The hidden reason your BWRA isn’t reducing financial crime risk


In recent posts I have been exploring a broader question: what should the Business-Wide Risk Assessment actually inform? Most regulated firms now produce a BWRA that is documented, approved and embedded within governance cycles. The process is often extensive and resource-intensive. Boards review it, committees approve it and regulators expect to see it. Yet once the document is finalised, the more interesting question is what happens next.

If the BWRA genuinely reflects the organisation’s understanding of financial crime risk, it should influence how the firm allocates its attention, its controls and its resources. In other words, it should shape decisions. One practical way of testing whether that is really happening is to look at training.

Most financial crime training programmes are well intentioned, diligently delivered and widely supported within organisations. But they are often fundamentally misaligned to risk. The issue is rarely effort. The issue is alignment. Annual AML refreshers are rolled out across entire populations, sanctions modules are repeated year after year with minimal variation and large groups of staff complete identical training regardless of the role they play in preventing or detecting financial crime. At the same time, firms invest significant time and energy producing a Business-Wide Risk Assessment intended to explain where their financial crime risks actually sit. Too often the two exercises barely connect.

Training is the control firms default to

When organisations begin mapping financial crime controls more explicitly (linking them to specific risks or risk events), a familiar pattern quickly emerges. Training appears everywhere.

Anyone who has ever mapped a financial crime control framework will recognise the phenomenon. Controls relating to monitoring, escalation or governance may appear intermittently, but training tends to appear repeatedly across multiple risks. Policies require it, regulators expect it, logic dictates it and internal control libraries frequently reference it as a standard mitigation.

In practice, this is often the moment when organisations realise how frequently “training” appears as the answer to very different risks.

In many respects this is unsurprising. Financial crime controls often rely on human judgement: recognising indicators of suspicious activity, interpreting alerts generated by systems, applying escalation thresholds or challenging behaviour that does not look quite right. Training therefore becomes a natural part of the control environment.

The difficulty arises when it becomes the default control, rather than a targeted one. Because training is a regulatory expectation, it is often applied broadly and generically across the organisation. Entire populations receive the same annual modules regardless of their exposure to risk or the role they play in mitigating it. Over time the connection between the specific risks identified in the BWRA and the training delivered across the organisation becomes increasingly diluted.

Supervisors are increasingly focused not simply on whether controls exist, but on whether they are understood, applied consistently and demonstrably effective. In that context, generic training programmes that bear little relationship to the firm’s risk profile can become difficult to defend. Many MLROs will recognise how difficult those programmes are to defend.

If training genuinely sits within the control framework, it should be treated like any other control: designed for a specific purpose, targeted at the roles that influence risk outcomes and calibrated according to the level of exposure. A risk-based approach to training therefore begins in the same place as the rest of the control framework, with a clear understanding of the risks themselves.

The BWRA already tells you where training matters

A well-constructed BWRA should already contain most of the information needed to determine training priorities. At its core the risk assessment identifies the financial crime risk events the firm is vulnerable to, the exposure drivers that make those events more or less likely and the controls relied upon to mitigate them.

Many of those controls are people-dependent. Frontline staff recognise unusual behaviour, operations teams interpret alerts and assess suspicious transactions, and managers apply escalation thresholds when risk sits close to the firm’s tolerance. Systems may generate alerts and policies may set expectations, but the final effectiveness of many controls ultimately depends on how consistently those judgements are applied in practice.

Seen in that light, capability becomes part of the control framework. Where mitigation relies on human judgement, training becomes one of the most direct ways of strengthening the effectiveness of those controls. If the BWRA concludes that particular risk events are driven by certain products, client types, geographies or delivery channels (and that mitigation relies on human decision-making), the training implications should in principle be clear. In many organisations, however, those implications remain implicit.

From BWRA insight to training decisions

Training Needs Analysis is often approached as a standalone exercise within organisations. Roles are grouped broadly, competencies are defined generically and the resulting training programmes often look very similar from one year to the next.

A BWRA-informed approach starts from a different point: risk. Instead of beginning with job titles or organisational charts, it begins by asking where the organisation is actually exposed. Which risk events are most material? Where is exposure concentrated? Which controls are most critical to preventing or detecting those risks, and where do those controls rely on human judgement?

When viewed through that lens, training priorities often become clearer than organisations expect. A BWRA might, for example, highlight elevated exposure to complex corporate structures during onboarding, increased sanctions risk through relationships with intermediaries and high alert volumes within transaction monitoring operations. Each of these exposures has clear implications for training. Onboarding analysts may require deeper understanding of beneficial ownership structures and concealment techniques, relationship managers may need practical guidance on recognising sanctions evasion indicators and escalating concerns appropriately, and operations teams responsible for alert handling may benefit from more focused training on typology recognition and consistent escalation decisions.

In this way training priorities emerge directly from the organisation’s risk profile. The BWRA indicates who needs training, clarifies what they need to understand and determines how deeply that training needs to go. Training becomes less of a population-wide compliance exercise and more of a proportionate risk treatment.

Making training risk-event specific

Consider again the example of sanctions exposure driven by certain jurisdictions and reliance on intermediaries. The formal control framework may include screening systems, escalation procedures and policies governing decision thresholds. Yet in practice the effectiveness of those controls may depend heavily on how individuals interpret alerts, challenge intermediaries and apply escalation criteria.

This often reveals another operational reality. Escalation decisions can depend disproportionately on the judgement of a small number of experienced individuals. When those individuals are unavailable, decisions may become inconsistent and risk appetite applied unevenly. Targeted training is often one of the most practical ways of reducing that fragility.

In that context the training requirement becomes clearer. Not everyone in the organisation requires deeper sanctions training, but the roles responsible for interpreting alerts or making escalation decisions almost certainly do. The content they require is not generic sanctions theory but practical understanding of how sanctions risk manifests in the firm’s business model, what evasion techniques look like in practice, how escalation decisions should be approached and where judgement is required. Those insights should emerge directly from the BWRA.

Turning risk insight into organisational capability

The broader point is simple. A BWRA that exists purely to satisfy a regulatory requirement is unlikely to shape training, decision-making or behaviour. It becomes a static document produced annually and revisited when necessary.

A BWRA treated as a genuine source of risk intelligence should influence how an organisation allocates its attention and resources. Training is one of the clearest places where that influence should be visible.

If the organisation’s understanding of risk does not shape who is trained, what they are trained on and how deeply they are trained, then the BWRA is not really informing how risk is managed. It is merely describing it.

And if training programmes look broadly the same year after year, despite changes in the firm’s risk exposure, it becomes difficult to argue that the BWRA is influencing them in any meaningful way.

How clearly could you explain the link between your BWRA and your training programme?

