Risk Management Controls: A Primer
Risk management is a critical aspect of banking operations. However, one area that often draws resistance is risk management controls. The concept may seem intimidating or overwhelming, but when you break down the components, you’ll find risk management controls aren’t nearly as complicated as you think.
Understanding Risk Management Controls
Risk management controls are measures or mechanisms implemented to mitigate risk. They aim to reduce the likelihood of a risk event or minimize its impact should it occur. Controls can be classified as preventive, detective or corrective:
- Preventive controls aim to prevent a risk event from happening. Examples include automated software controls, employee training and firewalls.
- Detective controls identify risk events or issues that have already occurred so they can be addressed quickly and their impact reduced. Examples include audits, monitoring systems and fair lending data analysis.
- Corrective controls resolve issues once they have been identified, with the goal of reducing the impact of risk events and preventing them from recurring. Examples include incident response, root cause analysis and contingency plans.
Effective risk management involves implementing a combination of these controls so that potential risks are addressed comprehensively.
Understanding the Resistance to Risk Management Controls
Despite their importance, risk management controls can be a source of stress. The reasons include the sheer number of controls to implement and monitor, the perceived arbitrariness of measuring control effectiveness, limited experience in risk management, resistance to change and the perception of risk management as a technical, complicated subject.
Understanding the challenges that make people avoid risk management controls allows us to address these objections effectively:
- The number of controls: While there are, indeed, many controls, not all are directly managed by those assessing them. Many controls are activities a financial institution is already engaging in, such as risk governance, risk identification and assessment, procedures, incident management, business continuity planning, vendor risk management, technology risk management, employee training and awareness, physical security measures and performance metrics and monitoring. Risk managers can either assess these controls themselves or delegate the job to the person or department who oversees the controls. It doesn’t have to all fall on the risk manager.
- Measuring controls feels arbitrary: There are ways to assess control effectiveness using data. Audits, reports and quality assurance are all great sources of objective information.
- Limited experience: Collaboration and cross-departmental training can help individuals unfamiliar with control areas gain a better understanding and contribute meaningfully to risk management. Risk managers can also ask internal subject matter experts to review controls. Again, it doesn’t all have to fall on the risk manager.
- Overconfidence/resistance to change: The dynamic nature of risk requires an open mind and readiness to adjust risk management strategies as needed. You can’t rest on previous risk assessments and assume nothing has changed.
- Perception of risk management: While risk management requires expertise, training and support can help employees understand controls as part of their everyday activities, making the topic less intimidating.
Prioritizing Key Controls
Given the variety of controls, it's essential to prioritize those providing the most significant risk mitigation — your "key" controls. Under a risk-based approach to control monitoring, these controls may require more frequent monitoring and review.
Weighing controls helps you identify controls that have the greatest impact. For example, automated controls may prove more effective than manual processes because they are completed more frequently and eliminate human error.
Weighing controls might even reveal that a control isn’t contributing much to risk mitigation and is no longer needed.
Risk Management as Collaboration
Risk management should be a collaborative effort. Training individuals in different departments or business lines to evaluate their controls or provide feedback on outside evaluations can improve the overall effectiveness of your risk management strategies.
While discussing risk management controls can seem daunting, the challenges are surmountable. By addressing these issues and fostering an open, supportive environment, financial institutions can encourage employees to engage in discussions about risk management controls and collectively build a robust risk management practice.
Michael Carpenter is vice president of risk management at Ncontracts, the leading provider of risk and compliance management solutions to the financial services industry. An indispensable risk management, compliance and vendor management resource, he is an advocate of building stronger, more proactive and more resilient institutions. Prior to joining Ncontracts, Mr. Carpenter served as the vice president of risk management at several banks and credit unions. His broad base of industry knowledge is the result of building and running programs — including director training and reporting, compliance management, information security and BSA/AML, among others — at both small community financial institutions and larger institutions such as KeyBank and Chase Bank. He is a veteran of the U.S. Army.