This message was posted by a user wishing to remain anonymous
I apologize in advance if this seems like a silly question, but hoping this group can help provide me some clarity.
We are a smaller bank and I'm new to my role in leading our risk area. Although our regulator has not required us to complete individual risk assessments, I've done an enterprise-wide risk assessment and applied the 8 categories of risk to the various major functions within each department. Our Internal Audit and Compliance areas have risk assessments, which they use to drive audits and QA spot checks, respectively. But I'm not sure what to do with the enterprise-wide risk assessment, other than to recognize the areas that are riskier.
Additionally, I see others request risk assessment templates for specific services. I'm curious what you do with these risk assessments, too. Do you use them to identify weaknesses and then make sure controls are implemented to reduce the risks? Do you only do them when you implement a new solution or revise an existing one?
Thanks for your feedback.