Don’t Confuse a Control Risk Assessment with Enterprise Risk Assessment

Don’t Confuse a Control Risk Assessment with an Enterprise Risk Assessment

In managing the internal audit function, the institution’s Audit Committee is responsible for commissioning a Control (or “Auditor’s”) Risk Assessment, developing audit plans and the overseeing the execution of the audit program. A Control Risk Assessment documents the internal auditor’s or outsourced audit service provider’s understanding of the institution’s significant business activities and their associated risks. These assessments typically consider the risks inherent in a given business line, the mitigating control processes and the resulting aggregate risk exposure to the institution. The assessments should be updated annually by the auditors to reflect changes to the system of internal control or work processes and to incorporate new lines of business.

Conversely, an Enterprise Risk Assessment can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act and strategic planning (remember: Strategy Drives Risk). ERM addresses the needs of various stakeholders (i.e., risk owners, risk managers, C-Suite executives, Board members) who need to understand the broad spectrum of risks facing the institution to ensure they are appropriately managed. Put another way, enterprise risk management is accomplished in large part by performing an enterprise risk assessment.

With that groundwork paid, let’s take a look at the Control (or “Auditor’s”) Risk Assessment first. The Control Risk Assessment methodology performed by the auditor identifies all auditable areas, provides a narrative basis for the auditor’s (not management’s) determination of relative risks, and, is consistent from one auditable area to another. The Control Risk Assessment quantifies Credit Risk, Interest Rate Risk, Liquidity Risk, Operational Risk, Compliance Risk, Strategic Risk, Reputational Risk, BSA Risk and Fair Lending Risk (if applicable). Some specific functions and activities may be embedded within larger categories; for example, some information technology risks are addressed in the Operational Risk area while certain other IT risks can be found in the Compliance Risk area. The auditor’s Control Risk Assessment considers the potential that deficiencies in the system of internal control would expose the institution to potential loss and provides the auditor with data sufficient to develop the scope, coverage, timing, frequency and budget for the audits planned for the year.

When appropriate, the auditor should consider of the introduction of new products and departmental changes which factor into the audit plan. It should be noted that ratings of particular business activities or corporate functions may change with time and the auditor should revise the method for assessing risk accordingly. A properly drafted internal audit plan is based on the auditor’s Control Risk Assessment and typically includes an evaluation of key internal controls within each significant business activity. Ideally, the auditor’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk management, control and governance processes for the purpose of audit plan development. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities or the business environment.

Conversely, the institution’s Enterprise Risk Assessment provides management with actionable outcomes that facilitate risk mitigation, controls development and process remediation and includes the methods and processes used to seize opportunities related to the achievement of institutional strategic objectives by assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress. By identifying and proactively addressing risks and opportunities, the institution protects and creates value for its shareholders, employees and customers.

Enterprise risk assessment frameworks describe an approach for identifying, analyzing, responding to and monitoring risks and opportunities within the internal and external environment facing the institution. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

  • Avoidance: exiting the activities giving rise to risk
  • Harnessing: taking action to reduce the likelihood or impact related to the risk
  • Alternative Actions: deciding and considering other feasible steps to minimize risks
  • Transferring: or sharing a portion of the risk
  • Accept: no action is taken due to a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or conducting management committee meetings with relevant experts to understand how the risk response strategy is working and whether the objectives are being achieved.

So, you can see that each of these two risk assessment approaches have distinct objectives, methodologies and outcomes and therefore, should not be combined or mistaken for one another. Moreover, your regulatory examiners expect to see both approaches in operation at your shop. The bad news is that employing both approaches can be costly and time consuming. The good news is that there is a simple, cost-effective way to get them both done and achieve remarkable results that will impress your examiners and Board of Directors and keep your bank compliant with risk management mandates set forth by the OCC, FDIC and FRB.

If you’d like to know more or get some help with either one of these risk assessments. Visit

How do I Implement ERM?

What does ERM do, actually?

  1. Defines and assigns Risk Values (i.e., Inherent Risk, Threats, Vulnerabilities, Annual Rates of Occurrence, Annual Loss Expectancy, Risk Appetite, Risk Tolerance, and Audit Frequency) for every Subject to be assessed.
  2. Provides ‘use cases’ that give context to the Subjects to be assessed by risk owners and managers.
  3. Provides Key Risk Indicators (KRIs) which will be rated for Probability and Impact.
  4. Sums up Probability and Impact ratings to reach Residual Risk outcomes and help determine audit frequencies.
  5. Provides “How We Reached Our Conclusion” for explaining current Residual Risk outcomes and offers links your own policies, procedures, forms, memos and other documentation that support Residual Risk outcomes.
  6. Provides an decision making custom reports specifically designed for risk owners and managers, senior management, the Board and your regulators.
  7. Provides a method for performing comprehensive “bottom up” risk assessments and for performing risk assessments on emerging products, services and activities before they are deployed.
  8. Provides flexibility when assigning risk owners and risk managers while maintaining full administrative control and oversight by the Chief Risk Officer.
  9. Includes supplementary policies, procedures, accessories, tools, resources, forms and immediate, one-touch access to relevant regulatory guidance (no need to ever leave the TraceRisk website to do regulatory research).


Who should perform the risk assessments?

Most banks today have assigned the responsibility for risk management to a Chief Risk Officer. Typically, he or she will be the “gatekeeper” for managing enterprise risk and overseeing the risk assessment process. But, it’s your bank’s risk owners and risk managers who actively participate in the risk assessment process and the TraceRisk implementer can help the Chief Risk Officer identify who they are.

What will the implementation process look like?

Ideally, assign a risk expert to assist your bank with implementing the solution of choice and maximizing all its capabilities and features. The implementer will be performing risk assessments with your staff and should also furnish the bank with a set of supplementary tools and resources including but not limited to:

  • ERM Policy, Procedures and Committee Charter (editable)
  • Checklist – Addressing Risk Management Shortfalls (for Board of Directors’ use)
  • Report Descriptions and Who Should Get Them (reporting TraceRisk outcomes)
  • “Chief Risk Officer’s Risk Management Report to the Board” template
  • Glossary & Definitions; Illustrations; Tips & Tricks when using TraceRisk


What does the Implementer do, exactly?

