A risk assessment matrix is the table that turns a BSA/AML risk assessment into ratings you can defend. The risk drivers run down the rows; inherent risk, control strength, and residual risk run across the columns, each rated on a consistent scale. The discipline matters more than the scale: the same logic applied to every line, and a residual rating the documented controls actually support. This guide builds one step by step with a worked example.
The BSA/AML risk assessment is the analysis; the matrix is how it is expressed. Examiners and sponsor banks ask to see it because it shows the reasoning in one view: what the institution is exposed to, how well it controls each exposure, and what risk is left. A good matrix is legible to someone who was not in the room. This guide covers how to build one.
What a risk matrix is
A risk matrix lays out each risk driver in a row and rates it across three columns: inherent risk, control strength, and residual risk, with a column for the rationale. It is the structured form of the risk assessment, not a separate exercise. The full risk assessment guide covers the categories and method; this one focuses on building the table and scoring it.
Step 1: Define the rating scale first
Before rating anything, define what each level means. A three-point scale (low, moderate, and high) is common and usually enough; define control strength on a matching scale (for example strong, moderate, and weak). Write a short definition for each level so two people rating the same driver would land in the same place. A scale defined after the fact, or applied by feel, produces ratings no one can defend.
Step 2: Lay out the drivers
List the specific risk drivers that apply to your institution, grouped by the standard categories: products and services, customers and entities, geographies, and delivery channels. List the drivers you actually have, not a generic industry list. A matrix that would read identically for a different institution is rating nothing.
Step 3: Rate inherent risk
For each driver, rate the risk it carries before any controls. Volume and dollar value belong here, not just whether the risk exists. A product used by a handful of customers a year is a different exposure than the same product used by thousands. Record the basis for each rating in the rationale column.
Step 4: Score control strength
For each driver, judge the controls that manage it on both design and operation. A control counts only if it exists and works. Strong controls are specific, tested, and tuned; weak controls are generic, untested, or not operating. The control rating is where independent testing and monitoring results feed the matrix.
Step 5: Derive residual risk
Combine inherent risk with control strength to reach residual risk. Use a consistent rule rather than a fresh judgment each time. A simple, defensible rule on a three-point scale: strong controls lower the inherent rating by one level, moderate controls hold it, and weak controls raise it by one level, with the result capped at the ends of the scale. High inherent risk with strong controls lands at moderate; high inherent risk with moderate controls stays high; moderate inherent risk with weak controls lands at high. Residual risk is the risk the program actually carries, and the rating an examiner reads.
A worked example
| Risk driver | Inherent | Control strength | Residual |
|---|---|---|---|
| International wires | High | Strong (tuned monitoring, sanctions screening) | Moderate |
| Money services business customers | High | Moderate (EDD in place, refresh inconsistent) | High |
| Non-face-to-face onboarding | Moderate | Strong (identity verification, document checks) | Low |
The second row is the point of the exercise. The inherent risk matches the first, but weaker controls leave a higher residual risk, and that is where the program should spend its next unit of attention.
Step 6: Aggregate to an enterprise rating
Roll the residual ratings into an enterprise-wide rating. This is a reasoned conclusion, not an average. One high-residual-risk line can set the institution's posture even when most of the book is low risk. State why the aggregate rating is what it is, so the conclusion can be tested.
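The scoring rule from Step 5 and the roll-up from Step 6 are the parts of the matrix that must be applied identically on every line, so they are worth writing down as a repeatable procedure rather than a judgment. The Python below is an added example for this guide, not code from the FFIEC manual or any vendor tool. It encodes the three-point scale, the residual rule (strong lowers one level, moderate holds, weak raises one level, clamped to the scale), a check that flags any recorded residual the rule does not support, and an enterprise roll-up that takes the highest residual line rather than an average. The rows are constructed from the worked example table; the fourth row (a hypothetical cash-intensive-business line whose recorded residual has drifted below what its controls earn) is an assumption added to show the check firing.

```python
# Added example: encode the residual-risk rule and the enterprise roll-up so every
# line of the matrix is scored by the same logic. Illustrative code written for
# this guide, not from the FFIEC manual or any product. The scale, the shift
# rule and the sample rows are assumptions taken from the worked example above.
from dataclasses import dataclass
from typing import List, Optional

SCALE = ["Low", "Moderate", "High"]            # the scale, defined before anything is rated
CONTROL_SHIFT = {"Strong": -1, "Moderate": 0, "Weak": +1}   # levels moved on SCALE


def residual(inherent: str, control: str) -> str:
    """Derive residual risk from inherent risk and control strength.

    Refuses undefined ratings: a level that is not on the scale was never defined,
    so no rule can be applied to it consistently.
    """
    if inherent not in SCALE:
        raise ValueError(f"undefined inherent rating: {inherent!r}")
    if control not in CONTROL_SHIFT:
        raise ValueError(f"undefined control rating: {control!r}")
    idx = SCALE.index(inherent) + CONTROL_SHIFT[control]
    idx = max(0, min(len(SCALE) - 1, idx))     # clamp to the ends of the scale
    return SCALE[idx]


@dataclass
class Row:
    driver: str
    inherent: str
    control: str
    rationale: str
    recorded_residual: Optional[str] = None    # what the matrix currently says, if anything


def score(rows: List[Row]) -> List[dict]:
    """Return the rule-derived residual per driver and flag rows whose recorded
    residual the documented controls do not support."""
    results = []
    for r in rows:
        derived = residual(r.inherent, r.control)
        supported = r.recorded_residual in (None, derived)
        results.append({"driver": r.driver, "residual": derived,
                        "recorded": r.recorded_residual, "supported": supported})
    return results


def enterprise_rating(results: List[dict]) -> str:
    """Roll-up is the highest residual line, not an average: one high-residual
    driver sets the institution's posture."""
    return max((r["residual"] for r in results), key=SCALE.index)


# Constructed rows mirroring the worked example table. The fourth row is an
# assumed extra driver whose recorded residual sits below what its controls earn.
EXAMPLE_ROWS = [
    Row("International wires", "High", "Strong",
        "tuned monitoring, sanctions screening", "Moderate"),
    Row("Money services business customers", "High", "Moderate",
        "EDD in place, refresh inconsistent", "High"),
    Row("Non-face-to-face onboarding", "Moderate", "Strong",
        "identity verification, document checks", "Low"),
    Row("Cash-intensive businesses (hypothetical)", "High", "Weak",
        "generic thresholds, not tested", "Moderate"),
]


def main() -> None:
    results = score(EXAMPLE_ROWS)
    for r in results:
        flag = "" if r["supported"] else "  <-- recorded rating not supported by controls"
        print(f"{r['driver']:<42} residual={r['residual']:<9} recorded={r['recorded']}{flag}")
    print("Enterprise residual rating:", enterprise_rating(results))


if __name__ == "__main__":
    main()
```

Running it reproduces the three residual ratings in the worked example table, flags the hypothetical fourth row because a weak control cannot take a high inherent rating down to moderate, and returns High for the enterprise rating because one line carries high residual risk regardless of how the others score. Changing a level definition or the shift rule changes every row at once, which is the consistency an examiner tests for.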
Qualitative or quantitative
Some programs attach numbers and weights so the aggregation is repeatable; others stay qualitative with written justification. Either is defensible. A three-point scale applied consistently and backed by reasoning beats a ten-point scale assigned by feel. Consistency is what an examiner tests: the same logic on every line, and residual ratings the documented controls genuinely support.
The matrix is only as good as the reasoning behind it. Define the scale first, rate your own drivers rather than a generic list, keep inherent and residual separate, and make every residual rating something the controls actually earn. For the full method and the four risk categories, see the BSA/AML risk assessment guide.
Primary sources
- FFIEC BSA/AML Examination Manual: The interagency supervisory standard; see the BSA/AML Risk Assessment and Independent Testing sections, including the risk-based approach to scope and frequency.
- 31 CFR 1020.210: Anti-money laundering program requirements for banks (the program pillars, including independent testing and customer due diligence).