Risk Management Systems: Risk Management Systems should accomplish the following:
- Identify Risk – To properly identify risks, the Board and management must recognize and understand existing risks or risks that may arise from new business initiatives. Risk identification should be a continuing process, and risks should be understood at the transaction (or individual) level and the portfolio (or aggregate) level.
- Measure Risk – Accurate and timely measurement of risk is essential to an effective risk management system. The bank should periodically test its measurement tools to make sure they are accurate. Sound risk measurement tools assess the risks at the transaction and portfolio levels.
- Monitor Risk – Banks should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be timely, accurate and informative and should be distributed to appropriate individuals to ensure action, when needed.
- Control Risk – Banks should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the bank’s activities. The limits should be tools that management can adjust when conditions or risk tolerances change. Banks should also have a process to authorize and document exceptions or changes to risk limits when warranted. To control risk, the bank should employ the following:
- Policies are statements of actions adopted by a bank to pursue certain objectives. Policies often set standards (on risk tolerances, for example) and should be consistent with the bank’s underlying mission, values and principles. A policy review should always be triggered when the bank’s objectives or standards change.
- Processes are the procedures, programs and practices that impose order on a bank’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (such as internal controls)
- Personnel are the bank staff and managers who execute or oversee processes. Personnel should be qualified and competent and should perform appropriately. They should understand the bank’s mission, values, principles, policies and processes. Banks should design compensation programs to attract, develop and retain qualified personnel. In addition, compensation programs should be structured in a manner that encourages strong risk management practices.
- Control Systems are the functions (such as internal and external audits, risk review and quality assurance) and information systems that bank managers use to measure performance, make decisions about risk and assess the effectiveness of processes. Control functions should have clear reporting lines, adequate resources and appropriate authority. Management information systems should provide timely, accurate and relevant feedback.
 Ref: OCC Community Bank Supervision