Risk management is all the rage. Everyone is doing it. You’d swear it was a new app.
Examiners evaluate risk management in examinations. In fact, examiners seem to be placing as much emphasis on risk assessments as on regulatory compliance. The compliance risk assessment is often the first thing they want to look at.
So it is no wonder that risk management was a very hot topic at ABA’s 2014 Regulatory Compliance Conference.
And the supporting message was also loud and clear: Stay on top of it.
All risk, all the time
This means that risk assessment is an ongoing process, never over.
Once a risk assessment has been completed, it must be worked on again as soon as anything changes. Even weather can affect risks.
Just ask banks in New Orleans (where the conference was held) or Joplin, Mo. So, as changes occur, the risk assessments must be reviewed and revised.
Or perhaps there should be a risk assessment review just to see if anything has changed. Better to be safe than sorry.
How should you be doing risk management?
Everyone agrees that risk management is important. And now, after a decade or so of debate, there is general agreement on how to do it.
Start with a risk analysis. This begins with a close look at everything in the organization—top to bottom, side to side. It looks at staffing, products, locations, systems, and, of course, regulations.
This, alone, is not a minor feat. It is a daunting project in small banks, but in large organizations it is a major project.
Who has to be involved? One message that was clearly delivered at the conference was that risk assessment cannot be performed in isolation. Tempting though it may be to have a risk management team that takes care of the assessments, it isn’t possible. You can’t truly assess risk without involving the people who do the work that is the subject of the assessment.
The risk assessment must involve people from the business functions because they know how things are done, and where the problems can occur.
Then there is the entire process of preparing fancy charts (using colors to indicate risk levels is very popular), parsing words, editing the analysis, and then presenting the package to senior management and the board—who are the folks actually responsible for risk management.
We are all for risk management. It is what running a business is all about. Where people, systems, regulations, and other factors such as weather are involved, things can go wrong. Danger is minimized by anticipating the problem and responding to it in an effective way. That is called risk management.
Many compliance professionals claim that the compliance function invented risk management. It is how compliance works, they say. In the field of compliance, it is not possible to buy insurance to cover the risk. Insurance is out; risk management is in. Focus on and carefully manage the greatest risks while doing what you can with other risks. Risk management is designed to prevent the big problems.
How much is too much?
But now, let’s ask a question:
With all the emphasis on risk analysis, where is the emphasis on getting the jobs done?
Is there a risk in putting too much emphasis on risk management?
Sitting around analyzing risk and preparing fancy charts is all well and good.
But what about the job? Is anyone doing anything other than assessing risk?
Really? Who is doing the work?
There is work to be done. Some work is riskier than other work and it is nice to know the difference. But nothing at all gets done if everyone is busy sitting around analyzing risk and preparing risk assessment charts.
Isn’t not getting anything else done a risk? Should we assess that?
Risk management is serious—and important. But at the moment, it seems like a fad.
What happens to risk management when another fad comes along?
And who is minding the store?