Information security, business continuity, vendor management, ID theft, RDC, Internet banking…it seems that every time you do anything these days you’re expected to perform a risk assessment. This is nothing new; risk assessments have been around since risk management began, but I think we’re going to see even more focus on them in the future. Furthermore, I believe this is actually a two-part trend. Not only will the volume of assessments increase, but the scope will expand to include additional risks as well. So perhaps this trend should be called:
Risk Assessments – More of them, and more in them
First of all, as I’ve said before, the blame for the largest recent failures in the financial industry has been placed largely on management’s inability to properly assess and manage risk. Additionally, the vast majority of FDIC Consent Orders require increased Board and senior management involvement. The intent is to place the accountability firmly at the top, because management is expected to make decisions based on an accurate understanding of the risks involved. And that always requires a risk assessment.
Secondly, there has been a clearly discernible shift towards including enterprise-wide risks in all risk assessments. This started with the FDIC Winter 2009 Supervisory Insights newsletter, which basically redefined the customer information risk assessment to include “assessment of risks across all business lines, including, but not limited to, risks to information security”. We also saw this trend exhibited in the disaster recovery process, where the term “enterprise-wide” is mentioned 39 times in the latest FFIEC guidance. Finally, we’ve seen this enterprise-wide focus validated in recent regulatory examinations. Regulators are now asking about things like strategic risk, reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.
In order to fully understand and prepare for this trend, it’s important to understand 2 things:
- There is no single universal template for all risk assessments, and
- A risk assessment is only one step in the risk management process…and it’s not the first step
So, lacking a universal template for risk assessments, how do you proceed? You start by understanding that risk assessments are actually step 2 in the risk management process. The essential elements of an effective risk management program are:
1. Identify the assets to be protected. What are you protecting (e.g. customer information, critical business processes, etc.), and why (privacy, security, reputation, etc.)? Be sure to consider all (i.e. enterprise-wide) risks.
2. Identify the threats to those assets. What bad things could happen to the assets identified in step 1? Rank the threats by both impact and probability. (This is the traditional risk assessment step.)
3. Apply controls in a layered, overlapping way until the risks are reduced to an acceptable level.
4. Test the adequacy and effectiveness of the controls.
5. Monitor the program and periodically repeat the process.
Exactly how the risk management process is documented is not specifically prescribed by the regulators; it is up to the institution to adopt a process that works best for it. I do suggest you try to adopt a consistent format that can be easily duplicated for all occasions requiring a risk assessment, and is also flexible enough to accommodate change. I’ve found that a spreadsheet-type risk ranking matrix works best, with assets on the vertical axis, and threats and controls on the horizontal axis, but other approaches work fine too. Regardless of how it’s done, the process should include all 5 of the required elements, and include enterprise-wide risks. From the FDIC:
“Risk assessment findings should be tied to business risks more broadly. These efforts will help ensure that senior management, the Board of Directors, and the institution’s regulators gain sufficient insight into the institution’s true risk posture and help reduce the potential for an unforeseen, escalated risk profile.”