Over time, banks have reacted to operational risk by adding more controls with the assumption that more controls equal stronger risk mitigation. Yet, even with thousands of banking risk controls, lenders continue to receive consent orders and fines. Frustrated leaders wonder why.
One answer is that the banking risk controls aren’t performing as expected; they aren’t effective at mitigating the associated risk. When lenders come to us for help with their controls, we start by reviewing their control inventory and getting agreement on what components make up an effective control.
This blog walks you through a high-level representation of what we define as an effective control, and will only focus on two control types:
A strong control framework will have a proper balance of preventive and detective controls, but it’s important to know that each control is performing optimally. A few key components can help define what that looks like.
A note on automation: Although preferred, automated controls are not fail-proof and should always be tested to ensure they continue to work as expected. This is also why all preventive controls should be accompanied by a corresponding detective control.
Ask yourself these questions to identify how often banking risk controls should be performed:
A note on control frequency: A control performed once per month for a process that occurs daily won’t provide the risk-mitigating coverage needed. A control performed at the proper frequency will identify errors quickly, so corrective actions can be implemented in time to prevent future errors with the same cause.
Ideally, a banking risk control covers the full population. However, some controls must rely on samples of the full population, especially manual controls. Considerations when determining if the control is strong for sample populations:
Address errors through distinct corrective controls or include them as part of existing preventive or detective controls. Either way, consider the following to determine if a control has the proper corrective action steps:
Reviewing each control through the lens of these four components will help to ensure that controls are operating as expected. Also, this review helps mitigate the risk that the controls were created for, which further strengthens your risk management activities.
The next blog in this series will focus on how to use the information that you already have available to determine which controls need to be modified, which need to be retired, and where there are gaps and new controls that should be added.