Risk Assessments

  • 1.  Completed Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 04-03-2024 04:59 PM

    I apologize in advance if this seems like a silly question, but hoping this group can help provide me some clarity.

    We are a smaller bank and I'm new to my role in leading our risk area. Although our regulator has not required us to complete individual risk assessments, I've done an enterprise-wide risk assessment and applied the 8 categories of risk to the various major functions within each department. Our Internal Audit and Compliance areas have risk assessments, which they use to drive audits and QA spot checks, respectively. But I'm not sure what to do with the enterprise-wide risk assessment, other than to recognize the areas that are riskier.

    Additionally, I see others request risk assessment templates for specific services. I'm curious what you do with these risk assessments, too. Do you use them to identify weaknesses and then make sure controls are implemented to reduce the risks? Do you only do them when you implement a new solution or revise an existing one?

    Thanks for your feedback.



  • 2.  RE: Completed Risk Assessments

    Posted 04-04-2024 08:16 AM

    Sounds like you have an ERM Framework you are comfortable with. Ours is proprietary and honed over time. It also sounds like there is some duplication between IA and you. Strongly suggest you have a singular standard against which vendors will be assessed and asked for information. You can have various functions perform specific elements and have some combined final review and determination or get individual functional signoffs – for example on access, information security, disaster recovery, cybersecurity, back up/vendor replacement plan, etc.

    Tony

     

    Anthony W. Schweiger, MCMB

    Managing Principal/CEO

     Mortgage Banking and Risk Management Consultants

     
