This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Tax Compliance Risk Management

The Business Risk Review (BRR): Approaching the Business Risk Review

Leading up to the BRR the CRM should aim to work with the customer to establish a good understanding of the inherent risks they present and how they identify and manage those risks through their behaviour.

Where possible this should be a collaborative process with the customer forming their own view of how they match up to the risk criteria, comparing their findings with the CRM and discussing any differences. In any event the CRM should invite the customer to discuss the BRR and try to come to an agreed view of whether the customer is Low Risk or not and, if not, the extent to which their behaviour increases or decreases their inherent risk.

In carrying out the BRR CRMs should be mindful of the fact that the BRR is also taken very seriously by many customers. It may form part of the customer’s overall governance process and the results shared with the Board, the Audit Committee and external auditors.

In situations where a group has a divisional structure, or where there is a need to maintain confidentiality between different parts of a group, CRMs should use their judgement as to whether separate Business Risk Reviews are required for each part of the group. In these cases it is quite feasible that some parts of the group will meet the Low Risk criteria and others will not. An overall risk marking will be required for the purposes of the Customer Relationship Management Module and, in general, if any parts of the group do not meet the Low Risk criteria then the business should be classified as not Low Risk overall. Notwithstanding this overall marking, those parts of the group which are Low Risk should be treated as such and resources directed to those parts of the group which are not Low Risk.

Where there are confidentiality issues, the CRM should only discuss the results of these individual BRRs with the parts of the group to which they relate and not divulge the overall risk marking.

CRMs should use input from Tax, Audit and other specialists in considering levels of risk. Where appropriate, this includes obtaining and considering input from colleagues outside Large Business.