When risk increases, the natural response is to take action to reduce that risk. But not every increase requires action. In fact, reacting to every increase may distract you from more important issues.
I’m talking about the risk of treating every risk the same.
Astute observers of risk have a variety of tools to monitor risk, from near real-time indicators to audits, exams, and reviews. But it’s not enough to recognize that risk has increased. Its ultimate impact must be considered.
For example, a review might show that employees haven’t been regularly reviewing a checklist to ensure the institution is collecting all five key pieces of customer information required under the Customer Identification Program (CIP) provisions of the USA PATRIOT Act when opening an account. On its surface, this may seem like a huge increase in the bank’s BSA risk, requiring swift and immediate action. Memos should be sent. Training should be instituted. Sound the alarm!
But is that really necessary? Maybe not.
In this case, the checklist is just one control. There is also automated software to prevent an account opening from moving forward without the information and a quality control program that double checks a sample of new accounts. These two controls have a much greater impact and therefore influence residual BSA risk to a much greater degree.
The fact that the institution is inconsistent on the checklist, a relatively unimportant control, might not have a huge impact on the institution’s overall BSA residual risk. The institution might even decide to discontinue the control due to its ineffectiveness.
On the other hand, perhaps the failure to use the checklist is part of a pattern of failing to follow policies and procedures, contributing to an increase in compliance risk. In that case, the risk goes well beyond forgetting a checklist. It indicates a problem with the entire institution’s compliance culture.
How do you spot the difference? You need a system in place that makes it easy to understand the context of specific risks, including how they impact different business areas and categories of risk. Both inherent and residual risk should be monitored, and risk exposure should be organized by category and hierarchy to make it easy to understand the relationship between a particular risk and the institution as a whole.
That’s why enterprise risk management is so important. It’s not about immediately correcting every increase in risk. It’s about understanding exactly how a single increase in residual risk fits into the overall risk picture, impacting different risk areas and categories.
When reporting risk to the board, make sure you communicate the global perspective. It’s not enough to know that risk is increasing. The board needs to know what it means. Not every risk increase means the same thing or requires the same attention. Good enterprise risk management allows the board and management to know what a risk increase really indicates.