By: Brett Schimanski, CRCM
When discussions turn to risk assessments, we often hear similar responses: risk assessments do not provide any value, risk assessments provide the same results every year, risk assessments are too time-consuming, we have to complete too many risk assessments. At the same time, we hear that Bank management and the board of directors (BOD) continue to be concerned about complying with regulatory expectations. In particular, Banks are concerned with issues surrounding areas such as fair lending, unfair and deceptive or abusive acts or practices (UDAAP), TILA-RESPA Integrated Disclosures (TRID), etc. Well-defined risk assessments can isolate risks, such as fair lending, and identify control points that minimize risk. These control points can then be leveraged to create on-going monitoring plans and generate reporting to management and the BOD.
So, how do you extract value from risk assessments? Due to the perceived value in, and number of, risk assessments that Banks must complete, we often find risk assessments completed using more generic templates and with more of a top-down focus. These types of risk assessments tend to be broad, qualitative assessments classifying risk by category (e.g., fair lending, UDAAP, Regulation Z). While these types of assessments are useful to identify broader areas of risk, they do not provide the detail necessary to begin to understand where the risk lies within the Bank’s operations and build appropriate monitoring and reporting.
As the risk assessment process moves along the maturity scale, Banks should consider developing more detailed, quantitative risk assessments. More detailed risk assessments can be used as a diagnostic tool to identify not only the broader categories of risk but also where the real risk lies within these categories. To accomplish this, the Bank will want to start breaking down the categories of risk by considering the process flows and work streams along which the respective risks lie. For example, by diagramming the process flow involved in the life cycle of a new consumer loan, it is then possible to identify where fair lending risks lie within the work stream of a new consumer loan request.
Once risks have been identified within the process flow, the Bank can then conduct a gap analysis to assess whether or not offsetting controls have been established. Control gaps should be assessed to determine whether or not a new control should be developed or whether existing controls appropriately mitigate the respective risk.
The Bank can then leverage the controls to develop on-going monitoring programs to supplement annual testing. Results of the on-going monitoring can then be reported to management and the BOD to inform them of the adequacy of the existing controls and alert them to any developing trends.
While the size and complexity of the Bank will be the primary driver of how detailed each risk assessment needs to be, there are certain risks that warrant a more thorough review. By properly identifying those risks and performing a more detailed risk assessment, the Bank will be positioned to pinpoint exposure, develop monitoring and testing programs, and provide management and the BOD with the reporting necessary to make informed decisions.