The Implementer assigned to your bank will ideally decades of enterprise risk management experience and be thoroughly familiar with all aspects of the your chosen solution. This individual will work closely with your risk owners and risk managers to accomplish the following:

  • Identify relevant business objectives before meetings or visitation commences.
  • Conduct an initial on-site meeting with senior management, risk managers and risk owners.
  • Identify the events or conditions that could affect the achievement of objectives.
  • Explain what Key Risk Indicators (KRIs) are and how they are used.
  • Assist risk owners and managers in assessing the likelihood and impact of risks across their assigned risk subjects. (This is the fun stuff)
  • Provide insight and tips on how to use the rich data sets captured on each of the 4 Dimensions of Risk: Subject, Silo, COSO & Risk Inventory. (More fun stuff)
  • Provide detailed guidance on how to succinctly and uniformly write conclusions on risk assessment outcomes (outcomes are called “Residual Risk”) and how to develop risk mitigation plans and techniques.
  • Demonstrate how to quickly produce meaningful reports for the Board, the regulators and Executive Management. The variations of the reports are entirely intended audience driven.
  • Train on use of the “New Product/Service – Risk Analysis”
  • Train on use of the “Risk Response” (for indicating how problematic conditions on higher risk Subjects will be handled).
  • Share Best Practices in all aspects of risk assessment and ERM program development.

When should you get started?

Now is the time to start performing your risk assessments. The FRB, OCC, FDIC and CFPB have issued plenty of guidance on risk management and they expect your bank to have your risk assessments done and ready for their field examiners to review.

Let’s get started so you can see what your bank’s risk profile looks like and get some risk mitigation in place before your next regulatory examination.

TraceRisk Demo Button

Demystifying Risk Assessments

Some banks have an idea, albeit vague, about performing risk assessments. But few have made real progress in planning or actually implementing a Risk Assessment Program. Here is a practical approach that demystifies the process so you can get going!


Boards of directors have become increasingly aware of the need to manage the wider range of risks across the banking enterprise. They are looking for ways to meet their fiduciary responsibilities, manage their own personal liability and improve the business. They are asking about, and in some cases, are pushing strongly for a more coordinated and comprehensive process of managing risks − enterprise risk management (ERM), in other words.

At the heart of any ERM program is the risk assessment. And for some banks, the ability to perform a risk assessment poses a significant challenge.

Most bankers are already functioning at full capacity and adding to their workload will not be easy. Moreover, what exactly does ERM work look like? C-level officers are frequently at a loss on how to get started or how to make meaningful progress. They may question how risk assessments will enable them to more effectively manage compliance issues.

A “core risk assessment project” is a practical way to take advantage of what is currently being done in the bank and move forward while managing costs in a tight budgetary environment. The starting point is to identify the effectiveness of risk-related activities the bank has already put into place. Gaps can then be identified and prioritized, leading to significant progress on the journey to a more integrated, efficient and value-driven approach to risk management.

Regulator Expectations

Enterprise risk management has been discussed since before Y2K (remember that?), yet it has been rarely implemented effectively. Professional associations, internal audit groups, bank directors and chief risk officers have been hearing about ERM at conferences and seminars and there is no shortage of articles about ERM in trade publications. However, the discussion has remained largely academic and not actionable. In that light, the regulatory agencies have taken up ERM as a principal focus in their examination process and here’s how the OCC views the issue[1]:

“The OCC expects bank management and the board to oversee all new, expanded, or modified products and services through an effective risk management process. Failure to provide an effective risk management process is an unsafe and unsound banking practice. An effective risk management process includes: (1) performing adequate due diligence prior to introducing the product; (2) developing and implementing controls and processes to ensure risks are properly measured, monitored and controlled; and, (3) developing and implementing appropriate performance monitoring and review systems. The formality of the bank’s risk management process should reflect the size of the bank and the complexity of the product or service offered. Depending on these factors, it may be appropriate for the bank to establish an executive management committee to oversee development and implementation of bank products and services.”

While there is a genuine need for risk management, it is unreasonable to expect senior executives to fully understand the risks, and the interrelationships of the risks that their people are taking, without the use of improved tools and better methods.


In many organizations, operational risks are being managed but frequently in haphazard and fragmented ways. Many banks lose sight of the big picture and do not sufficiently link risk management activities to their business strategies. Some risks are being identified and managed, but only with limited coordination. Other key risks are not even on the radar screen. Many activities are restricted to a controls-based approach with individual requirements being managed too narrowly. There is minimal or no coordination to take advantage of the value available in aggregating these risk management activities within an effective overall risk management approach.

The consequences of fragmented approaches can result in substantial reputational exposure and regulatory criticism. The challenge most community banks face is getting beyond the talking stage and understanding what needs to be done, and then getting on with it in a coordinated, uniform manner that does not require “reinventing the wheel” every year.

Let’s look at the benefits of a well established risk assessment program:

  • It establishes the inherent risk for each area under review
  • It establishes thresholds for risk appetite and risk tolerance
  • It establishes the Key Risk Indicators (KRIs) in a way that promotes a broader understanding of risks
  • It provides for measuring the probability of an adverse event or condition and the consequent impact
  • It provides a “residual” risk that establishes an overall risk profile for the bank
  • It puts in place a process to highlight the key risks, set an action plan, and then establish accountability for risk mitigation
  • It provides a consistent, uniform way of looking at risk at three different but connected levels: from a management perspective; from a Board perspective and from a bank examiner’s perspective
  • It enables organizational alignment to manage the risks and control the costs
  • It allows the bank to take on and effectively manage risks that its competitors cannot


Risks to banks are categorized in operational, financial reporting and compliance areas – the three objectives of the integrated framework modified by the Committee of Sponsoring Organizations (COSO) in 2013. The illustration below looks complicated, but you needn’t fret about it. Just know that this universal framework has been designed to help foster an understanding of the dimensions of risk for those persons charged with risk program development. We’ll demystify all of this for you as you read further.

COSO’s visual model for ERM resembles a complex Rubik’s Cube®, and it is daunting to many bankers. In addition to the three risk objectives mentioned, there are five stages in the COSO ERM integrated framework representing what is needed to achieve each of the objectives (operational, reporting and compliance).

cosoReading from top to bottom, the five components start with “Control Environment” and conclude with “Monitoring Activities,” and there is a clear sequence of activities; some of the interim stages include “Risk Assessment” and “Risk Response.”

