Recently, at the request of a client, we created a compliance risk assessment template for our online shop. As is often the case with product requests, the person asking is not alone in their need, and our risk assessment template is proving to be really popular.
Creating the template got us thinking more about how you go about carrying out your risk assessment. Here are our top 8 tips:
1. It should feel a bit uncomfortable
Not all risks result in positive outcomes. A proper risk assessment will consider things that are hard to explain, unexpected and difficult to imagine.
At times this will feel alien, strange or uncomfortable. That is quite normal and means you really are getting into the realms of all possibilities.
2. Nothing should be off limits
How can you prevent or mitigate something you haven’t considered?
This really is one of those times where you say ‘there are no bad ideas’ and really mean it so that you can encourage everyone to contribute.
There also need to be no ‘sacred cows’ that compliance feels it cannot challenge. For example, your institution might have spent a lot of time and effort building ESG products, and the CEO may be personally championing the initiative; this still needs proper scrutiny in the risk assessment.
3. Low risk is not no risk.
This is such an important mantra. It is easy to fall into the trap of focussing your risk assessment actions on the higher risks, especially when resources are stretched. But can you really afford to do this year on year?
If we look back 10 years or so, the desks in a financial markets business making Libor and FX submissions were often considered low risk, as they dealt in simpler products such as money market instruments and FX spot. However, issues on these desks led to billions in fines and staff ending up in prison.
4. Constant review / never static
The nature of risk is that it is always changing. So should your risk assessment. Keep the audit trail and don’t leave it to the annual refresh.
Make sure you update your risk assessment when things change. This doesn’t mean you need to keep redoing the full annual exercise. Rather, you update the area where there has been a change.
5. Don’t let the output drive the input
A common mistake with risk assessments is to start with the design of the MI or dashboard. Leaving out a risk because it doesn’t naturally fit in a dashboard or on one page for a committee is inexcusable. Slotting a risk into an ill-fitting category because that is how the dashboard has been designed, without clear signposting for the committee, is a risky strategy.
Whilst it can be challenging to aggregate and present risks in an easy-to-follow format, the content is far more important than the presentation. It is not worth the personal risk to senior managers to misrepresent a risk or leave it out because of the difficulty of making it look pretty on a page.
6. Start wide and narrow it down later
As with most things it is often easier to take things out towards the end than add them in later.
Think about what has happened in different firms, industries and countries and how these risks could apply to your business. Look at enforcement cases, regulatory changes, the financial media and commentary from regulators (and some really good compliance consultants provide thought leadership through their regular blogs ;-) !) to help you build out your population of risks.
7. Have an even number of scores
If your risk scoring system has an odd number of scores, say high, medium and low, the natural instinct is to always go for the middle option – medium.
Having an even number of scores removes the middle option and forces an opinion: is it medium-high or medium-low, for example?
8. Cast the net wide, accept contributions from everyone.
This doesn’t mean sharing the whole thing, but getting people involved means they will be encouraged to think about risks to your business.
If only Compliance and Risk functions are involved in the process you are likely to miss something. So involve business line colleagues and audit colleagues in early evaluation sessions.