Hi Emma,
Check out the roles. The roles must be having "*" in ACTVT. The system cannot behave differently. Definitely there is some leakage of access. Check out the permission you have made as active in BS03 function and the permissions maintained in the roles showing up in the risks.
Thanks,
Fazil