The remaining visible side of the cube outlines different levels of the organization. The categorization starts at the broadest level, the entity (or entire enterprise) and proceeds to a subsidiary level. This element of the model is designed to be tailored to each business line of the bank depending on organizational structure. Judging from the complexity of the COSO ERM model, the accompanying framework and separate risk assessment techniques, implementing ERM using this model as a starting point will not happen in most banks unless they have considerable resources and flawless project management skills.

So, What’s the Solution?

Enterprise risk management is a worthy goal for all banks, regardless of size. Risk management activities need to be tied to strategy and ultimately built into everyday business processes. The following project plan can enable banks to identify and coordinate activities they already have begun, identify risks not adequately managed, close gaps, and move forward. The steps of this plan are: 1) organizing your team; 2) establishing a framework; 3) assessing risks; 4) inventorying current risk-response activities; and, 5) closing the gaps.


Leveraging existing knowledge and programs will go a long way to helping reduce the effort in getting started. For example, internal audit, the compliance officer, the IT security officer and your risk officer (if you have one) have probably already conducted some type of risk assessment.


Here’s how to do it. . .


  • Organize the Effort: Bring resources together to coordinate your activities


To start on the right foot, it is important to assemble the right people and agree on timelines and objectives. Organizing requires assembling all the department heads and managers who have responsibilities for risk management activities to oversee the project and guide what will be done, when and by whom. The risk assessment processes need to be built with these stakeholders in mind and designed to suit the needs of the bank. Since the risk assessment is ultimately strategic in nature, it will never succeed without support from the Chief Executive Officer and other C-suite officers. It may be helpful to include the Chief Financial Officer, Chief Operating Officer, Internal Audit Director, Legal Counsel and, of course, the Chief Risk Officer, if you have one, into the process.


  • Establish a Framework Around Risk: Develop a model but keep it simple.


The risk assessment model should be comprehensive and useful, particularly for smaller banks where investment in risk assessment tools may have limitations. At TraceRisk, we have found that Software-as-aService (SaaS) offers the most cost-effective and readily implementable solution for performing the risk assessments. The approach to get started is one that works from a basic and logical model: Identify – Assess – Mitigate. “Identification” means knowing the key risks (KRIs); the “Assessment” stage involves scoring the probability and impact of events and conditions; and, the “Mitigation” phase means dealing with residual risks (mitigation).


A common understanding of some other key terms will be helpful so team members are on the same page when it comes to comprehending risk concepts, performing risk assess-ments and implementing risk management. Here are some of the most common terms:

  • Risk Appetite: The amount of risk that a bank is willing to seek or accept in the pursuit of its long term objectives.
  • Risk Tolerance: The boundaries of risk taking outside of which the bank is not prepared to venture in the pursuit of its long term objectives.
  • Risk Universe: The full range of risks which could impact, either positively or negatively, on the bank’s capabilities.
  • Risk Capacity: The amount and type of risk the bank is able to support in pursuit of its business objectives.
  • Risk Target: The optimal level of risk the bank wants to take in pursuit of a specific business goal.
  • Risk Limit: Thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within the bank’s risk tolerance/risk appetite. Exceeding risk limits will typically trigger management action.
  • The Business Context: This includes understanding the state of development of the bank as a business, its size, industry sector, geographical spread and the complexity of the business model.
  • Risk Management Culture: This addresses the extent to which the board (and its relevant committees), management, staff and regulators understand and embrace the risk management systems and processes of the bank.
  • Risk Management Processes: This refers to the extent to which there are processes for identifying, assessing, responding to and reporting on risks and risk responses within the bank.
  • Risk Assessment: This refers to the bank’s identification of inherent risk, the probability of adverse events or conditions, the impact of such events or conditions, the resultant residual risk, an explanation of how risk conclusions were reached and what actions are planned or taken relative to the level of residual risk.
  • Risk Management Systems: This means the extent to which there are appropriate IT and other systems to support the risk management processes.
  • Risk Capacity: The resources, including financial, intangible and human, which a bank is able to deploy in managing risk.
  • Risk Management Maturity: The level of skills, knowledge and attitudes displayed by people in the bank, combined with the level of sophistication of risk management processes and systems in managing risk within the bank.
  • Risk Capability: A function of the risk capacity and risk management maturity which, when taken together, enable a bank to manage risk in the pursuit of its long term objectives.
  • Propensity to Take Risk: The extent to which people in the bank are predisposed to undertaking activities the impact, timing and likelihood of which are unknown, and which is influenced by financial, cultural, performance and ethical considerations.
  • Propensity to Exercise Control: The extent to which people in the bank are predisposed to take steps to change the likelihood, timing or impact of risks, influenced by financial, cultural, performance and ethical considerations.
  • Performing the Actual Risk Assessment: Avoid getting lost in the details. Start off by thinking broadly about risk and then become more detailed.

Most community banks are already doing a good deal of risk management, but the processes and reporting are often isolated, inconsistent and fragmented. Risks related to internal controls over UDAAP for example, are under scrutiny because of Dodd-Frank. ECOA risks are managed centrally in many banks while at others, it is de-centralized. In some banks, Fair Lending risks are never even measured at all! At this point it is important to ascertain how much your bank is already doing to manage risk. Your team will need to interview key people and ask questions in an open-ended way using Key Risk Indicators (KRIs) as guidance (the “Identification” phase).

Likely candidates to interview include the Compliance Officer, the BSA Officer, the Security Officer (physical and IT/Data) the Chief Credit Officer, heads of business units and your marketing officer. Use Key Risk Indicators to establish a dialogue that brings out the reality of compliance risk without suggesting what it should be.

Rather than thinking in narrow terms, start off by thinking about the largest risk your bank faces: not achieving its overall business objectives. These objectives emerge from the strategic direction set at the highest levels of the bank. Then, begin to identify what the top 10 risks at your bank could be and how they affect the bank’s overall strategic objectives. Confining your list to 10 key risks (or 5, or 15, depending on your bank) in this early stage will keep your team focused on the big picture rather than becoming mired in details.

Once you have corralled the top 10 risks, you can break them down by subject, regulation, department or any other criteria that suits your bank or approach so you can begin to assess the specific risks and get closer to the actual “residual risk” levels (the amount of risk left over after mitigation techniques have been applied). This is the “assessment” phase[2].

