Risk Assessments: knowing where you’re vulnerable is 50% of the fix.
Assess The Risk to Mitigate It.
Risk assessments are a ‘must have’ to get exam-ready. For sure, risk assessments are far more important now than in years past. For example, both BSA and IT compliance require a financial institution to perform a periodic, third party, risk assessment. But in the past, only a very high level of analysis was done. Rarely did any institution do a granular, down to specific products or services, analysis. An even greater failure happens when a institution neglects to use a risk assessment as a “Project Risk Scope” or a guide for the institution’s day to day conduct of business. (Many financial institutions use a form (often referred to as “Appendix J”) that was passed around by examiners and peer banks. This form was useful in the past. Now, in 2020, not so much.
Even if not explicitly required, examination teams often look favorably on institutions who perform risk assessments more frequently, not just to satisfy the examiners. But, even more important, a risk assessment should be performed before undertaking any significant project (new products, loss of key employees, change in core processor procedures, etc.).
COVID-19 pandemic became another reason to perform a Risk Assessment, since institutions needed to analyze the pandemic effects on their operations and business risks.
A risk assessment payoff: an example to think about.
In the middle of the process to roll out mobile banking, our client lost the Chief Deposit Operations officer. That person’s areas of supervision included Online Banking, ACH and Wire Transfers plus Reg E disputes. The key employees in the department were stable. The bank’s question was: can we continue with mobile banking or is the risk associated with the loss of the employee big enough to warrant postponing the introduction of Online Banking? The answer was found with a Risk Assessment.
The assessment documented the risks associated with proceeding with the plan while recruiting a replacement. Those risks were determined to be manageable. Which is what the bank decided to do. Guess what? The next independent audit team asked how that decision was made and did the bank have documentation in hand. (Of course, a more embarrassing question could have been, “Can I see the risk assessment you did before you decided to go with mobile banking?” But, we won’t go there.)
Want to to talk it over?
Call 828-252-4036 or fill in the Contact Form.
These guys are good. They helped get our program out of the ditch with a workable compliance plan – which they’ve updated for us twice. They managed to get a compliance team spirit going in the bank – even the BDOs are on board. The outside auditor has rated our program at a “9” (out of 10) for the past four years – and the auditor say, “I never give anybody a 10.”
Let's Talk It Over (No Charge!)
Call us at 828-252-4036 or go here and fill out the form.