Chart Abstract, How to Measure Compliance Risk

Part 4 of 4

Effective compliance isn’t just about following the rules. It’s about understanding processes and knowing where strengths and weaknesses exist.

That’s why regular compliance risk assessments are essential. A well-executed risk assessment digs into real-world risks and the specific controls an institution uses to mitigate their impact, allowing the board and management to make better, more insightful decisions. From big picture ideas to specific areas of concern, a good risk assessment looks at the good and bad in every situation to provide a thorough understanding of threats and opportunities.

But how exactly do you properly assess a risk? Let’s do just that with one compliance risk: failing to address exam or audit findings in a timely fashion.

Inherent vs. Residual Risk

Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place. Residual risk is the risk that remains after controls are taken into account. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures.

To assess inherent risk, determine how big of an impact an event would have and how likely the event is to occur.

Inherent risk = Impact of an event * Probability

To calculate residual risk consider the inherent risk as well as the controls and their effectiveness. That includes how large of an impact a control has in mitigating a problem as well as how effective it is.

Residual risk = Inherent risk * Control effectiveness

Control effectiveness = Control impact * % ineffective

Making the Assessment

Different institutions use different scales when making these measurements. In conducting this exercise, we’ll use a 5-point scale using these terms to measure risk and potential impact:

  • Catastrophic
  • Significant
  • Moderate
  • Minor
  • Insignificant

Control effectiveness will be measured on a three-point scale for impact:

  • Very important
  • Important
  • Not important

Probability and effectiveness will be measured on a five-point scale:

  • Certain
  • Likely
  • Possible
  • Unlikely
  • Remote

With these in mind, let’s begin to assess risk.

Risk: Exam or audit findings fall through the cracks and aren’t properly addressed in a timely fashion.

Event Impact: Catastrophic. Regulators will not be happy if identified problems aren’t actively addressed. Failing to properly manage them can result in regulatory action.

Probability: Likely. With the increasing number of audits generating more and more findings, it’s very possible that a finding could be lost in the shuffle.

As with most risks, there are a variety of controls that can reduce the risk exposure. They include:

  • Policies and procedures
  • Automated tracking system
  • Board reporting

Let’s assess an automated tracking system as a control.

Impact: Very important. An automated system ensures that every audit and exam finding is logged and tracked with someone assigned responsibility for follow through. It can provide reminders that actions are necessary and make it obvious which findings have been addressed and which are on their way.

Effectiveness: Likely. An automated system will very likely ensure that audit and exam findings are not forgotten. Human error remains a small factor, as sometimes people fail to properly use the system, but training can further increase the probability of proper usage.

Residual risk: Insignificant. An automated tracking system greatly reduces the risk of failing to correct the errors that auditors and examiners identify.

Conduct this assessment with each of the controls. Then assess the total value of the controls to determine how high or low the residual risk. Remember, not every control is equal. Give greater weight to those with a high impact and less to those with a low impact.

Be sure to be candid when assessing controls. If the assessment reveals that a control isn’t particularly effective, it might not be a problem if other strong controls are in place. It could be an opportunity to strengthen a weak control or decide that it’s not worth the resources. New controls can be developed to help control the risk. However, nothing will change if the controls are not assessed appropriately.

To learn more about risk assessments, including how to ensure they are reliable, timely and consistent, check out our whitepaper on creating reliable risk assessments.

Related: Compliance Risk Definition

 Featured image for Ask Me Anything Q&A
NCONTRACTS
2020 EVENTS