A good assessment tool will help you identify a universe of 25 to 40 risks per subject (i.e., products, services, functional areas) so you can learn where risks reside throughout the bank and you can assess their significance. Residual risks will not be the same for any two banks. For some banks, the significance of their geographic area poses higher risks than other financial institutions. In other cases, product risk will have higher risk implications. Still others may face bigger risks when it comes to pricing. It is up to the team to collaborate across the bank’s array of products and services to identify, understand and mitigate the residual risks.

Developing strong risk assessments will not require discontinuation of existing risk activities and starting from scratch. Instead, you can build on existing activities that have proven value and transfer the data into a risk assessment analysis model to achieve a more holistic outcome.

  • Identify Gaps and Prioritize: Compare your inventory of current risk responses to the top 10 priorities.

Now that you know the risks that can impede achievement of your bank’s business objectives, along with the risk response activities currently being conducted, you can study the residual risks. Which risks are being adequately managed? Which ones are missing from the radar screen? Where is an initiative already in place that help you to better understand and manage risks?

Once the residual risks by subject have been assessed, the next step is to develop an approach to close the gaps (this is the “mitigation” phase). This begins with prioritizing which gaps have the greatest potential to derail achievement of your bank’s business objectives. Which would require the greatest deployment of human or financial capital? Which ones would demand outside resources? Which ones could be accomplished in the shortest time?

Many elements of your bank’s existing structure may be sufficient and will be retained, but significant gaps will probably be found. These may be in risk management leadership, risk assessment methodology, specific technical skills, common processes or technological capabilities. Internal cultural biases or paradigms may need to be changed as well.

After weighing the urgency and the resources required, you then can develop specific strategies to close the most critical gaps. While keeping the desired end result in mind, each of the strategies can be slotted into an implementation plan, complete with action steps and a timeline. A process will need to be established for ongoing reporting of the progress to mitigate the risks, as well as periodic reassessment of the risks being tracked.

Discuss ways to move forward with members of your team and let members of this group direct you to the appropriate people for answers. Also, be alert for new risks, whether arising from the environment, regulatory changes, competitors or new products. You’ll need to include recommendations to guide the bank to improve ongoing risk assessment processes. Decisions will need to be made on how to best manage a risk and where it should be managed. Will you centralize certain activities, or embed them in specific processes or business units?


Assessing risk is a journey. A well-defined and supported risk assessment project enables the bank to “jump start” the process, rather than delaying moving forward because the concept seems grandiose, costly and unworkable. In fact, delaying further on assessing enterprise risk can very likely lead to regulatory action in the form of a “Matter Requiring Attention” or worse, compelling your bank to develop and implement a risk assessment program within a timeframe set by the regulators. Nobody wants that.

It’s best to take stock of existing risk assessments as well as risk-response activities and build on them right now. At the end of the project, your executive management group, the Board of Directors and your risk assessment team will realize the value of implementing the risk assessment model and continuing the risk management journey.

To learn more or to see how the TraceRisk solution can save you tons of time and dollars, call Derek Yankoff, Chief Design Officer at (877) 711-4824

or email him at

Copyright ©2016 TraceRisk llc All Rights Reserved. TraceRisk and the TraceRisk logo are trademarks of MSBMCo, Inc. in the U.S. and/or other countries. All other trademarks are the property of their respective owners.

[1] OCC Bulletin 2004-20

[2] TraceRisk has this approach built right in on over 75 Subjects and 3000 KRIs.

Risk Silo’s

Categories of risk used by regulatory agencies for ascertaining the effectiveness of the bank’s identification, measurement, monitoring and controlling of risk across all products, services and activities.


Compliance (Legal) Risk:

Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential and lack of contract enforceability.


Credit Risk:

Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer or borrower performance. It arises any time bank funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.


Foreign Exchange Risk:

Foreign Exchange risk is the current and prospective risk to capital or earnings arising from the conversion of a bank’s financial statements from one currency to another. It refers to the variability in accounting values for a bank’s equity accounts that results from variations in exchange rates which are used in translating carrying values and income streams in foreign currencies to U.S. dollars.


Liquidity Risk:

Liquidity risk is the current and prospective risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Liquidity risk also arises from the failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value. Market Risk and Interest Rate Risk are factors in liquidity risk.


Market (Price) Risk:

Market risk is the current and prospective risk to earnings and capital arising from adverse movements in market rates or prices such as interest rates, foreign exchange rates or equity prices. Repricing risk, basis risk, yield curve risk and options are the types of risk to be considered. Interest Rate Risk considerations should include the effect of a change in interest rates on both the bank’s accrual earnings and the market value of portfolio equity.


Operational Risk:

Operational risk is the current and prospective risk to earnings and capital arising from poor customer service, processing errors and the inability to efficiently deliver products or services due to weaknesses in systems, processes or people. Additionally, policies and procedures and forms that are absent, out-of-date, poorly drafted, overlooked or not used can lead to operational exposure.


Reputation Risk:

Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community.


Strategic Risk:

Strategic risk is the current and prospective impact on earnings or capital arising from poor business decisions, improper implementation of decisions, weak corporate governance or lack of responsiveness to industry changes. This risk is a function of the compatibility of an institution’s strategic goals, the business strategies developed to achieve those goals, the resources deployed against these goals and the effectiveness of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities and a strong “Tone at the Top” attitude.


Transactional Risk:

Transactional risk is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information. Risk is inherent in efforts to gain strategic advantage, and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered. Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.


Technology Risk:

Technology risk is the current and prospective risk to earnings and capital arising from the failure to identify, measure, control and monitor technological activities. The institution should: 1) plan for use of technology; 2) assess the risk associated with technology; 3) decide how to implement the technology; and, 4) establish a process to measure and monitor the risk that is taken on. The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides. Management may need to consider risks associated with IT environments from two different perspectives: 1) if the IT function is decentralized, and business units manage the risk, then management should coordinate risk management efforts through common organization-wide expectations; and, 2) if the IT department is a centralized function that supports business lines across shared infrastructure, management should centralize their IT risk management efforts.


Vendor Risk:

Vendor risk is the current and prospective risk to earnings and capital arising from the bank’s use of third parties to achieve its strategic goals when that party performs functions on the bank’s behalf; when it provides products and services that the bank does not originate; and, when it “franchises” the bank’s attributes by lending its name or regulated entity status to products and services originated by others or activities predominantly conducted by others. Third-party relationships should be subject to the same risk management, security, privacy and other consumer protection policies that would be expected if the bank were conducting the activities directly.

