A version of this article was previously published in the June 2019 edition of the Western Bankers Association’s WesternBanker Magazine.
When it comes to managing risk, most financial institutions focus their time and energy on regularly scheduled risk assessments. However, in many situations, these limited-scope risk assessments don’t provide the insight necessary to effectively identify risks—let alone manage them.
There are three key elements to successfully managing risk:
- Performing regularly scheduled, comprehensive risk assessments
- Taking a risk-based approach and focusing time and resources on high-risk areas
- Developing and implementing programs to manage and mitigate risk
Following is a comprehensive overview of each of these strategies, and steps your organization can take to implement them.
Comprehensive Risk Assessment
During risk evaluations, many organizations rely on risk-assessment heat maps to determine their organization’s vulnerabilities. While these maps reveal high-, medium-, and low-risk areas within a company and the likelihood and impact of a negative event, they don’t help a company determine why risk exists or which action each risk rating requires.
To receive a more informative assessment, decision makers need to understand risk context and trends through evaluating a variety of factors, such as:
- Root cause of the risk
- Likelihood of a negative event
- Impact of a negative event
- Preparedness to respond to a negative event
- Trajectory of risk—increasing, decreasing, or flat
- Activities to manage or reduce risk
- Residual risk if mitigating activities are accomplished
- Description of the environment
A thorough risk assessment that analyzes these elements allows an organization to pinpoint and address risk areas based on each area’s specific circumstances. It can also inspire an organization to create new mitigation strategies that help prevent or manage future exposure. New mitigation strategies can take the form of policies and procedures, systems, processes, education, and personnel.
Risk-Focused Practices
Similar to risk assessments, there are traditional, narrow risk-focus practices that only analyze financial activities and controls. While it’s critical to assess financial activities and controls, many other factors also put your organization at risk.
That’s why it’s important to take a broader, more comprehensive approach to risk-focus practices, addressing top risk areas throughout your financial institution.
Address High-Risk Areas
More comprehensive evaluations focus on higher-risk areas, including the following:
- Cybersecurity
- Reliance on third-party service providers
- Credit Risk and Current Expected Credit Losses (CECL) implementation
- Regulatory risk, the Bank Secrecy Act or Anti-Money Laundering law (BSA/AML), and the Truth in Lending Act (TILA) and Real Estate Settlement Procedures Act (RESPA) Integrated Disclosure (TRID)
- Fraud
Improve Performance
All functional areas of your financial institution are connected, and each area has associated risks and opportunities for improving performance. Taking a more comprehensive approach to addressing your organization’s risk areas allows you to evaluate potential issues that might otherwise be overlooked.
In addition to the above risk areas, financial institutions should analyze the following elements to improve performance after a complete risk-focus assessment:
- Governance and management, such as leadership, development, and succession
- Structure and staffing, including staffing levels, skills, training, recruiting, retention, and turnover
- Operational efficiency, such as technology, internal controls, policies, and procedures
- Safety and security, including fraud, waste, and abuse
- Processes, such as procurement, compliance, financial reporting, and marketing
Program Development and Implementation
While risk assessment is important, continuing to analyze and mitigate risk following the assessment is key to your company’s continued safety. The hardest part of this process may be finding the time to prioritize continued mitigation efforts.
This is where internal audits or risk management practices—depending on which functions exist within your organization—can take on an expanded role to help your company:
- Prioritize risk
- Develop annual internal audit programs that focus on reducing priority risks
- Validate management actions
- Track and report program implementation progress
Implement Key Benefits
Of course, management is ultimately responsible for implementing new ways to mitigate risk, but there are many ways internal audits or risk-management practices can help, such as:
- Providing policy, procedure, and process best practices
- Guiding efforts to update policies and procedures and streamline processes
- Supplying training opportunities
- Focusing testing on areas of identified weakness
This approach can help your financial institution stay on top of current and emerging industry risk as well as leverage your risk assessments to identify actionable opportunities for improvement.
We’re Here to Help
For more information on this topic or additional insight into how your organization can transform findings into opportunities for improvement, contact your Moss Adams professional.