How to Reduce the Risk in Risk Assessments

By Jim Vilker

When it comes to performing risk assessments, the credit union industry appears to be doing them for just about every process, product, and service our co-ops offer, including third-party providers of home banking, vendor relationships, BSA, ACH, cybersecurity, IT infrastructure, disaster recovery and business resumption, core providers, etc. While not an exhaustive list, it is exhausting.

My experience has been that whoever is completing these finds a template, slaps their credit union logo on it, does a find and replace, and voilà, a new risk assessment. Herein lies the issue with this extremely important process. Firstly, it has become a task, not a thoughtful process. Secondly, it does not yield results that help senior management decide how likely something bad is to happen, or whether additional resources will be required to mitigate the risks identified.

The lack of standardization in the assessment process, combined with an abundance of templates, has made us complacent about evaluating the risks of running our businesses, understanding them and, where appropriate, controlling them. Most models start with the area of operations being considered; take BSA for example. They begin with a standard approach of assessing members, products and services, and geography. From there they outline the inherent risks found in each category. This approach is sound and for the most part standardized. What is not standardized is what is done with the inherent risks identified. How do you classify them and create candid discussion around them?

Most BSA assessments will go as far as listing the loss-mitigating controls you can identify, but where they fail is that they do not identify the residual risk left behind, which management needs to understand and either live with or act upon. Residual risk is a simple formula: inherent risk minus loss-mitigating controls equals residual risk. It is the risk that everyone should understand.

Ask the Big Question

This is where the thoughtfulness of the process should become very apparent to insiders and outsiders evaluating the process. Done correctly, management should have the capability to determine if the risk is acceptable or if more resources are required for further mitigation. Or ask the big question: What is the likelihood of it happening and what would be the damage if the risk became reality?

How can management make a business decision without knowing the likelihood of damage and what type of damage would occur? Here is where the lack of standards has led to complacency in our world of managing risk. Yes, there is residual risk, and it may appear to be relatively severe, but if the likelihood is equivalent to getting hit by a bolt of lightning, or the damage would be minuscule, what decisions can be made from the assessment being performed?
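To make the two ideas above concrete, the residual-risk formula and the "likelihood times damage" question, here is a small Python risk register written for this page as an added example; it is not code from the article or from AuditLink. It assumes a 1-to-5 likelihood scale and a 1-to-5 impact scale, models each loss-mitigating control as a fractional reduction of the factor it actually affects, floors each factor at 1 (no control eliminates a risk), and compares the residual score with an assumed risk appetite. The four sample risks, their scores, the control-effectiveness figures and the appetite threshold are all constructed for the illustration.

```python
"""Toy risk register: inherent vs. residual scoring with a likelihood x impact model.

Added example. The 1-5 scales, the control-effectiveness fractions, the appetite
threshold and the sample risks are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A loss-mitigating control. Reductions are fractions (0-1) applied to the
    factor the control actually affects: a callback procedure lowers the
    likelihood of a fraudulent wire, a daily limit lowers its impact."""
    name: str
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    name: str
    category: str            # members / products and services / geography / vendor
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Inherent risk before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_factors(self) -> tuple:
        """Likelihood and impact after controls; each floored at 1 because a
        control reduces a risk, it never removes it."""
        lik = float(LIKELIHOOD[self.likelihood])
        imp = float(IMPACT[self.impact])
        for c in self.controls:
            lik *= 1.0 - c.likelihood_reduction
            imp *= 1.0 - c.impact_reduction
        return max(1.0, lik), max(1.0, imp)

    def residual_score(self) -> float:
        """Residual risk = what is left of likelihood x impact after controls."""
        lik, imp = self.residual_factors()
        return round(lik * imp, 2)


def assess(register: list, appetite: float) -> list:
    """Rank risks by residual score and state the decision management faces.
    A high-impact but near-floor-likelihood item (the 'bolt of lightning' case)
    is still accepted, but flagged so the rationale is written down."""
    rows = []
    for r in register:
        lik, imp = r.residual_factors()
        res = r.residual_score()
        if res > appetite:
            decision = "mitigate further"
        elif imp >= 4 and lik <= 1.0:
            decision = "accept (severe but improbable: document the rationale)"
        else:
            decision = "accept"
        rows.append({"risk": r.name, "category": r.category,
                     "inherent": r.inherent_score(), "residual": res,
                     "decision": decision})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (assumed values, not from any real assessment).
REGISTER = [
    Risk("fraudulent wire from a compromised member email", "products and services",
         "likely", "major",
         [Control("callback verification", likelihood_reduction=0.5),
          Control("daily wire limit", impact_reduction=0.5)]),
    Risk("tornado destroys data center", "geography", "rare", "severe",
         [Control("offsite backups", impact_reduction=0.2)]),
    Risk("cash-intensive business structuring deposits", "members",
         "possible", "major",
         [Control("automated transaction monitoring", likelihood_reduction=0.2)]),
    Risk("home-banking vendor outage", "vendor", "possible", "major", []),
]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=8):
        print(f"{row['residual']:5.1f} (inherent {row['inherent']:2d})  "
              f"{row['risk']:<50} {row['decision']}")
```

Two things the output shows that the template approach hides: the vendor outage with no credited controls sits at the top of the list, and the tornado scores the same residual number as the wire-fraud risk even though management would treat the two completely differently, which is exactly why the likelihood and damage behind the number have to be shown, not just the number.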

We, as the custodians of our members’ information and financial future, need to evaluate our risk assessment process, use it to make educated decisions, and change the mentality that we do these only because we are required to do so.

Jim Vilker is the leader of AuditLink, a division of cooperative CUSO CU*Answers.

Copyright CUToday.info, 2026.
URL: https://cuto-admin.flux5.ccplatform.net/THE-tude/How-to-Reduce-the-Risk-in-Risk-Assessments