Risk assessment: what it is and why it is important for banks
The globalisation of financial markets, the development of information technology as well as the increasing competition have affected banking activities to a great extent, especially the associated risk management, which has become a pillar ensuring banks’ productivity and soundness. In fact, in terms of macro-assessment, analysis, priorities and strategy definition, this process allows to mitigate threats to resources and profits. To this goal, the risk assessment plays a crucial role.
What is risk assessment and what is it about? In a nutshell, risk assessment is a fundamental step of the wider risk management procedure, which helps businesses in general – and banks in particular – in preventing and managing possible problematic situations.
Risk assessment could be defined as the middle-level process within risk management to ensure that all risks associated with the activities – in this case those of a credit institution – are fully and immediately identified, measured, contained, controlled, mitigated and reported.
Let us look more closely to the substance of risk management as well as its steps, benefits and objectives.
What is risk assessment
‘Risk assessment’ refers to a process which identifies potential risks and analyses their consequences, both at a qualitative and quantitative level. This word is used to describe the procedure/general method of:
- identifying the dangers and risk factors which may cause damages (i.e., danger identification);
- analysing and assessing the risk associated with such dangers (so-called risk analysis and risk assessment);
- determining the appropriate ways to eliminate dangers or monitor risks when dangers cannot be eliminated (i.e., risk control).
What is the difference between risk management and risk assessment?
Risk assessment activities are preliminary to risk management: the former aims at locating and analysing the different risk types to which companies could be exposed, while the latter indicates the set of operations an undertaking should implement to preserve its own economic and financial balance.
Which elements generate risk?
Before delving into the risk assessment functioning, let us see what a risk is ‘composed of’. Risk can be expressed through the formula below:
Risk = Danger x Magnitude
That is, risk is the product of dangerousness (the likelihood that an event will occur in a given space/time) and magnitude, i.e., the seriousness of harmful consequences.
Clearly, in such context, risk control analytics becomes a crucial player. It could be defined as the identification and analysis of risks, to understand the priorities of an intervention and consequently take strategic actions to contain or mitigate those risks.
When is risk analysis carried out
Risk analysis can be carried out anytime and applies to any aspect of business, in this case banking activity, considering an infinite range of interlinked dangers and scenarios which can cause accidental, damaging and serious undesired events.
What are, in short, the steps of risk analysis?
There are four of them and they consist of the following:
- identification and recording of risks;
- assessment of dangers to determine risk level;
- definition of prevention and protection measures;
- implementation of measures.
Risk assessment 231: what it contains
Before examining the individual steps, it is essential to understand the content of Article 6, point 2, Legislative Decree No 231/2001, according to which the model needs to ‘a) identify those activities under which the crimes may be committed…’.
This represents the main part of the overall process to define the organisational model ex Legislative Decree No. 231/2001; in fact, it allows to identify industries and business processes exposed to the potential perpetration of one of the crimes provided for in the abovementioned Decree, thus putting in place the countermeasures aimed at avoiding that those risks materialise in the operativity context of the institution (in our case, a bank).
Risk assessment steps
As already stated above, the risk assessment process consists of four stages. The first one is risk identification, involving a description of the risks which might prevent a company from reaching its goals.
In this phase, two aspects should be taken into full account:
- within the perimeter of Legislative Decree 231/2001, the focus will be on identifying those scenarios, threats or behaviours which characterise one of the crimes (especially in the case of event crimes) that, based on context analysis, could actually materialise. For instance, as regards corruption risk, given a context of relationships with public authorities and a business involving procurement management, there will be a need to characterise the assumption of conducts which could potentially expose to corruptive behaviours (e.g., donation of valuable commodities or selection of partners in breach of rules or in the absence of transparency);
- in wider compliance analyses (used also for the purposes of Legislative Decree No. 231/2001) it will be helpful to locate within processes the potential violation of rules to which the organisation is generally subjected, given that, for some specific offences, such violation (including purely conduct-related or simple omissions) may constitute “predicate offences” of criminal relevance.
Once completed this task, the logical course followed will have to be demonstrated at documentation level and some action should be taken, such as:
- for those crimes which can be incorporated in a variegated manner, with composite or varying conducts, to draw a list of behaviours or situations (threats) which will consequently undergo an assessment;
- for the violation of rules which may occur by themselves and are included in the analysis perimeter, to create an inventory of the main regulatory and control obligations for the company.
