Weigh Anchor: How to Build a BRA That Works for Your Business and the FSA
Most Business Risk Assessments have something in common: they were completed in a rush, filed with relief, and won’t be opened until the next obligatory review.
That’s not entirely the fault of the businesses that produce them. The FSA’s AML/CFT Handbook tells you what your BRA must cover. It does not tell you how to make it useful. Firms do the exercise, arrive at a risk rating, and move on. The document sits in a folder, doing nothing, until someone remembers it needs reviewing.
A BRA built that way is technically compliant and practically worthless. This article is about building one that does some heavy lifting.
Where the BRA fits
If you’ve read our risk framework article, you’ll know that the BRA sits at the second level of a layered framework. The National Risk Assessment sets the national picture. Your BRA narrows that picture to your specific business: what you do, who you do it with, and how. Below it sits your Technology Risk Assessment, and at the base of the funnel, your Customer Risk Assessments for individual clients.
The BRA is the engine of that framework. Everything below it should flow from it. Everything above it should inform it. Which means getting it right matters more than getting it done.
The structure of the exercise
The Code identifies the areas your BRA must address. These broadly group into your business risk (your target client base, how you grow, your geographic exposure, how you’re structured), your client risk (the nature of your clients, how you interact with them, source of wealth and funds considerations), and your services risk (the specific services you provide and the distinct exposures each one carries). The FSA Handbook and the NRA between them provide further context for each area.
For every risk area, the process follows the same logic. You identify the potential threats, you decide which of them actually apply to your business and why, you assess the inherent risk before any controls are in place, you describe how you manage or mitigate each risk, and you arrive at a residual risk rating that reflects your actual position once those controls are operating.
That distinction between inherent and residual risk matters more than it might seem. The regulator is not expecting every firm to be low risk. It is expecting every firm to know its risk and manage it proportionately. A business with elevated inherent risk but strong, well-documented mitigations can arrive at a perfectly defensible residual rating. The BRA is the document that makes that case.
Internal anchor points
Identifying your risks and rating them is one thing. Connecting them to your actual business is where most BRAs fall short.
For years, the standard approach was to gesture broadly at mitigations: “we have robust processes and procedures in place.” It sounded reasonable. It covered the bases. And for a while, it was broadly accepted.
It isn’t any more.
The FSA has published several thematic review reports dealing with the BRA across sectors since 2023, and one finding has been consistent across all of them: generic references to policies and procedures do not demonstrate that risk is actually being managed. The regulator expects specificity. Not “we have a procedure” but which procedure, what it covers, and how it connects directly to the risk being managed.
The most practical way to meet that expectation is to treat the risk assessment as a mapping exercise. Take your existing procedures, training records and monitoring activities, and connect them directly to the relevant risk areas in your BRA. That connection is the internal anchor point.
Where your BRA identifies a risk around client onboarding, the anchor point is the named onboarding procedure. Where it identifies a sanctions risk, the anchor point is your specific screening process and the training that supports it. Where it identifies a risk around source of wealth verification, the anchor point is the procedure that governs how that information is gathered, documented and assessed. The anchor point is not invented for the BRA. It is the living framework that already exists in your business, named and linked.
There is a further benefit to this exercise that has nothing to do with the FSA. If you work through your risk areas and find that a mitigation cannot be anchored to anything, whether because it exists only as unwritten habit rather than documented process, or because the risk has no active management at all, you have identified a gap. The mapping exercise does not just evidence what you are doing well. It shows you, clearly and without ambiguity, where the holes are. There is a version-management benefit as well: when the BRA changes in any material way, it becomes straightforward to track which internal anchor points need to be reviewed and updated, or logged as continuing to operate.
Keeping it alive: the Projects and Actions log
A well-built BRA will also surface things that need to change. A risk area that isn’t adequately covered. An anchor point that references a procedure which turns out to be out of date. A gap that the mapping exercise has exposed. These are not failures in the BRA process. They are exactly what the process is supposed to produce.
A practical way to handle them is an actions log sitting within the BRA itself. Each action or project arising from the review is recorded, with a note of what needs doing and by when. As actions are completed, the log is updated. The BRA reflects the result.
This does two things simultaneously. It demonstrates to the FSA that your BRA is a living document that drives real activity in the business, not an annual exercise in box-ticking. And it makes the next annual review considerably easier, because you can see at a glance what changed, what was done about it, and whether anything needs following up.
The crucial governance connection
There is a reason this matters beyond the BRA itself.
As we explored in our article “Is Governance the Regulator’s Next Focus?”, in our view the FSA’s attention is turning from whether firms have a risk framework to whether that framework actually functions. The question regulators are now asking is not “does your BRA exist?” but “can you show how your business responded to what it told you?”
A BRA with internal anchor points and a live actions log answers that question directly. It shows that identified risks are connected to real mitigations. It shows that gaps, when found, generate activity. It shows that the framework is not static documentation but a working part of how the business manages itself.
That information needs to travel upward. When the BRA is reviewed, material findings (new risks, changes to residual ratings, significant actions) should reach the board. The board should be able to show that it considered them, asked questions, and where necessary directed a response. That is the closed loop that a genuinely risk-based approach requires: the framework produces information, the board uses it, decisions are recorded, and the cycle repeats.
A BRA that is built to feed that loop is not just a compliance document. It is part of the governance infrastructure of the business. And that, increasingly, is exactly what the FSA is looking for.