The business profile: The missing link in risk assessments

Introduction: Using the FCA’s Own Reviews as a Lens 

Over the past few weeks, I have been looking carefully at the FCA’s most recent pronouncements that make explicit reference to business-wide risk assessments (BWRAs). One in particular caught my attention: the January 2025 Money Laundering Through Markets review. Among its observations, the FCA stressed that firms must “consider and appropriately document the MLTM risk posed to and by the firm, ensuring it is reflected in their business-wide risk assessment (BWRA).”

It is a reminder that the BWRA is not simply about scoring abstract factors, or creating another colourful heatmap for the regulator’s file. At its core, it is meant to be a diagnostic, a way for firms to show that they understand how their own business creates exposure to financial crime, and what they are doing about it. 

But in our experience, this is exactly where many institutions fall down. They don’t begin with a robust, structured business profile. And without that foundation, the rest of the assessment is left floating in the air, disconnected from the business model, unconvincing to supervisors, and of little practical use to management. 

Why Business Profiles Are the Missing Link 

When I say “business profile,” I don’t mean the cursory tables you sometimes see in BWRA reports, a couple of bullet points on customer types, or a quick list of jurisdictions. I mean a structured, data-driven portrait of how the firm really operates. That includes: 

  • Customers: Active, dormant, gone-away, PEPs, corporates, trusts, high-risk segments, retail flow. 

  • Products & Services: Payments, securities, lending, crypto interfaces, custody, correspondent lines. 

  • Geographies: Not just where clients are based, but where transactions actually flow. 

  • Transactions: Volumes, values, patterns, corridors, anomalies. 

  • Delivery Channels: Digital, in-person, intermediated. 

  • Internal Environment: Governance structures, outsourcing arrangements, staff incentives, tax profile, corporate structure. 

This is not administrative overhead. It is the diagnostic lens through which all risk events must be viewed. Crucially, it is also what informs the likelihood associated with each risk event, providing the rationale and justification that most existing BWRAs lack. Too often, likelihood scores are assigned arbitrarily, with little explanation beyond “high/medium/low.” A well-structured business profile grounds those judgements in the actual characteristics of the firm. 

Without it, firms end up applying generic assumptions: “All corporates are medium risk,” “All customers from Country X are high risk,” “Digital delivery is lower risk than physical.” That kind of thinking leads to tick-box outputs and predictable regulatory findings. 

The Current Shortcomings We See Across the Industry 

Reading across enforcement cases, supervisory letters, and multi-firm reviews, a few themes repeat themselves: 

  1. Generic categorisation: Most BWRAs contain only high-level labels: “retail customers,” “offshore jurisdictions,” “payments activity.” These categories are so broad that they mask meaningful differences. A retail customer dormant for two years is not the same as an active one with complex international flows.

  2. Assumptions instead of evidence: Too often, firms jump from “X% of our customer base is offshore” to “Therefore we are exposed to high inherent risk.” The step in the middle (how those offshore customers actually interact with the firm’s services) is missing. 

  3. Fragmented data: Business profile information usually exists somewhere in the institution: in KYC files, product catalogues, transaction monitoring, HR systems. But it is rarely pulled together in one coherent, structured place.

  4. Disconnected from controls: When firms do attempt to describe their business, it is rarely linked to specific control measures. The result is a separation between “what we do” and “how we manage the risk it creates.” 

The FCA’s critique in its January 2025 review reflects exactly this gap: Firms are not adequately documenting the risks posed to and by the firm. They are either ignoring the business profile, or treating it as window dressing. 

What Our Enhanced Approach Does Differently 

In developing our own enhanced BWRA, we started with this missing link. If the business profile is weak, everything else will be weak. So we designed a structured approach that does three things differently: 

1. Profiles Are Structured Wherever Possible, Narrative Only Where Necessary 

We have developed a standardised business profile questionnaire that covers all the critical dimensions: customers, products and services, geography, transactions, delivery channels, and internal environment. The intent is to produce quantifiable inputs wherever possible, for example the proportion of dormant versus active accounts, a breakdown of transaction corridors by volume and value, or the percentage of outsourced activities.

But we also recognise that not every firm has the same depth of data at its fingertips. In those cases, narrative inputs are still valuable, provided they articulate a clear, subjective assessment that can be interrogated and challenged. By combining structured data with structured narrative, we avoid the trap of vague descriptions and instead create a profile that is both evidence-driven and judgment-aware. 

2. Profiles Drive Event-Level Risk Assessment, Not Just Labels 

Whether expressed in numbers or in words, the business profile is never an end in itself. Each data point or narrative judgment feeds directly into specific risk events. For example: 

  • A high proportion of dormant accounts → elevated risk of mule activity and layering. 

  • Heavy reliance on intermediaries → heightened risk of third-party facilitation of ML/TF. 

  • Complex cross-border securities trades → systemic risk of market abuse and layering. 

This means the profile doesn’t sit on the shelf as background information. Instead, it becomes the bridge between the business model and the risk assessment, showing how the business actually gives rise to exposure. 

3. Profiles Link Directly to Controls and Residual Risk 

Once risk events are identified, they are tested against the controls in place. Preventive, detective, corrective, and directive measures are all considered and weighted in that order, with preventive controls carrying the most weight and directive controls the least. The credibility given to any control is also shaped by the level of assurance behind the assessment of its effectiveness: an independently tested control counts for more than one that is merely self-attested.

Here again, both data and narrative have a role. Some firms will be able to evidence control coverage and assurance results quantitatively; others may need to articulate their assessment qualitatively. The key is that the link between the business profile, the risk event, and the control environment is made explicit. 

This ensures that residual risk is no longer an abstract score or a regulator-pleasing number. Instead, it becomes a reflection of two things: the realities of the business model, and the effectiveness of the controls that are meant to mitigate its risks.
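As an added illustration, not part of the article or of the methodology it describes, the following Python sketch models the chain that the three steps above set out: a structured profile figure sets the likelihood of a risk event (with a recorded rationale), likelihood times impact gives inherent risk, each control earns credit weighted by its type (preventive highest, directive lowest) and discounted by the assurance behind its effectiveness rating, and residual risk follows. Every band, weight, threshold and sample figure is a constructed assumption chosen to make the mechanics visible; the names of the risk events are taken from the bullet list in step 2.

```python
"""Illustrative profile -> risk event -> control -> residual risk model.

All weights, bands and sample figures are assumptions made for this example;
the article describes the logic but gives no numeric scheme.
"""
from dataclasses import dataclass

# Assumed credit weights by control type: preventive counts most, directive least.
CONTROL_TYPE_WEIGHT = {
    "preventive": 1.0,
    "detective": 0.75,
    "corrective": 0.5,
    "directive": 0.25,
}

# Assumed credibility multipliers by level of assurance over the effectiveness rating.
ASSURANCE_CREDIBILITY = {
    "independent_tested": 1.0,
    "management_tested": 0.7,
    "self_attested": 0.4,
    "untested": 0.2,
}

MAX_MITIGATION = 0.9  # assumption: no set of controls removes a risk entirely

# Assumed bands mapping a profile proportion (0..1) onto a 1..5 likelihood score.
LIKELIHOOD_BANDS = [(0.05, 1), (0.15, 2), (0.30, 3), (0.50, 4)]  # else 5


@dataclass
class BusinessProfile:
    """Structured, quantified profile inputs (proportions of the book)."""
    dormant_account_ratio: float
    intermediated_flow_ratio: float
    cross_border_securities_ratio: float


@dataclass
class Control:
    name: str
    control_type: str    # key into CONTROL_TYPE_WEIGHT
    effectiveness: float  # 0..1 rated design and operating effectiveness
    assurance: str        # key into ASSURANCE_CREDIBILITY


@dataclass
class RiskEvent:
    name: str
    driver: str   # BusinessProfile attribute that informs likelihood
    impact: int   # 1..5
    controls: list


def likelihood_from_profile(profile: BusinessProfile, driver: str):
    """Derive a 1..5 likelihood from a profile figure and keep the rationale."""
    share = getattr(profile, driver)
    score = 5
    for upper, band in LIKELIHOOD_BANDS:
        if share < upper:
            score = band
            break
    rationale = f"{driver} = {share:.0%} of the book -> likelihood {score}/5"
    return score, rationale


def control_credit(control: Control) -> float:
    """Credit a single control earns after type weighting and assurance discount."""
    return (CONTROL_TYPE_WEIGHT[control.control_type]
            * ASSURANCE_CREDIBILITY[control.assurance]
            * control.effectiveness)


def combined_mitigation(controls) -> float:
    """Combine controls as independent layers, then cap at MAX_MITIGATION."""
    residual_fraction = 1.0
    for control in controls:
        residual_fraction *= 1.0 - control_credit(control)
    return min(1.0 - residual_fraction, MAX_MITIGATION)


def rating(score: float) -> str:
    """Assumed residual-risk bands on a 1..25 scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(profile: BusinessProfile, event: RiskEvent) -> dict:
    """Inherent risk from profile-driven likelihood x impact, then residual after controls."""
    likelihood, rationale = likelihood_from_profile(profile, event.driver)
    inherent = likelihood * event.impact
    mitigation = combined_mitigation(event.controls)
    residual = inherent * (1.0 - mitigation)
    return {
        "event": event.name,
        "likelihood": likelihood,
        "rationale": rationale,
        "inherent": inherent,
        "mitigation": round(mitigation, 3),
        "residual": round(residual, 2),
        "rating": rating(residual),
    }


def rank_residual(profile: BusinessProfile, events) -> list:
    """Assess every event and order by residual risk, highest first."""
    return sorted((assess(profile, e) for e in events),
                  key=lambda r: r["residual"], reverse=True)


# Constructed sample profile and register for a hypothetical firm.
PROFILE = BusinessProfile(dormant_account_ratio=0.22,
                          intermediated_flow_ratio=0.55,
                          cross_border_securities_ratio=0.08)

EVENTS = [
    RiskEvent("Mule activity and layering through dormant accounts",
              "dormant_account_ratio", impact=4, controls=[
                  Control("Re-KYC before reactivation", "preventive", 0.8, "independent_tested"),
                  Control("Dormant-account monitoring scenario", "detective", 0.6, "management_tested"),
              ]),
    RiskEvent("Third-party facilitation of ML/TF via intermediaries",
              "intermediated_flow_ratio", impact=4, controls=[
                  Control("Intermediary due diligence", "preventive", 0.5, "self_attested"),
              ]),
    RiskEvent("Market abuse and layering in cross-border securities",
              "cross_border_securities_ratio", impact=5, controls=[]),
]

if __name__ == "__main__":
    for row in rank_residual(PROFILE, EVENTS):
        print(f"{row['rating']:6} residual={row['residual']:5} inherent={row['inherent']:2} "
              f"mitigation={row['mitigation']}  {row['event']}\n    {row['rationale']}")
```

The point the sample register makes is the one in step 3: the intermediary risk ends up highest not because it is the most inherently severe, but because its only control is self-attested and so earns little credit, while the dormant-account risk, with an independently tested preventive control and a detective backstop, drops to low. Every residual figure carries its likelihood rationale back to a profile number, which is what a reviewer can interrogate.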

The Value This Adds 

So what difference does this make? I see four main sources of value: 

  1. Credibility with regulators: When the FCA asks, “Show us how you’ve considered the risks posed to and by the firm,” you have a structured, evidence-based profile to hand. Not a heatmap, but a data-driven explanation of how the business actually operates. 

  2. Clarity for senior management and the board: A business profile translates financial crime risk into terms that non-specialists can understand. It shows how customers, products, and geographies combine to create vulnerabilities. That makes it easier to link risk appetite, strategy, and investment. 

  3. Actionable intelligence: Because the profile is structured, it can generate insights over time. Which transaction corridors are driving most residual risk? Which customer segments create systemic weaknesses? This is intelligence that can inform strategic decisions, not just compliance reporting. 

  4. Benchmarking potential: With structured profiles across firms, regulators and industry groups could benchmark risk more effectively. Which segments are consistently problematic? Where are outliers? Our methodology is designed to enable this kind of comparative analysis. 

From Regulatory Chore to Management Tool 

What I find most striking in the FCA’s January 2025 review is the implicit frustration: Too many firms still treat the BWRA as a compliance exercise. The business profile is either ignored or produced as a generic appendix, with little analytical value. 

Our argument is simple: If you don’t start with a structured business profile, you are not really doing a risk-based assessment at all. You are doing assumption-based assessment. And regulators, boards, and operational teams can all see through it. 

By contrast, when you start with a structured profile, the whole exercise shifts. It becomes a tool for management, a source of intelligence, and a platform for demonstrating regulatory credibility. 

Conclusion: Pragmatism Over Purism 

The FCA’s January 2025 review was clear: Firms must document the risks posed to and by the firm and show how they are reflected in the BWRA. That is not possible without a business profile. 

But let’s be realistic, not every firm has perfect data. What matters is not whether every input is quantitative, but whether every input is structured, transparent, and capable of being challenged. Where the data exists, use it. Where it doesn’t, provide a clear narrative that articulates judgment in a way others can interrogate. 

That hybrid approach (structured where possible, narrative where necessary) is what makes a business profile credible. It shifts the BWRA from a compliance artefact to a management tool, from a box-tick to a genuine diagnostic. 

Because at the end of the day, if your BWRA doesn’t start with a clear, structured understanding of your business, whether in numbers or in words, it isn’t risk-based. It’s assumption-based. And in today’s environment, regulators, boards, and frontline teams all deserve better. 
