TraceRisk Articles by: Derek Yankoff

What Are Vendor Risk Reviews?

A vendor risk review (a.k.a. risk assessment) helps you understand the risks that exist when using a vendor’s product or service. Performing a risk review is especially critical when the vendor will be handling a core business function, will have access to customer data, or will be interacting with your customers.

Vendor risk reviews are not only critical when bringing on a new vendor; they are also needed to confirm that the vendor is maintaining the expected quality standards without introducing new risks to the company, its investors or your customers.

The goals of a risk review are to:

  • Identify any risks the vendor will pose
  • Evaluate whether the vendor is able to eliminate those risks
  • Monitor the risks that cannot be eliminated
  • Assess the extent of the exposure any outstanding risks bring to the company
  • Determine whether your company is willing to accept those risks

Risk assessments are typically a series of questions (or a risk matrix grid); the answers to those questions are scored, and the overall point value identifies the vendor’s risk level. A common risk level breakdown is Low, Medium and High.

When To Perform Vendor Risk Reviews

Initial Risk Review

Risk reviews should be introduced to vendors during the Request For Proposal (RFP) process. Depending on your current RFP process, you may be able to embed the risk review assessment in the RFP itself. The risk review should also be used to gauge the vendor’s ability to respond accurately and on time, especially in providing the documents you request. Monitor everything closely at this point, as the vendor’s performance at this stage will likely correlate strongly with its future performance.

Red flags to look out for during the risk review that could remove the vendor from consideration:

  • Cannot describe any process for safeguarding confidential data
  • Does not perform risk assessments internally
  • Does not have a formal security policy
  • Does not perform security testing across all functionality
  • Does not have a disaster recovery/pandemic plan

Ongoing Risk Reviews

I have found that the best time to perform the risk review is 180 days prior to the contract’s renewal notification deadline. This normally gives ample time to identify any change in the vendor’s risk level and lets your company respond appropriately.

In my experience, allow the vendor 10 business days to complete the review. Once the review is back in-house, it should take the VMO only a few hours to review it and upload the data into the vendor management software to identify the risk levels. At this point you can also compare the current review with the vendor’s previous reviews and spot any trends.

How Often Should Ongoing Reviews Be Conducted?

Reviews should be performed according to the vendor’s current risk level, such as:

  • Low risk vendors → annually or every two years
  • Medium risk vendors → semi-annually or annually
  • High risk vendors → quarterly or semi-annually

You may also review the vendor more frequently than normal if any of the following indicators exist:

  • The vendor has been in business for less than 3 years
  • Items discovered in the last review need to be monitored
  • The vendor files for bankruptcy
  • The vendor announces layoffs
  • Lawsuits involving the vendor
  • Negative press concerning the vendor
  • Lowered ratings by agencies (BBB, Fitch, S&P, Moody’s)
  • An increase in vendor incidents, or vendor incidents that remain unresolved

Who Handles the Review?

The Vendor Management Office (VMO) should be in charge of managing the vendor risk review process. By its nature, the VMO should provide the most unbiased view of the vendor, which is critical because the vendor’s risk level classification dictates how the vendor is managed throughout the relationship.

If the VMO finds any high-risk items on the assessment, it should engage the business owner and any other key parties. The result of this discussion can either be:

  • The decision maker accepts the high risk level and the vendor risk review is considered complete
  • The decision maker does not sign off:
    • The VMO creates an incident for each question that is labeled high-risk
    • The VMO discusses the high-risk items with the vendor and formulates an action plan for the vendor to complete
    • Once those risks are mitigated the VMO will complete a new risk review to show the changes
    • The revised review is then brought back to the business owner for final sign-off

Base the Review on the Type of Vendor

It is best to create risk reviews based on the services the vendor performs; not every vendor should be subjected to the same review form. Always keep in mind the vendor size and the risk the vendor poses to your organization — too many reviews could damage the relationship with the vendor.

Below are five common vendor types that can be used to help shape your risk review efforts:

  • Essential Services — the vendor handles customer data and customer interaction
  • Customer Facing — the vendor interacts with customer without handling customer data
  • Customer Data — the vendor handles customer data without customer interaction
  • Back Office — the vendor supports core services but has no customer interaction/data
  • Non-Essential — the vendor does not provide core services or core product

Risk Areas to Focus On

The risk areas below are ones your assessment may focus on, with the vendor types to which each area applies.

  • Security incident handling (all vendor types): A process for how the vendor handles incidents in which security has been breached, including how and when clients are notified.
  • Environmental security (all vendor types): Safeguards that monitor and protect access to the vendor’s buildings, ensure the environment is monitored and secure, and ensure visitors are monitored while inside secure areas.
  • Organizational security (all vendor types): A policy and program, with a governance committee, that oversees and audits all facets of security to protect the vendor and its clients.
  • Human Resource (HR) security (all vendor types): A procedure under which all employees and contractors are trained on handling and safeguarding customer information and on what to do when the procedure is breached.
  • Pandemic readiness (all vendor types): A documented business continuity strategy for a widespread outbreak of disease that shows what support the vendor can provide during such an event.
  • Disaster recovery (all vendor types): The processes, policies and procedures for recovering or continuing core technology infrastructure after a natural disaster.
  • Handling data, hard and soft copy (Essential Services and Customer Facing): A documented process for handling both electronic and paper files throughout the document life cycle, including destruction.
  • Customer interaction processes (Essential Services and Customer Facing): A defined process for interacting with customers that meets the client’s expectations and any regulatory guidelines that must be followed.
  • Physical security (all but Non-Essential): A procedure that defines the security of the buildings, both offices and data center, including how visitors are handled, access into buildings and surveillance.
  • Asset management (all but Non-Essential): A process for operating, maintaining, upgrading and disposing of assets such as computer equipment, company phones or anything else of value.
  • Communication (all but Non-Essential): Defines the vendor’s communication processes, including how and when the client is notified of issues.
  • Access controls (all but Non-Essential): A defined process for selectively restricting access to the vendor’s computer systems, whether on-site or remote.

Example of a Vendor Risk Questionnaire

Below is a sample risk review form; treat it as a template to tweak for your specific needs. Each answer sits in the column of the risk rating it earns, so the form can be scored as described above. Note that for the three questions about external-party access, unsecured printers and third-party access to client data, the low-risk answer is No. Some items also reflect older practice: NIST SP 800-63B, for example, no longer recommends periodic password rotation, so you may prefer to rate multi-factor authentication and compromise-triggered resets instead.

Vendor Response & Risk Rating

Risk Question | Low | Medium | High
Do you have an internal Risk Assessment program? | Yes | | No
What is the frequency of performing Risk Assessments? | Yearly | More than 1 year | Never
Does your company have procedures employed to ensure compliance with privacy laws/regulation requirements related to maintaining the security, confidentiality and protection of customer data? | Yes | | No
Is there a designated Information Security team within the organization? | Yes | | No
Does management require the use of confidentiality or non-disclosure agreements? | Yes | | No
Is access to non-public information provided to external parties? | No | | Yes
Is there an asset management policy? | Yes | | No
Do all employees and contractors sign agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire? | Yes | | No
Does the security awareness training include a test or a certification of completion? | Yes | | No
Is there a documented termination or change-of-status policy that specifically identifies which departments to notify for removal of access to systems and the building? | Yes or N/A | | No
Are visitors required to sign in, wear a visitor badge and have an employee escort them in the building at all times? | Yes | | No
Are there badge readers at all entries into the business? | Yes | | No
Are there printers in a non-secured area that are allowed to print non-public data? | No | | Yes
Are operating procedures documented, maintained, and made available to all users who need them? | Yes | | No
Are system changes performed in a test region? | Yes | | No
Do third-party vendors (contractors, subcontractors, service providers, etc.) have access to the Client’s non-public data? | No | | Yes
Are workstation scans scheduled daily? | Yes | | No
Is there a Network Intrusion Detection/Prevention System? | Yes | | No
If Instant Messaging is used, is communication limited to internal employees and blocked externally? | Yes or N/A | | No
Do freeware or shareware applications require approval from security prior to installation? | Yes | | No
Are inactive user IDs deleted or disabled after a certain period of time? | Yes | | No
Do all users have a unique user ID when accessing applications? | Yes | | No
How often are passwords reset? | 90 days | 90+ days | When user requests
Is there a policy to prohibit users from sharing passwords? | Yes | | No
What is the limit of unsuccessful login attempts before the account is locked? | Up to 3 | Up to 6 | 6+
When upgrades are done, does the Client have full access to the system during this process? | Yes | | No
Is there a documented Incident Response Plan? | Yes | | No
Are the procedures tested at least annually? | Yes | | No
Is there an organizational data protection and privacy policy? | Yes | | No
Does your company have a compliance and ethics training program for all employees? | Yes | | No
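As an added example (not the page’s or TraceRisk’s code) of how the scoring described in the sections above can be carried out, the Python below rates a subset of the form’s answers, rolls them up into an overall Low/Medium/High level, lists the High-rated items that would each become an incident, and derives the next review date from the cadence rules and the 180-day lead time before renewal. The question ids, point values, level thresholds and the sample vendor response are assumptions; the answer-to-rating mapping follows the form.

```python
"""Score a vendor risk questionnaire and derive the next review date.

Added example, not TraceRisk's code.  The point values, the Low/Medium/High
thresholds, the question subset and the question ids are assumptions made for
illustration; the answer-to-rating mapping follows the sample form above.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

TIER_POINTS = {"Low": 1, "Medium": 2, "High": 3}

# Subset of the sample form, keyed by a hypothetical question id.  Each answer
# maps to the rating column it sits in; for the inverted question about
# external-party access the low-risk answer is "No".
QUESTIONS: dict[str, dict[str, str]] = {
    "internal_risk_program": {"Yes": "Low", "No": "High"},
    "risk_assessment_frequency": {"Yearly": "Low", ">1 year": "Medium", "Never": "High"},
    "external_party_access": {"No": "Low", "Yes": "High"},
    "password_reset": {"90 days": "Low", "90+ days": "Medium", "On request": "High"},
    "lockout_threshold": {"Up to 3": "Low", "Up to 6": "Medium", "6+": "High"},
    "incident_response_plan": {"Yes": "Low", "No": "High"},
    "ir_plan_tested_annually": {"Yes": "Low", "No": "High"},
    "network_ids_ips": {"Yes": "Low", "No": "High"},
}

# Stricter end of each cadence range given in the text (Low yearly, Medium
# semi-annually, High quarterly); any watch indicator forces quarterly.
REVIEW_INTERVAL_MONTHS = {"Low": 12, "Medium": 6, "High": 3}
ACCELERATED_INTERVAL_MONTHS = 3
DAYS_BEFORE_RENEWAL = 180  # review lead time before the renewal notice

# Assumed thresholds on the score as a fraction of the maximum possible score.
LEVEL_THRESHOLDS = ((0.50, "Low"), (0.75, "Medium"))


def rate_answers(answers: dict[str, str]) -> dict[str, str]:
    """Map each answer to its rating.  An unanswered or unrecognised answer is
    rated High: a question the vendor would not answer is a gap, not a pass."""
    return {
        qid: choices.get(answers.get(qid, ""), "High")
        for qid, choices in QUESTIONS.items()
    }


def assess(answers: dict[str, str]) -> dict:
    """Score the questionnaire and return the overall level plus the items that
    must be raised with the vendor (every High-rated question becomes an incident)."""
    ratings = rate_answers(answers)
    score = sum(TIER_POINTS[r] for r in ratings.values())
    max_score = TIER_POINTS["High"] * len(ratings)
    fraction = score / max_score
    level = "High"
    for limit, name in LEVEL_THRESHOLDS:
        if fraction < limit:
            level = name
            break
    return {
        "score": score,
        "max_score": max_score,
        "level": level,
        "high_items": sorted(q for q, r in ratings.items() if r == "High"),
    }


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month = 28/29 Feb)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_review_date(level: str, completed_on: str, renewal_date: str | None = None,
                     indicators: tuple[str, ...] = ()) -> str:
    """ISO date of the next review: the cadence for the level, shortened to
    quarterly if any watch indicator (layoffs, lawsuits, ...) is present, and
    never later than 180 days before the contract renewal date."""
    interval = REVIEW_INTERVAL_MONTHS[level]
    if indicators:
        interval = min(interval, ACCELERATED_INTERVAL_MONTHS)
    due = _add_months(date.fromisoformat(completed_on), interval)
    if renewal_date is not None:
        due = min(due, date.fromisoformat(renewal_date) - timedelta(days=DAYS_BEFORE_RENEWAL))
    return due.isoformat()


# Constructed vendor response; the network IDS/IPS question is left unanswered on purpose.
SAMPLE_ANSWERS = {
    "internal_risk_program": "Yes",
    "risk_assessment_frequency": ">1 year",
    "external_party_access": "Yes",
    "password_reset": "90 days",
    "lockout_threshold": "Up to 6",
    "incident_response_plan": "Yes",
    "ir_plan_tested_annually": "No",
}

if __name__ == "__main__":
    result = assess(SAMPLE_ANSWERS)
    print(result)
    print(next_review_date(result["level"], "2024-03-01", "2025-01-15"))
    print(next_review_date(result["level"], "2024-03-01", "2025-01-15", ("layoffs",)))
```

Two design choices worth keeping whatever thresholds you adopt: a question the vendor leaves blank is scored as High rather than skipped, so an incomplete response cannot lower the vendor’s risk level, and the High-rated items are returned individually so the VMO can open one incident per item as the sign-off process above requires.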

Starting A Vendor Management Office

4 Steps to Getting Started with a VMO

Starting a Vendor Management Office (VMO) within a company can be quite challenging. The key is to determine the breadth and depth of services that the VMO will provide the company. With any successful implementation you need a project plan that defines the vision and mission of the VMO.

Step #1 — Know the Business

Before designing the roles and responsibilities of the VMO, you must first know the business and how current vendor relationships are managed.

Questions to ask:

  • Why did the company decide to implement a VMO?
  • What are the current challenges with vendor relationships?
  • How does each line of business (LOB) handle vendors?
  • Who currently negotiates contracts?
  • Where are the contracts, reviews, SSAE 16 reports (now SSAE 18 SOC reports) and insurance certificates stored?
  • Who performs vendor risk and performance reviews?
  • Who reviews and submits invoices?
  • Who handles vendor end-of-year tax processing (Form 1099-MISC; nonemployee compensation has been reported on Form 1099-NEC since tax year 2020)?
  • Who sets up vendors in the company’s database or servicing systems?
  • Who are the business owners for the vendors?

I would suggest meeting with each functional area to work through these questions. This is also the perfect time to set expectations for gathering all vendor documents, to understand the services the vendors provide, and to be made aware of any current vendor incidents and active projects in the pipeline.

Step #2 — Design & Propose the VMO’s Roles & Responsibilities

The VMO team provides a support role and assists each department with vendor selection, negotiations, contract terms, monitoring vendor performance, identifying risk and handling on-site reviews. Once you have your list of issues, vendors, documents and corporate structure, it’s time to create a VMO implementation plan.

Design the Plan

Each company will vary on what roles they want the VMO to be responsible for. The company may not have performed a deep dive into all aspects of what a VMO can provide. I would suggest gathering your data from Step 1 and putting a deck together to present to the executive team.

The deck should contain:

  • Timelines for each implementation phase
  • Projected staff size
  • How you will manage the data

This is the perfect way to validate the business needs and to determine if your VMO vision meshes with the executive team’s expectations.

VMO Functions

After you analyze the company’s current vendor management approach, you need to evaluate and prioritize what functions you can provide that will eliminate risks for the company and create efficiencies for the lines of business.

I call these the 22 keepsakes of a VMO:

  1. Execution of all NDAs
  2. Manage RFPs
  3. Perform due diligence
  4. Negotiate costs
  5. Create contracts
  6. Contract negotiations
  7. Contract approval process
  8. Gather business requirements
  9. Negotiate contract terms
  10. Manage contract renewals
  11. Termination of vendors
  12. Maintain vendor documents
  13. Risk reviews
  14. Onsite reviews
  15. Vendor performance reviews
  16. Vendor incident resolution
  17. End-of-year tax processing (1099-MISC/1099-NEC)
  18. Invoice audits
  19. Vendor utilization
  20. Vendor setup in systems
  21. Manage vendor scorecards
  22. Purchasing/purchase orders

Keep in mind the functions you commit to may require additional staff, depending on the company’s volume of vendors.

Job Descriptions

Depending on the initial assessment of duties, you can start creating VMO roles and the set of tasks that each person will perform.

Among the roles you may consider are a contract administrator, a vendor analyst and a vendor auditor. Their typical responsibilities include:

Contract administrator

  • Assist with the RFP process
  • Review and negotiate contract terms and pricing
  • Obtain proper approvals and signatures on all contracts
  • Maintain and update as needed company standard blanket contracts
  • Manage select vendors
  • Assist with administering vendor action plans as needed
  • Conduct vendor business reviews
  • Perform other activities as assigned by the Vendor Manager

Vendor analyst

  • Research, collection, tracking and reporting of vendor SLAs
  • Maintain information in the vendor management system
  • Track escalated issues and reporting of root cause analysis
  • Manage the archive and cataloging processes for all VMO documents
  • Tracking of agreement renewal dates
  • Assist the team in the collection and analysis of vendor information as input to the annual profit plan cycle
  • Perform invoice tracking against purchase orders as directed by the Vendor Manager

Vendor auditor

  • Perform daily activities related to managing regulatory compliance and performance of the company’s vendors
  • Partner with the Compliance Department to review changes in regulation that may apply to the company’s vendors
  • Maintain an overall vendor scorecard that relates to vendor risk and performance as related to the review analysis
  • Conduct vendor performance reviews
  • Conduct due diligence reviews during the vendor on-board process
  • Conduct vendor risk reviews as directed by company guidelines
  • Perform vendor on-site reviews as directed by the Vendor Manager

Step #3 — Select Your VMO Database

Another factor to consider is how you will manage your documents, data and timelines. A spreadsheet can work as a bare-minimum solution, but it becomes unwieldy once you have more than 100 vendors or need features such as document storage and email reminders.

You’ll want your VMO database to handle:

Document Storage

  • Vendor performance reviews
  • Risk reviews
  • Fully executed contracts
  • Vendor certifications (SSAE 16, now SSAE 18 SOC reports)
  • Insurance certificates
  • On-site reviews
  • Vendor incidents
  • Contract redlines
  • NDAs
  • Email communications
  • RFP results
  • Notes
  • Misc. documents

Tracking and Notifications

  • Contract expirations
  • Vendor performance reviews
  • On-site reviews
  • Insurance expirations
  • Risk reviews
  • Vendor certifications (SSAE 16/SSAE 18 SOC reports)

Quick Reference Information

  • Vendor contact info
  • Contract clauses
  • Service level agreements (SLA)
  • Cost of services
  • Termination dates

Step #4 — Implement the Plan

Now that the plan is approved, it’s time to put everything together. Being in a support role, it is imperative that whatever you implement is simple for the business and efficient for the VMO. Whatever database you choose, ensure the business has access to it, so that you can concentrate on the core functions that support the business.

In implementing any plan you should have policies and procedures for the company to follow and an internal VMO policy for your staff.

VMO Company Policy Topics

  • Vendor onboard process
  • Contract signing authority
  • Ongoing relationship with vendors
    • Contract renewals
    • Performance reviews
    • Risk reviews
    • Price changes
    • Change in terms
    • Vendor scorecards
    • Vendor issues
    • Gift policy
  • How and when to terminate a vendor

VMO Internal Policy Topics

  • When to use an NDA
  • Steps on implementing a new vendor
  • How to create and score an RFP
  • How to upload new vendors into your Customer Information System (CIS), if applicable
  • Creating and managing a risk review
  • Creating and managing a performance review
  • Processes on managing the vendor management software or database
  • How to terminate a vendor
  • Contract expiration notification process
  • How to manage and resolve vendor incidents

Implement your vendor management software or database as soon as possible. The last thing you want is for the contracts of high-volume or high-risk vendors to expire during the transition.

Once you have your policies and procedures published, a repository and tracking system in place and your staff hired, it’s time to officially kick off the VMO: introduce the policies and procedures and present the value you will add by managing vendor relationships and processes in support of the lines of business.

Depending on the company culture, you may wish to do a roadshow, starting with the department heads to get their buy-in so they can pass it down to their teams, or roll it out through continuing education sessions or by email. I would suggest talking with your training department about how they have rolled out new departments in the past.


Don’t Confuse a Control Risk Assessment with an Enterprise Risk Assessment

In managing the internal audit function, the institution’s Audit Committee is responsible for commissioning a Control (or “Auditor’s”) Risk Assessment, developing audit plans and overseeing the execution of the audit program. A Control Risk Assessment documents the internal auditor’s or outsourced audit service provider’s understanding of the institution’s significant business activities and their associated risks. These assessments typically consider the risks inherent in a given business line, the mitigating control processes and the resulting aggregate risk exposure to the institution. The assessments should be updated annually by the auditors to reflect changes to the system of internal control or work processes and to incorporate new lines of business.

Conversely, an Enterprise Risk Assessment can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act and strategic planning (remember: Strategy Drives Risk). ERM addresses the needs of various stakeholders (i.e., risk owners, risk managers, C-Suite executives, Board members) who need to understand the broad spectrum of risks facing the institution to ensure they are appropriately managed. Put another way, enterprise risk management is accomplished in large part by performing an enterprise risk assessment.

With that groundwork laid, let’s take a look at the Control (or “Auditor’s”) Risk Assessment first. The Control Risk Assessment methodology performed by the auditor identifies all auditable areas, provides a narrative basis for the auditor’s (not management’s) determination of relative risks, and is consistent from one auditable area to another. The Control Risk Assessment quantifies Credit Risk, Interest Rate Risk, Liquidity Risk, Operational Risk, Compliance Risk, Strategic Risk, Reputational Risk, BSA Risk and Fair Lending Risk (if applicable). Some specific functions and activities may be embedded within larger categories; for example, some information technology risks are addressed in the Operational Risk area while certain other IT risks can be found in the Compliance Risk area. The auditor’s Control Risk Assessment considers the potential that deficiencies in the system of internal control would expose the institution to loss, and provides the auditor with data sufficient to develop the scope, coverage, timing, frequency and budget for the audits planned for the year.

When appropriate, the auditor should consider the introduction of new products and departmental changes, which factor into the audit plan. It should be noted that ratings of particular business activities or corporate functions may change with time, and the auditor should revise the method for assessing risk accordingly. A properly drafted internal audit plan is based on the auditor’s Control Risk Assessment and typically includes an evaluation of key internal controls within each significant business activity. Ideally, the auditor’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk management, control and governance processes for the purpose of audit plan development. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities or the business environment.

Conversely, the institution’s Enterprise Risk Assessment provides management with actionable outcomes that facilitate risk mitigation, controls development and process remediation and includes the methods and processes used to seize opportunities related to the achievement of institutional strategic objectives by assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress. By identifying and proactively addressing risks and opportunities, the institution protects and creates value for its shareholders, employees and customers.

Enterprise risk assessment frameworks describe an approach for identifying, analyzing, responding to and monitoring risks and opportunities within the internal and external environment facing the institution. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

  • Avoidance: exiting the activities giving rise to the risk
  • Harnessing (mitigation): taking action to reduce the likelihood or impact of the risk
  • Alternative actions: identifying and weighing other feasible steps to minimize the risk
  • Transferring: transferring or sharing a portion of the risk (e.g. through insurance or contract terms)
  • Acceptance: taking no action, based on a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or conducting management committee meetings with relevant experts to understand how the risk response strategy is working and whether the objectives are being achieved.

So, you can see that each of these two risk assessment approaches have distinct objectives, methodologies and outcomes and therefore, should not be combined or mistaken for one another. Moreover, your regulatory examiners expect to see both approaches in operation at your shop. The bad news is that employing both approaches can be costly and time consuming. The good news is that there is a simple, cost-effective way to get them both done and achieve remarkable results that will impress your examiners and Board of Directors and keep your bank compliant with risk management mandates set forth by the OCC, FDIC and FRB.

Risk Rating Impact

Example: Impact Rating System

Rating 1 – Fully Controlled: Factors such as cost, time, delivery, quality and security are virtually not affected. Little or no exposure to dollar losses, compliance issues, customer complaints, capital decay, insufficient liquidity or reputational damage. Value-at-Risk (VaR) is slight and well within the bank’s stated risk appetite. Risk events will not negatively affect the bank’s financial, operational, compliance or reporting objectives. The annual rate of loss expectancy is very low.

Rating 2 – Largely Controlled: Losses concerning cost, time, delivery, quality and security are inconsequential and can be absorbed when adverse events or conditions occur (think: “the cost of doing business”) and routine remediation is appropriate. There is very modest exposure to dollar losses, compliance issues, isolated customer defection and reputational damage. Value-at-Risk is acceptable and remains within the bank’s stated risk appetite. Risk events could have a negligible effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy remains well within acceptable limits.

Rating 3 – Adequately Controlled: Losses concerning cost, time, delivery, quality and security can be managed when adverse events or conditions occur but preventative and corrective remediation is required. There is measurable exposure to one or more of dollar losses, compliance issues, capital decay, insufficient liquidity, possible customer defection and reputational damage. Value-at-Risk remains acceptable but is at the limit of risk appetite and the bank will likely be criticized by regulatory supervisors. Risk events could have a negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy is at the bank’s tolerable limit.

Rating 4 – Inadequately Controlled: Losses concerning cost, time, delivery, quality and security are almost a certainty when adverse events or conditions occur and prompt preventative and corrective remediation is warranted. There is meaningful exposure to one or more of dollar losses, regulatory criticism and lawsuits stemming from non-compliance with laws and regulations, and an increasing likelihood of capital decay, insufficient liquidity, customer defection and reputational damage. Value-at-Risk exceeds the bank’s stated risk appetite and risk tolerance levels are stressed. The bank will be criticized by regulatory supervisors and shareholders. Risk events will have a negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy exceeds the bank’s tolerable limit.

Rating 5 – Uncontrolled: Losses concerning cost, time, delivery, quality and security are profound when adverse events or conditions occur and immediate preventative and corrective remediation is warranted. There is significant exposure to dollar losses, regulatory censure and civil money penalties stemming from non-compliance with laws and regulations. There is a strong likelihood of one or more of customer defection, capital decay, insufficient liquidity and reputational damage. Value-at-Risk critically exceeds risk tolerance levels and could prove fatal. Risk events will have a severe and unpredictable negative effect on the bank’s financial, operational, compliance or reporting objectives, as applicable. Loss expectancy far exceeds the bank’s tolerable limit.

Risk Rating Probability

Example: Probability Rating System

Rating 1 – Optimal: Threats and vulnerabilities have been identified and control processes are aligned with strategic plans, cost-benefit analyses and corporate governance objectives. Fully leveraged technologies, personnel and processes minimize the probability of an adverse event or condition and operational, compliance, financial and reporting objectives are always met. The likelihood of an unforeseen adverse event or condition is slight. Historical performance has been strong with the annual rate of problematic occurrences being very low.

Rating 2 – Managed: Threats and vulnerabilities are measured quantitatively and technologies, personnel and processes are routinely effective causing operational, compliance, financial and reporting objectives to be typically achieved. Current risk management and internal control practices anticipate and address potentially problematic conditions. The likelihood of an unforeseen adverse event or condition is relatively low and when such occurs, it is manageable. Historical performance has been very good with the annual rate of problematic occurrences being sufficiently below the bank’s acceptable limit.

Rating 3 – Defined: Most threats and vulnerabilities are identified and remedied but adverse events or conditions can arise suddenly and with unpredictable consequences. Technologies, personnel and processes are sometimes ineffective and operational, compliance, financial and reporting objectives are not always met. There is an increasing likelihood that an unforeseen adverse event or condition will happen due to occasional lapses in applying sound risk management techniques or internal controls and, if such occurs, the situation must be carefully managed. Historical performance has been good but there is room for improvement and the annual rate of problematic occurrences has reached the bank’s acceptable limit.

Rating 4 – Intuitive: Threats and vulnerabilities are not always identified and/or remedied and adverse events or conditions are largely unpredictable. Technologies, personnel and processes are often ineffective and operational, compliance, financial and reporting objectives are infrequently met. Adverse events or conditions will very likely occur because controls are largely people-reliant and risk management techniques are often weak or absent. Historical performance indicates that the annual rate of unforeseen problematic incidents exceeds the bank’s acceptable limit.

Rating 5 – Hazardous: Threats and vulnerabilities are not identified or even recognized, and problematic situations and loss exposure will almost surely result. Technologies, personnel and processes are ineffective and operational, compliance, financial and reporting objectives are almost never met. Adverse events or conditions will almost certainly occur because controls are almost entirely people-reliant and risk management techniques are weak or absent. The historical annual rate of unforeseen problematic incidents well exceeds the bank’s acceptable limit and reflects poor corporate governance by the Board and management.

Audit Scope and Frequency

Typically, the audit schedule is cyclical. In reviewing the annual plan, the auditor should determine the appropriateness of the institution’s audit cycle. Audit planning and scheduling is also based on the outcomes of risk assessments performed at least once annually on the listed Subjects (auditable areas). Generally, when residual risk equals or exceeds the institution’s stated risk appetite for a given Subject, best practice suggests that the Subject be audited no less than once annually and more often as deemed necessary. Subjects rated Low Risk should be audited at least once every 18 months; Subjects rated Moderate Risk at least once annually; and Subjects rated High Risk once every 6 months until the residual risk rating has been less than 5 for at least six months. As a general rule, any Subject assigned a Risk Appetite of Moderate or High should be audited at least once annually regardless of its residual risk rating. The scope, timing and frequency of audits may also be influenced by the existence of a regulatory order, e.g. an MRA, MOU or Consent Order.

Risk Narratives

Risk Narratives are expected by regulators and examiners. They are the “show me” vs. “tell me” aspect of how your FI came to reach its understanding of risk in a particular area. It’s critical to ensure that this narrative is socialized from the Board to baseline staff. In essence: how did we reach this conclusion, and can our entire staff tell the same story of risk about it?

Items to consider in a risk narrative:

  • Inherent Risk:
  • Residual Risk:
  • How we mitigate risk (brief description of controls):
  • Exceptions noted in last audit/exam (indicate date):
  • Gaps (differences between where we are and where we should be):
  • Corrective action taken:
  • Other factors regarding mitigation/controls:
  • Training:

Risk Management System

Risk Management Systems[1] should accomplish the following:

  • Identify Risk – To properly identify risks, the Board and management must recognize and understand existing risks or risks that may arise from new business initiatives. Risk identification should be a continuing process, and risks should be understood at the transaction (or individual) level and the portfolio (or aggregate) level.
  • Measure Risk – Accurate and timely measurement of risk is essential to an effective risk management system. The bank should periodically test its measurement tools to make sure they are accurate. Sound risk measurement tools assess the risks at the transaction and portfolio levels.
  • Monitor Risk – Banks should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be timely, accurate and informative and should be distributed to appropriate individuals to ensure action, when needed.
  • Control Risk – Banks should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the bank’s activities. The limits should be tools that management can adjust when conditions or risk tolerances change. Banks should also have a process to authorize and document exceptions or changes to risk limits when warranted. To control risk, the bank should employ the following:
      • Policies are statements of actions adopted by a bank to pursue certain objectives. Policies often set standards (on risk tolerances, for example) and should be consistent with the bank’s underlying mission, values and principles. A policy review should always be triggered when the bank’s objectives or standards change.
      • Processes are the procedures, programs and practices that impose order on a bank’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (such as internal controls).
      • Personnel are the bank staff and managers who execute or oversee processes. Personnel should be qualified and competent and should perform appropriately. They should understand the bank’s mission, values, principles, policies and processes. Banks should design compensation programs to attract, develop and retain qualified personnel. In addition, compensation programs should be structured in a manner that encourages strong risk management practices.
      • Control Systems are the functions (such as internal and external audits, risk review and quality assurance) and information systems that bank managers use to measure performance, make decisions about risk and assess the effectiveness of processes. Control functions should have clear reporting lines, adequate resources and appropriate authority. Management information systems should provide timely, accurate and relevant feedback.

[1] Ref: OCC Community Bank Supervision

Silos of Risk

Compliance (Legal) Risk. Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential and lack of contract enforceability.

Credit Risk. Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer or borrower performance. It arises any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.

Foreign Exchange Risk. Foreign Exchange risk is the current and prospective risk to capital or earnings arising from the conversion of a bank’s financial statements from one currency to another. It refers to the variability in accounting values for a bank’s equity accounts that results from variations in exchange rates which are used in translating carrying values and income streams in foreign currencies to U.S. dollars.

Liquidity Risk. Liquidity risk is the current and prospective risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value.

Market (Price) Risk. Market risk is the current and prospective risk to earnings and capital arising from adverse movements in market rates or prices such as interest rates, foreign exchange rates or equity prices. Repricing risk, basis risk, yield curve risk and options are the types of risk to be considered. Interest Rate Risk considerations should include the effect of a change in interest rates on both the bank’s accrual earnings and the market value of portfolio equity.

Operational Risk. Operational risk is the current and prospective risk to earnings and capital arising from poor customer service, errors and the inability to efficiently deliver products or services due to weaknesses in systems, processes or people. Additionally, policies and procedures and forms that are absent, out-of-date, poorly drafted, overlooked or not used can lead to operational exposure.

Reputation Risk. Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.

Strategic Risk. Strategic risk is the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, weak corporate governance or lack of responsiveness to industry changes. This risk is a function of the compatibility of an institution’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities and a strong “Tone at the Top” attitude.

Transactional Risk. Transactional risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered. Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.

Technology Risk. Technology risk is the current and prospective risk to earnings and capital arising from the failure to identify, measure, control and monitor technological activities. The institution should: 1) plan for use of technology; 2) assess the risk associated with technology; 3) decide how to implement the technology; and, 4) establish a process to measure and monitor the risk that is taken on. The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides. Management may need to consider risks associated with IT environments from two different perspectives: 1) if the IT function is decentralized, and business units manage the risk, then management should coordinate risk management efforts through common organization-wide expectations; and, 2) if the IT department is a centralized function that supports business lines across shared infrastructure, management should centralize their IT risk management efforts.

Vendor Risk. Vendor risk is the current and prospective risk to earnings and capital arising from the bank’s use of third parties to achieve its strategic goals when that party performs functions on the bank’s behalf; when it provides products and services that the bank does not originate; and, when it “franchises” the bank’s attributes by lending its name or regulated entity status to products and services originated by others or activities predominantly conducted by others. Third-party relationships should be subject to the same risk management, security, privacy and other consumer protection policies that would be expected if the bank were conducting the activities directly.

Common Risk Terms

Risk Universe: The full range of risks which could impact, either positively or negatively, on the bank’s capabilities.

Risk Capacity: The amount and type of risk the bank is able to support in pursuit of its business objectives.

Risk Target: The optimal level of risk the bank wants to take in pursuit of a specific business goal.

Risk Limit: Thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within the bank’s risk tolerance/risk appetite. Exceeding risk limits will typically trigger management action.

Risk Management Culture: This addresses the extent to which the board (and its relevant committees), management, staff and regulators understand and embrace the risk management systems and processes of the bank.

Risk Management Processes: This refers to the extent to which there are processes for identifying, assessing, responding to and reporting on risks and risk responses within the bank.

Risk Capacity: The resources, including financial, intangible and human, which a bank is able to deploy in managing risk.

Risk Management Maturity: The level of skills, knowledge and attitudes displayed by people in the bank, combined with the level of sophistication of risk management processes and systems in managing risk within the bank.

Risk Capability: A function of the risk capacity and risk management maturity which, when taken together, enable a bank to manage risk in the pursuit of its long-term objectives.

Propensity to Take Risk: The extent to which people in the bank are predisposed to undertaking activities the impact, timing and likelihood of which are unknown, and which is influenced by financial, cultural, performance and ethical considerations.

Propensity to Exercise Control: The extent to which people in the bank are predisposed to take steps to change the likelihood, timing or impact of risks, influenced by financial, cultural, performance and ethical considerations.