20 Hoosier Banker July 2015 DIRECTORS / SENIOR MANAGEMENT

Turning Risk Assessments Into Value-Adding Tools

For most financial institutions, maintaining risk assessments takes up considerable time and, with the focus on getting them done, it is easy to lose sight of why they are important. The burden is also increasing: in addition to assessments in areas such as information security and internal audit, a growing number of institutions are now developing enterprise-wide risk assessments.

Enterprise-wide risk assessments, by definition, encompass all areas and types of risk relevant to the institution. They help identify the most material risks and provide the basis for prioritizing risk monitoring activities, aligning risks with controls and reporting the institution's aggregate risk profile to the board. Developing an enterprise-wide risk assessment, however, is only the first step. To add value, the assessment must also be integrated into the institution's enterprise risk management (ERM) program and used to drive day-to-day decision-making and strategic planning.

Integrating Risk Assessments With ERM

Enterprise-wide risk assessments are part of a larger ERM program. As shown in the exhibit on the facing page, risks should be identified and assessed by the first line of defense (the business lines) and used to prioritize management's risk responses and monitoring processes. Assessments should be coordinated by the second line of defense (risk management) to drive consistency.

To link risk assessments with action plans, risks that are assessed as "high" or above on a residual basis (the risk that is left over after internal controls are applied) need to be reviewed to determine whether additional controls or other responses are needed. Business line managers need to fully understand the risks that are being reported to the board; this goal can be achieved by discussing top risks and action plans at risk committee meetings. Without appropriate communication, risk assessments can devolve into data-collection exercises.

Another approach is to map risks based on their likelihood and potential impact. This helps to separate highly improbable, catastrophic risk events, such as a market crisis, from the more frequent but less severe events, like ATM fraud. This distinction directs management to the appropriate risk response, whether it be an additional control or a change in strategy to lessen the potential impact of a risk.

Additionally, the overall level of inherent risk (that is, the risk before the benefit of internal controls) should be compared to the adequacy of controls. High inherent risks with less-than-adequate controls need to be prioritized. Low inherent risks with strong controls can be reviewed to determine whether the risks have lessened, and whether the same level of controls needs to be maintained. This can create efficiencies and free up resources to focus on higher risks.

An advanced practice is to include summaries of risk assessment results in an ERM dashboard report. Where

About the Author

Rebecca Towne is founder and president of Quadrant Risk Advisory LLC, Indianapolis, which provides enterprise risk management services to community banks nationwide. Previously Towne served as national lead for ERM services for financial institutions for McGladrey LLP. An experienced bank chief risk officer, she has more than 25 years of executive-level risk management experience with large, regional and community banks, and was engaged by the Federal Reserve Bank of Cleveland to assist in developing a comprehensive ERM assessment framework. Towne earned a master's degree from Duke University and can be reached at 317-566-2112, email rebecca.towne@quadrantrisk.com.