The risk climate in the financial services industry (FSI) feels like a pressure cooker, and any discussion of FSI risk assessment best practices has to acknowledge that “risk” is a dirty, stressful word for insiders.
According to a survey by Accenture, 72 percent of FSI executives have been tasked with cutting operating costs by at least ten percent by 2022—and continuously pursuing innovation, compliance, automation, and growth at the same time.
5 Risk assessment best practices for FSI
The only way to survive the current climate is to update how we think about financial services security and risk. The first step is to step back. You’ll need to examine your perceptions and redefine risk to perform a full assessment.
Risk isn’t new for financial services—in fact, it’s inherent in the business. What’s changed is the type of risk that businesses face. Additionally, with a growing global economy and customer base, the stakes are higher than ever. Work with your executive team to redefine risk and develop a common understanding. Categories of FSI risk include:
- Strategic: Missteps resulting from pressure to innovate and evolve
- Compliance: Failed audits and regulatory fines
- Credit and Liquidity: Traditional balance sheet risks
- Information security: Data loss due to a breach or cybersecurity attack
- Operations: Issues with people, processes, or systems
- Reputation: Public loss of confidence
- Market risks: Large-scale economic downturns
All of these categories of risk are related. A cyberattack or malware infection could disrupt operations and damage brand reputation. A bad investment that reduces liquidity could hinder an organization’s ability to innovate. A global or nationwide economic crisis has the potential to influence all of these areas. In an industry under this much pressure, cross-functional collaboration is the only way to tackle a risk assessment.
A risk assessment requires a framework that can rank risks by potential damage and likelihood and then point to the smartest response. Feeding that framework effectively requires high-quality data, and a lot of it. FSI firms need a metrics-driven approach to risk assessment to view weaknesses and opportunities objectively.
More sources of data are generally better here, provided the data is reliable. To understand strategic risk, for example, you might use insights about your competitors, partners, and customers. Manage information security risks with intelligence from penetration testing, security analytics, and insight into the most common data security threats facing finance firms. A data-driven framework creates a common view of risks and reduces the organization’s blind spots.
In the past, Finance Compliance Officers owned risk. That model is no longer practical; cross-functional collaboration is the only way to evolve. The leadership team should work on assessments with subject matter experts to:
- Use a framework to quantify risks
- Create controls and risk response plans
- Review existing policies and processes
- Drive measurable change
The goal of a data-driven finance risk assessment is to identify potential gaps and use a common framework to quantify the impact of realized risks as critical, important, moderate, or low-priority. Every time a risk is identified, controls are needed to create benchmarks for change. A single risk is likely to have multiple controls and control owners. Consider the following example that illustrates this point.
Example risk: Customer financial data is routinely exposed during operations
- HR: Identify all individuals who handle financial data and create updated position descriptions
- HR: Background check all new hires
- IT: Conduct an access audit to ensure that all employees have appropriate data access
- IT: Enlist third-party security advisors to audit endpoint security for vulnerabilities and process weaknesses
- Leadership Team: Create new policies for employee data handling and security procedures
- Department Leaders: Conduct awareness training
Every risk identified in your business requires collaborative brainstorming to determine multi-layered risk controls and assign responsibility for mitigation.
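The ranking framework described above (score each risk by likelihood and potential damage, bucket it into critical, important, moderate, or low priority, and attach several controls with named owners) is small enough to keep in code. The following risk register is an added example written for this page, not a tool from the original article or from any vendor it mentions. The 1-5 scales, the tier thresholds, the sample risks, and the "single owner" flag are all assumptions chosen for illustration; the first risk and its controls are taken from the example above.

```python
"""Added example: a minimal risk register that ranks risks by
likelihood x impact, assigns a priority tier, and flags risks that
lack controls or depend on a single control owner."""
from dataclasses import dataclass, field

# Assumed tier thresholds on a 1-25 score (illustrative, not from the article).
TIERS = [(20, "critical"), (12, "important"), (6, "moderate"), (0, "low")]


@dataclass
class Control:
    owner: str   # function accountable for the control
    action: str  # what the control does


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # assumed scale: 1 = rare .. 5 = almost certain
    impact: int      # assumed scale: 1 = negligible .. 5 = severe
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Inherent risk score; rejects values outside the assumed 1-5 scales."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact


def tier(score: int) -> str:
    """Map a score to the article's four priority tiers using TIERS."""
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "low"


def rank(risks):
    """Highest score first; sorted() is stable, so ties keep register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def gaps(risks):
    """Risks with no control at all, or with every control owned by one
    function (assumed to be worth review, since the article expects
    multiple controls and owners per risk)."""
    found = {}
    for r in risks:
        owners = {c.owner for c in r.controls}
        if not r.controls:
            found[r.name] = "no controls"
        elif len(owners) == 1:
            found[r.name] = "single owner"
    return found


def summarize(risks):
    """One row per risk: name, score, tier and the set of control owners."""
    return [
        {"name": r.name, "score": r.score(), "tier": tier(r.score()),
         "owners": sorted({c.owner for c in r.controls})}
        for r in rank(risks)
    ]


# Constructed sample register (likelihood/impact values are assumptions).
REGISTER = [
    Risk("Customer financial data exposed during operations", "information security", 4, 5, [
        Control("HR", "Identify data handlers and update position descriptions"),
        Control("HR", "Background check all new hires"),
        Control("IT", "Audit data access for all employees"),
        Control("IT", "Third-party audit of endpoint security"),
        Control("Leadership Team", "New data handling and security policies"),
        Control("Department Leaders", "Awareness training"),
    ]),
    Risk("Unpatched multi-vendor printer fleet", "information security", 4, 3, [
        Control("IT", "Inventory and patch printer firmware"),
    ]),
    Risk("Failed regulatory audit", "compliance", 2, 4),
    Risk("Branch power outage", "operations", 1, 2, [
        Control("Facilities", "Maintain UPS and generator"),
        Control("IT", "Fail over branch systems to the data center"),
    ]),
]

if __name__ == "__main__":
    for row in summarize(REGISTER):
        print(f"{row['tier']:9} {row['score']:2}  {row['name']}  owners={row['owners']}")
    for name, problem in gaps(REGISTER).items():
        print(f"GAP: {name}: {problem}")
```

Run it as a script to print the ranked register followed by the control gaps; in practice the register would be loaded from wherever the assessment is tracked rather than hard-coded, and the thresholds tuned to the organization’s own appetite.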
The goal of a risk assessment is a more secure financial services organization. That is achieved by aligning people, process, and technology toward measurable objectives such as improved security performance. Technology is the main lever for mitigating risks without an unmanageable workload. Wherever possible, use technology and automation to demonstrate risk performance and compliance.
For example, you may discover that a multi-vendor printer network is an information security risk due to printer vulnerabilities and the burden on the IT team. One opportunity for innovation could involve the adoption of Managed Print Service (MPS) to refresh your technology, manage device overhead, implement process automation, and gain greater security visibility.
Innovation is the best response to risk
Financial services organizations face greater risks and innovation pressures than ever before. Use a risk assessment as an opportunity to recast how you think about risk and identify opportunities for innovation. By decreasing the burden of risk management, you can make way for smarter business practices and better cross-functional collaboration.