Risk management hinges on robust risk identification—a fundamental banking principle that takes on even greater importance in uncertain times. Amid sweeping leadership changes in Washington in 2025, which may include a potential shift toward deregulation, financial institutions must stay vigilant in identifying both ongoing and emerging risks. Activities like risk acceptance, effective challenge, risk appetite, risk measurement, issue management, and risk reporting remain essential for maintaining an organization’s safety, soundness, and strategic resilience. Furthermore, these integrated activities demonstrate to shareholders, regulators, analysts, and other stakeholders that executive leadership is effectively managing both financial and non-financial risks in pursuit of the bank’s strategic objectives.

The outcomes of effective risk identification activities serve as strong indicators of a bank’s current and future operating performance. As outlined in “Best Practices for Building or Enhancing a Risk Identification Program,” maintaining a proactive, integrated, and data-driven approach is essential. This article builds on those principles, offering insights on how institutions can refine their risk identification practices to meet stakeholder expectations and confidently navigate an evolving regulatory landscape.

The identification of risks and risk issues is a continuous process that leverages various internal and external mechanisms, such as risk and control self-assessments (RCSAs), targeted risk assessments (e.g., compliance, privacy, technology), internal audit reviews, and regulatory examinations. These processes uncover a broad spectrum of risks, but not all of them warrant the attention of executive management or the board. It is the responsibility of the business units, in collaboration with independent risk management (IRM), to identify, monitor, and report risks while discerning which of them rise to a material level that justifies escalation and board reporting.

Determining materiality is critical for prioritizing risk management efforts. Although there is no universal regulatory definition for material risk, for the purposes of this article, the term refers to risks that pose a significant threat to the bank’s safety and soundness and therefore require heightened scrutiny and board oversight. By effectively managing material risks through activities like risk acceptance, effective challenge, risk appetite, risk measurement, issue management, and risk reporting, institutions can ensure that risks are not only identified but also appropriately assessed and addressed. This approach supports strategic resilience, operational integrity, and stakeholder confidence in a dynamic regulatory environment.

Risk Acceptance

Risk acceptance is a deliberate decision by the business, reviewed by IRM, to accept a risk rather than reduce, eliminate, or mitigate it. This decision typically involves a cost-benefit analysis and is made when the potential loss is deemed tolerable.

Accepting a risk reflects the bank’s risk tolerance. If the risk is infrequent, well-controlled, or has a low impact on the bank’s safety and soundness, acceptance is reasonable—provided the rationale is documented and governed by clear policies.

  • Governance and Approval: Risks should only be accepted within defined parameters set forth in procedural or governance documents. Higher-level approval, such as from the business head and the chief risk officer (CRO), ensures independent oversight of risk acceptance decisions.
Practical Example: A bank hires contractors for a critical project after performing due diligence on their credentials and past performance. While the contractors appear qualified, there is still execution risk outside the bank’s control. The bank may choose to accept this risk, documenting the decision and ensuring it aligns with established governance standards and approval processes involving both the business head and the CRO.

Effective Challenge 

Effective challenge is a constructive dialogue between the business and IRM that examines the materiality, frequency, and impact of a risk. This process helps ensure risks are properly assessed and documented. Effective challenge discussions typically address three key questions:

  1. What is the magnitude of the risk? Is it enterprise-wide or limited to a specific business unit?
  2. Should the risk be accepted or escalated?
  3. Is the risk material?

Practical Examples: Effective challenges occur organically throughout the organization. For example:

  • The board may challenge executive management on the bank’s strategy.
  • A CRO may challenge a business head on concentrated exposures to a specific product, industry, or client base.

Banks typically have policies outlining documentation requirements for effective challenge to ensure an auditable trail for internal and regulatory review.

When the business and IRM cannot reach an agreement, escalation protocols should be followed, involving the CRO for an independent decision.

Risk Appetite

Risk appetite is the board-approved level of risk a bank is willing to accept to achieve its strategic objectives. It reflects the bank’s tolerance in areas like acquisitions, credit concentrations, and product risk. Risk appetite acts as both a control mechanism and a measurement tool, with defined limits and thresholds. When thresholds are approached or limits are breached, immediate action is required to remediate the issue. Regular breaches call into question the bank’s commitment to its risk appetite framework.

Practical Examples:

In the 1990s and early 2000s, the Royal Bank of Scotland (RBS) pursued an aggressive acquisition strategy, believing its diversified assets resulted in a moderate risk profile. However, during the 2008 financial crisis, RBS’s acquisition of ABN Amro—which was under regulatory scrutiny for anti-money laundering (AML) violations—exposed significant weaknesses. The bank faced large write-offs and capital shortfalls, ultimately requiring an 84% taxpayer-funded bailout by the UK government. Another example of the consequences of poor risk appetite management is Silicon Valley Bank’s (SVB’s) collapse, driven by poorly managed interest rate risk.

The cases above illustrate that when risk appetite is not clearly defined, measured, understood, and enforced by executive management and the board, the consequences can range from financial penalties to institutional failure. Effective risk appetite practices ensure that risk-taking remains aligned with the bank’s strategic goals and resilience.

Risk Measurement

Risk measurement estimates the potential loss impact that could affect the safety and soundness of the bank and helps determine the materiality of a risk. For quantifiable risks—such as those in a credit portfolio—a quantitative risk assessment should be applied. This typically involves calculating the loss amount and comparing it against a standard measure like Common Equity Tier 1 (CET1) capital to gauge the severity of the risk. Industry best practices use both frequency and loss amounts to assess materiality, such as in a Comprehensive Capital Analysis and Review (CCAR), which evaluates risk on a 1-in-50-year event basis. For banks not subject to CCAR, a one-year time horizon is often more appropriate.

  • Metrics and Monitoring: The consistent capture, measurement, and reporting of data is essential for developing metrics to monitor changes in risk. These metrics should be governed by policies or procedures and curated to ensure board reporting focuses on the most relevant indicators. Metrics should be periodically reviewed and refreshed to maintain relevance—for example, retiring metrics related to divested assets or businesses.
  • Examples of Meaningful Metrics:
    • Credit Risk: Monitoring credit rating migrations and setting thresholds for timely action.
    • Cyber Risk: Tracking data breaches with limits and escalation protocols for remediation.

Tracking these metrics over time—such as quarter-over-quarter or year-over-year—provides insight into how effectively the bank is controlling its risks and adhering to its risk appetite. When metrics approach defined limits or thresholds, prompt action ensures risks remain within acceptable levels, supporting the bank’s overall resilience and strategic objectives.
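The threshold-and-limit monitoring described under Risk Appetite and in the Metrics and Monitoring bullet above can be made concrete. The following Python block is an added example, not code from the article or from Treliant: the two KRIs (data breaches per quarter for cyber risk, rating downgrades per quarter for credit risk), their threshold and limit values, the period labels and observed values, the “two breaches in the trailing four quarters” rule for a regular breach, and the escalation routing are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KriDefinition:
    """A key risk indicator with an early-warning threshold and a hard limit.

    The threshold marks the point where the indicator is "approaching" the
    board-approved limit; exceeding the limit is a breach. Higher values are
    treated as worse (both KRIs below are counts). Values are hypothetical and
    would come from the bank's risk appetite statement in practice.
    """
    name: str
    threshold: float
    limit: float


@dataclass(frozen=True)
class Observation:
    period: str
    value: float
    status: str              # WITHIN_APPETITE, APPROACHING or BREACH
    change: Optional[float]  # change versus the prior period (None for the first)


def classify(value: float, kri: KriDefinition) -> str:
    """Map one observed value to its risk appetite status."""
    if value > kri.limit:
        return "BREACH"
    if value >= kri.threshold:
        return "APPROACHING"
    return "WITHIN_APPETITE"


def evaluate_series(periods: List[str], values: List[float],
                    kri: KriDefinition) -> List[Observation]:
    """Classify every period and compute the period-over-period change."""
    if len(periods) != len(values):
        raise ValueError("periods and values must align")
    history: List[Observation] = []
    prev: Optional[float] = None
    for period, value in zip(periods, values):
        change = None if prev is None else value - prev
        history.append(Observation(period, value, classify(value, kri), change))
        prev = value
    return history


def regular_breaches(history: List[Observation], window: int = 4,
                     min_breaches: int = 2) -> bool:
    """Assumed rule: at least two breaches within the trailing four periods."""
    recent = history[-window:]
    return sum(1 for o in recent if o.status == "BREACH") >= min_breaches


def recommended_action(history: List[Observation]) -> str:
    """Escalation routing for the latest period (an assumed protocol)."""
    if not history:
        return "NO_DATA"
    if regular_breaches(history):
        # Repeated breaches call the commitment to the framework into question.
        return "ESCALATE_TO_BOARD"
    latest = history[-1].status
    if latest == "BREACH":
        return "REMEDIATE_IMMEDIATELY"
    if latest == "APPROACHING":
        return "PROMPT_ACTION"
    return "CONTINUE_MONITORING"


def summarise(periods: List[str], values: List[float], kri: KriDefinition) -> Dict:
    """Board-report style summary: statuses, trend and the resulting action."""
    history = evaluate_series(periods, values, kri)
    return {
        "kri": kri.name,
        "statuses": [o.status for o in history],
        "changes": [o.change for o in history],
        "action": recommended_action(history),
    }


# Constructed sample data (not real bank figures).
CYBER_KRI = KriDefinition("confirmed data breaches per quarter", threshold=2, limit=3)
CYBER_PERIODS = ["2023Q3", "2023Q4", "2024Q1", "2024Q2", "2024Q3", "2024Q4"]
CYBER_VALUES = [0, 1, 3, 4, 2, 5]

CREDIT_KRI = KriDefinition("rating downgrades per quarter", threshold=5, limit=8)
CREDIT_PERIODS = ["2024Q1", "2024Q2", "2024Q3", "2024Q4"]
CREDIT_VALUES = [3, 4, 2, 5]

if __name__ == "__main__":
    print(summarise(CYBER_PERIODS, CYBER_VALUES, CYBER_KRI))
    print(summarise(CREDIT_PERIODS, CREDIT_VALUES, CREDIT_KRI))
```

The quarter-over-quarter `change` field is what the trend discussion above asks for, and the two-tier status (approaching versus breach) is what lets prompt action start before the limit itself is crossed; the routing in `recommended_action` is one place a bank would plug in its own escalation protocol.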

Issue Management

Issue management is the process of identifying, analyzing, prioritizing, and remediating risks that have materialized into issues. These issues can arise from various internal and external sources, such as RCSAs, internal audit reviews, or regulatory examinations. Not all issues are of equal severity, and therefore, not all warrant board-level reporting. Prioritization and evaluation are necessary to determine which issues rise to that level.

  • Ongoing Monitoring:

Issue management is a continuous process. It involves:

  1. Proactive monitoring for signs of deterioration of existing issues, or emerging issues.
  2. Severity assessment to gauge potential financial, regulatory, and operational impacts.
  3. Development of responses that are both tactical (short-term fixes to mitigate disruption) and strategic (long-term solutions to address root causes).

  • Severity and Governance:

The severity of an issue should be clearly documented, including its current and potential impacts. Investments in people, processes, and systems should be guided by an understanding of whether the issue is systemic (enterprise-wide) or isolated to a business unit. To promote transparency, many banks address remediation costs (i.e., people, processes, and/or systems) and the timeframe for remediation of their high-risk issues as part of their investment committee agenda, ensuring visibility for executive management and the board.

  • Remediation and Tracking:

Once a risk is identified as an issue and a remediation solution is determined—such as replacing multiple outdated AML transaction monitoring systems with a single, modern system—certain steps must follow to ensure effective resolution:

  1. Approvals and Funding:
    • The remediation plan should go through appropriate approvals from relevant stakeholders, such as the business head, CRO, and investment committee as noted above.
    • Ensure funding is allocated for the solution, including resources for implementation and ongoing support.
  2. Progress Tracking:
    • Establish metrics to track progress against defined goals and milestones.
    • Monitor key indicators, such as implementation timelines, system performance, and issue resolution status.
  3. Resolution and Proving Period:
    • Resolution is considered complete only after full implementation of the solution.
    • A proving period (typically over two quarters) ensures the solution is effective and sustainable.
    • During this period, performance data should be collected to validate that the issue is resolved and controls are functioning as intended.

  • Closure and Sustainability:

An issue can be submitted for closure by the internal audit team only after full implementation and successful demonstration of sustainability (the proving period). This ensures the solution is both effective and enduring.

Risk Reporting

Risk reporting is the process of documenting and informing executive management and the board about the bank’s top or material risks and issues. Effective risk reporting transforms raw data into actionable information, enabling the board to provide advice or make decisions. It is essential that the board not only receives this information but also fully understands the risks and issues presented. Where appropriate, the board should challenge management on the severity, impact, and remediation status of these risks. Regular risk reporting helps the board monitor ongoing risks and issues, minimizing the potential for unexpected surprises.

  • Critical Elements of Risk Reports:

An effective risk report should include these five key elements:

  1. Risk or Risk Issue Statement: What is the problem? Clearly define the risk or issue.
  2. Impact Assessment: What is the effect or potential effect on the bank? Consider financial, operational, regulatory, and/or reputational impacts if the risk is not remediated.
  3. Risk Appetite: What is the bank’s appetite for this risk or issue? Indicate whether the risk is within acceptable limits or exceeds defined thresholds.
  4. Metrics and Measurement: How is the risk being measured? Use key risk indicators (KRIs) to track the risk over time, such as month-over-month, quarter-over-quarter, and/or year-over-year trends.
  5. Action Plans: What are the steps to manage the risk or resolve the issue? Specify the plan to accept, reduce, transfer, mitigate, eliminate, or remediate the risk, along with timelines and accountability.

By including these elements, risk reports provide clarity, support decision-making, and ensure that risks are actively monitored and managed.

For a deeper dive into optimizing your risk reporting processes, refer to our article Optimizing Enterprise Risk Reporting: A Roadmap for Risk and Compliance Executives or view our American Bankers Association webinar, A Data-Driven Approach for Optimizing Enterprise Risk Reporting. These resources highlight strategies for improving data quality, centralizing risk reporting, and leveraging dynamic reporting systems to provide real-time, actionable insights for senior management and regulators.

Conclusion

Risk identification and its associated activities may assume greater importance during shifts in political climate. While some relaxation of regulation may be anticipated under the new administration in Washington, the importance of this discipline will not diminish. Given evolving technology, business, and regulatory conditions, risk identification helps ensure the safety and soundness of an institution by consistently uncovering material risks and issues that, if left unaddressed, could significantly impact the stability of individual banks and possibly the banking industry as a whole.

Authors

Laura Huntley

Laura Huntley is a Managing Director in Treliant’s Regulatory Compliance, Mortgage, and Operations Solutions practice. Laura brings almost two decades of specialized experience in regulatory strategy, compliance, and risk management within the financial services industry.

Peter Reynolds

Peter Reynolds is a Senior Advisor at Treliant where he advises C-suite executives and boards on matters pertaining to risk management and compliance consistent with regulatory requirements and expectations. Peter is a global transformational risk and compliance executive with over 40 years of experience holding C-suite roles at…