What process should I use to perform the risk assessment?
A risk assessment may take many forms but should always follow an established methodology. The COSO methodology is widely used by financial institutions, but others are available.
At a minimum, you should:
Identify your inherent risk. Inherent risk is the risk that exists naturally when there are no safeguards in place to avoid trouble. Inherent risk can be expressed as the potential impact of an event (how severe it would be if it happened) on the institution multiplied by the probability of the harmful event occurring.
Identify controls that would prevent this risk from occurring and/or minimize its impact should it occur.
Calculate residual risk. Residual risk is the risk to the institution after controls have been applied.
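As an added worked example (not part of the original FAQ), a small Python risk register that scores inherent risk as impact multiplied by probability and then applies preventive and mitigating controls to arrive at residual risk; the 1 to 5 rating scale, the reduction factors and the sample risks are assumptions.

```python
from dataclasses import dataclass, field
# Assumed 1-5 scale (not from the original page): impact = how severe the event
# would be if it happened, probability = how likely it is to occur.
@dataclass
class Control:
    name: str
    kind: str             # "preventive" lowers probability, "mitigating" lowers impact
    effectiveness: float  # assumed fraction (0.0-1.0) by which the rating is reduced

@dataclass
class Risk:
    name: str
    impact: int
    probability: int
    controls: list = field(default_factory=list)

    def inherent(self):
        """Inherent risk: impact x probability with no safeguards in place."""
        return self.impact * self.probability

    def residual(self):
        """Residual risk: the same product after every control has been applied."""
        impact, probability = float(self.impact), float(self.probability)
        for c in self.controls:
            if c.kind == "preventive":
                probability *= 1.0 - c.effectiveness
            elif c.kind == "mitigating":
                impact *= 1.0 - c.effectiveness
            else:
                raise ValueError(f"unknown control kind: {c.kind}")
        return round(impact * probability, 2)

def rank_by_residual(risks):
    """Order the register so the largest remaining risk is dealt with first."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)

# Constructed sample register; the risks and ratings are illustrative only.
REGISTER = [
    Risk("Outbound wire fraud", impact=5, probability=4, controls=[
        Control("Dual authorization on wires", "preventive", 0.5),
        Control("Daily per-customer wire limit", "mitigating", 0.4),
    ]),
    Risk("Unpatched internet-facing server", impact=4, probability=3, controls=[
        Control("Monthly patch cycle", "preventive", 0.6),
    ]),
    Risk("Paper records misfiled", impact=2, probability=2),  # no controls yet
]

for r in rank_by_residual(REGISTER):
    print(f"{r.name:34} inherent={r.inherent():>3} residual={r.residual():>4}")
```

Note that the untreated paper-records risk ends up ranked last purely because its inherent score is low; a control-free risk is not automatically the top priority.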
I’ve scheduled interviews with departments to gather information for my risk assessments. What should I ask them?
Interviewing a department isn’t an ideal method for assessing risk. Interviews produce qualitative data. This is non-numerical data based on observations and experiences. While this information is valuable for risk discussions and background, when it comes to measuring risk for assessments, this subjective data won’t be of much value to your institution or your regulators.
Quantitative data, or data that can be expressed with numbers, is much more valuable when making risk determinations. Examples include the number of high-risk customers, the dollar amount of foreign wires in a given time period, or financial losses due to fraud.
How would you suggest prioritizing (or balancing) daily enterprise risk management (ERM) work? We’ve got limited resources and need to conduct risk assessments on new work requests while enhancing our program.
There is no great answer to this, as it will depend on the specifics of your institution. However, a good general rule of thumb would be to not sacrifice current ERM monitoring when taking on program enhancements.
This is why “right-sizing” is so important. It ensures resources are deployed efficiently and effectively.
Balancing the day-to-day with new assessments can benefit from a blended approach.
Evaluate your current monitoring and see where cuts can be made to streamline the process. This includes:
Duplicate KRIs or KPIs in department-level risk assessments
KRI/KPI assessments that occur too frequently
Take the time and effort saved by your streamlining efforts and apply them to program development.
Using this approach should help you achieve the balance that you want without your program suffering. It will also add value to your current program by streamlining and focusing on your organization’s key risks and controls.