Compliance Risk Assessment - Have You Updated Yours to Reflect all the New Regulatory Changes?

What is a Compliance Risk Assessment?

A Compliance Risk Assessment is a process that identifies the major inherent risks within a bank's business lines and then factors in the internal controls your financial institution employs to control or mitigate those risks.  What remains after the internal controls are applied is the residual risk that each business line poses to your financial institution.

Why should a financial institution prepare a Compliance Risk Assessment?
A financial institution needs to be proactive in identifying areas that may present significant risk to the institution.  Some areas to consider are:

Components of a Compliance Risk Assessment

The risk assessment should first include an analysis of the types of activities your institution engages in, the products and services it provides to its customers, the physical locations of its branch offices, and the stability of its customer base. The risk arising from these factors and activities, before any controls are considered, is known as "Inherent Risk".  Next, review the risk controls your institution has in place to mitigate and control these risks.  What remains is the "Residual Risk".

Inherent Risk vs. Residual Risk

What is inherent risk?  Inherent risk is the risk of error or non-compliance that would exist if there were no mitigating controls in place at all.  What is residual risk?  Residual risk is the level of risk that remains after effective controls, such as policies, procedures, and secondary reviews, are accounted for.  Residual risk is where your financial institution should focus its compliance time and resources.

Risk Rating Systems

No regulation requires your institution to use a particular risk rating system.  Whatever risk rating system your institution uses, make sure it produces conclusions that are consistent across business lines and based on a documented, logical rationale.

Mitigating Inherent Risk – The Controls

Controls are implemented to perform a function that mitigates or reduces an identified inherent risk. Controls may be automated or manual.  Controls should be preventive wherever possible rather than purely detective, should be designed to operate effectively, and should be integrated within all business lines.

How do you evaluate your internal controls?
In evaluating your financial institution's internal controls, here are some things to consider:

What are Other Internal Controls Considerations?

Answer the following questions to assess your institution’s risks and evaluate the internal controls.

Post Compliance Risk Assessment

Your financial institution has completed and updated its Compliance Risk Assessment; now what are your next steps?  Your institution should prioritize compliance resources based on the results of the risk assessment.  A current compliance risk assessment must be maintained and updated as necessary, and should incorporate changes from new or changed products, services, and regulations, as well as exam results.  Re-evaluate the compliance risk measurements and the implemented controls on a regularly scheduled basis.  The optimal position for your institution is to have an up-to-date risk assessment in place, which allows you to maintain a more positive stance with your regulator.
