Risk management is a critical aspect of banking operations, but it doesn’t always come easily. For newcomers, it can be intimidating. Others find the ongoing nature of risk management challenging. But there’s one area where I find more resistance than any other: risk management controls.
Bankers really don’t like talking about risk management controls. It's not that they don’t understand them. They know what a control is, but they find the practice of evaluating controls a bit overwhelming.
Let’s take a closer look at risk management controls and what bankers can do to make them less intimidating.
A risk management control is a measure, process, or mechanism put in place to mitigate risk. Controls aim to reduce the likelihood of a risk event occurring and/or minimize the impact if the event does occur.
Controls can be preventive, detective, or corrective in nature:
Preventive controls. Preventive controls are proactive controls designed to prevent a risk event from happening. Examples include automated software controls requiring data or a specific process to be followed, employee training, access controls, and firewalls.
Detective controls. Detective controls identify and detect risk events or issues that have already occurred. These controls help to ensure that incidents are quickly discovered and addressed to reduce the impact. Examples include audits, monitoring systems, and fair lending data analysis.
Corrective controls. Corrective controls resolve issues once they have been identified through preventive or detective controls. Their goal is to reduce the impact of risk events and prevent them from recurring. Examples include incident response, root cause analysis, and contingency plans.
Effective risk management involves implementing a combination of these controls to address potential risks in a comprehensive and balanced manner.
While the concept of controls is simple, they can still be a source of stress. I’ve discovered four common reasons:
When we understand the challenges that make people want to avoid risk management controls, it’s easier to help people overcome these objections.
Let’s look at each objection.
Yes, there are many controls, but they aren’t all created or managed by those tasked with assessing the controls. Many controls are activities a financial institution is already engaging in. Let’s take a look at some common operational risk controls.
As mentioned, not all controls provide the same amount of risk mitigation. Controls that mitigate risk the most might be considered your "key" controls.
Which controls mitigate risk more than others? It helps to consider the control types.
For example, an automated control that is expected to prevent something may be a candidate to be identified as a "key" control and weigh more than a manual control that corrects a deficiency, issue, or finding.
Weighing controls helps prioritize which controls require more frequent monitoring and review (i.e., a risk-based approach to control monitoring).
There is data to help assess controls. Audit and QA regularly evaluate the effectiveness of controls, providing useful data that makes it easier to measure controls.
No one knows everything about a financial institution, including those tasked with assessing controls. It’s not just okay to ask for input from people familiar with a control area. It’s encouraged. In fact, it can be smart to train individuals in other departments or business lines to evaluate their own controls – or offer feedback on an outside evaluation. Risk management is collaboration.
We live in a dynamic risk environment, as events like COVID-19 and the collapse of Silicon Valley Bank regularly remind us. New risks, increased risk, or decreased risk all impact controls. An open mind is a must for successful risk management.
This goes back to the idea of controls as simply the everyday activities of a financial institution. Yes, risk management requires expertise, but training and support can help employees understand controls. There are tools that make it simpler by providing the content to understand what’s needed and a framework to put it into action.
While there are several reasons why employees at financial institutions might be reluctant to talk about risk management controls, they are surmountable. By addressing these challenges and fostering an open and supportive environment, financial institutions can encourage employees to discuss risk management controls and work together to build a strong risk management practice.