Hate Talking About Risk Management Controls? You’re Not Alone.

Risk management is a critical aspect of banking operations, but it doesn’t always come easily. For newcomers, it can be intimidating. Others find the ongoing nature of risk management challenging. But there’s one area where I find more resistance than any other: risk management controls. 

Bankers really don’t like talking about risk management controls. It's not that they don’t understand them. They know what a control is, but they find the practice of evaluating controls a bit overwhelming. 

Let’s take a closer look at risk management controls and what bankers can do to make them less intimidating. 

What are risk management controls? 

A risk management control is a measure, process, or mechanism put in place to mitigate risk. Controls aim to reduce the likelihood of a risk event occurring and/or minimize the impact if the event does occur.  

Controls can be preventive, detective, or corrective in nature: 

Preventive controls. Preventative controls are proactive controls designed to prevent a risk event from happening. Examples include: automated software controls requiring data or a specific process to be followed, employee training, access controls, and firewalls. 

Detective controls. Detective controls identify and detect risk events or issues that have already occurred. These controls help to ensure that incidents are quickly discovered and addressed to reduce the impact. Examples include: audits, monitoring systems, and fair lending data analysis. 

Corrective controls. Corrective controls resolve issues once they have been identified through preventive or detective controls. Their goal is to reduce the impact of risk events and prevent them from recurring. Examples include incident response, root cause analysis, and contingency plans. 

Effective risk management involves implementing a combination of these controls to address potential risks in a comprehensive and balanced manner.  

Why do some people avoid talking about risk management controls? 

While the concept of controls is simple, they can still be a source of stress. I’ve discovered four common reasons: 

1. The number of controls. Financial institutions face many risks, and every one of those risks has at least one control to help mitigate it – often more. Multiply risks by controls and suddenly you’ve got an unwieldy number of controls to implement and monitor.  
2. Measuring controls feels arbitrary. How effective is a specific control? What is its impact? These questions can feel more like art than science, which makes some people wonder why they should even bother with it. Does it really matter? Or worse, these decisions are made by a committee or with a co-worker and it leads to long, boring debates over minute details. 
3. Limited experience. Some people in financial services lack the experience or knowledge required to understand the complexities of risk management. This can lead to feelings of intimidation and a lack of confidence in their ability to implement effective controls. Others feel like they lack the expertise to make informed decisions about control effectiveness and impact. 
4. Overconfidence / resistance to change. Those who’ve been in risk management for a while may feel particularly confident in their work and not see the value in adjusting how they engage in risk management, including how they view controls. In their mind, everything has worked fine until now so there is no reason to change.  
5. Perception of risk management: Risk management can be seen as a technical, complicated subject that is not relevant to an employee’s day-to-day operations. This perception can make them reluctant to talk about risk management controls and see them as something that is only important to a select group of experts.

Rethinking risk management controls 

When we understand the challenges that make people want to avoid risk management controls, it’s easier to help people overcome these objections. 

Let’s look at each objection. 

The number of controls  

Yes, there are many controls, but they aren’t all created or managed by those tasked with assessing the controls. Many controls are activities a financial institution is already engaging in. Let’s take a look at some common operational risk controls. 

Examples of operational risk controls 

1. Risk governance: A strong risk management culture through clear risk appetite, policies, and board-level oversight. 
2. Risk identification and assessment: Regularly identifying, assessing, and documenting potential risks across the organization. 
3. Risk monitoring and reporting: Continuous monitoring and reporting of risk exposures and performance against risk appetite and limits. 
4. Procedures: Documented, step-by-step procedures for routine operations to ensure consistency and reduce the risk of errors. 
5. Incident management: Processes to identify, report, and resolve operational incidents, including root cause analysis and corrective action plans. 
6. Business continuity planning: Developing and testing plans to ensure the bank can continue to operate in the event of a disruption or disaster. 
7. Vendor risk management: Assessing and managing risks associated with third-party service providers, including conducting vendor due diligence and monitoring performance. 
8. Technology risk management: Implementing controls to protect against IT system failures, data breaches, and cyberattacks, such as firewalls, intrusion detection systems, and regular security assessments. 
9. Employee training and awareness: Providing regular training to employees on operational risk management, including topics such as fraud prevention, data protection, and workplace safety. 
10. Physical security measures: Implementing access controls, surveillance systems, and other security measures to protect bank assets and personnel. 
11. Performance metrics and monitoring: Establishing key performance indicators (KPIs) to track operational efficiency and effectiveness and using these metrics to identify areas for improvement.

Weighing controls 

As mentioned, not all controls provide the same amount of risk mitigation. Controls that mitigate risk the most might be considered your "key" controls.  

Which controls mitigate risk more than others? It helps to consider the control types.  

For example, an automated control that is expected to prevent something may be a candidate to be identified as a "key" control and weigh more than a manual control and corrects a deficiency, issue, or finding. 

Weighing controls helps prioritize which controls require more frequent monitoring and review (i.e. a risk-based approach to control monitoring).

Related: Expert Q&A: How to Build a Risk Assessment 

Measuring controls feels arbitrary  

There is data to help assess controls. Audit and QA regularly evaluate the effectiveness of control, providing useful data that makes it easier to measure controls.  

Limited experience 

No one knows everything about a financial institution, including those tasked with assessing controls. It’s not just okay to ask for input from people familiar with a control area. It’s encouraged. In fact, it can be smart to train individuals in other departments or business lines to evaluate their own controls – or offer feedback on an outside evaluation. Risk management is collaboration. 

Overconfidence / resistance to change  

We live in a dynamic risk environment, as events like COVID-19 and the collapse of Silicon Valley Bank regularly remind us. New risks, increased risk, or decreased risk all impact controls. An open mind is a must for successful risk management. 

Perception of risk management.  

This goes back to the idea of controls as simply the everyday activities of a financial institution. Yes, risk management requires expertise, but training and support can help employees understand controls. There are tools that make it simpler by providing the content to understand what’s needed and provide a framework to put it into action. Training and support can help employees understand controls. 

Conclusion 

While there are several reasons why employees at financial institutions might be reluctant to talk about risk management controls, they are surmountable. By addressing these challenges and fostering an open and supportive environment, financial institutions can encourage employees to discuss risk management controls and work together to build a strong risk management practice.  

Want to learn more about how controls influence risk management? Download our free whitepaper Creating Reliable Risk Assessments.