Friday, July 22, 2011

The Proper Care and Feeding of a Risk Assessment

Now that the Board has reviewed and approved the institution’s new or revised risk assessment, it can be shelved until the examiners ask to see it or it’s time for the next annual update, right? Absolutely not! The risk assessment itself provides a snapshot of the institution’s risk profile at a given point in time; but, with proper care and feeding, it becomes the basis for a process whereby the institution can monitor its risk profile on an ongoing basis. And, through proper care and feeding, the next annual revision will be a significantly streamlined process.

To increase the power of your risk assessment, begin by implementing a process to update the assessment with the results of your monitoring activities as those results are published. Be sure to incorporate the results of any related audits and regulatory examinations, too. These results, whether validating the effectiveness of existing controls or identifying areas for improvement, impact the institution’s risk profile and provide direction in the effective deployment of scarce resources. If you are using an automated risk assessment tool, this functionality should be available. In a manual process, you’ll need to review and revise the risk and control values associated with those areas covered in the audit, examination, or monitoring reports.

Updating the risk assessment to reflect the impact of new or revised products, services, and regulations is equally important. Establishing a change management process that mirrors your risk assessment process and includes an evaluation of the associated risks and controls allows for easy integration of the results. Feeding these results into your risk assessment increases your ability to manage the institution’s overall risk profile on a real-time basis. Again, an automated risk assessment tool should include this functionality; in a manual process, the risk and control values associated with the activity will need to be revised as necessary to reflect the change.

In conjunction with these ongoing updates, expanding your risk assessment process to include other key risk indicators enhances your ability to monitor and manage the institution’s level of risk. Risk levels are impacted by various factors, not all of which are associated with a specific change in products, services, or regulations. Defining and monitoring indicators are vital steps to an effective risk management process.

Indicators may be internal, including activities such as training, staffing expertise and sufficiency, effectiveness of management information systems, and customer communications and complaints. Although generally incorporated into the change management process, these indicators should be continually monitored for changes occurring independent of new or revised products, services, or regulations. For example, the departure of key personnel can have a significant impact on risk and will probably occur outside of an event captured by the change management process.

Monitoring external indicators such as economic conditions and industry-wide litigation or enforcement actions will also increase the power of your risk assessment. Re-evaluating risks and controls associated with areas of increased regulatory focus, as identified by an increase in enforcement actions, affords an institution the opportunity to adjust its program to close potential gaps before they pose significant impact.

Clearly, the requirement to implement an effective risk management process is not going away. Institutions devote significant time and effort to performing and documenting their risk assessments. Yet most institutions are not maximizing the value of the risk assessment process. Through proper care and feeding, you can streamline the process and achieve up-to-the-minute results from your risk assessment.
