A Compliance Risk Assessment is a process which identifies the major inherent risks within your financial institution’s business lines and then factors in all the internal controls the institution employs to control and/or mitigate those risks. What remains after the internal controls are applied is the residual risk the business lines pose to your financial institution.
Why should a financial institution prepare a Compliance Risk Assessment?
A financial institution needs to be proactive in identifying areas which may present significant risk to the institution. Some areas to consider are:
The risk assessment should first include an analysis of the types of activities your institution participates in, the products and services it provides to its customers, the physical locations of its branch offices and the stability of its customer base. The risk these factors and activities carry before any controls are considered is known as “Inherent Risk”. Next, review the risk controls your institution has in place to mitigate and control these risks. What remains is the “Residual Risk”.
What is inherent risk? Inherent risk is the risk of error that would exist if there were absolutely no mitigating controls in place. What is residual risk? Residual risk is the level of risk that remains after effective controls such as policies, procedures, and secondary reviews are accounted for. The residual risk is where your financial institution should focus its compliance time and resources.
No regulatory requirement obliges your institution to use a particular risk rating system. Make sure that whatever risk rating system your institution utilizes produces conclusions that are consistent and based on a logical, documented rationale.
Controls are implemented to perform a function that mitigates or reduces identified inherent risks. The controls may be automated or manual. Preventive controls, which stop an error before it occurs, are stronger than detective controls, which only catch it afterward, so favor preventive controls wherever practical. Controls should be designed to operate effectively and should be integrated within all business lines.
How do you evaluate your internal controls?
In evaluating your financial institution’s internal controls, here are some things to consider:
Answer the following questions to assess your institution’s risks and evaluate the internal controls.
Your financial institution has completed and updated its Compliance Risk Assessment; now what are your next steps? Your institution should prioritize compliance resources based on the results of the risk assessment. A current compliance risk assessment needs to be maintained and updated as necessary, and should incorporate changes arising from new and/or changed products, services and regulations, as well as exam results. Make sure to re-evaluate the compliance risk measurements and the implemented controls on a regularly scheduled periodic basis. The optimal position is for your institution to have an up-to-date risk assessment in place at all times, which allows you to maintain a more positive stance with your regulator.