Sustain the Success of Your Online Gambling Business with A Robust Business Risk Assessment

20 December 2022

Nestled in the heart of the Irish Sea, the Isle of Man has emerged as a powerful launch pad for regulated eGaming businesses. With a history steeped in tradition and a forward-thinking approach to industry oversight, the island has cultivated a regulatory reputation that stands as a shining example of excellence.

The Isle of Man's journey to becoming a global hub for online gambling and eGaming has been one of relentless commitment to integrity and innovation, making it a go-to destination for businesses seeking a secure and thriving environment in the digital gaming realm.

The Gambling Supervision Commission ('GSC') is the independent statutory board responsible for maintaining the Island’s strong regulatory reputation in the online gaming space.

Established in 1962, the Commission upholds the following core principles:

  • To keep the gambling industry crime free
  • To protect the young and those at risk
  • To ensure that the services offered by licence holders are fair and that players receive their true winnings 

In this article, Nick Wait, Managing Director of Impact Professional Services, looks at what regulated online gaming businesses can learn from another highly regarded regulatory body in the Isle of Man – the IOM Financial Services Authority (IOMFSA), specifically in relation to the importance of Business Risk Assessments (BRA).


What is a Business Risk Assessment and How Does It Help Your Business?

“A Business Risk Assessment (BRA) is a key part of a firm’s compliance and risk management framework to help detect and prevent money laundering and terrorist financing. The BRA needs to be checked regularly to ensure it is still fit for purpose, and it should be continuously reviewed and updated when circumstances change or new risks or threats emerge.” Ian Spence, Head of the IOMFSA AML/CFT Supervision Division

A BRA ensures that everyone in your business understands the appetite for risk. A well-communicated BRA informs a business’s culture, procedures, policies and checklists at every level of the business.

If Anti-Money Laundering or Countering the Financing of Terrorism regulations are breached, it can result in public prosecution and serious damage to a business’s reputation.

When a business’s BRA is fit for purpose, it ensures operational efficiency and safety.

So, it’s in everyone’s interest to get it right.


The Recent Thematic Review by the IOMFSA Relating to Trust and Corporate Service Providers (“TCSPs”)

The IOMFSA published the findings of phase one of a thematic review relating to Trust and Corporate Service Providers (“TCSPs”) on 12 July 2023.

A Business Risk Assessment questionnaire was sent to a cohort of Island firms to assess how they are meeting their obligations in respect of the Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) Code 2019.

The phase one report, which is available to view online, sets out the responses submitted by 106 licence holders, as well as the Authority’s observations on the data and some examples of best practice.

Phase two of the project, consisting of desk-based inspections focusing on a firm’s BRA, is currently in progress, with the results expected to be published in 2024.

The outcomes will help to inform the Authority’s overall picture of risk and support its work to protect consumers, reduce financial crime, and maintain confidence in the financial services industry through effective regulation.

The TCSP sector is identified in the Isle of Man National Risk Assessment as one of the highest risk business sectors in the Island. The Authority is conducting the thematic review to test the strength of measures and controls put in place by firms to mitigate Money Laundering and Financing of Terrorism related risks and protect their businesses from potential abuse by criminals.

It also provides an opportunity for the Authority to enhance its engagement with firms and to share the findings and feedback with industry.

We recommend that all firms, whether regulated by the IOMFSA or by the Gambling Supervision Commission, read the phase one report and take any action necessary to ensure their own risk-based compliance regimes in relation to BRAs are effective, up-to-date, and properly documented.


What Should Be Contained in a Business Risk Assessment (BRA)?

A BRA should clearly set out the risks a business faces in relation to customers and their activities and explain the basis of the assessment.

It should highlight how much, and what level of, risk the business is prepared to take. Additionally, the BRA should clarify what risk the firm is not prepared to take.


Other Key Points to Include
  • There should be a documented Risk Appetite Statement or associated Policy. 
  • There should be a documented Anti-Money Laundering / Countering the Financing of Terrorism Policy in place. 

The BRA should:

  • be informed by other risk assessments required by the Gambling Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the Code) as well as the Isle of Man National Risk Assessment
  • detail the composition of the customer base and where the risks are. For example, how many high & standard risk clients, Politically Exposed Persons split by domestic & foreign and high & standard risk ratings. 
  • incorporate the link to Customer Risk Assessments as a key source of information.   
  • contain evidence of the BRA’s review and approval, for example extracts of Board minutes. 
  • be communicated to the entire business. 
  • have clearly documented reviews and approvals, using version control.


  • There should be a process in place to ensure the timely supply of information or documentation requested by the Authority.
  • There should be a documented Risk Assessment Methodology / Risk Scoring Matrix in place to:
    • assess the inherent risks relevant to the business.
    • identify mitigating factors and controls to manage the impact of the risks.
    • assess the risk impact.
    • assess the effectiveness of the controls in place.
    • assess whether the residual risk is within the documented risk appetite.
    • assess the likelihood / probability of the risks.
    • assess the cumulative risks.


Some Wider Points to Consider
  • If the business is part of a Group, the BRA should consider the specific risks relevant to the Isle of Man licence holder.
  • Any areas for development highlighted in the BRA should be reported to the Board / senior management team. 
  • It’s important to identify whether there are any barriers in place to prevent the operation of effective systems & controls.
  • Record keeping requirements should be followed. Previous versions of the BRA should be kept for a minimum of 5 years. 
  • If the BRA is to be reviewed and updated at a trigger event, this should be documented.


Important ‘Housekeeping’ Tips for Ensuring a BRA Continues to Be ‘Fit for Purpose’
  • Ensure a regular review of what is in your BRA and that it adequately reflects your business’s appetite for risk
  • Ensure that everything is documented and there is a central store for documents
  • Review who has, and should have, contributed to the BRA
  • Ensure that everyone in the business is aware of the BRA (trickier in larger organisations)
  • Ensure that the BRA has been reviewed in the last 12 months
  • Ensure that the board have taken time to review and digest the BRA in the last 12 months.



As eGaming enterprises navigate the complex landscape of compliance and risk management, the recent IOMFSA review serves as a poignant reminder of the importance of a well-structured BRA.

Incorporating the insights gained from this review will not only safeguard consumers but also protect against financial crime, fostering and sustaining confidence in all regulated sectors through the vehicle of effective regulation.

While the costs associated with compliance are not insignificant, they pale in comparison to the potential consequences of non-compliance.

The Isle of Man's regulatory journey stands as a testament to the fact that, in the world of eGaming, understanding and implementing sound risk assessment practices are not just obligations but essential strategies for long-term success and sustainability.

As businesses look to thrive in the ever-evolving digital gaming sector, the Isle of Man provides a compelling blueprint for achieving both regulatory excellence and operational efficiency.

Impact Professional Services support finance and eGaming businesses in the Isle of Man with compliance and risk expertise. From licence application and procedure documents to one-off projects and independent monitoring and oversight – they’re here to support your navigation of the regulatory landscape.


This article has been created by a third party and is provided for general informational purposes only and does not constitute endorsement, recommendation, or approval by Digital Isle of Man.

While we strive to ensure the accuracy, relevance, and reliability of third-party content, we do not warrant or guarantee its completeness, timeliness, or fitness for any particular purpose. Any reliance you place on such content is strictly at your own risk.