Corporate Compliance Insights

Control Assurance During the Pandemic Era

Revisiting the Basics with a Modified Approach

by Samiksha Sharma
November 16, 2020
in Financial Services

The pandemic era has ushered in new challenges for financial institutions. Are current risk identification and control assurance methods enough to deal with the challenges of a dynamic environment? Samiksha Sharma discusses how to address changing needs in an evolving risk landscape.

The pandemic era has seen financial institutions activate their business continuity plans in the shortest possible time. The current situation has defied the duration of most “worst-case” scenarios. Organizations have been forced to operate in a “business as usual” manner while in continuity mode, and many have continued to be in a “makeshift” model. Due to many factors, including the nature of the prevailing situation, the organizations may not have assessed the new normal for inherent risks and threats.

In the new norm, financial institutions may need to deal with newly exposed threats and vulnerabilities. The remote nature of business and working has made it imperative for organizations to revisit how they function. To address challenges in accessing their clients and providing seamless services, financial institutions have reimagined their business, technology and processes. For example, the number of organizations converting to digital and cloud services is increasing. The pandemic has given a sudden thrust to this conversion.

Technology functions, which are the backbone of financial institutions, must work around the clock to make delivery seamless. At the same time, they need to minimize risk and ensure regulatory compliance. Demonstrating compliance with multiple regulatory requirements and adhering to the industry standards is also one of the top agendas for most risk organizations, as the threat levels have increased. Due to these external situations and internal vulnerabilities, the controls need to be beefed up and enforced to address the elevated risk levels.

Reconsidering Risk Identification and Risk Assessment

There is a need to relook at the basics and revisit the risk identification and risk assessment process across the organization. A remote, digital environment warrants a review of the end-to-end life cycle of every process and technology.

Risk identification needs to consider both the “top down” and “bottom up” approach. This two-pronged approach for revisiting the risk assessment processes will help organizations address the immediate threat they have been exposed to. A holistic approach is needed. It includes identifying and assessing risks that are emerging (top-down view). Climate risk, operational resilience and new regulatory risk are a few top-down risks to be considered. Furthermore, the financial industry at large faces several significant events. Hence, identifying external events that have impacted other financial institutions, evaluating them for applicability and then carrying out a gap assessment on any applicable event will help plug any similar weakness within the organization.

Similarly, it’s important to identify and assess those risks that have crept in due to changes in process, technology or infrastructure (bottom-up view); for example, cyber risks, money laundering, fraud, etc.

A Collective Assessment

Organizations must also assess risks collectively to identify real exposure from threats and to identify areas of opportunity. For example, a process with weak controls for high-value transactions coupled with a compromised technology and infrastructure can have a ripple effect on inherent risk. Risk interactions also need to be considered from both top-down and bottom-up risk views.

Organizations also face added exposure to fraud risk, regulatory breaches and cyberattacks. These risks may not be alarming in isolation; however, if combined, they can have a damaging effect. Hence, there is a need for every organization to review the risk identification and assessment for every process. Any new risks identified and any increase in the risk posture of an already-identified risk must be mitigated, and controls identified and tested.

The risk assessment criteria should not only look at the impact, probability and speed of onset, but also at the duration of the event. These assessment criteria could either be clustered together or carried out individually. While identifying and assessing the risks, organizations should consider multiple sources of anomalies and breaches. For example, when looking at operational losses during the period, customer complaints, frauds, ethics issues, significant incidents and audit findings may not be significant when reviewed individually; however, when analyzed together, they may help to identify significant control gaps at the organization level, thereby leading to high residual risk.

Residual Risks

Most organizations carry out the risk identification and risk assessment process but do not discuss the inherent and residual risks separately. For each risk assessment process, there must be a residual risk assessment followed by risk treatment criteria. Determination of whether the risks would be accepted, transferred or mitigated should be conducted depending upon the residual rating of the risk and risk appetite of the organization.

Risk-Rating

For a holistic approach, the residual risk-rating process should consider all significant breaches and incidents before the risk can be considered or rated as “medium” or “low.” A continuous review mechanism of inherent and residual risk assessment in this manner will ensure that there are no surprises and that risk management organizations are looking at risks dynamically as the environment is changing. The idea is to identify the anomalies and address them rather than addressing every risk event.

Thresholds

The risk thresholds also need evaluation, given the changing environment. For example, with the number of transactions taking place online, the earlier KRIs (key risk indicators) and thresholds may be misleading, increasing the workload of risk analysts by creating “false positives” while ignoring “true negatives.” Similar changes need to be identified and addressed in the risk threshold definitions so that appropriate breaches can be identified. In addition to individual KRIs and thresholds, cumulative thresholds need to be defined to address the collective impact of multiple control breakdowns and trigger a risk treatment if the cumulative threshold is breached.

The risks identified thus – rated as high inherent risks and high/medium residual risks – should be reported at the risk committee level for review and action, with final reporting to the board risk committee for appropriate oversight and to prevent surprises to the board.

Given the exposure in most financial institutions, there is a need to focus on revisiting risk exposure and the control foundation. Digital and cognitive interventions to assess controls may be deployed, freeing up risk resources to focus on the foundation review and prepare for the future. Besides, technology can also be used to speed up the risk identification and risk assessment process. Similarly, a single view of regulatory and compliance requirements to the control environment can be built using digital interventions. Implementing automated controls where applicable also reduces the element of error and provides greater assurance.

With added pandemic stress on the financial and economic health of most organizations, it is imperative for financial institutions to revisit their risk and control assurance processes. This will help them detect vulnerabilities and identify opportunities, making them stronger and more resilient to face any upcoming challenges while also supporting their growth goals.


Tags: Banking, Business Continuity Planning, Risk Assessment
Samiksha Sharma

Samiksha Sharma is Consulting Partner, Risk and Compliance (BFSI) for North America at Tata Consultancy Services and is based out of New Jersey. She has 20+ years of banking and financial services experience, including risk and compliance roles.

© 2022 Corporate Compliance Insights
