
Expert Q&A: How to Build a Risk Assessment

6 min read
Mar 21, 2023

The best risk assessments are built from research, analysis, experience and collaboration. That’s according to Monica Bolin, CERP, NCRM. She’s a former chief risk officer with over 30 years of banking experience. She’s also a risk management expert on the Ncontracts product and development team. 

Monica spends much of her time building out risk assessments for Nrisk, a product she relied on when she was a banker. Nrisk helped her build out her entire risk management program from scratch when her bank’s president asked her to build a risk department. She created every risk assessment – an experience she describes as “one of those feet to the fire, trial by error, kind of figuring out as I went situation” that required a lot of research. 

Today that process is a lot easier thanks to the model risk assessments in Nrisk. We asked Monica about her process for creating risk assessments, what a good risk assessment looks like, and how to draft a risk assessment when you don’t know much about the area being assessed.  


Q: What’s it like being on the other side of things now that you build model risk assessments within Nrisk?

A: I know how time intensive the risk assessment process is, so I was really excited when I came on board with Ncontracts to help build those templates. It feels good to be part of this project because I believe these templates will cut down the time it takes to launch a new risk program by at least 50%.  

Q: How do you know when something requires a risk assessment?  

A: It's really based on your plan for the enterprise risk management program. 

You start by making a list of the areas in your institution that you need to have risk assessments for. There are certain ones that the regulators require. Others come from looking at your whole ERM program, your entire organizational structure, and figuring out where you have exposure. You break down the areas within the institution and come up with your overall game plan.

That being said, you also need to make sure that any time you have a new product, new service, new process or procedure, you have a risk assessment or you need to modify an existing assessment. 

Q: There is nothing more intimidating than a blank page. Where do you start in building a risk assessment? 

A: After you make your plan for all the risk assessments that you need, then you gather your resources. Gather up the actual regulations and guidance on your regulatory risks.

Examination handbooks are great, especially for operational risks where there might not be a specific regulation tied to it. Examiner handbooks are going to tell you exactly what the regulators are looking for when they come into your institution, so that gives you a great idea of what risks and controls you need to identify. 

Once you identify what risk assessment you’re going to work on first and have gathered your resources, you need to identify the relevant risks. Next you evaluate those risks to identify the inherent risk level (that’s the possibility and probability of a risk happening) for each one of those things. 

Once you evaluate inherent risk, identify your controls by asking “what are we doing right now to prevent that risk?” 

Then you evaluate how effective that control is. For instance, someone who doesn’t put in the payroll might be reviewing all the payroll records every day to make sure that everything is right. There's an audit that's being done to evaluate how good that control is. 

If the control is a policy or procedure, somebody else is going to look at that policy and ask: Is it comprehensive? Does it mitigate risk? 

Those are the main parts of a risk assessment. Identify the risks, identify the controls, and then check the effectiveness of those controls to determine your overall risk levels. 


Q: How long should a risk assessment be? 

A: My favorite answer is: It depends.

It’s going to be guided by whether it's a regulatory or an operational risk and the type of product or service. For example, a BSA risk assessment is going to be a long one because the regulation is huge, and there are so many requirements. Other risk assessments won’t be as long because it's not as big of a regulation, such as the Military Lending Act. There are maybe 5 to 10 risks in that.  

It really depends on the size of the process, the financial institution, and how deeply it’s involved in that project. 

Q: What if you are creating a risk assessment for an area you don’t know much about?  

A: The most helpful thing for me when I worked in the bank was doing my research, building out my assessment and then taking it to the business process owner.  As risk practitioners, we can’t know everything there is to know about everything in every department. 
For instance, I've never worked in human resources before. When I was doing the HR risk assessment, I made a draft of the assessment and then I brought it to the business owner and asked them to fill in the blanks. I told them that they are the ones doing this day in and day out, so they’ll know every single risk and every single control in place to prevent those risks. Then I’d either sit down with them or let them review it on their own and email me later.

I would get the ball rolling and try to make it easier on them because a risk assessment is outside of what they would normally do. It takes time away from their daily tasks and they usually don’t want to do it.  But their input is so valuable to the process.  It is a great collaboration. 

Q: How do you know if your risk assessment is good or comprehensive enough? 

A: You're going to know because you will have done your research. You’ll have all your resources, and you’ll have given it to the business owner to add in any other risks and controls. Someone else will do the control effectiveness assessments and your internal audit will look at that process and tell you if those controls are working. You are also looking at those risk assessments daily, making updates based on new guidance, new regulations, new products, new processes.

The regulators will come in and ask you for your risk assessments, and they're going to look at it and they will let you know if something's missing or something is not right. 

Q: When should you conduct a risk assessment for a new product? 

A: Whether it's a new product or a new service, or even a new program or process, the risk manager really needs to be involved in the process from the very beginning. They need to help identify risks and make sure a risk assessment is completed before any contract is signed or implementation is done. You have to make sure the risk of the new product or service is within your bank or credit union’s risk appetite before it is implemented.  

If the board says it doesn’t want that much risk, you need to find different controls or a different approach to bring that risk down to an acceptable level if you want to move forward with that new product. 
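The steps Monica walks through above (identify risks, rate inherent risk, list the controls, rate how effective each control is, derive the overall risk level) and the risk-appetite check in this answer, worked as a small risk register. This is an added example, not Nrisk code or Monica's own method; the 1-5 likelihood and impact scales, the 0.0-1.0 control effectiveness scores, the rating bands and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not Nrisk code: a small risk register following the interview's steps
# (identify risks, rate inherent risk, list controls, rate their effectiveness, derive
# overall risk, compare with appetite). Scales, effectiveness scores, bands are assumed.

@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = mitigates nothing, 1.0 = fully prevents the risk
@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    def inherent(self) -> int:
        """Inherent risk before controls: likelihood x impact, range 1..25."""
        return self.likelihood * self.impact
    def residual(self) -> float:
        """Risk left after layered controls; each acts on what earlier ones left."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be within 0..1")
            remaining *= 1.0 - c.effectiveness
        return self.inherent() * remaining
def rating(score: float) -> str:
    """Assumed bands: 15-25 high, 8-14 moderate, below 8 low."""
    return "high" if score >= 15 else "moderate" if score >= 8 else "low"
def assess(risks: list, appetite_max: float) -> tuple:
    """Return register rows plus the names of risks whose residual exceeds appetite."""
    rows, exceeding = [], []
    for r in risks:
        rows.append({"risk": r.name, "inherent": r.inherent(), "inherent_rating": rating(r.inherent()),
                     "residual": round(r.residual(), 2), "residual_rating": rating(r.residual())})
        if r.residual() > appetite_max:
            exceeding.append(r.name)  # needs more controls or a different approach
    return rows, exceeding

# Constructed sample register; the payroll and MLA items echo the interview's examples.
SAMPLE_RISKS = [
    Risk("Payroll entered incorrectly", 4, 3,
         [Control("Daily review by someone who does not enter payroll", 0.7),
          Control("Internal audit of that review", 0.4)]),
    Risk("MLA covered-borrower status not checked before funding", 3, 4,
         [Control("Pre-funding covered-borrower database check", 0.5)]),
    Risk("New product launched before its risk assessment is completed", 3, 5),
]
APPETITE_MAX = 7.9  # board accepts only "low" residual risk (assumed ceiling)
```

Calling `assess(SAMPLE_RISKS, APPETITE_MAX)` rates the uncontrolled new-product risk as high and flags it as outside appetite, while the two controlled risks drop from moderate inherent to low residual.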

Q: Any parting thoughts on risk assessments? 

A: Back in the day, everybody used to think that risk assessments were done once a year and then they're put on a shelf. The next year, they come back and update it.

We now know that risk assessments are a daily process. Regulations are changing every day. Processes change. The economy changes. The banking system changes. 

It's important that you're always evaluating the adequacy of your risks and your controls. It should be an everyday process, not a once-a-year process.