Cybersecurity Guide!

Data breaches resulting in the compromise of personally identifiable information affects of thousands of Americans. Intrusions into financial, corporate and government networks are no longer rare or isolated incidents. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general are now commonplace. These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why FBI Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

Financial institutions, regardless of size, are particularly vulnerable to cyber attacks and that’s why it’s so important to assess your risks in this critical area of your operations. To assist you in this effort TraceRisk has developed a Cyber Security Risk Management Guide. Our clients have found it to be very helpful and, just like we do for our ERM clients, we’re making it available to you FREE OF CHARGE! A copy of the Table of Contents is attached so you can see what is covered.

Guide to Developing a Cyber Security and Risk Mitigation Plan
A Community Bank White Paper from TraceRisk™

Table of Contents
Target Audience
Building a Risk Management Program
Appointing Leadership
Establishing a Risk Management Framework
Defining the System
Cyber Asset Identification and Classification
Identifying Critical Cyber Assets (Additional Guidance URLs)
Classifying Cyber Assets
Personally Identifying Information (PII)
Identifying the Electronic Security Perimeter (ESP) Protecting Cyber Assets
Conducting a Vulnerability Assessment (Additional Guidance URLs)
Assessing and Mitigating Risks
Assessing Impact and Risk Levels
Mitigating Risks with Security Controls (Additional Guidance URLs)
Evaluating and Monitoring Control Effectiveness
Addressing People and Policy Risks
Cyber Security Policy
Security Policy Elements
Security Related Roles and Responsibilities
Policy Implementation and Enforcement
Policy Exceptions (Additional Guidance URLs)
Personnel and Training
Security Awareness and Training (Additional Guidance URLs)
Due Diligence in Hiring
Access Privileges
Operational Risks
Perform Periodic Risk Assessment and Mitigation
Enforce Access Control, Monitoring and Logging
Perform Disposal or Redeployment of Assets (Additional Guidance URLs)
Enforce Change Control and Configuration Management
Conduct Vulnerability Assessments (Additional Guidance URLs)
Control, Monitor and Log all Access to Assets
Configuration and Maintenance (Additional Guidance URLs)
Incident Handling (Additional Guidance URLs)
Contingency Planning (Additional Guidance URLs)
Insecure Software Development Life Cycle (SDLC) Risks
Physical Security Risks
Plan and Protection
Monitoring, Logging and Retention
Maintenance and Testing
Third Party Relationships
Addressing Technology Risks
Network Risks
Platform Risks
Application Layer Risks
Communications Systems
Supervisory Control and Data Acquisition (SCADA)
Identifying and Protecting Private Data (Additional Guidance URLs)
Steps in Vulnerability Assessments
Incident Response Planning Items
Disaster Response Planning Items
Glossary and Appendices

61% Increase in Regulatory Guidance in 2016

Our friends over at Pacific Coast Bankers Bank publish a daily bulletin for their readers and there was a story in this morning’s issue that really caught our attention. It’s about the deluge of regulatory guidance that has come out this year and how PCBB found that FDIC Financial Institution Letters (not including FRB, OCC or CFPB Bulletins) have increased 61% so far in 2016 over the total number issued in 2015. They went on to say that all that guidance, on an annualized basis, will amount to roughly 5400 pages of regulatory information! That’s a lotta stuff bankers have to receive, study, interpret and act upon in order to stay current with regulatory expectations regarding risk management, corporate governance, compliance and safety & soundness.



OK, that’s the UGLY part.

Then comes the BAD part: How in the world are you supposed to cope with all that guidance? Remember, all this new guidance is not “in place of” but rather, it’s “in addition to” what you’re already doing and that’s a baaaad proposition. Think about it, who’s supposed to implement all that guidance? Who’s supposed to perform the risk assessments relative to all that guidance? Who’s supposed to report to the Board and/or its Risk Committee on the outcome of all that guidance? Is that person YOU?

Are you as exhausted as we are thinking about all this stuff?

Well, here’s the GOOD part. The team at TraceRisk sat around the table this morning with a big pot of hot coffee and a box of donuts (yeah, we like ’em, too) and we re-imagined our role in helping banks assess the risks outlined by the FDIC, OCC, FRB and CFPB in all those guidance letters. We already know that our clients look to us for innovation when helping them keep pace with all that guidance. Our discussion revolved around what more could we do. First, we’re going to continue to provide useful answers to questions posed on the CBANC website. We love this forum and we hope you like our offerings.

Next, we decided that the Content and Features teams at TraceRisk will focus on delivering risk assessment modules (we call ’em Subjects) that have a one-to-one relationship with emerging regulatory guidance and do it within 30 business days of issuance. In this way, we believe that Chief Risk Officers (or those bankers tasked with risk management responsibilities) will be able to perform timely risk assessments on “hot” topics and be ready to confidently report to their Boards on the latest issues. Moreover, CROs want to be ready for the examiners when they show up and start asking tough questions. We concluded that in a thankless job like risk management, CROs can be heroes if properly equipped and informed and that is a GOOD thing. And, that’s where we can help most.

If you’re looking for a partner and not just a vendor to help you with your enterprise risk assessments, and, you want to avoid producing complicated charts and graphs that require heavy interpretation and are not “actionable”, give us a call at TraceRisk. You’ve got a lots of important things to do – let us help you get this one done.

Governance and Risk Management in the Wake of Wells Fargo Bank’s Misbehavior!


Governance and Risk Management in the Wake of Wells Fargo Bank’s Misbehavior!

OH BOY, what a mess, huh? The newspapers, Internet bloggers, business and social commentators, Twitter and all the rest are posting endless commentaries about Wells Fargo Bank’s indiscretions embedded in their sales culture and the OCC’s punitive actions. And, to be sure, everybody has a legitimate complaint. WFB is, at minimum, guilty of violating Unfair, Deceptive & Abusive Acts and Practices regulations and the fundamental trust of its customers and shareholders, plain and simple. What’s worse is that WFB’s former CEO, John Stumpf did neither himself, nor his bank, nor the banking industry at large any favors when he wrote his [apology?] letter to WFB customers acknowledging the problem and offering his ‘solutions’. Here’s part of what he said:
“Every day we strive to get things right. In this instance we did not – and that is simply not acceptable. So we are making it right. The first step we’ve taken is to fully reimburse any customers who were affected by these actions.”

