Business Risk Assessments - The Cornerstone of an Effective RMCP
A well-executed business risk assessment (BRA) is more than a compliance obligation – it’s the foundation of an effective risk management and compliance programme (RMCP). With regulatory scrutiny on the rise, all accountable institutions, including financial service providers (FSPs), must ensure their risk assessments and RMCPs are robust, documented and defensible.
Since South Africa’s greylisting by the Financial Action Task Force (FATF), supervisory bodies such as the Financial Intelligence Centre (FIC) and the Financial Sector Conduct Authority (FSCA), in the case of FSPs, have significantly intensified their inspections. A key finding from their audits is the widespread failure by accountable institutions to conduct BRAs to inform their RMCPs.
In this article, we explore how a BRA forms the foundation of an effective RMCP. We also offer practical guidance to help accountable institutions, especially FSPs, conduct thorough, tailored assessments that meet both regulatory expectations and operational needs.
The evolving risk landscape
Over the years, the Financial Intelligence Centre Act (FICA) has significantly expanded the compliance obligations placed on accountable institutions. Initially, FICA applied to a limited group, which included FSPs, with a focus on knowing your client.
Subsequent amendments broadened the scope to include additional sectors such as legal practitioners, crypto asset service providers (CASPs) and trust and company service providers, among others. Updates also introduced the requirement for institutions to know their employees – ensuring they understand who works within their business and the risks those individuals may pose.
More recently, there has been a strong emphasis on knowing your business. Accountable institutions are now required to assess how their own operations, products, services and delivery channels may be exploited for money laundering (ML), terrorist financing (TF) and proliferation financing (PF).
Regulators require accountable institutions to conduct BRAs as the foundation of their RMCPs. For all institutions falling under FICA, a documented BRA is no longer optional – it is a critical and enforceable component of compliance.
Understanding BRAs
A BRA is a structured, documented process used to identify and evaluate ML/TF/PF risks a business may face. It forms the foundation of an accountable institution’s RMCP, as required under Section 42 of FICA. Guidance Note 7A, issued by the Financial Intelligence Centre (FIC), provides the primary guidance on conducting BRAs.
The BRA enables institutions to identify areas vulnerable to exploitation by criminal actors and determine the level of risk involved. Based on this assessment, the business must consider what controls to implement to mitigate the identified risks.
Every accountable institution – regardless of its size, complexity or sector – must assess and document its exposure to risk categories. Within each of these categories, there are multiple risk factors. For example:
Institutions must rate each identified risk by its likelihood and potential impact. They should apply risk ratings (such as low, medium or high) and clearly explain the rationale for each rating. This rationale should be guided by the country’s national risk assessment, relevant sector risk assessments (such as the FSCA’s assessment for FSPs) and guidance issued by the FIC, FATF and other authorities. The resulting BRA must then directly inform how the RMCP mitigates and manages the risks identified, and it must address both inherent risk (before controls) and residual risk (after controls).
How to structure an FSP’s BRA
While the core risk categories apply across all sectors of accountable institutions, FSPs face specific risk exposures due to the nature of their products, clients and delivery models. Common examples include, but are not limited to, the following:
By systematically evaluating these risks, FSPs can create a BRA that not only satisfies regulatory requirements but also strengthens their operational resilience. The assessment should be documented, regularly reviewed and updated whenever there are material changes to the business, product offerings or client base.
Common pitfalls – and solutions
The strategic role of a BRA
All accountable institutions are operating in a regulatory environment where scrutiny is intensifying – and non-compliance can carry severe consequences. Regulators have made it clear that a BRA should be more than a once-off supporting document – it should form the foundation of a compliant and effective RMCP.
But beyond regulatory expectations, a well-executed BRA offers tangible benefits to businesses. For example, it:
Whether your business offers traditional insurance and investment products or is expanding into high-risk areas like crypto, your BRA must accurately reflect the operational realities of your business. It should be documented, regularly updated and capable of withstanding regulatory scrutiny.
When treated as a living, strategic tool – not just a compliance checkbox – the BRA becomes central to protecting your institution, your clients and the integrity of South Africa’s financial system.
How Masthead Can Assist
Masthead supports accountable institutions across South Africa – including FSPs, legal and property practitioners, credit providers, crypto asset service providers (CASPs) and high-value goods dealers (HVGD) – with their FICA compliance obligations.
Need assistance with your BRA? We can help you develop and maintain a tailored BRA that aligns with your RMCP. Get in touch to find out how we can support you.
Looking to refresh your FICA knowledge? The Masthead Learning Centre offers a range of CPD-recognised FICA-related online courses that you can complete at your own pace.