3 Steps to a Proficient Risk Assessment

Posted by Andy Barksdale on Aug 21, 2013 9:18:00 AM
A compliance risk assessment is a procedure or tool that identifies the major inherent risks, factors in the processes and procedures the institution practices to control and/or mitigate those risks, and as a result measures the residual risk the business poses to the institution.  Risk assessments move organizations from being reactive to proactive and demonstrate to the regulators that risk is being actively managed.  What are the three common steps in any risk assessment?


The Federal Reserve Bank reminded everyone that there are three common steps associated with a risk assessment:

  • Step 1:  Identify the Inherent Risk
    • Overview:  Inherent risk is the risk that exists without consideration for the level of management or compliance controls in place.  Inherent risk may include items that the financial institution can control (e.g. electing to originate subprime mortgage loans) or things outside the financial institution’s control (e.g. economy, changing demographics, etc.).  In general, the greater the inherent risk, the more monitoring and controls that need to be in place.
    • Analogy:  Inherent risk is like the risk that comes from crossing a city street.  The busier the automobile traffic on the street, the more inherent risk that exists. 
    • Regulator Question:  What activities does the financial institution participate in and what level of risk do those activities pose to the institution?
  • Step 2:  Review the Risk Controls in Place to Manage the Inherent Risk 
    • Overview:  Controls are what you use to manage the inherent risks to a level that is appropriate based on the firm’s risk appetite.  Controls and other mitigation methods to monitor and reduce risk help you manage an “acceptable level of risk.”
    • Analogy:  You can implement controls to lower the risk associated with crossing the street.  Controls may include reviewing the oncoming traffic, crossing at designated crosswalks, and coordinating your movement with the surrounding traffic lights.
    • Regulator Question:  What does the institution have in place to mitigate and control the risk?
  • Step 3:  Evaluate the Residual Risk
    • Overview:  Simply stated, residual risk is the risk that remains after the controls for reducing inherent risk are taken into account.
    • Analogy:  You can mitigate the inherent risk of crossing a busy street by monitoring the automobile traffic and crossing at a designated crosswalk; however, this will not eliminate every possible risk, and residual risk remains.  For example, you could still be hit by an airplane because you did not look up.
    • Regulator Question:  Where does the institution stand after controls are applied?  Is this an acceptable level of risk?  Based on the residual risks, where should compliance efforts be focused?

Once you understand the residual risk that exists within your financial institution, you have three options:

  1. If the amount of residual risk is acceptable – then you do nothing.  Management and compliance should accept those risks and continue with the current control efforts. 
  2. If the amount of residual risk is above what is acceptable – then you need to find cost-effective ways to mitigate the risks by increasing controls (e.g. policies, procedures, monitoring, training, etc.).
  3. If the level of residual risk is above what is acceptable AND the cost of controls is prohibitive – then the firm should either revisit the amount of residual risk the financial institution is willing to accept (e.g. agree to accept more risk) or determine if there are strategies you can employ to manage the underlying inherent risk (e.g. exit the no-documentation, subprime mortgage market).

Management should take the lead and determine the acceptable residual risk appetite for each product, business line and regulation.  Based on the agreed-upon risk appetite, financial institutions should define the appropriate level of controls (and the costs associated with the desired controls) in order to manage the desired residual risk level.  Ultimately, it is the level of residual risk that should drive decisions regarding the allocation of time, money and resources.

There are no regulatory requirements to use a particular process, tool or rating system.  However, it is important that the risk assessment approach is consistent and the answers are based on logical rationale.

Nrisk is a solution built specifically for financial institutions with the tools to better monitor, report on, and communicate risk internally and externally.

For more insights into the Federal Reserve’s call from Tuesday, August 20th, on Conducting Consumer Compliance Risk Assessments – Examiner Insights:

