Key Highlights

• Your statistical return is one of the most complete snapshots of your risk profile you produce all year.
• It already holds much of the evidence your BRA needs — CRA outcomes, PEP/CEP exposure, jurisdictional spread and concentrations.
• Use it to benchmark against the NRA, build a CRA-outcomes section that says something, and track year-on-year movement.
• Keeping the data usable (an Excel export) is what turns a generic BRA into a specific, defensible one.

You know the feeling: weeks of pulling numbers, checking categories, chasing internal data, and finally submitting the statistical return — then wanting to never think about it again.

Fair. But if you're a regulated firm, that return isn't just a regulatory chore. It's one of the most complete snapshots of your risk profile you produce all year — and it contains much of the evidence your Business Risk Assessment (BRA) is supposed to be built on.

Why this matters (and why the regulator cares)

The Isle of Man supervisor has been clear for years that generic BRAs don't demonstrate an understanding of your business. A BRA that lists broad threats and standard controls might show you completed a document, but it doesn't show you understand your own exposure or that your controls are proportionate to your real client base.

More recently, sector work on BRAs has illustrated what "good" looks like: not just referencing high-level risk themes, but demonstrating how your own data supports your risk conclusions, your appetite, and your control framework.

In practice, where firms often fall down is simple:

1. they don't connect the BRA to the National Risk Assessment (NRA) in a meaningful way; and
2. they don't translate Customer Risk Assessment (CRA) outcomes into an aggregated, evidenced picture inside the BRA.

Your statistical return is where much of that evidence already lives.

What your statistical return is really telling you

A good BRA isn't meant to be a description of process ("we do CRAs"). It's meant to reflect what the process is showing you — in numbers and trends — and what you are doing about it.

Your return data gives you exactly that kind of aggregated view, including (depending on the return and how you extract it):

• your client base by risk rating and client type (drawn from CRA outcomes);
• counts of PEPs and Commercially Exposed Persons;
• jurisdictional spread of clients and beneficial owners;
• disclosure activity (including SAR-related reporting rates);
• concentration indicators (e.g., where income is coming from); and
• reliance on introducers and similar channels.

If you pause on that list, what you have is not "statistics homework". It's a structured description of your business risk profile — by customer type, geography, and risk distribution — and that's exactly what your BRA is meant to evidence. It's the same dataset we describe in more than a filing exercise, viewed from the BRA side.

Step 1: Use it to benchmark against the NRA (properly)

It's not enough to cite the NRA and move on. The stronger approach is to place the NRA's relevant observations alongside your own position, and then say plainly whether you sit in line with, above, or below the broader profile — and why.

Your return data helps you do that comparison because it gives you the "your business" side of the equation. Where sector aggregates are published, you can use your own numbers to explain whether your profile differs — and whether that difference is intentional (risk appetite) and supported by controls.

This is also where you protect yourself: if a metric looks unusual (for example, a low SAR rate relative to your client base), that doesn't automatically mean you're wrong — but it does mean it's worth addressing in your BRA before anyone asks the question.

Step 2: Build a CRA outcomes section that actually says something

Many BRAs say "we conduct CRAs" and then describe the method. That's not the difficult part. The difficult part is summarising what the method is showing you in the round.

A practical way to do this is a dedicated section that sets out:

• the proportion of higher-risk clients (and the direction of travel year-on-year);
• your key higher-risk jurisdictions and how they arise (client residence vs beneficial ownership);
• your PEP / exposed person concentration and what controls support it; and
• any obvious concentrations (types of client, revenue drivers, introducer reliance).

The best versions don't stop there — they use those numbers to drive the rest of the BRA narrative: where the data shows an elevated exposure, the BRA addresses it; where your higher-risk proportion sits above the norm, the risk appetite statement explains the rationale and the controls that make it acceptable.

Step 3: Turn the return into management information (not a yearly panic)

Your risk profile isn't static. Client mix changes. Jurisdictional exposure shifts. PEP numbers move. Those movements are exactly the sort of internal signals that should prompt updates, board reporting, or targeted reviews between formal annual BRA refreshes.

A simple but effective habit is to treat each year's statistical return as a consistent "snapshot", then compare it to last year:

• What moved materially? (risk distribution, geographies, PEP levels, introducer use)
• Why did it move? (business decisions, market changes, client lifecycle)
• What did you do about it? (controls, resourcing, enhanced monitoring, risk appetite adjustments)

The return gives you a repeatable framework for trend analysis. Used properly, it can help you evidence that your BRA is a living risk tool — not a document that gets dusted off once a year.

A practical tip: keep the data in a usable format

If you can extract the return data into Excel before submitting, do it. If you didn't this year, make it a standard step next year. It makes internal analysis far easier, and it means you can reuse the data directly in your BRA and board reporting rather than recreating it from scratch.

The punchline

If your BRA feels like it's always one step away from being "too generic", your statistical return is one of the quickest ways to fix that — because it forces specificity.

It's the evidence base you already have:

• your customer outcomes in aggregate,
• your jurisdictional exposure,
• your exposed-person concentrations, and
• the internal indicators that should drive risk governance through the year.

So before you file it away and try to forget it, pull it back out and ask one question: What does this return say about our business — and where is that evidenced in our BRA?

Frequently Asked Questions

Isn't the statistical return just a regulatory filing?

No. It's one of the most complete, structured snapshots of your risk profile you produce all year — customer outcomes in aggregate, jurisdictional exposure, PEP/CEP concentrations and more. Much of the evidence your BRA needs already lives inside it.

How do I use the return to benchmark against the NRA?

Don't just cite the NRA. Place its relevant observations next to your own numbers and state plainly whether you sit in line with, above, or below the broader profile — and why. Where your profile differs, explain whether that's intentional (risk appetite) and how your controls support it.

What's the quickest way to make our BRA less generic?

Reconcile it to your statistical return. Build a CRA-outcomes section from the aggregated data, address anything that looks unusual before a supervisor asks, and keep the data in a usable format so you can track movement year on year.