TCRM3200 - The Business Risk Review (BRR+): Approaching the Business Risk Review (BRR+)
Leading up to the BRR+ the CCM should aim to work with the customer to establish a good understanding of the landscape in which the business operates and the ways in which the business handle their tax affairs.
Where possible BRR+ should be a collaborative process with the customer forming their own view of how they match up to the risk criteria, comparing their findings with the CCM and discussing any differences. In any event the CCM should invite the customer to discuss the BRR+ and try to come to an agreed view of the correct risk rating.
In carrying out the BRR+, CCMs should be mindful of the fact that the BRR+ is also taken very seriously by many customers. It may form part of the customer’s overall governance process and the results shared with the Board, the Audit Committee and external auditors.
In situations where a group has a divisional structure, or where there is a need to maintain confidentiality between different parts of a group, CCMs should use their judgement as to whether separate Business Risk Reviews are required for each part of the group. In these cases it is quite feasible that some parts of the group will meet the Low Risk criteria and others will not. An overall risk marking will be required for the purposes of the Customer Relationship Management Module and, in general, if any parts of the group do not meet the Low Risk criteria then the business should be classified overall at the highest risk rating a part of the group has received which would be Moderate, Moderate - High or High Risk. Notwithstanding this overall marking, those parts of the group which are Low Risk should be treated as such and resources directed to those parts of the group which have higher risk ratings.
Where there are confidentiality issues, the CCM should only discuss the results of these individual BRRs with the parts of the group to which they relate and not divulge the overall risk marking.
CCMs and Tax Specialists should use input from Audit and other Specialists in considering levels of risk. Where appropriate, this includes obtaining and considering input from colleagues outside Large Business.