TraceRisk

Policy & Procedures

Don’t Confuse a Control Risk Assessment with an Enterprise Risk Assessment

In managing the internal audit function, the institution’s Audit Committee is responsible for commissioning a Control (or “Auditor’s”) Risk Assessment, developing audit plans and overseeing the execution of the audit program. A Control Risk Assessment documents the internal auditor’s or outsourced audit service provider’s understanding of the institution’s significant business activities and their associated risks. These assessments typically consider the risks inherent in a given business line, the mitigating control processes and the resulting aggregate (residual) risk exposure to the institution. The auditors should update the assessment at least annually to reflect changes to the system of internal control or work processes and to incorporate new lines of business.

Conversely, an Enterprise Risk Assessment can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act and strategic planning (remember: Strategy Drives Risk). Enterprise Risk Management (ERM) addresses the needs of the various stakeholders (e.g., risk owners, risk managers, C-Suite executives, Board members) who need to understand the broad spectrum of risks facing the institution in order to ensure they are appropriately managed. Put another way, enterprise risk management is accomplished in large part by performing an enterprise risk assessment.

With that groundwork laid, let’s look at the Control (or “Auditor’s”) Risk Assessment first. The Control Risk Assessment methodology performed by the auditor identifies all auditable areas, provides a narrative basis for the auditor’s (not management’s) determination of relative risks, and is consistent from one auditable area to another. The Control Risk Assessment quantifies Credit Risk, Interest Rate Risk, Liquidity Risk, Operational Risk, Compliance Risk, Strategic Risk, Reputational Risk, BSA Risk and Fair Lending Risk (if applicable). Some specific functions and activities may be embedded within larger categories; for example, some information technology risks are addressed in the Operational Risk area while certain other IT risks (such as privacy and data-protection obligations) fall under Compliance Risk. The auditor’s Control Risk Assessment considers the potential that deficiencies in the system of internal control would expose the institution to loss, and it provides the auditor with data sufficient to develop the scope, coverage, timing, frequency and budget for the audits planned for the year.

When appropriate, the auditor should consider the introduction of new products and departmental changes, which factor into the audit plan. Ratings of particular business activities or corporate functions may change over time, and the auditor should revise the method for assessing risk accordingly. A properly drafted internal audit plan is based on the auditor’s Control Risk Assessment and typically includes an evaluation of key internal controls within each significant business activity. Ideally, the auditor’s only role should be to independently and objectively evaluate and report on the effectiveness of the institution’s risk management, control and governance processes for the purpose of audit plan development; the auditor should not be designing or owning the controls being assessed. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities or the business environment.

Conversely, the institution’s Enterprise Risk Assessment provides management with actionable outcomes that facilitate risk mitigation, controls development and process remediation. It also includes the methods and processes used to seize opportunities related to the achievement of institutional strategic objectives: each risk or opportunity is assessed in terms of likelihood and magnitude of impact, a response strategy is determined, and progress is monitored. By identifying and proactively addressing risks and opportunities, the institution protects and creates value for its shareholders, employees and customers.

Enterprise risk assessment frameworks describe an approach for identifying, analyzing, responding to and monitoring risks and opportunities within the internal and external environment facing the institution. For each risk identified and analyzed, management selects a risk response strategy, which may include:

  • Avoidance: exiting the activities giving rise to the risk
  • Harnessing (reduction): taking action to reduce the likelihood or impact of the risk
  • Alternative Actions: identifying and weighing other feasible steps to minimize the risk
  • Transferring or sharing: shifting a portion of the risk to another party (e.g., insurance, outsourcing with contractual protections)
  • Acceptance: taking no action, based on a documented cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as reviewing analytical reports or holding management committee meetings with relevant subject-matter experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

So, you can see that each of these two risk assessment approaches has distinct objectives, methodologies and outcomes and therefore they should not be combined or mistaken for one another. Moreover, your regulatory examiners expect to see both approaches in operation at your shop. The bad news is that employing both approaches can be costly and time consuming. The good news is that there is a simple, cost-effective way to get them both done and achieve results that will impress your examiners and Board of Directors and keep your bank compliant with the risk management mandates set forth by the OCC, FDIC and FRB.

If you’d like to know more or get some help with either of these risk assessments, visit

Risk Inventory

Risk Inventory is a “fourth” dimension of risk that provides insight into embedded elements of risk that are not specifically covered by a Key Risk Indicator. Subtle risks are inventoried in this way so that they can be studied orthographically. What does that mean? Just as an orthographic drawing shows an object from several fixed viewpoints, risks are represented from the front view (Subjects), the top view (Silos), the end view (COSO) and from the inside out (which is the Risk Inventory). Examples of risk inventory items are Product Development Risk, Customer Relations Risk, Training & Backup Risk and Denial of Service Risk.

COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case: The updated COSO Integrated Framework is an important development because it facilitates efforts by banks to develop cost-effective systems of internal control that achieve business objectives and sustain and improve performance. The updated framework is the predominant method for reporting on the effectiveness of internal control over financial reporting by public companies, as required by Section 404 of the Sarbanes-Oxley Act, and it underpins the comparable management assessment required of larger insured institutions under FDICIA Section 112.

Who Should Assess the Risk? Chief Administrative Officer, Chief Operating Officer, Chief Financial Officer, Internal Auditor

Concentrations of Credit

Use Case: All banks have credit concentrations. In some cases this is by choice, as the institution seeks to develop expertise in a particular segment. In other cases it may be the result of mergers or acquisitions. Alternatively, credit concentrations may be unavoidable because of a lender’s limited geographic footprint combined with its market’s dependence on relatively few employers or industries. Whatever the reason, it is incumbent on management and the board of directors to ensure that the bank has an effective process in place to identify, measure, monitor and control concentration risk. The board of directors also needs to ensure that the bank maintains adequate capital relative to its concentration risks. Although each individual transaction within a concentration may be prudently underwritten, collectively the transactions are sensitive to the same economic, financial or business events. If an adverse event occurs, the risk is that the sum of the transactions will perform as if it were a single, large exposure. Identifying, measuring and appropriately mitigating concentration risk ultimately depends on the accurate and timely receipt and analysis of data. The absence of a sufficiently robust set of data elements (for example, industry codes, collateral type and geography on every loan) will hinder an institution’s ability to identify and monitor concentration risk, regardless of how accurate and timely the data it does have may be.

Who Should Assess the Risk? Chief Credit Officer, Chief Lending Officer, Credit Administrator

Allowance for Loan & Lease Loss Risk

Use Case: The purpose of the Allowance for Loan and Lease Losses (ALLL) is to reflect estimated credit losses within a bank’s portfolio of loans and leases. Estimated credit losses are an estimate of the current amount of loans that it is probable the bank will be unable to collect, given the facts and circumstances as of the evaluation date (generally the balance sheet date). That is, estimated credit losses represent the net charge-offs that are likely to be realized for a loan or group of loans as of the evaluation date. The ALLL is presented on the balance sheet as a contra-asset account that reduces the reported amount of the loan portfolio. The risk to the bank is that the ALLL is miscalculated, which can lead to over- or underfunding of the allowance and provision accounts, erroneous Call Reporting, and adverse capital, earnings, regulatory and reputational consequences.

Who Should Assess the Risk? Chief Credit Officer, Chief Lending Officer, Credit Administrator, Chief Financial Officer