All the Risk News That’s Fit to Print: Ncontracts’ Top 2020 Risk Management Blogs

2020 is the year everyone became a risk manager. Faced with the COVID-19 pandemic, we’ve all had to make decisions about risk tolerance, mitigation, and avoidance.

While that may make your job more relatable (that is, if there were still cocktail parties to talk about these things), it hasn’t made it any easier. Risk management remains a nuanced and enterprise-wide activity that requires specialized knowledge and an analytical mind—not to mention automated tools to simplify it all.

With that in mind, we’ve gathered our most popular risk management blog articles—selected from over 150 written this year—to help inform your risk management efforts. Whether you’re an old hand or a newbie, we’ve got something for you.

1. Risk Assessments 101: The Role of Probability & Impact in Measuring Risk

Assessing risk can feel like a subjective task. Many bankers make a gut call, acting as the institution’s de facto Magic 8 Ball. But you don’t need a phony fortune-telling toy to know that “outlook not so good” for this practice.

Guessing at risk assessments is a dangerous practice. Assessing risk is not a check the box activity. It’s an essential tool for mitigating risk and assessing controls. If you don’t put in the work to systematically evaluate risk, you’re creating even more risk.

Deep down you know this and so do examiners. Here’s what you need to do to assess risk.

2.Your Risk Assessment Process Questions Answered

You know you need to perform risk assessments, but what really goes into the risk assessment process? We tackled this topic in our recent webinar, Risk Assessments: Making the Most of Your FI’s Secret Weapon, but we know you have more questions including:

• What process should I use to perform the risk assessment?
• I’ve scheduled interviews with departments to gather information for my risk assessments. What should I ask them?
• How would you suggest prioritizing (or balancing) daily enterprise risk management (ERM) work? We’ve got limited resources and need to conduct risk assessments on new work requests while enhancing our program?

3. Risk & Exams: Insights into Where Examiners Will be Looking in 2021

It’s the fourth quarter, and chances are your financial institution is deep into strategic planning for 2021—if not already done. You are not the only one.

Looking ahead, the Office of the Comptroller of the Currency has released its Fiscal Year 2021 Bank Supervision Operating Plan, which took effect October 1. This document is full of insights for all financial institutions—even those not overseen by the OCC—because it hints at what other financial supervisory agencies are likely to be looking at, too.

Are your strategic priorities aligned with OCC supervisory objectives? Here’s a clue: If your financial institution is actively engaged in risk management, you’ve got a good head start.

Read on to find out more about some of the key non-financial risks of interest to the OCC.

4. Ncast Podcast Launches with Remote Exam & Cyber Risk Discussion with ABA’s Paul Benda

Over the years, the enormous popularity of our webinars and blog has shown us that bankers want to hear from risk management experts. They're looking for industry insiders who can break down the most important risk and compliance trends and topics of the day and translate them into usable insights.

That’s what Ncast, our new weekly podcast, delivers. Each episode invites you inside an in-depth conversation between risk management experts. From industry thought leaders, newsmakers, practitioners, and regulators to Ncontracts’ subject matter experts and customers, you’ll listen in as these leaders share insights and experiences related to today’s most relevant risk and compliance topics.

5. Citibank’s $400 Million ERM & Compliance Fine: 6 Lessons Learned

What does it take to get a $400 million civil money penalty for data governance, risk management, and internal controls resulting in unsafe or unsound practices? 

That’s what everyone is asking since the Office of the Comptroller of the Currency hit Citibank with a $400 million civil money penalty while the Fed released its own enforcement action against the megabank earlier this month.

The agencies are requiring Citi to take corrective action (beginning at the board level) to remediate an enterprise risk management (ERM) program that has repeatedly failed. Where did Citi go wrong and how can you avoid its mistakes? Here are six lessons learned.

Related: Creating Reliable Risk Assessments

 6. Board & Management Fail: Operational Risk Management Weaknesses Leads to $80 Million Fine

Last August Capital One got in trouble when a former Amazon Web Services employee hacked into one of its databases and accessed the data of 100 million Americans and 6 million Canadians, which includes names, addresses, zip codes/postal codes, phone numbers, email addresses, birthdates, income, credit scores, and payment history. The breach went on for three months before the bank was tipped off by an anonymous email.

What went wrong? While initial speculation suggested a vendor management flaw since the perpetrator had been an employee of the vendor, it turns out weak risk management is to blame, the OCC says.  Here’s how to avoid making the same mistakes.

7. 9 Risk Management Failures That Lead to Charges Under NY’s Cyber Law

Earlier this year NYDFS filed its first cybersecurity enforcement action, charging a large title company based in Nebraska with exposing more than 850 million documents containing private customer data over at least four years between 2014 and May 2019.

The potential financial consequences are huge. Even though the company is based in Nebraska, the company must answer to NY state law since it operates there, writing more than 50,000 policies in 2019, says NYDFS. Under NY state law, each exposed document could result in a fine of as much as $1,000.

How does a cyber mistake of this size happen? The answer touches upon nearly every area of risk management including risk assessments, findings, and internal controls as well as ineffective manual processes.

8. What Asset-Based Risk Assessments Get Wrong
Wouldn’t it be nice to reduce risk management to a simple checklist? You could go down a list of business assets, answer a few questions, and be on your way.

That’s the thinking behind asset-based risk management, a buzzy risk management catchphrase. Unfortunately, this idea has more flash than substance and could lead a financial institution to overlook or underestimate risks, exposing the institution to unwanted risk, and creating the potential for non-compliance with regulatory expectations.

9. 4 Ways to Improve Risk Management When Risk Is High
Risk management is an active and ongoing process. The pandemic has created a situation marked by rapid change. Here are four ways to improve risk management when risks are elevated.

10. Training Risk Management Heroes – Maximizing the Board & C-Suite
It’s no secret that enterprise risk management should inform every decision the board and C-suite make. Yet there are many ways that ERM falls short:

• It’s reactive. ERM should be a proactive exercise and a priority at board meetings. Responding to problems as they emerge, instead of anticipating and mitigating them, will not make an institution successful.
• It’s stymied by silos. ERM is not a department or solely the domain of the chief risk officer. Everyone needs to be involved and share information.
• It doesn’t inform decision making. ERM adds value to decision making and should be a component of all strategy and objective discussions.
• There’s no ownership. Authority, accountability, and responsibility for risk management should be clearly defined and enforced.

Read on for tips on how to solve these problems from the top.

Related: Shelved Elves: Santa Ponders the Risks and Rewards of Outsourcing Toy Making