Field Guide

How to Build a BSA/AML Risk Assessment Matrix

The short version

A risk assessment matrix is the table that turns a BSA/AML risk assessment into ratings you can defend. The risk drivers run down the rows; inherent risk, control strength, and residual risk run across the columns, each rated on a consistent scale. The discipline matters more than the scale: the same logic applied to every line, and a residual rating the documented controls actually support. This guide builds one step by step with a worked example.

The BSA/AML risk assessment is the analysis; the matrix is how it is expressed. Examiners and sponsor banks ask to see it because it shows the reasoning in one view: what the institution is exposed to, how well it controls each exposure, and what risk is left. A good matrix is legible to someone who was not in the room. This guide covers how to build one.

What a risk matrix is

A risk matrix lays out each risk driver in a row and rates it across three columns: inherent risk, control strength, and residual risk, with a column for the rationale. It is the structured form of the risk assessment, not a separate exercise. The full risk assessment guide covers the categories and method; this one focuses on building the table and scoring it.

Step 1: Define the rating scale first

Before rating anything, define what each level means. A three-point scale of low, moderate, and high is common and usually enough. Write a short definition for each level so two people rating the same driver would land in the same place. A scale defined after the fact, or applied by feel, produces ratings no one can defend.

Step 2: Lay out the drivers

List the specific risk drivers that apply to your institution, grouped by the standard categories: products and services, customers and entities, geographies, and delivery channels. List the drivers you actually have, not a generic industry list. A matrix that would read identically for a different institution is rating nothing.

Step 3: Rate inherent risk

For each driver, rate the risk it carries before any controls. Volume and dollar value belong here, not just whether the risk exists. A product used by a handful of customers a year is a different exposure than the same product used by thousands. Record the basis for each rating in the rationale column.

Step 4: Score control strength

For each driver, judge the controls that manage it on both design and operation. A control counts only if it exists and works. Strong controls are specific, tested, and tuned; weak controls are generic, untested, or not operating. The control rating is where independent testing and monitoring results feed the matrix.

Step 5: Derive residual risk

Combine inherent risk with control strength to reach residual risk. Use a consistent rule rather than a fresh judgment each time. A simple, defensible rule: strong controls lower the rating by one level, moderate controls hold it, and weak controls raise it by one level. High inherent risk with strong controls lands at moderate; high inherent risk with moderate controls stays high; moderate inherent risk with weak controls lands at high. Residual risk is the rating the program actually carries, and the one an examiner reads.

A worked example

Risk driver | Inherent | Control strength | Residual
International wires | High | Strong (tuned monitoring, sanctions screening) | Moderate
Money services business customers | High | Moderate (EDD in place, refresh inconsistent) | High
Non-face-to-face onboarding | Moderate | Strong (identity verification, document checks) | Low

The second row is the point of the exercise. The inherent risk matches the first, but weaker controls leave a higher residual risk, and that is where the program should spend its next unit of attention.

Step 6: Aggregate to an enterprise rating

Roll the residual ratings into an enterprise-wide rating. This is a reasoned conclusion, not an average. One high-residual-risk line can set the institution's posture even when most of the book is low risk. State why the aggregate rating is what it is, so the conclusion can be tested.
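Steps 1 through 6 are a single procedure, and the point of the guide is that the same rule is applied mechanically to every line. The following is an added example, not code from this guide or from any vendor, that encodes that procedure: a scale defined up front, rows rejected if they use a rating that is not on the scale or carry no rationale, one combination rule for residual risk, an aggregate that takes the highest residual rather than an average, and an audit that flags any recorded residual the controls do not earn. The scale, the control-strength levels, the specific rule (strong lowers one level, moderate holds, weak raises one level, capped at the ends of the scale) and the rationale text on the sample rows are assumptions made for the example; the three sample drivers mirror the worked example above.

```python
"""Toy BSA/AML risk matrix scorer (added example, not the guide's own code).

Assumptions: a three-point rating scale, three control-strength levels, and one
combination rule: strong controls lower inherent risk one level, moderate controls
hold it, weak controls raise it one level, capped at the ends of the scale. The
enterprise rating is the highest residual on the book, not an average.
"""
from dataclasses import dataclass

SCALE = ("low", "moderate", "high")                # defined before anything is rated
CONTROL_LEVELS = ("weak", "moderate", "strong")
SHIFT = {"strong": -1, "moderate": 0, "weak": +1}  # assumed combination rule


@dataclass(frozen=True)
class Driver:
    category: str       # products, customers, geographies, or channels
    name: str
    inherent: str       # rating before any controls
    control: str        # strength of the controls that manage it
    rationale: str      # basis for the ratings; required, not optional

    def __post_init__(self) -> None:
        if self.inherent not in SCALE:
            raise ValueError(f"{self.name}: inherent {self.inherent!r} is not on the scale")
        if self.control not in CONTROL_LEVELS:
            raise ValueError(f"{self.name}: control {self.control!r} is not a defined level")
        if not self.rationale.strip():
            raise ValueError(f"{self.name}: a rating without a rationale cannot be defended")


def residual(inherent: str, control: str) -> str:
    """Apply the one rule to every line; no per-row judgment."""
    idx = SCALE.index(inherent) + SHIFT[control]
    return SCALE[max(0, min(len(SCALE) - 1, idx))]


def score(drivers: list[Driver]) -> list[dict]:
    """Build the matrix rows: driver, inherent, control, residual, rationale."""
    return [
        {"driver": d.name, "category": d.category, "inherent": d.inherent,
         "control": d.control, "residual": residual(d.inherent, d.control),
         "rationale": d.rationale}
        for d in drivers
    ]


def aggregate(rows: list[dict]) -> tuple[str, list[str]]:
    """Enterprise rating is the highest residual, with the drivers that set it named."""
    top = max(SCALE.index(r["residual"]) for r in rows)
    return SCALE[top], [r["driver"] for r in rows if SCALE.index(r["residual"]) == top]


def next_attention(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Where the next unit of effort buys the most: rows whose controls are not yet
    strong, highest residual first, with the residual that strong controls would earn."""
    candidates = [r for r in rows if r["control"] != "strong"]
    candidates.sort(key=lambda r: -SCALE.index(r["residual"]))
    return [(r["driver"], r["residual"], residual(r["inherent"], "strong")) for r in candidates]


def audit(rows: list[dict], recorded: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare residual ratings someone wrote down against what the rule supports.
    Returns (driver, recorded, supported) for every mismatch; empty means consistent."""
    return [(r["driver"], recorded[r["driver"]], r["residual"])
            for r in rows if recorded.get(r["driver"]) not in (None, r["residual"])]


# Constructed sample drivers mirroring the guide's worked example; rationale text is invented.
SAMPLE = [
    Driver("products", "International wires", "high", "strong",
           "High volume and value; tuned monitoring and sanctions screening tested this cycle"),
    Driver("customers", "Money services business customers", "high", "moderate",
           "EDD in place; periodic refresh inconsistent per last independent test"),
    Driver("channels", "Non-face-to-face onboarding", "moderate", "strong",
           "Identity verification and document checks operating as designed"),
]

if __name__ == "__main__":
    rows = score(SAMPLE)
    for r in rows:
        print(f"{r['driver']:<36} {r['inherent']:<9} {r['control']:<9} {r['residual']}")
    print("enterprise:", aggregate(rows))
    print("next attention:", next_attention(rows))
    # A recorded residual the controls do not earn is flagged rather than silently accepted.
    print("audit:", audit(rows, {"Money services business customers": "moderate"}))
```

Run as a script, the three rows land at moderate, high and low, the enterprise rating is high and is set by the money services business line alone, and the audit flags a recorded "moderate" on that line because moderate controls do not earn it. The rule lives in one place (SHIFT) so changing it changes every row at once, which is the consistency an examiner is testing for.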

Qualitative or quantitative

Some programs attach numbers and weights so the aggregation is repeatable; others stay qualitative with written justification. Either is defensible. A three-point scale applied consistently and backed by reasoning beats a ten-point scale assigned by feel. Consistency is what an examiner tests: the same logic on every line, and residual ratings the documented controls genuinely support.

The matrix is only as good as the reasoning behind it. Define the scale first, rate your own drivers rather than a generic list, keep inherent and residual separate, and make every residual rating something the controls actually earn. For the full method and the four risk categories, see the BSA/AML risk assessment guide.

Common questions

What is a BSA/AML risk assessment matrix?
It is the table that expresses a BSA/AML risk assessment: each risk driver in a row, rated across inherent risk, control strength, and residual risk, with the rationale. It shows in one view what the institution is exposed to, how well it controls each exposure, and what risk remains.
How do you score a risk assessment matrix?
Define a rating scale first, such as low, moderate, and high. Rate inherent risk for each driver before controls, score the strength of the controls on design and operation, then combine the two with a consistent rule to derive residual risk. Aggregate the residual ratings into a reasoned enterprise rating.
What is the difference between inherent and residual risk in the matrix?
Inherent risk is the exposure of a driver before any controls. Residual risk is what remains after the controls that manage it are accounted for. Two drivers can share the same inherent risk and end at different residual risk because their controls differ.
Should a risk matrix be qualitative or quantitative?
Either is defensible. Some programs attach numeric weights for repeatable aggregation; others stay qualitative with written justification. What an examiner tests is consistency: the same logic on every line, and residual ratings the documented controls actually support. A consistent three-point scale beats an inconsistent ten-point one.
From the team behind this guide

A risk matrix scored against real enforcement

Compliance Command Center builds your risk assessment matrix on enforcement-calibrated benchmarks, keeps inherent and residual risk separate with the reasoning written down, and prices the residual gaps in dollars. Practitioners build it (JD, CAMS), with a human reviewing every deliverable, so the residual ratings hold up when a sponsor bank or examiner tests them.