The traditional approach to assessing risk, often called risk and control self-assessment (RCSA) or process risk and control self-assessment (PRCSA), is no longer effective in today’s fast-paced, data-driven and heavily interconnected banking environment—but why?
Working closely with financial services clients for over two decades, our experts have seen the traditional approach to risk assessment evolve, especially as the potential consequences of a lack of modernization are on the rise. The Consumer Financial Protection Bureau alone collected over $3 billion for impacted consumers and $498 million in civil penalties in 2023—and it has announced that it is expanding enforcement capacity going forward.
In this article, we will explore why the traditional approach to risk assessment is changing and discuss how to ensure your organization is staying ahead of risk.
How is a traditional risk assessment approached?
A traditional risk assessment typically occurs on an annual cycle, involving multiple manual steps including process mapping, risk identification and rating, control identification and control testing. This process can take up to a year to complete, resulting in a series of control gaps and breaks being cited, with associated plans for their resolution. The cycle repeats itself year over year with lagging oversight.
Assessments are often performed in a silo by risk managers or team-by-team with little to no aggregation across departments. A qualitative approach to rating risk that leverages heatmaps of low-med-high ratings is often used without quantifiable data to support ratings.
Why it’s not sufficient for today’s environment
Organizations often have a centralized process or framework, but it can be poorly executed. Legacy systems and processes sometimes also lack the functionality needed to be effective.
Risk management modernization efforts can be costly and not always prioritized when competing against UX or revenue-producing initiatives. As a result, there are many manual processes, and the RCSA output often lacks robust data, making it difficult to measure and monitor risks and prioritize remediation efforts.
Another notable limitation of a traditional risk management approach is its tendency to capture only a single point in time, under one specific set of circumstances.
A lack of dynamic process and visibility into real-time identification and monitoring can lead to delayed remediation, resulting in:
- Potential financial impact
- Enforcement actions from regulatory authorities
- Reputational damage, legal action
- Operational disruption
- Loss of competitive advantage in the marketplace
Financial institutions are trending toward being more dynamic to quickly adapt to evolving conditions. However, risk is not always top of mind in the product and program development cycle as a candidate for improvement. The risk tolerance framework must become dynamic and pertinent to effectively adapt to evolving circumstances and product development. Your development is likely agile—why wouldn’t your approach to risk be as well?
Data quality and visibility
A lack of visibility into risk across the organization, combined with siloed practices and a lack of data sharing, can leave gaps of unidentified risks and missing mitigation, as well as misalignment with strategic business goals and the firm-wide risk appetite. Poor-quality, siloed and incomplete assessments provide insufficient intelligence to effectively manage risks within the defined appetite.
Insufficient data impacts those who have authority to make risk-related decisions, escalation procedures for risk exceeding tolerance levels and mechanisms for periodic review and adjustment of risk appetite.
An inability to communicate effectively across the organization with quality intelligence can lead to misalignment in remediation enforcement, prevent departments from learning from one another and hinder pattern recognition and identification of larger organizational risk.
Manual processes
The traditional risk management approach is also prohibitively manual. Outputs of this model can include large Visio files and Excel documents. Managing these demands significant time from risk managers and affiliated business units, leading to ineffective allocation of time and human capacity.
In this environment, process flows and description details can become standalone documents. Critical metadata cannot be leveraged across the organization when stored in Excel files or lengthy control descriptions within a risk management system. There’s no effective method to extract information from these assessment outputs, nor create standardization and categorization of risk across an organization.
Without a common language or risk taxonomy, information is difficult to access, visualize and interpret. Static processes offer less visibility into risks and controls, preventing alignment with strategic business goals and, therefore, making it difficult to identify true gaps and effective risk remediation activities. This makes it difficult for both leadership and the other lines of defense to be fully briefed on what is happening within the organization.
A lack of automation, inefficient use of data and using manual processes lead to a lack of standardization, unnecessary cost and difficulty in identifying, interpreting and managing risk in a timely manner.
Solutions banks can consider
A good first step is for financial institutions to adopt and clearly articulate a board-approved risk appetite that is aligned with business objectives to build a foundation for an organization’s risk framework. This framework acts as the litmus test against which the entire organization determines what level of risk is acceptable.
Leadership can establish an organization-wide risk tolerance framework to measure and guide risk-based decisions, including acceptable ranges or thresholds for risk metrics (like financial ratios and loss exposure KPIs that help measure risk exposure relative to its appetite, among others).
A risk management framework serves as the foundation for risk-based decisions and provides for a more standardized approach to managing risk. This creates an environment in which the RCSA (or similar) becomes part of a top-down risk management strategy empowering every employee to confidently identify and move to mitigate risk. It should be everyone’s job to reduce risk—and that starts at the top.
Here are a few things that can help:
1. Ensure your risk management practices can adapt to your ever-changing environment.
Financial institutions (FIs) need a robust change management process with a diverse set of perspectives at the table. This includes frontline teams, program management, product, risk, compliance, operations and legal.
2. Leverage modern tooling, such as artificial intelligence (AI) and machine learning (ML), that accelerates automated solutions.
This helps eliminate human error and more effectively identify deviations from standard processes, highlighting areas of focus for risk managers to assess. Those with bad intentions are certainly using technology in their favor, so organizations must prioritize using it as a protective measure to stay ahead.
3. Ensure a centralized, enterprise-wide single source of truth to effectively manage risk across the organization.
Technology can be used to standardize, centralize and create interconnectedness. It’s also important to identify software solutions that offer end-to-end support for process mapping, robust risk and control documentation and aggregation, issue and action plan resolution, legal and regulatory change management, etc.
These systems should be built in partnership with technology and data teams to ensure appropriate metadata is captured and delivered in a way that is useful from a leadership perspective.
4. Emphasize and enable data-based monitoring and decision-making.
FIs can leverage KPIs and other metrics that identify trends and opportunities to manage risk proactively and create real-time notifications when activity is outside of agreed-upon thresholds. Dashboarding is a very approachable way to manage risk.
Leveraging machine learning algorithms to analyze larger volumes of data more effectively and efficiently is also an excellent tool for your risk management toolbox. It is important to incorporate quantitative factors (monetary or financial value) to help prioritize mitigation efforts when using heatmaps or a low/med/high prioritization approach.
More accurate information for reporting at all levels allows for dynamic and well-informed risk decision-making. Organizations should bring risk assessments off the page and into systems to empower leaders to make data-driven and real-time decisions.
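To make the two techniques in this step concrete, the following is an added illustration written for this article; it is not tooling from the authors or from any product the article refers to. It shows (a) re-ranking a risk register by a quantitative factor (annualised expected loss = likelihood × monetary impact) next to the qualitative low/medium/high ordering, and (b) checking KPI readings against agreed thresholds so breaches can feed a notification. Every risk entry, KPI name, reading and threshold is a constructed sample value; the metric names and limits are hypothetical, not a recommended set.

```python
"""Quantitative risk prioritisation and KPI threshold monitoring.

Added example for this article, not the authors' or any vendor's code.
All register entries, KPI readings and thresholds are constructed values
chosen only to show the mechanics.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # estimated annual probability of the event (0..1)
    impact: float       # estimated monetary loss if the event occurs
    rating: str         # qualitative heatmap rating as recorded in the RCSA

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: the quantitative factor used for ranking."""
        return self.likelihood * self.impact


def rank_quantitative(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)


def rank_qualitative(risks: List[Risk]) -> List[Risk]:
    """Order by heatmap bucket only; ties within a bucket keep register order."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(risks, key=lambda r: order[r.rating.lower()])


@dataclass(frozen=True)
class Threshold:
    metric: str
    lower: Optional[float]   # None means no lower bound
    upper: Optional[float]   # None means no upper bound


def check_thresholds(readings: List[Tuple[str, float]],
                     thresholds: List[Threshold]) -> List[Tuple[str, float, str]]:
    """Return (metric, value, reason) for each reading outside its agreed range.

    Readings for metrics without a configured threshold are ignored.
    """
    by_name = {t.metric: t for t in thresholds}
    breaches = []
    for metric, value in readings:
        t = by_name.get(metric)
        if t is None:
            continue
        if t.lower is not None and value < t.lower:
            breaches.append((metric, value, f"below {t.lower}"))
        elif t.upper is not None and value > t.upper:
            breaches.append((metric, value, f"above {t.upper}"))
    return breaches


# Constructed register: two "high" risks with very different expected loss,
# and a "medium" risk that outranks both once quantified.
SAMPLE_RISKS = [
    Risk("Wire fraud via compromised client email", 0.10, 2_000_000, "high"),
    Risk("Unauthorised access to customer PII", 0.02, 3_000_000, "high"),
    Risk("Vendor outage delaying payments", 0.50, 500_000, "medium"),
    Risk("Stale access reviews", 0.30, 50_000, "low"),
]

# Hypothetical KPI thresholds (agreed ranges in the sense of the article).
SAMPLE_THRESHOLDS = [
    Threshold("overdue_access_reviews_pct", None, 5.0),
    Threshold("fraud_loss_mtd_usd", None, 250_000),
    Threshold("control_test_pass_rate_pct", 95.0, None),
]

# Constructed readings for one monitoring cycle.
SAMPLE_READINGS = [
    ("overdue_access_reviews_pct", 7.5),
    ("fraud_loss_mtd_usd", 120_000.0),
    ("control_test_pass_rate_pct", 91.0),
]


if __name__ == "__main__":
    print("Qualitative order:")
    for r in rank_qualitative(SAMPLE_RISKS):
        print(f"  {r.rating:<6} {r.name}")
    print("Quantitative order (expected loss):")
    for r in rank_quantitative(SAMPLE_RISKS):
        print(f"  {r.expected_loss:>12,.0f} {r.name}")
    print("Threshold breaches:")
    for metric, value, reason in check_thresholds(SAMPLE_READINGS, SAMPLE_THRESHOLDS):
        print(f"  {metric} = {value} ({reason})")
```

Run as a script, the register's "medium" vendor-outage risk moves to the top of the quantitative list because a 50% annual likelihood against a $500,000 impact carries more expected loss than either "high" item, which is the kind of re-prioritisation a heatmap alone cannot surface. The threshold check returns the two out-of-range readings (overdue access reviews above 5%, control test pass rate below 95%); in a real deployment that list is what would drive the real-time notification the article describes.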
Moving forward
These changes may seem significant, but it’s likely your organization has already embarked on a digital transformation in some form. By including risk in this journey, you can set up your resources and operations for greater efficiency, ultimately creating a better experience for your customers.
While there’s a lot to consider, you don’t have to move forward alone. Our technical experts are here to collaborate and assist in achieving your risk management objectives—find out more about how we can help here.