Financial institutions are expected by their regulators to periodically monitor exposure to existing and emerging risks. This monitoring of risk exposure keeps the institution in the know and helps prevent operational surprises, disruptions, and other negative events.
In its recent Semiannual Risk Perspective, the Treasury Department’s Office of the Comptroller of the Currency (OCC) warned that operational and compliance risks remain elevated and financial institutions need to “remain diligent and confirm the effectiveness of their risk management practices, ensuring their ability to continue to withstand current and future economic and financial challenges.”
In a statement released with the report, Acting Comptroller of the Currency Michael J. Hsu said that “the OCC expects banks to ‘be on the balls of their feet’ with regards to risk management,” including:
The best way to monitor exposure to existing and emerging risks is by following documented risk assessment and monitoring processes. Let’s take a look at some best practices.
The risk assessment process should include the performance of a new risk assessment and possibly updates to existing assessments. Both processes should include steps to identify and document new risks and assess the institution’s exposure. A risk assessment update involves more than just updating the risks already identified in the document; rather, it involves adding new and emerging risks that have surfaced since the last update.
But how is management made aware of these new risks? Below are five sources for staying in the know:
While the regulatory change committee and the operational risk committee are similar, they have different drivers. The regulatory change committee receives inputs on new laws and regulations from federal, state, and other regulatory bodies and then evaluates the institution’s risk exposure resulting from those changes. The operational risk committee receives inputs from business line managers; the top three drivers for these requests are process improvements (increased efficiency/effectiveness), client requests, and vendor changes.
Regulatory or operational changes could involve new or modified risks, or new or modified controls. Hence, the change management process produces valuable insight into an institution’s exposure to risks.
Risk committees are composed of managers from every function at the institution, each contributing their knowledge of emerging risks in their area. Committees generally meet quarterly to capture emerging risks affecting the institution and to discuss risk exposure.
One of the best ways to monitor risk exposure is by reporting and logging operational events and incidents. There are times when these occurrences reveal risk exposure that wasn’t captured via any other process in the institution. The reporting system needs to include steps whereby management logs the issue, analyzes the root cause, and concludes whether new risks have emerged or an existing risk has greater exposure. Without this feedback loop, risk may be underreported.
Another great way to monitor risk exposure is by capturing and logging consumer complaints. As with events and incidents, the process needs to include an analysis of the root cause and a conclusion on whether new risks have emerged or an existing risk has greater exposure.
In today’s remote environment, a digital version of a suggestion box gives senior management a way to know what employees are seeing and experiencing and determine whether their observations could lead to risk exposure.
Risks are identified and assessed, but they also have to be monitored. The best way to monitor risk exposure is through key risk indicators, or KRIs. Using the information gleaned from the risk identification and assessment processes, management should identify key risks and then define exposure levels—usually three thresholds—that mark the “comfort zone,” “needs attention zone,” and “immediate action zone.” With these thresholds determined, management needs a way to obtain the data periodically (usually monthly or quarterly) and compare actuals against the thresholds stated in the KRIs.
To provide a simplified example, consider an institution’s anti-money laundering (AML) department monitoring the number of high-risk customers:
A bank’s AML department has established thresholds for the number of high-risk customers they should be able to manage: 0–200 customers is the “comfort zone”; 201–400 is the “needs attention zone”; over 400 is the “immediate attention zone.” While monitoring this KRI, the bank reaches 203 high-risk customers and determines it needs to alter the pace of onboarding for clients in this category.
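The three-zone KRI comparison described above, worked through in code. This is an added example, not code from the article or from any institution it describes: the thresholds (200 and 400) and zone names come from the AML scenario, while the KRI class, the function names, and the monthly actuals are constructed here for illustration. It goes slightly beyond the single-month scenario by running a series of periodic actuals and flagging each period in which the indicator moved into a worse zone, which is the point at which management would be alerted.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Zone labels follow the article; the rank orders them from best to worst.
ZONE_RANK: Dict[str, int] = {"comfort": 0, "needs attention": 1, "immediate action": 2}


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with two inclusive upper thresholds that carve out three zones."""
    name: str
    comfort_max: int     # largest value still inside the comfort zone
    attention_max: int   # largest value still inside the needs-attention zone

    def __post_init__(self) -> None:
        # Reject threshold pairs that would make a zone empty or reversed.
        if not 0 <= self.comfort_max < self.attention_max:
            raise ValueError(f"{self.name}: require 0 <= comfort_max < attention_max")

    def zone(self, actual: int) -> str:
        """Map one observed value to its zone."""
        if actual < 0:
            raise ValueError(f"{self.name}: actual cannot be negative ({actual})")
        if actual <= self.comfort_max:
            return "comfort"
        if actual <= self.attention_max:
            return "needs attention"
        return "immediate action"


def evaluate_series(kri: KRI, observations: List[Tuple[str, int]]) -> List[dict]:
    """Classify each periodic actual and flag periods whose zone is worse than the prior period's."""
    results = []
    previous_rank = None
    for period, actual in observations:
        zone = kri.zone(actual)
        rank = ZONE_RANK[zone]
        escalated = previous_rank is not None and rank > previous_rank
        results.append({"period": period, "actual": actual, "zone": zone, "escalated": escalated})
        previous_rank = rank
    return results


def escalations(kri: KRI, observations: List[Tuple[str, int]]) -> List[str]:
    """Periods in which the KRI moved into a worse zone and management would be alerted."""
    return [r["period"] for r in evaluate_series(kri, observations) if r["escalated"]]


def format_report(kri: KRI, observations: List[Tuple[str, int]]) -> str:
    """Human-readable monitoring report for one KRI over the observed periods."""
    lines = [f"KRI: {kri.name} (comfort <= {kri.comfort_max}, needs attention <= {kri.attention_max})"]
    for r in evaluate_series(kri, observations):
        flag = "  <-- escalation" if r["escalated"] else ""
        lines.append(f"{r['period']}: {r['actual']:>4} -> {r['zone']}{flag}")
    return "\n".join(lines)


# Thresholds from the article's AML example: 0-200 comfort, 201-400 needs attention, over 400 immediate.
HIGH_RISK_CUSTOMERS = KRI("high-risk customers", comfort_max=200, attention_max=400)

# Constructed monthly actuals (hypothetical data, not from the article).
SAMPLE_OBSERVATIONS = [
    ("2024-01", 180),
    ("2024-02", 195),
    ("2024-03", 203),  # crosses into "needs attention", as in the article's scenario
    ("2024-04", 198),  # back in the comfort zone after onboarding was slowed
    ("2024-05", 410),  # constructed breach into "immediate action"
]

if __name__ == "__main__":
    print(format_report(HIGH_RISK_CUSTOMERS, SAMPLE_OBSERVATIONS))
```

Returning to a better zone is deliberately not flagged, so a report shows only the periods that need a management decision; a real implementation would pull the actuals from the AML system on the monthly or quarterly cadence the article mentions rather than from an embedded list.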
Identifying, assessing, and monitoring risks are critical processes for financial services firms. Effective management of risk exposure helps institutions not only maintain sound risk and compliance management practices, but also achieve their organizational goals and objectives.