- A BWRA is mandatory under EU AML Directives for all obliged entities
- It must cover customer, product/service, delivery channel, and geographic risk
- Generic templates fail regulators; your BWRA must reflect your actual business data
- Review annually and after any material business change
The Business-Wide Risk Assessment (BWRA) — sometimes called an Enterprise-Wide Risk Assessment (EWRA) — is the foundational document of your AML compliance framework. It identifies and quantifies your ML/TF risk exposure and informs every other control: your policies, customer risk ratings, monitoring approach, training programme and resource allocation.
Related HubSecure buying path
AML/KYC & Onboarding guideclient onboarding softwareAML/KYC moduleSumsub comparisonAML/KYC compliance software guideGuide Librarybook a workflow demo
Related AML/KYC and compliance monitoring resources
Continue with AML/KYC monitoring module, compliance workflows, HubSecure for legal teams, HubSecure for finance teams, security and trust center.
Related use case
This guide belongs to the AML and KYC Guides cluster. Continue with the product hub for aml and kyc.
The four risk dimensions you must assess
1. Customer risk
Assess ML risk presented by your customer base as a whole and by defined segments:
- Customer types (retail, corporate, financial institution, trust, charity)
- PEP exposure across your portfolio
- Proportion of non-face-to-face customers
- Customers from high-risk jurisdictions
- Complex ownership structures or nominee arrangements
- High-risk industries represented in your client base
2. Product and service risk
- Cash-handling products (inherently higher risk)
- Anonymous or bearer instruments
- Products allowing rapid movement of value
- High-value or complex transaction products
3. Delivery channel risk
- Non-face-to-face vs. in-person onboarding
- Intermediary or introducer relationships
- Digital-only channels
- Agent or franchise networks
4. Geographic risk
- FATF high-risk and monitored jurisdictions
- EU Commission high-risk third countries
- Countries with weak AML/CFT frameworks (Basel AML Index)
- High-corruption countries (Transparency International CPI)
BWRA structure: template outline
Section 1 — Executive Summary: Risk appetite statement; overall inherent and residual risk levels; material risk areas; key changes since last assessment.
Section 2 — Business Overview: Products and services; customer segments; geographic footprint; delivery channels; material business changes in the period.
Section 3 — Inherent Risk Assessment: For each dimension: risk factors identified; data sources used; inherent risk rating (Low/Medium/High/Critical) with justification.
Section 4 — Control Assessment: Controls in place; effectiveness assessment; control gaps; remediation actions with owners and deadlines.
Section 5 — Residual Risk: Post-control risk ratings; aggregate residual risk; comparison to risk appetite; areas exceeding appetite.
Section 6 — Emerging Risks: New products planned; new customer segments; regulatory changes; typology trends from FATF/US Dollarpol/national FIU.
Section 7 — Action Plan: All identified gaps with owner, priority, deadline and resource requirements.
Use your own data: A BWRA is only credible if grounded in your actual statistics. Include real numbers — how many PEP clients you have, what percentage are from high-risk countries, your average transaction size by product. Regulators immediately distinguish genuine risk assessments from generic templates.
Common BWRA failures
- Identical risk ratings across all products regardless of actual risk profile
- No data supporting the ratings — assertions without evidence
- Risks assessed but no corresponding controls identified
- Action plan with no owners or deadlines
- Not reviewed in over 12 months without documented trigger for earlier review
- No sign-off by senior management or board
See also: EDD Guide — PEP Screening Guide — KYB Compliance Guide
Frequently Asked Questions
Minimum annually. Also after any material business change: new product, new market, acquisition, significant change in customer mix, or relevant regulatory development. The review must be substantive — updating the date without real review does not satisfy regulators.
Senior management — typically the board, CEO, or equivalent governance body, not just the MLRO. The MLRO prepares and owns the document, but board-level sign-off is required to demonstrate ML/TF risk is considered at the highest level.
You must be able to provide it on request. Regulators frequently ask for it during supervisory visits or thematic reviews. Treat it as a live regulatory document, not an internal working paper.
The BWRA assesses the risk profile of your entire business — products, channels, geography, customer base as a whole. Individual customer risk assessments score each client based on your BWRA risk criteria. The BWRA informs what risk factors to apply at the customer level.
Yes, but management must own and understand it. A BWRA that a consultant wrote and management cannot explain is a red flag in regulatory inspections. Management must be able to discuss every section credibly.
HubSecure provides structured client risk scoring aligned with your BWRA criteria, automated PEP/sanctions screening, geographic risk flagging, and a complete audit trail. Data captured in HubSecure can directly feed your BWRA portfolio statistics, making the assessment evidence-based.
See HubSecure in action
Join compliance teams across Europe replacing spreadsheets with a platform built for regulated work.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Related HubSecure references: Security · DPA · Subprocessors · AML/KYC glossary · RBAC glossary
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.