2015 Vol. 99 No. 7

22 Hoosier Banker July 2015
Continued from page 21.

material risks associated with their activities. The risk assessment process should start with identification of all of the specific, material risks associated with the institution’s products and activities. Examples are the risks of sharing nonpublic or personal information or of external mortgage fraud. Avoid identifying multiple versions of the same risk, such as specific forms of external fraud, which can inflate the assessment.

In identifying risks, consider events that have been experienced by others in the industry, even if your institution has been spared. Including them can help your institution avoid unpleasant surprises in the future. Strategic risks, such as concentration risks or market changes, also should be considered, even if outside of your institution’s control.

Finally, identify and assess as a group the key controls for each material risk, to ensure that the highest risks have the strongest controls.

To promote consistency, establish common definitions of risks and the adequacy of controls before risks and controls are assessed. If an assessment of “high” has different meanings for different risk areas, it will be nearly impossible to use the risk assessment to prioritize risks. Avoid the temptation to borrow definitions from others; instead, customize definitions to your institution, based on size, capital resources and risk appetite.

It also is important to centralize coordination of the risk assessment process to ensure consistency, as otherwise each business area is likely to apply its own standards for level of detail. Additionally, from a practical standpoint, some areas will be better skilled at identifying and assessing risks than others. An effective way to coordinate the process is to facilitate risk assessment sessions with each business area to develop initial risk assessments.
This process can provide an opportunity for training and communication between risk management and the business lines, as well as improve the accuracy and objectivity of risk assessments.

Keeping Risk Assessments Fresh

Enterprise-wide risk assessments should be updated on an ongoing basis, as stale risk assessments make it difficult to keep the board informed of the institution’s risk profile, or to maintain useful risk management action plans. Risk assessments need to become part of the fiber of the organization, not relegated to an annual exercise. The goal is to establish a process whereby managers automatically consider whether updates to risk assessments are necessary as material changes occur.

Be wary of handing out risk assessments as assignments for business line managers. Assessments should be viewed as part of managers’ risk management responsibilities, not as a task required by risk management. Only when managers understand the importance and value of risk assessments to the institution as a whole are they likely to devote the effort to completing risk assessments in a thoughtful manner.

Another way to keep risk assessments fresh is to link them to other processes, such as vendor management or new product reviews. This approach not only avoids duplication of effort, but also helps to ensure that new risks are not missed. Executive management can reinforce the importance of risk assessments by asking whether risks have been incorporated into risk assessments before approving material changes to products and processes.

Like many cultural changes, integrating risk assessments into decision-making processes takes time. However, transitioning risk assessments from burdensome assignments to useful risk management tools can produce benefits that far outweigh the effort.

Tips for Value-Adding Risk Assessments

• Use appropriate assessment methodologies for each risk type.
• Create common definitions across risk types.
• Conduct facilitated risk assessment sessions with managers.
• Include compliance and information security risks in business line assessments.
• Maintain risk assessments throughout the year.
• Focus on key risks to avoid inflating the assessment.
• Consider strategic risks and those not yet experienced by the institution.
• Link risk assessments to new product and vendor risk reviews.
• Widely communicate and discuss risk assessment results.
• Create and monitor action plans.
• Look for ways to redirect resources from low risks to high ones.
• Summarize risk assessment results in quarterly ERM dashboard reports.

Marlene Wells has retired as education meeting coordinator of the Indiana Bankers Association after 18 years of service. She was named to her position at the time of the Association’s 2006 merger with the Community Bankers Association of Indiana, which she had joined in 1997. Wells has more than 40 years of experience in office support, including 25 years with Abundant Life Church, Indianapolis.

taking it easy
