Replace old-fashioned spreadsheets with a proven and repeatable process

Financial institutions today are legally required to comply with risk management and data security mandates. One of the most useful methods for doing this is a risk assessment, which helps you identify and understand risks to the confidentiality, integrity and availability of your data and systems. Below are some best practices based on the collective experience of dozens of banks that can help you get the most value from your institution’s investment in risk assessments.

Make it process-driven, not event-driven

Examiners today want to see a consistent and repeatable approach to risk management that’s integrated into daily operations. But “home-grown” processes that often rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass on the process to others. The result: Risk assessments that are neither consistent nor repeatable. You need a process that can:
  • Document how and why you rate a risk, and if something changes, why you made that change. Examiners want to see evidence that you are reviewing and updating your risk assessments throughout the year.
  • Make the risk assessment process something others can access, understand and use. When a new compliance officer takes over your program, for example, it should instantly make sense and they should be able to start using it immediately.
  • Integrate risk management into daily operations. Examiners want to see evidence that risk assessment is integrated into operations throughout the year, not just in the weeks before an exam.
  • Ensure appropriate branch personnel can understand, be trained for and participate in the process. The goal should be to make risk management a consistent and repeatable process, and integrate risk assessment into daily operations.

Remember that risk is subjective

As with anything in banking, some risk is acceptable. But if you’re unable to prioritize risk based on asset criticality and impact on operations, you may focus on the wrong risks and end up spending far more money, time and effort than you should.

Remember that risks are always changing

Don’t assume that the risks you identified two years ago are the same risks you face today. Institutions need to regularly review their assets, risks and controls to ensure they’re up-to-date and comprehensive.

Periodically get an outside perspective

Complacency is always a danger when risk management activities become mundane or routine. That’s why it’s a good idea to periodically get an outside perspective on your program from a banking or risk management specialist who is tied into the changing regulatory, industry and information security scene.

The most difficult component of risk management at our bank is organizing and tracking the vast amounts of required information. Once I input our data into Scout, I had a single portal for accessing, organizing and managing all our risk assessments. Scout is simply an easy-to-use tool that saves me time and tells me what is going on at the bank.
Anita Vogel-Drentlaw,
CFO
New Market Bank
Elko New Market, Minnesota