Financial institutions are expected by their regulators to periodically monitor exposure to existing and emerging risks. This monitoring of risk exposure keeps the institution in the know and helps prevent operational surprises, disruptions, and other negative events.
In its recent Semiannual Risk Perspective, the Treasury Department's Office of the Comptroller of the Currency (OCC) warned that operational and compliance risks remain elevated and financial institutions need to "remain diligent and confirm the effectiveness of their risk management practices, ensuring their ability to continue to withstand current and future economic and financial challenges."
In a statement released with the report, Acting Comptroller of the Currency Michael J. Hsu said that "the OCC expects banks to 'be on the balls of their feet' with regards to risk management," including:
The best way to monitor exposure to existing and emerging risks is by following documented risk assessment and monitoring processes. Let's take a look at some best practices.
The risk assessment process should include the performance of a new risk assessment and possibly updates to existing assessments. Both processes should include steps to identify and document new risks and assess the institution's exposure. A risk assessment update involves more than just updating the risks already identified in the document; rather, it involves adding new and emerging risks that have surfaced since the last update.
But how is management made aware of these new risks? Below are five sources for staying in the know:
While these committees are similar, they have different drivers. The regulatory change committee receives inputs for new laws and regulations from federal, state, and other regulatory bodies. They then evaluate the institution's risk exposure due to these changes. The operational risk committee receives inputs from business line managers. The top three drivers for these requests are process improvements (increased efficiency/effectiveness), client requests, and vendor changes.
Regulatory or operational changes could involve new or modified risks, or new or modified controls. Hence, the change management process produces valuable insight into an institution's exposure to risks.
Risk committees are comprised of managers from every function at the institution to contribute their knowledge of emerging risks in their area. Committees generally meet quarterly to capture emerging risks impacting the institution and discuss risk exposure.
One of the best ways to monitor risk exposure is by reporting and logging operational events and incidents. There are times when these occurrences reveal risk exposure that wasn't captured via any other process in the institution. The reporting system needs to include steps whereby management logs the issue, analyzes the root cause, and concludes whether new risks have emerged or an existing risk has greater exposure. Without this feedback loop, risk may be underreported.
Another great way to monitor risk exposure is by capturing and logging consumer complaints. As with events and incidents, the process needs to include an analysis of the root cause and a conclusion on whether new risks have emerged or an existing risk has greater exposure.
In today's remote environment, a digital version of a suggestion box gives senior management a way to know what employees are seeing and experiencing and determine whether their observations could lead to risk exposure.
Risks are identified and assessed, but they also have to be monitored. The best way to monitor risk exposure is through key risk indicators, or KRIs. Using the information gleaned from the risk identification and assessment processes, management should identify key risks and then define exposure levels (usually three thresholds) that indicate their "comfort zone," "needs attention zone," and "immediate action zone." With these thresholds determined, management needs a way to obtain the data periodically (usually monthly or quarterly) to compare actuals against the stated thresholds in the KRIs.
To provide a simplified example, consider an institution's anti-money laundering (AML) department monitoring the number of high-risk customers:
A bank's AML department has established thresholds for the number of high-risk customers they should be able to manage: 0–200 customers is the "comfort zone"; 201–400 is the "needs attention zone"; over 400 is the "immediate attention zone." While monitoring this KRI, the bank reaches 203 high-risk customers and determines it needs to alter the pace of onboarding for clients in this category.
Identifying, assessing, and monitoring risks are critical processes for financial services firms. Effective management of risk exposure helps institutions not only maintain sound risk and compliance management practices, but also achieve their organizational goals and objectives.