HMRC Overhauls its Business Risk Review (BRR) Regime

HMRC administers the whole of the tax system for the UK and Northern Ireland.  Although there are some 5.7 million active businesses in the UK, less than half a percent are responsible for 40% of the tax HMRC collects (approximately £217 billion in 2017).  So, how well those businesses manage their tax compliance will make a significant impact on total tax collected. Those with a UK turnover above £200m, or gross balance sheet assets of over £2bn, are overseen by HMRC’s Large Business Directorate (LBD), which administers a Business Risk Review (BRR) process via an assigned Customer Compliance Manager (CCM) who is supported by a team of risk analysts, forensic accountants, lawyers and other experts. 

The aim of the BRR

The purpose of the BRR is to proactively apply HMRC’s resources to where they believe the greatest tax risk exists.  This is done by accrediting each business with a risk rating, determined by the CCM team’s detailed knowledge of the group across three defined categories of assessment:

1. Systems and Delivery: how the business ensures its systems and process are appropriate and sufficiently resourced to enable them to pay “the right tax at the right time” and continue to identify and minimise risk;
2. Internal Governance: the framework within which the business manages its tax compliance risk and its practical application, along with their openness and cooperation with HMRC;
3. Approach to Tax Compliance: the tax strategy and the structure of business interactions alongside the transparency and cooperation in its dealings with HMRC.

Once an appraisal is finished, the CCM applies ratings to each of the categories culminating in an overall risk classification that is presented to the business, along with an Action Plan setting out corrective behaviour where control gaps and failings have been identified.

Recognising that its existing BRR had been in place virtually unchanged for over a decade, HMRC undertook a business consultation in Q4 2017 to evaluate what improvements could be made.  As a result, a revised BRR was conceived, and, following a limited pilot scheme in 2018, it was formally rolled out to all LBD ‘customers’ with effect from 1 October 2019.      

What’s changed?

The most significant difference between the new BRR and the old is a widening of the risk ratings from three (low, moderate, high) to four (low, moderate, moderate-high and high).  Across the three assessment categories there are eight low risk indicators. Risk indicators are applied separately in respect of each individual tax regime (e.g. Corporation Tax, VAT, PAYE).  The risk rating applied to a business depends on the proof they can provide to HMRC demonstrating they meet each of those indicators. 

Low Risk behaviour comprises not failing any of the Low Risk criteria in any material aspect (whilst also complying with Senior Accounting Officer regime obligations). There may be occasions where a business doesn’t meet one or more of the criteria, but the failure does not imply any significant or ongoing threat (e.g. where an insignificant error has been made in one category that might have been unforeseen, and/or controls have since been put in place to prevent it reoccurring).

Any business falling within BRR control should already have implemented a broad spread of internal controls within their finance departments and wider accounts receivable, accounts payable and procurement functions.  This would be an appropriate time to revisit these internal controls in alignment with the defined risk categories to evaluate if your risk profile might have changed under the revised BRR risk classification, and to consider any further initiatives you could employ to reduce it, since HMRC will undoubtedly be doing the same.