Risk has always been a part of banking. But today, with the spread of COVID-19 wreaking havoc on customers, the economy, and how we live and do business, banking might feel even riskier.
But is it? Not necessarily in the way you might think.
The risks facing financial institutions are well known and studied. They have been identified by everyone from regulators to academics to risk officers. They include operational, transaction, financial, credit, strategic, compliance, reputation, concentration, and cyber risks, among others.
While the COVID-19 pandemic is a new event, it does not create new risks. Yes, the spread of COVID-19 may lead to increased loan defaults, branch closures, or personnel shortages—but these are all known risks.
If your FI has a good enterprise risk management (ERM) program in place, these risks were identified long ago. Controls are in place to mitigate them.
While the risks themselves haven’t changed, inherent risk has.
Inherent risk is the risk that an activity would pose if there weren’t any controls or other mitigating factors in place. An example is the risk of a cyberattack when there are no firewalls or other defenses.
Inherent risk is defined by two elements: the impact of an event and its probability.
Under the COVID-19 pandemic, the potential impact of an event hasn’t changed. A cyberattack, large-scale employee absenteeism, an increase in loan defaults, or other known risks would probably have the same impact on your FI today as it would have in January before COVID-19 was a widespread problem. A cyberattack or increase in loan defaults is bad no matter when it happens.
What has changed is probability. Many of the risks FIs have identified, assessed, and monitored are far more likely to occur in today’s environment than they would have two months ago. Between working from home and opportunistic cyber crooks, the likelihood of suffering a cyberattack has increased. Large-scale employee absenteeism is far more likely. The rapid decline in the economy makes loan defaults much more likely.
This increase in probability increases inherent risk. An activity that posed a moderate risk before COVID-19 might suddenly be high risk because it’s far more likely to occur. For example, staff suddenly working remotely from their personal devices can dramatically increase the likelihood of unauthorized access to FI systems. (Download the Ncontracts Work-From-Home (WFH) Risk Assessment.)
When risk increases, more or better controls are needed to mitigate it. Residual risk is defined as the risk that remains after accounting for controls. In the case of a cyberattack, it’s the risk that remains after considering defenses like firewalls and regular penetration testing.
Residual risk is all about control effectiveness. The greater the inherent risk, the stronger the controls need to be. Controls that are 50 percent effective might be enough to mitigate the impact of a low-probability event. They may not be up to the task when that low-probability event becomes a high-probability event.
Existing controls may need to be expanded or new controls introduced. It’s all about ensuring the controls remain commensurate with the risks.
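The re-scoring described above, worked through as an added example (not from Ncontracts or the original post): a small constructed risk register is re-rated with today's likelihood while impact stays fixed, and each activity is checked for whether its existing controls still bring residual risk within the FI's tolerance. The 1..5 ordinal scales, the rating bands, the tolerance of 6 and the sample activities are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed scales for this illustration (not prescribed by the post):
# impact and likelihood are ordinal 1..5, effectiveness is 0.0..1.0.
@dataclass
class Activity:
    name: str
    impact: int                   # 1 (minor) .. 5 (severe); unchanged by the pandemic
    likelihood_before: int        # 1 (rare) .. 5 (almost certain), rated pre-COVID-19
    likelihood_now: int           # same scale, re-rated in today's environment
    control_effectiveness: float  # share of inherent risk existing controls remove

def inherent_risk(impact: int, likelihood: int) -> int:
    """Inherent risk = impact x probability, with no controls considered."""
    return impact * likelihood

def residual_risk(inherent: float, effectiveness: float) -> float:
    """Residual risk = what remains after the controls do their job."""
    return inherent * (1.0 - effectiveness)

def rating(score: float) -> str:
    """Assumed bands on the 1..25 product scale."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "moderate"
    return "high"

def reassess(register: list[Activity], tolerance: float) -> list[dict]:
    """Re-score each activity with today's likelihood, flag those whose controls
    no longer keep residual risk within tolerance, and report the effectiveness
    the controls would need to reach so that inherent * (1 - e) <= tolerance."""
    findings = []
    for a in register:
        inh_before = inherent_risk(a.impact, a.likelihood_before)
        inh_now = inherent_risk(a.impact, a.likelihood_now)
        res_now = residual_risk(inh_now, a.control_effectiveness)
        needed = max(0.0, 1.0 - tolerance / inh_now)
        findings.append({
            "activity": a.name,
            "inherent_before": rating(inh_before),
            "inherent_now": rating(inh_now),
            "residual_now": round(res_now, 1),
            "within_tolerance": res_now <= tolerance,
            "effectiveness_needed": round(needed, 2),
        })
    return findings

# Constructed sample register; not data from any real institution.
SAMPLE_REGISTER = [
    Activity("Remote access from personal devices", 4, 2, 5, 0.5),
    Activity("Loan defaults in the commercial book", 5, 2, 3, 0.7),
    Activity("Large-scale employee absenteeism", 3, 1, 4, 0.4),
]

if __name__ == "__main__":
    for finding in reassess(SAMPLE_REGISTER, tolerance=6.0):
        print(finding)
```

Remote access moves from moderate to high inherent risk and its 50 percent effective controls leave a residual of 10 against a tolerance of 6, so they would need to reach about 70 percent effectiveness; the loan-default controls, already at 70 percent, still hold.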
There’s a good chance your FI is experiencing increased inherent risk in critical areas, but there is only one way to know for sure: revisiting your risk assessments.
That includes:
There may not be time to review every area, so focus on your most critical areas.
COVID-19 is putting a strain on FIs and their resources, but now is not the time to put risk management on the backburner. Make time to reassess inherent risk and determine if your FI’s controls are sufficient.
You don’t want to find out the hard way.