
What is Dynamic Risk Management and How Does It Work?

Oct 17, 2024

Many financial institutions (FIs) view risk assessments as one-time or annual occurrences. They gather the documentation necessary, assess risks and controls, and assume that's it.  

However, a one-time or annual risk assessment is no longer adequate. Compliance constantly evolves, so a past risk assessment isn't a reliable indicator of future risks. By actively engaging in risk management, FIs can keep up and significantly reduce their risk exposure.  

So, what exactly is dynamic risk management (DRM)? How does it differ from traditional risk management? What are the benefits and challenges FIs face when adopting a dynamic approach to risk management? Let's explore these questions in more detail. 


What is dynamic risk management? 

Dynamic risk management is a proactive, flexible approach to identifying, assessing, and mitigating risks in real time. It ensures that risk assessments are updated as risk conditions – both inside and outside the institution – change.  To understand the nuances of dynamic risk management, it’s important to first establish an understanding of traditional risk management.  

Traditional risk management vs. dynamic risk management

Traditional risk management, also called static risk management, is a risk management approach that relies on pre-determined frameworks and scheduled periodic assessments. Like a train that leaves and arrives at the same stations at scheduled times, traditional risk management runs on a fixed schedule.   

Emerging risks, incidents that reveal control weaknesses, and regulatory changes typically don't impact a traditional risk management assessment schedule. For example, suppose an FI schedules a review of its fair lending risk assessment in September, but in October, regulators announce an increased focus on redlining. In that case, a static institution will reevaluate its risk assessment in September next year – 11 months after regulators announce increased attention to redlining issues. 

DRM is a more comprehensive approach to risk management that emphasizes agility, responsiveness, and resilience in the face of uncertainty. FIs that use DRM can more easily adapt and thrive in a changing environment because they can effectively anticipate, assess, and mitigate risks. 

While DRM can help institutions stay informed and execute changes to their risk assessments as needed, there are times when static risk management is the only choice. For example, a small or mid-size FI may not have the resources, systems, or people to manage an area actively, or the area may be low-risk and not require consistent risk assessment updates. A static risk management approach may be an option, although DRM is best.

Critical components of dynamic risk management

When using a DRM model, FIs update risk assessments when regulations, products, processes, the external risk environment, or the institution's risk tolerance change or when control self-assessments, audits, and findings suggest the controls aren't adequate. 

When updating your FI’s risk assessments: 

  • Look for sources of new or increased risk. Consider your institution's scale. A mid-sized institution may have different sources of risk than a very large one.  
  • Be proactive about potential risk. Don't rely on old risk assessment schedules; seek to uncover new risks. For example, ask product committees for the latest updates to see if there are any new or changed products and services, and check change management processes, documenting how new requirements affect your FI's operations.
  • Perform priority risk assessments promptly. Remember our example of increased regulatory attention on redlining? That's a perfect example of a situation that requires immediate action. If the FI decided to wait until the following year to address the issue, it could face severe regulatory penalties and fines, not to mention other consequences like reputational loss, if it wasn't doing enough to address fair lending risk.

How to reap the benefits of dynamic risk management

Dynamic risk management offers many benefits to financial institutions that implement it correctly. To implement DRM:  

  1. Be prepared to audit and test more frequently. An FI should ensure it has the controls to effectively mitigate and manage risk as needed.  
  2. Mitigate risk. Use insights from control self-assessments, testing, and auditing results to develop new internal controls or enhance old ones.  
  3. Refer to other departments for assistance. Individual departments know their people, processes, and technology best. They can identify what changes are needed, who is responsible for them, and when they need to happen.  
  4. Get the frontline on board. Risk management responsibility isn't limited to people with the words “risk manager” in their titles. DRM requires the participation of everyone, from lending to IT to marketing and frontline employees. This participation occurs in a risk culture where everyone has the tools and resources to embrace a risk mindset.  
  5. Establish and monitor key risk indicators (KRIs) and key performance indicators (KPIs).  KRIs are metrics used to identify and predict potential risks, while KPIs measure an FI's success in meeting strategic goals and objectives. Examples of KRIs include increased customer complaints and frequent turnover in key personnel, while KPIs cover areas such as consumer satisfaction and financial performance.


How technology can help your FI’s DRM strategy 

DRM has garnered the attention of regulators recently. A new interagency rule proposed by NCUA, FDIC, FRB, OCC, and FinCEN seeks to modify Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) regulations by introducing a fifth prong, dynamic risk assessments, to the current four prongs of a well-structured AML/CFT program. 

The suggested regulation not only calls out the importance of DRM but also the use of technologies such as machine learning and artificial intelligence (AI) to better fulfill compliance obligations. When a financial institution lacks a clear understanding of risks, it can easily overlook strategic goals, milestones, and policy objectives. Risk management software can assist organizations in better monitoring, reporting, and communicating risks internally and externally. It can also support your FI’s integrated risk management (IRM) strategy by facilitating collaboration between departments, promoting information sharing, establishing a common risk language, and enabling continuous risk assessments.

Want more insights on how your FI can navigate risk efficiently and effectively? Learn how to create reliable risk assessments and avoid common pitfalls.
