Overview
Business Risk Assessment (BRA) is the core workflow in Risk Legion for identifying, evaluating, and managing business risks across your organization. A BRA systematically assesses risk scenarios against your organizational structure, links controls, and produces actionable insights.Key Concepts
What is a BRA?
A Business Risk Assessment is a structured evaluation that:- Assesses risk scenarios relevant to specific Legal Entities and Business Units
- Captures both Inherent Risk (before controls) and Residual Risk (after controls)
- Links key controls and sub-controls to risk scenarios
- Tracks risk triggers that may indicate elevated risk
- Generates mitigation actions for risks above appetite
BRA Lifecycle
Creating a BRA
Step 1: Initialize the BRA
Navigate to BRAs → Create New BRA and provide:Step 2: Select Risk Scenarios
After creating the BRA, you’ll be directed to the Risk Scenarios tab where you can:- Browse the Risk Library - View all available risk scenarios
- Filter by Category - ML, TF, Fraud, Sanctions, Operational, etc.
- Include/Exclude Scenarios - Toggle scenarios relevant to this assessment
- View Linked Products - See which products each scenario applies to
Only risk scenarios linked to products assigned to the selected Legal Entity/Business Unit will appear as relevant.
Step 3: Assess Inherent Risk
For each included scenario, rate the Inherent Risk (risk before considering controls):
Risk Score Calculation:
Step 4: Link Controls
For each risk scenario, link the relevant Key Controls and Sub-Controls:- Key Controls - High-level control categories
- Sub-Controls - Specific control instances with ToD/ToE assessments
Step 5: Assess Control Effectiveness
For each linked control, assess:
See Control Assurance for detailed guidance.
Step 6: Assess Residual Risk
After considering control effectiveness, rate the Residual Risk:- Residual risk should typically be lower than inherent risk
- If controls are ineffective, residual may equal inherent risk
- Justification must explain how controls mitigate the risk
Step 7: Add Risk Triggers
Link relevant risk triggers to each scenario. Triggers are indicators that may signal elevated risk:- Economic indicators (unemployment, inflation)
- Regulatory events (inspection notices, new regulations)
- Operational events (system outages, fraud incidents)
- Market events (interest rate changes, currency fluctuations)
Step 8: Review and Finalize
The Review & Finalize tab shows:- Executive Summary - Overall risk profile
- Key Findings - Scenarios requiring attention
- Risks Above Appetite - Scenarios exceeding risk tolerance
- Mitigation Summary - Recommended actions
- Attestation - Sign-off checkbox
BRA Approval Workflow
Submission
When the assessment is complete:- Navigate to the Review & Finalize tab
- Verify all scenarios have been rated
- Check the attestation checkbox
- Click Submit for Approval
Approval (Client Admin Only)
Client Admins can approve submitted BRAs:- Review the complete assessment
- Add approval comments
- Click Approve
Upon approval, the system creates an immutable snapshot containing all assessment data. This snapshot cannot be modified and serves as the permanent record.
Post-Approval
After approval:- BRA becomes read-only
- Data is copied to
le_assessed_risk_scenarios(Layer 2) - Future BRAs can pre-fill from this assessment
- Mitigation actions are automatically generated for risks above appetite
BRA Workspace
The BRA Workspace consists of three tabs:Tab 1: Risk Scenarios
- View all risk scenarios for the BRA
- See inherent/residual risk ratings
- Progress indicators show assessment completion
- Filter by category, risk level, assessment status
Tab 2: Controls
- View all controls linked to scenarios
- Accordion view groups sub-controls under key controls
- ToD/ToE ratings displayed with color-coded badges
- Quick stats show assessed vs. total controls
Tab 3: Review & Finalize
- Executive summary of the assessment
- Key findings and attention items
- Mitigation action summary
- Approval workflow controls
Best Practices
Plan Your Assessment
Plan Your Assessment
Before starting, gather information about:
- Products offered by the business unit
- Recent incidents or near-misses
- Regulatory changes affecting the entity
- Control testing results from the period
Be Consistent with Ratings
Be Consistent with Ratings
Use the same rating criteria across all scenarios:
- Reference your organization’s risk rating guidelines
- Consider both quantitative and qualitative impacts
- Document assumptions in justifications
Link Relevant Controls
Link Relevant Controls
Ensure all mitigating controls are linked:
- Include both preventive and detective controls
- Don’t forget manual controls (committees, reviews)
- Consider IT and operational controls
Write Clear Justifications
Write Clear Justifications
Each justification should:
- Explain the reasoning for the rating
- Reference specific data or evidence
- Be auditable and defensible
API Reference
See API Reference for complete documentation.