Mr. Stumpf’s so-called first step is to “fully reimburse affected customers”. Really? Is that how WFB will “strive to get things right” – by reimbursing affected customers? Isn’t that a given? He goes on to say,

“We have been making some changes to how we do business over the last several years to ensure we are always aligned with our customers’ interests. To that end, the second change is to ensure Team Members in our Retail Bank are compensated on what matters most: delivering great experiences and ensuring positive outcomes – not on product sales.”

So, what he’s saying is, as a second (and presumably last) change, WFB is going to ensure that team members are not compensated on product sales. Wow, that’s it? The sales culture was OK before, but now it’s not? Why, because they got caught? Nothing said about strengthening internal audit and supervisory practices? Nothing mentioned about actions that will be taken against the perpetrators and their superiors – all the way up the line? Nothing offered about how WFB will rebuild trust? Mr. Stumpf and his Board along with their legal counsel and their public relations firm missed the point entirely when issuing that tepid letter.

And, with subsequent action taken by the OCC on WFB just two weeks ago where they assessed a $20 million civil money penalty and ordered the bank to make restitution to Servicemembers who were harmed by the bank’s repeated violations of the Servicemembers Civil Relief Act (SCRA), WFB’s reputational risk profile has reached new lows. Somehow, Mr. Stumpf and his Board of Directors seemed to have overlooked the fundamental tenet that guides all business enterprises, including banks – it’s called sound Corporate Governance and Risk Management.

In light of the foregoing, the team at TraceRisk has developed tools for performing corporate governance assessments and enterprise risk management assessments using current regulatory guidance and proprietary resources to prepare this reminder for your Board and senior management of their combined responsibility for developing and implementing related policies and procedures. We hope you find it helpful.

Corporate Governance & Risk Management
Federal regulatory agencies have an expectation that financial institutions under their supervision will develop, adopt, execute and maintain governance and risk management policies and procedures that comply with both the spirit and the letter of Section 39 of the Federal Deposit Insurance Act (FDIA and codified to 12 U.S.C. 1831p-1{a}(1-2)).

 Chief Audit Executive means an individual who leads internal audit and is one level below the Chief Executive Officer in a bank’s organizational structure
 Chief Risk Executive means an individual who leads an independent risk management unit
 Front Line Unit means any organizational unit or function thereof at the bank that is accountable for a risk that:
 Engages in activities designed to generate revenue or reduce expenses for the bank;
 Provides operational support or servicing to any organizational unit or function within the bank for the delivery of products or services to customers; or,
 Provides technology services to any organizational unit or function within the bank
 Independent risk management means any organizational unit within the bank that has responsibility for identifying, measuring, monitoring or controlling residual and aggregate risks. Such units maintain independence from front line units through the following reporting structure:
 The Board of Directors or the Board’s Risk Committee reviews and approves the risk governance framework;
 The Chief Risk Executive has unrestricted access to the Board of Directors and its committees to address risks and issues identified through independent risk management’s activities;
 The Board of Directors or its Risk Committee approves all decisions regarding the appointment or removal of the Chief Risk Executive(s) and approves the annual compensation and salary adjustment of the Chief Risk Executive(s); and,
 No front line unit executive oversees any independent risk management unit.
 Internal audit means the organizational unit within the bank that is designated to fulfill the role and responsibilities outlined in Section 39 (including outsourced internal audit service providers). Internal audit maintains independence from front line units and independent risk management through the following reporting structure:
 The Chief Audit Executive has unrestricted access to the Board’s Audit Committee to address risks and issues identified through internal audit’s activities;
 The Audit Committee reviews and approves internal audit’s overall charter and audit plans;
 The Audit Committee approves all decisions regarding the appointment or removal and annual compensation and salary adjustment of the Chief Audit Executive;
 The Audit Committee or the Chief Executive Officer oversees the Chief Audit Executive’s administrative activities; and,
 No front line unit executive oversees internal audit.


Risk Governance Framework
The bank should establish and adhere to a formal, written risk governance framework that is designed by independent risk management and approved by the Board or its Risk Committee. The risk governance framework should include delegations of authority from the Board to management committees and executive officers as well as the risk limits established for material activities. Independent risk management should review and update the risk governance framework at least annually and as often as needed to address improvements in industry risk management practices and changes in the bank’s risk profile caused by emerging risks, its strategic plans or other internal and external factors.

Scope of Risk Governance Framework
The risk governance framework should cover, at minimum, the following risk categories that apply to the bank: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. Other risk categories may also apply (e.g., technology risk, vendor management risk).

Roles and Responsibilities
The risk governance framework should include well-defined risk management roles and responsibilities for front line units, independent risk management and internal audit. Front line units should take responsibility and be held accountable by the Chief Executive Officer and the Board for appropriately assessing and effectively managing all of the risks associated with their activities. In fulfilling this responsibility, each front line unit should, either alone or in conjunction with another organizational unit that has the purpose of assisting a front line unit:
 Assess, on an ongoing basis, the material risks associated with its activities and use such risk assessments as the basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the unit’s risk profile or other conditions;
 Establish and adhere to a set of written policies that include front line unit risk limits. Such policies should ensure risks associated with the front line unit’s activities are effectively identified, measured, monitored and controlled, consistent with the bank’s risk appetite statement, concentration risk limits and all policies established within the risk governance framework;
 Establish and adhere to procedures and processes, as necessary, to maintain compliance with the bank’s risk policies;
 Adhere to all applicable policies, procedures and processes developed by Operating Management in conjunction with independent risk management;
 Develop, attract, and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively;
 Establish and adhere to talent management processes; and,
 Establish and adhere to compensation and performance management programs that are in keeping with regulatory guidance, reasonableness, transparency and prudent banking practice.

Role and Responsibilities of Independent Risk Management
Independent risk management should oversee the bank’s risk-taking activities and assess risks and issues independent of front line units. In fulfilling these responsibilities, independent risk management should:
 Take primary responsibility and be held accountable by the Chief Executive Officer and the Board for designing a comprehensive written risk governance framework that meets these Guidelines and is commensurate with the size, complexity, and risk profile of the bank;
 Identify and assess, on an ongoing basis, the bank’s material aggregate risks and use such risk assessments as the basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the bank’s risk profile or other conditions;
 Establish and adhere to enterprise policies that include concentration risk limits. Such policies should state how aggregate risks within the bank are effectively identified, measured, monitored and controlled, consistent with the bank’s risk appetite statement and all policies and processes established within the risk governance framework;
 Establish and adhere to procedures and processes, as necessary, to ensure compliance with the policies;
 Identify and communicate to the Chief Executive Officer and the Board or the Board’s Risk Committee:
 Material risks and significant instances where independent risk management’s assessment of risk differs from that of a front line unit; and
 Significant instances where a front line unit is not adhering to the risk governance framework, including instances when front line units do not meet the established standards
 Identify and communicate to the Board or the Board’s Risk Committee:
 Material risks and significant instances where independent risk management’s assessment of risk differs from the Chief Executive Officer; and,
 Significant instances where the Chief Executive Officer is not adhering to, or holding front line units accountable for adhering to, the risk governance framework;
 Develop, attract, and retain talent and maintain staffing levels required to carry out its role and responsibilities effectively; and,
 Establish and adhere to compensation and performance management programs.

Role and Responsibilities of Internal Audit
Internal audit should ensure that the bank’s risk governance framework complies with these Guidelines and is appropriate for the size, complexity and risk profile of the bank. In carrying out its responsibilities, internal audit should:
 Maintain a complete and current inventory of all of the bank’s material processes, product lines, services and functions, and assess the risks, including emerging risks, associated with each, which collectively provide a basis for the audit plan;
 Establish and adhere to an audit plan that is periodically reviewed and updated that takes into account the bank’s risk profile, emerging risks and issues, and establishes the frequency with which activities should be audited. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures and processes established by front line units and independent risk management under the risk governance framework. Significant changes to the audit plan should be communicated to the Board’s Audit Committee;
 Report in writing, conclusions and material issues and recommendations from audit work carried out under the audit plan to the Board’s Audit Committee. Internal audit’s reports to the Audit Committee should also identify the root cause of any material issues and include:
 A determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the Bank; and,
 A determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner;
 Establish and adhere to processes for independently assessing the design and ongoing effectiveness of the risk governance framework on at least an annual basis. The independent assessment should include a conclusion on the Bank’s compliance with the standards set forth in these Guidelines;
 The annual independent assessment of the risk governance framework may be conducted by internal audit, an external party, or internal audit in conjunction with an external party.
 Identify and communicate to the Board’s Audit Committee significant instances where front line units or independent risk management are not adhering to the risk governance framework;
 Establish a quality assurance program that ensures internal audit’s policies, procedures and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity and risk profile of the bank, are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry internal audit practices and are consistently followed;
 Develop, attract, and retain talent and maintain staffing levels required to effectively carry out its role and responsibilities;
 Establish and adhere to talent management processes; and,
 Establish and adhere to compensation and performance management programs.

Strategic Plan (Strategy Drives Risk)
The Chief Executive Officer should be responsible for the development of a written strategic plan with input from front line units, independent risk management, and internal audit. The Board should evaluate and approve the strategic plan and monitor management’s efforts to implement the strategic plan at least annually. The strategic plan should cover, at a minimum, a three-year period and:
 Contain a comprehensive assessment of risks that currently have an impact on the bank or that could have an impact on the bank during the period covered by the strategic plan;
 Articulate an overall mission statement and strategic objectives for the bank and include an explanation of how the bank will achieve those objectives;
 Include an explanation of how the bank will update, as necessary, the risk governance framework to account for changes in the bank’s risk profile projected under the strategic plan; and,
 Be reviewed, updated and approved, as necessary, due to changes in the bank’s risk profile or operating environment that were not contemplated when the strategic plan was developed.

Risk Appetite Statement
The bank should have a comprehensive written statement that articulates the bank’s risk appetite and serves as the basis for the risk governance framework. The risk appetite statement will include both qualitative components and quantitative limits. The qualitative components describe a safe and sound risk culture and how the bank will assess and accept risks, including those that are difficult to quantify. Quantitative limits should incorporate sound stress testing processes, as appropriate, and address the bank’s earnings, capital and liquidity. The bank should set limits at levels that take into account appropriate capital and liquidity buffers and prompt management and the Board to reduce risk before the bank’s risk profile jeopardizes the adequacy of its earnings, liquidity and capital.

Where possible, the bank should establish aggregate risk appetite limits that can be disaggregated and applied at the front line unit level. However, where this is not possible, the bank should establish limits that reasonably reflect the aggregate level of risk that the Board and executive management are willing to accept (called Risk Tolerance).

Concentration and Front Line Unit Risk Limits
The risk governance framework should include concentration risk limits and, as applicable, front line unit risk limits, for the relevant risks. Concentration and front line unit risk limits should limit excessive risk taking and, when aggregated across such units, provide that these risks do not exceed the limits established in the bank’s risk appetite statement.

Risk Appetite Review, Monitoring and Communication Processes
The frequency of monitoring and reporting should be performed as frequently as necessary, based on the size and volatility of risks and any material change in the bank’s business model, strategy, risk profile, or market conditions. The bank’s risk governance framework requires:
 Review and approval of the risk appetite statement by the Board or the Board’s Risk Committee at least annually or more frequently, as necessary;
 Initial communication and ongoing reinforcement of the bank’s risk appetite statement throughout the bank in a manner that causes all employees to align their risk-taking decisions with applicable aspects of the risk appetite statement;
 Monitoring by independent risk management of the bank’s risk profile relative to its risk appetite and compliance with concentration risk limits and reporting on such monitoring to the Board or the Board’s Risk Committee at least quarterly;
 Monitoring by front line units of compliance with their respective risk limits and reporting to independent risk management at least quarterly; and,
 When necessary due to the level and type of risk, monitoring by independent risk management of front line units’ compliance with front line unit risk limits, ongoing communication with front line units regarding adherence to these limits, and reporting of any concerns to the Chief Executive Officer and the Board or the Board’s Risk Committee, all at least quarterly.

