Has risk assessment grown out of hand?

Maybe we’ve forgotten the actual point of it all

Risk management is all the rage. Everyone is doing it. You’d swear it was a new app.

Examiners evaluate risk management in examinations. In fact, examiners seem to be placing as much emphasis on risk assessments as on regulatory compliance. The compliance risk assessment is often the first thing they want to look at.

So it is no wonder that risk management was a very hot topic at ABA’s 2014 Regulatory Compliance Conference.

And the supporting message was also loud and clear: Stay on top of it.

All risk, all the time

This means that risk assessment is an ongoing process, never over.

Once a risk assessment has been completed, it must be worked on again as soon as anything changes. Even weather can affect risks.

Just ask banks in New Orleans (where the conference was held) or Joplin, Mo. So, as changes occur, the risk assessments must be reviewed and revised.

Or perhaps there should be a risk assessment review just to see if anything has changed. Better to be safe than sorry.

How should you be doing risk management?

Everyone agrees that risk management is important. And now, after a decade or so of debate, there is general agreement on how to do it.

Start with a risk analysis. This begins with a close look at everything in the organization—top to bottom, side to side. It looks at staffing, products, locations, systems, and, of course, regulations.

This, alone, is not a minor feat. It is a daunting project in small banks, but in large organizations it is a major project.

Who has to be involved? One message that was clearly delivered at the conference was that risk assessment cannot be performed in isolation. Tempting though it may be to have a risk management team that takes care of the assessments, it isn’t possible. You can’t truly assess risk without involving the people who do the work that is the subject of the assessment.

The risk assessment must involve people from the business functions because they know how things are done, and where the problems can occur.

Then there is the entire process of preparing fancy charts (using colors to indicate risk levels is very popular), parsing words, editing the analysis, and then presenting the package to senior management and the board—who are the folks actually responsible for risk management.

We are all for risk management. It is what running a business is all about. Where people, systems, regulations, and other factors such as weather are involved, things can go wrong. Danger is minimized by anticipating the problem and responding to it in an effective way. That is called risk management.

Many compliance professionals claim that the compliance function invented risk management. It is how compliance works, they say. In the field of compliance, it is not possible to buy insurance to cover the risk. Insurance is out; risk management is in. Focus on and carefully manage the greatest risks while doing what you can with other risks. Risk management is designed to prevent the big problems.

How much is too much?

But now, let’s ask a question:

With all the emphasis on risk analysis, where is the emphasis on getting the jobs done? 

Is there a risk in putting too much emphasis on risk management?  

Sitting around analyzing risk and preparing fancy charts is all well and good.

But what about the job? Is anyone doing anything other than assessing risk?

Really? Who is doing the work?

There is work to be done. Some work is riskier than other work and it is nice to know the difference. But nothing at all gets done if everyone is busy sitting around analyzing risk and preparing risk assessment charts.

Isn’t not getting anything else done a risk?  Should we assess that?

Risk management is serious—and important. But at the moment, it seems like a fad.

What happens to risk management when another fad comes along? 

And who is minding the store?

Lucy Griffin

"Lucy and Nancy's Common Sense Compliance" is blogged by both Lucy Griffin and Nancy Derr-Castiglione. Both are Banking Exchange contributing editors.

Lucy, a Certified Regulatory Compliance Manager, has over 30 years' experience in compliance. She began as a regulator, including stints with the Federal Reserve Board, the Federal Trade Commission, and the Federal Home Loan Bank Board. For many years she managed the ABA Compliance Division. Since 1993 she has served as a compliance consultant as president of Compliance Resources, Inc., Reston, Va. She is also editor of Compliance Action newsletter and senior advisor with Paragon Compliance Group, a compliance training firm.

In addition to serving as a Contributing Editor of Banking Exchange, Lucy serves on the faculty of ABA's National Compliance Schools board. For more than a decade she developed and administered the case study at ABA's National Graduate School of Compliance Management. She can be reached at [email protected]
