Read, reflect, but don’t overreact: What the FCA’s BWRA review really tells us
When the FCA issues feedback on firms’ risk assessments, it rarely breaks new ground.
But this time, there’s a quiet acknowledgement that something deeper is wrong, that the way most firms approach the Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) simply isn’t delivering the insight it’s supposed to.
We welcome that recognition.
Because for all the talk of “risk-based approaches,” the industry has spent years circling the same problems: inconsistent methodologies, superficial analysis, and a disconnect between assessment and action.
Yet once again, the FCA’s latest paper stops short of telling firms how to do it differently.
It identifies the illness but offers little in the way of treatment.
So before the industry rushes to “fix” its BWRAs in response, a word of caution:
read and reflect — but don’t overreact.
You can’t transform overnight.
You need a plan.
The diagnosis we already knew
If the findings feel familiar, it’s because they are.
The FCA notes that too many firms still treat the BWRA as a compliance artefact rather than a decision tool; that assessments often lack a clear link between identified risks and mitigating controls; that customer-level risk ratings bear little relationship to the firm-wide view; and that management information rarely connects the two.
We’ve seen this movie before.
The same themes surfaced in the enforcement notices concerning Barclays, Monzo, and Santander, and more recently in HMRC’s Trade-Based Money Laundering (TBML) handbook, which laid bare the industry’s inability to turn intelligence into insight.
In our November blog, “You Can’t Handle the Truth,” we described how firms confuse the process of being risk-based with the practice of understanding risk. The FCA’s findings echo exactly that tension: processes are in place, but understanding is not.
It is not that firms don’t care. It is that the current framework doesn’t make understanding easy.
Risk assessments as performance, not process
Most risk assessments have become performative.
They describe risks in abstract terms (“high-risk customers,” “geographies of concern”) and then list the controls in place, but they don’t articulate the relationship between the two.
That’s why, in “Risk Assessment Reframed: From Risk Factor to Risk Actor,” we argued that risk assessments should be built around risk events, not risk factors.
Who’s the actor? What’s the act? Which process is being abused? What’s the outcome, and who benefits?
Only by framing risk this way can firms understand what their controls are actually trying to prevent.
The FCA’s report highlights that firms often can’t explain why certain controls exist or how they mitigate specific risks. That’s not poor documentation; it’s poor design. It’s the inevitable result of building assessments from a checklist rather than from an understanding of how financial crime actually happens.
In “Behind the Barclays Fines,” we said configuration wasn’t the cause; it was the consequence. The same logic applies here: the deficiencies in BWRAs and CRAs are symptoms of a flawed conceptual model.
Appetite and understanding – the emperor’s new clothes
Among the FCA’s observations is a subtle but important one: firms’ risk appetite statements are rarely aligned to their risk assessments, and often fail to inform business decisions.
That’s hardly surprising. In “Risk Appetite: The Emperor’s New Clothes, Revisited,” we argued that many firms mistake documentation for direction. They produce elaborate appetite statements that no one could use to make a real-world decision, least of all in the fast-moving context of financial crime risk. Lee Hale’s original analysis was timely.
The FCA’s feedback makes clear that this disconnect persists. Firms talk about “risk tolerance” and “risk limits,” but can’t show how these notions drive the calibration of controls or the interpretation of risk ratings.
In practice, risk appetite should be the bridge between the BWRA and the control environment. It should answer the question: how much residual risk are we prepared to accept, and what does that mean for the strength, automation, or frequency of our controls?
Until that connection exists, appetite will remain what it so often is: a noble statement of intent with no operational relevance.
The FCA’s silence on the ‘how’
To its credit, the FCA’s review doesn’t just criticise. It again lists examples of good practice: firms that use data to refresh risk assessments dynamically; those that connect risk assessments to assurance findings; those that use MI to drive targeted enhancements.
But these examples remain descriptive, not instructive.
The review identifies the gaps (inconsistent taxonomies, weak governance, limited feedback loops) but offers no roadmap for closing them. It recognises that firms’ methodologies are too static but doesn’t outline how to structure a dynamic one. It says risk factors aren’t well understood but doesn’t suggest reframing them in the context of threat intelligence or risk events.
That’s the real problem.
Firms don’t need more criticism. They need a model to work towards.
In “The Path to Effectiveness,” we said effectiveness begins with structure and language. Without a shared taxonomy of risks, risk events, and controls, even the most sincere efforts will collapse under their own inconsistency.
So when the FCA tells firms to ensure “clearer linkage between risk and control,” we agree wholeheartedly, but we also know that clarity doesn’t happen by accident. It happens by design.
What firms should do next
The temptation, of course, will be to react.
To commission a “refresh” of the BWRA, convene a steering group, and produce yet another spreadsheet or PowerPoint that looks impressive but changes nothing.
Don’t.
If the FCA’s review confirms anything, it’s that meaningful change requires more than cosmetic repair.
So instead of rushing to rewrite, take a step back.
Read and Reflect
Start by understanding why your current assessment looks the way it does. Is it built around inherited templates or genuine analysis? Does it describe the business you run today, or the one you inherited five years ago?
Reconnect
Move from risk factors to risk events. Anchor your assessment in how financial crime actually manifests in your business. A well-structured risk-event library (actor–act–process–outcome–victim/beneficiary) forces clarity, and it’s the only way to ensure controls map meaningfully to the risks they mitigate.
Rebuild
Use your business profile as the foundation, not the afterthought. In “The Missing Link in Risk Assessments,” we showed how the business profile provides the context that makes risk factor ratings meaningful, linking products, customers, delivery channels, and geographies in a way that drives proportionality.
Reframe
Treat residual risk as a measure of control design, not as leftover risk. In “Residual Risk That Actually Means Something,” we argued that residual risk should tell you something about control effectiveness (preventive, detective, corrective, directive), not simply repeat the inherent risk score with a discount.
Reinforce
Link the BWRA, CRA, and risk appetite through data. If your BWRA says customer complexity is a key exposure, that should be visible in your customer segmentation and monitoring scenarios. MI should reflect not just activity but understanding: the degree to which risk appetite is being consumed in real time.
Read, reflect… then plan
The FCA’s paper may not offer a roadmap, but it does offer an opportunity.
It signals that the regulator understands the limitations of the current approach, and that the industry’s fixation on documentation over diagnosis must end.
But progress won’t come from panic. It will come from planning, from firms that are willing to rebuild their methodologies from the ground up, not just repaint the surface.
That means defining risk in operational terms, not theoretical ones.
It means replacing risk factor tick-boxes with structured, data-driven event analysis.
It means calibrating controls in line with genuine exposure, not legacy perception.
In other words, it means doing the hard work.
The good news is that work has already been done.
Over the past year we’ve developed and tested an enhanced BWRA methodology that translates these ideas into practice: a structured framework that connects external intelligence, business profile, risk events, and controls in a way that can be operationalised across domains.
So by all means, read the FCA’s findings. Reflect on them.
But don’t rush to “fix” what you don’t yet understand.
Transform deliberately.
We’ve done the hard work. Talk to us before you start again.