As a financial institution, it sometimes seems that everything you do requires a risk assessment. Information security, disaster recovery, ID theft, remote deposit capture, outsourcing, in fact the term “risk assessment” appears 215 times in the FFIEC IT Examination Handbooks. But a risk assessment is only one step of a five step risk management process…and it’s not even the first step.
I think the regulators unnecessarily confuse the issue by conflating “risk assessment” with “risk management”. Sure it’s important to assess risk, but unless you’ve correctly identified the assets to be protected, you’re assessment will be off target. And once you’ve correctly identified the assets, and assessed the risk to those assets, you must design a system of controls to avoid, reduce and transfer the risk down to an acceptable level. And then, because the environment in which the risks and controls exist is not static, you’re still not done managing. You must constantly repeat the process.
The process is further complicated by the fact that there is no one standard for documenting risk management. Although it would be so much easier for both the institution and the regulator if there were a standard checklist or matrix. Easier for the institution to implement, and much easier for the regulator to follow. (In fact, in my opinion a standardized risk management process would have been a mutually beneficial outcome from Dodd-Frank…it would benefit institutions, regulators, and the public.)
So, lacking a universal standard for risk management, how do you proceed? Again, the FFIEC handbooks provide guidance here. I mentioned earlier how often the term “risk assessment” appeared in the handbooks, but the term “risk management” appears even more often…303 times total. The essential elements of an effective risk management program are:
- Identify the assets to be protected. What are you protecting (i.e. customer information, critical business processes, etc.), and why (privacy, security, etc.)?
- Identify the threats to those assets. What could happen to the assets identified in step 1? Rank the threats by both impact and probability. (This is the traditional risk assessment step.)
- Apply controls in a layered, overlapping way until the risks are reduced to an acceptable level.
- Test the adequacy and effectiveness of the controls.
- Monitor the program and periodically repeat the process.
Remember, exactly how this is documented is up to the institution. Most choose to utilize a matrix, others use a narrative, but regardless of how it’s done the process should include all 5 of these elements.
So next time you hear an auditor or regulator ask for a risk assessment, what they are really asking for is one step in your overall risk management program. Deliver it to them as part of the program and you’ll never come up short.