Risk: Back to basics

Over the last few months, cyber-security risk has become the topic du jour for regulators and firms.  This should certainly be on the agenda, but it’s not the only risk topic.  Here are some more workaday issues that I’m seeing and hearing about.

1. Board risks vs Risk function risks – it’s remarkably rare to find two board members who give the same top five risks or a board member who lists the same top five risks as the Risk function.  I think it’s due to the Risk function applying processes and directors still looking at risks subjectively.

2. Risk processes vs common sense – it’s easy for the processes of risk identification, assessment, management, monitoring, reporting and the like undertaken by the Risk function to supersede a common-sense view of where the risks are.  Both the processes and the wider view are needed.  And common-sense, gut-instinct risks should be fed into the risk identification process so that all risks are captured.

3. Customer interests and conduct risks – I sometimes see firms equating acting in customers’ interests with identifying and managing conduct risks.  They’re not quite the same.

  • Some firms regard conduct risk, principally, as the risk to them as a result of their conduct.  This means there’s less focus on risks to customers.
  • Risks to customers can be managed within the conduct risk appetite set by the financial institution, but that might not result in acting in the customers’ interests in all cases.

Consider both customer interests and risk to customers arising from your conduct.  At the very least, this will act as a cross-check on customer interests and risks customers might be exposed to.

4. Circumventing procedures – it’s an old chestnut, but staff do try to circumvent procedures from time to time, usually when trying to be helpful and not bother someone who’s busy.  The results can be unfortunate.  Internal Audit are usually best placed to identify whether – and how – procedures can be circumvented.

5. Access to premises – don’t just worry about access to systems; premises access can do a lot of harm.  Recently, I arrived early for a meeting and got through two layers of security without being challenged.  I was retrieved before I could plan how I might get further, but other people could be a lot quicker.  This isn’t the only case I’ve heard of in the last few months.

6. No red risks: good or bad? – I’m picking up that there are differences of opinion on whether no-red-risks is a good thing or a bad thing.  Some Risk Committees are querying lack of red risks, wondering if it’s a sign that risk work isn’t sufficiently thorough.  No-red-risks isn’t necessarily a sign of weakness.  Consistency of approach and dispassionate assessment should be the hallmarks of risk work, accompanied by appropriate challenge.


The blog and all entries on it are intended to provide general information about recent and expected items that might be of interest.  Neither the blog nor any entry provides or constitutes, or purports to provide or constitute, advice relevant to any particular circumstances.  Legal or other professional advice relevant to any particular circumstances should always be sought.

This entry was posted in Ruth's Blog.