Processes Governing Risk Limit Breaches
The bank should establish and adhere to processes that require front line units and independent risk management, in conjunction with their respective responsibilities, to:
 Identify breaches of the risk appetite statement, concentration risk limits and front line unit risk limits;
 Distinguish breaches based on the severity of their impact on the bank;
 Establish protocols for when and how to inform the Board, front line unit management, independent risk management, internal audit and the bank’s regulators of a risk limit breach that takes into account the severity of the breach and its impact on the bank;
 Include in the protocol the requirement to provide a written description of how a breach will be, or has been, resolved; and,
 Establish accountability for reporting and resolving breaches that include consequences for risk limit breaches that take into account the magnitude, frequency, and recurrence of breaches.

Concentration Risk Management
The bank’s risk governance framework should include policies and supporting processes appropriate for the bank’s size, complexity and risk profile for effectively identifying, measuring, monitoring and controlling the bank’s concentrations of risk.

Risk Data Aggregation and Reporting
The bank’s risk governance framework should include a set of policies, supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the size, complexity, and risk profile of the bank, and to support supervisory reporting requirements. Collectively, these policies, procedures, and processes provide for:
 The design, implementation and maintenance of a data architecture and information technology infrastructure that support the bank’s risk aggregation and reporting needs during normal times and during times of stress;
 The capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the Board and the regulators; and,
 The distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.

Relationship of Risk Appetite Statement, Concentration Risk Limits and Front Line Unit Risk Limits to Other Processes
The bank’s front line units and independent risk management shlould incorporate, at a minimum, the risk appetite statement, concentration risk limits and front line unit risk limits into the following:
 Strategic and annual operating plans;
 Capital stress testing and planning processes;
 Liquidity stress testing and planning processes;
 Product and service risk management processes, including those for approving new and modified products and services;
 Decisions regarding acquisitions and divestitures; and,
 Compensation and performance management programs.

Talent Management Processes
The bank should establish and adhere to processes for talent development, recruitment and succession planning to ensure that management and employees who are responsible for or influence material risk decisions have the knowledge, skills and abilities to effectively identify, measure, monitor and control relevant risks. The Board or an appropriate committee of the Board should:
 Appoint a Chief Executive Officer and appoint or approve one or more C-level executives who should be responsible for risk governance and internal audit and who possess the skills and abilities to carry out their roles and responsibilities within the risk governance framework;
 Review and approve a written talent management program that provides for development, recruitment and succession planning regarding the individuals described above, their direct reports, and other potential successors; and,
 Require management to assign individuals specific responsibilities within the talent management program and hold those individuals accountable for the program’s effectiveness.

Compensation and Performance Management Programs
The bank should establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation and are appropriate to:
 Ensure the Chief Executive Officer, front line units, independent risk management, and internal audit implement and adhere to an effective risk governance framework;
 Ensure front line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit, as well as the timeliness of corrective action to resolve such issues and concerns;
 Attract and retain the talent needed to design, implement, and maintain an effective risk governance framework; and,
 Prohibit any incentive-based payment arrangement, or any feature of any such arrangement, that encourages inappropriate risks by providing excessive compensation or that could lead to material financial loss.


Require an Effective Risk Governance Framework
The bank’s Board should:
 Oversee the bank’s compliance with safe and sound banking practices. The Board should also require management to establish and implement an effective risk governance framework that meets the minimum standards described in these guidelines. The Board or the Board’s Risk Committee will approve any significant changes to the risk governance framework and monitor compliance with such framework.
 Provide active oversight of management. The Board should actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the Board may rely on risk assessments and reports prepared by independent risk management and internal audit to support the Board’s ability to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the Bank;
 Exercise independent judgment;
 Include independent directors;
 Provide ongoing training to all directors. The Board should establish and adhere to a formal, ongoing training program for all directors. This program should consider the directors’ knowledge and experience and the bank’s risk profile. The program should include, as appropriate, training on:
 Complex products, services, lines of business and risks that have a significant impact on the bank;
 Laws, regulations and supervisory requirements applicable to the bank; and,
 Other topics identified by the Board
 Perform Self-assessments. The bank’s Board should conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards of these guidelines.

Debit Cards

Use Case for Assessing Risk on Debit Cards

Why assess the risk?   Online debit cards use a PIN for customer authentication and online access to account balance information. At present, financial institutions authenticate customers by matching the PIN with the account number directly through a merchant’s terminal. Banks engaged in retail payment systems should establish an appropriate risk management process that identifies, measures, monitors, and limits risks. Management and the board should manage and mitigate the identified risks through effective internal and external audit, physical and logical information security, business continuity planning, vendor management, operational controls, and legal measures. Risk management strategies should reflect the nature and complexity of the institution’s participation in retail payment systems, including any support they offer to clearing and settlement systems. Management should develop risk management processes that capture not only operational risks, but also credit, liquidity, strategic, reputational, legal, and compliance risks, particularly as they engage in new retail payment products and systems.  Management should also develop an enterprise wide view of retail payment activities due to cross-channel risk. These risk management processes should consider the risks posed by third-party service providers.
Who should assess the risks? Electronic Banking Officer, Operations Administrator, Cash Management/ACH Officer, Chief Financial Officer, Information Technology Officer, Data Security Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


TraceRisk Demo Button

Credit Administration

Use Case for Assessing Risk on Loan Administration

Why assess the risk? Credit administration and the quality of the loan portfolio is among the most important aspects of the bank’s business strategy. To a great extent, it is the quality of a bank’s loan portfolio that determines the profitability of the bank and the ultimate return on investment to the shareholders. Conclusions regarding the bank’s condition and the quality of its management are weighted heavily by the degree of risk in lending practices. The loan portfolio and its administration recognizes that loans comprise a major portion of the bank’s assets and that it is this asset category which ordinarily presents the greatest credit risk and potential loss exposure to the bank. Moreover, pressure for increased profitability, liquidity considerations, and a vastly more complex marketplace have produced an ever-changing risk profile to the bank.

Who should assess the risks? Credit Administrator, Chief Credit Officer, Chief Lending Officer, Directors’ Loan Committee

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


TraceRisk Demo Button

COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case COSO Integrated Framework – SOX 404 & FDICIA 112

Use Case: The New COSO Integrated Framework is an important development as it facilitates efforts by banks to develop cost-effective systems of internal control to achieve business objectives and sustain and improve performance. The new version is the predominant method for reporting on the effectiveness of internal control over financial reporting by public companies as required by Section 404 of the Sarbanes-Oxley Act.

Who Should Assess the Risk? Chief Administrative Officer, Chief Operating Officer, Chief Financial Officer, Internal Auditor

TraceRisk Demo Button