas that have been deprioritised, the exposure assessments that have been adjusted, and the controls that have been recalibrated.
Absent that, it is difficult to argue that anything meaningful has changed. Increasingly, this is where regulatory scrutiny is focused: not on whether a BWRA exists, but on whether it is decision-useful, evidence-based, and capable of being defended under challenge.
The NCA has done the hard part. The intelligence is clearer, more specific, and more operational than in previous years. The remaining question is whether firms are prepared to act on it.
If intelligence goes in and nothing comes out (no new risks, no removed risks, no adjusted exposures, no recalibrated controls), then the issue is not the quality of the input.
It is the absence of alchemy: the failure to turn raw intelligence into something materially more valuable.