Most regulated firms have a Business-Wide Risk Assessment. The risk-based approach is documented, approved and firmly part of the governance cycle. Yet supervisory findings continue to highlight the same issues: generic analysis, weak linkage to controls and limited evidence that the assessment genuinely shapes decisions.
The risk-based approach was meant to sharpen judgement. In practice, it often standardised it.
This was not the intention. But the prescribed regulatory risk factors in the Money Laundering Regulations have quietly (sometimes loudly) nudged practitioners in a particular direction.
Customer risk. Geographic risk. Product risk. Transaction risk. Delivery channel risk.
These were designed as prompts. A necessity to drive some level of consistency. Over time, they became the structure. In truth, we allowed the categories to become the answer. It became easier to score attributes than to define what could actually go wrong. Many of us have sat in board discussions debating whether a jurisdiction is “medium-high” rather than whether a specific control failure would be material. If that feels familiar, it should.
Risk factors describe exposure. They do not describe risk. They matter, but they were never meant to be the whole story.
A high-risk jurisdiction does not launder money. A complex product does not breach sanctions. A non-face-to-face channel does not facilitate fraud. These characteristics may increase vulnerability, but they are not the event. They do not explain who is doing what, how it happens, and where controls might fail.
Real risk, in practice, shows up as events.
It is a criminal exploiting onboarding weaknesses to establish a laundering vehicle. It is a sanctions evader obscuring ownership to bypass screening. It is an employee colluding to override internal controls.
Define risk at that level (actor, act, process, outcome) and the conversation changes. Exposure factors gain context. Controls can be mapped to specific failure points. Gaps become visible. Residual risk becomes something more than an aggregate score on a heat map. It also explains why control enhancements so often feel disconnected from the assessment that supposedly justified them.
To achieve this shift away from performative compliance, the starting point needs to be clearly defined, testable risk events, linked to regulatory exposure factors – not the other way around. Developing such a platform and methodology does not produce a longer document, but a more disciplined one. Investment decisions can be traced back to defined risks. Control weaknesses are framed as event-specific vulnerabilities, not abstract observations. Over-control can be identified and challenged.
For the MLRO, it reduces scoring debates and clarifies control failure risk. For the Board, it reframes heat maps as trade-offs. For the organisation, the BWRA becomes less an annual document and more a living view of how financial crime could occur and be prevented.
This is not about rejecting regulation. The framework remains sound. But when risk factors become the backbone of the assessment, we start managing categories rather than events, and categories do not drive decisions. It is compliance theatre.
The opportunity now is to correct course and turn the BWRA from a document that performs into a tool that drives performance.
We’ll be talking about how we can collectively end compliance theatre at the ICA Future of FinCrime and Compliance Summit on 20 May. Do visit our stand to discuss what this means for you.
About the authors
Complyse is the technology sister company of regulatory advisory firm Avyse Partners. For too long, financial crime risk assessments have been an exercise in compliance theatre - producing documents rather than insight. Built by practitioners, Complyse combines regulatory expertise, data science and design thinking to deliver a financial crime risk assessment platform designed to turn fragmented data into intelligence, and intelligence into action.