TCRM3420 - The Business Risk Review (BRR+): Revisiting the BRR+: Customers who are not Low Risk
Customers who are not Low Risk will generally receive an annual Business Risk Review (BRR+) but the aim is still to carry out the minimum work required to determine the overall risk status while meeting the evidence requirements. Where a customer has had an open and transparent relationship with us in the period between BRRs, the BRR+ is likely to be a simple process of summarising what has happened since the last BRR+ and agreeing what further action is needed to reduce the customer’s risk profile. Where we have not had an open and transparent relationship with the customer the BRR+ is likely to be a more prolonged exercise and/or will result in more intensive Risk Assessment activity as we seek to understand the risks presented by the customer.
Where a customer is stepping down the risk ratings but does not meet the assessment of Low Risk, any revisit of the risk rating should be undertaken at the next annual review. Whilst customers can demonstrate their improvements in systems, governance and behaviour in lowering their risk rating the fact that they do not meet the Low Risk assessment will mean that they are continually reviewed and a revisit of the risk rating before 12 months of exhibiting the requisite behaviours will not be appropriate. Additional details on revisiting the BRR+ risk rating are found within TCRM4400.
If at any point a change to or from High Risk status is proposed this should be agreed by the BRR+ Countersigning Officer, see TCRM 3430