The second step is risk analysis, which has to consider the following:
- uncertainties, including those causing possible positive and negative consequences;
- risk sources;
- likelihood that an event will occur;
- consequences of such events;
- effectiveness of current controls;
- effectiveness of potential future controls.
It should be noted that risk analysis will be more thorough and precise if the information used are of high quality – that is, accurate and comprehensive. Let us not forget that sometimes one may have to step out of the operational circle of his own company to obtain this information. Moreover, it is necessary to know, document and disclose any opinions, prejudices, assumptions, exclusions and possible limitations of the techniques used.
The third step is risk assessment, which means comparing the results of risk analysis with the company’s existing risk criteria, to establish whether taking further action is essential to deal with risks under assessment.
Finally, the fourth step is measure implementation, which may consist of different alternatives:
- no further action is needed, because the company is already compliant;
- to consider the implementation of other risk treatments;
- to re-consider the organisation’s objectives;
- to return to the risk analysis step, to develop a deeper understanding of the risks.
Find Out TIGREARM
An application suite to control banking and financial information.
Click on the button and go to the TIGREARM page to discover the modules or request a 15-day free trial (for a maximum of 3 modules)
Which factors should be considered when assessing risk?
First of all, the likelihood that the danger will occur; second, the seriousness of the effects after the danger has occurred; third, the frequency and duration of exposure to danger; and eventually population – that is, the number of people exposed to risk.
What are the objectives of risk assessment?
Risk assessment aims at locating and analysing risks, to understand the priorities of an intervention and consequently take strategic actions to contain or mitigate those risks. This is the crucial point of any risk management strategy and includes further steps.
Risk assessment also bears a strategic value, as it allows for risk forecasts. This process starts with the study, for each of the dangers identified in the business environment, of the likelihood that such dangers would really occur. To this aim, it is useful to rely on statistics enabling an historical reconstruction of past crisis suffered by the company, to understand which dangers have materialised and in what extent. Moreover, the assessment will produce data on potential impacts caused by the materialisation of identified risks, within a range contemplating different steps – from the least serious to catastrophe –, also indicating the consequences on the company (e.g., a bank). It should be noted also that, from a strategic perspective, the assessment may help establishing the limits within which to take risks in a controlled way, achieving the objectives pursued by the credit institution or firm.
Who is in charge of risk assessment?
The risk assessment procedures, i.e., the methodology to carry out such task, are generally overseen by the Chief Risk Officer (CRO) – a qualified professional figure who is an expert in the field and is able to manage each step of the analysis and assessment process.
What is ERM
In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – that is, the joint initiative to counter business frauds – proposed an Enterprise Risk Management (ERM) to guide managers in the assessment and improvement of business risk management, altogether understood as through an integrated model including all business risks.
As part of the Internal Control System (ICS), the ERM is included in the set of rules, controls and any other activity contributing to keep the institution’s – in this case a bank’s – organisation constantly oriented towards achieving the following objectives:
- operation compliance with laws and regulations;
- reliability and integrity of information (including financial and balance sheet information);
- preservation of corporate assets;
- operation efficiency and effectiveness.
The meaning of BCM
The Business Continuity Management (BCM) is a holistic management process identifying the potential risks which threaten a company’s organisation. It puts in place a resilient management system, able to provide an immediate and effective response in case of accident, fraud or damage as well as to protect all stakeholders’ interests, reputation and value-generating assets.
The main goal of business continuity management is allowing a firm to continue its main activities in adverse conditions. How? By introducing appropriate resiliency strategies, temporal objectives of recovery, technological and organisational continuity solutions, measures to manage business disruption risk as well as crisis management plans.
Risk management and risk assessment: a growing market
The global market value of systems dedicated to risk management was estimated to be 6.25 billion dollars in 2018 and should grow to 18.50 billion by 2016, with a year-over-year average increase of +14.6% according to a study conducted by Allied Market Research.
A confirmation comes from the fact that a growing number of companies, including banks, is using advanced risk management and risk assessment systems to protect their business, due to the increasing of data and security breaches within firms, the sharpening of government and industry regulations as well as the development of the IoT (Internet of Things) environment. On top of that, as highlighted by the report of Allied Market Research, the incorporation of artificial intelligence in risk management platforms and an increasing demand by developing economies should pave the way for a wider spreading of risk culture and related technological products.
In this sense, our company SAVE Consulting Group has developed – and keeps working on – the TigreArm platform; in particular, through its MidaBI module, we support the banking and financial risk management function in implementing RAF and related risk governance policies, by means of an appropriate risk management process.