Risk and control self-assessments have been common in the finance industry for many years – so why are they still relatively ineffective? I believe the answer is fairly straight-forward; it’s all to do with the value (or lack of value) of their output.

In order to make assessment outputs more valuable to investment banks and other financial firms, it is imperative that the best methods are used, and that they are ‘fit-for-purpose’. Unfortunately, there are many methods to choose from, each with a slightly different approach to assessing operational risk, however, some of these do not provide the level of granularity required to enable a thorough review.

Traditionally, risk assessments have been conducted on an annual basis, typically in the fourth quarter, looking back over the previous 12 months. In reality, the dynamic nature of financial firms’ internal controls and external regulation means that annual reviews are simply too infrequent to provide a ‘current state’ analysis of a firm’s operational risk profile. Looking back each year is a purely reactionary process that is very likely to be skewed or clouded by outdated data.

Governance is also a factor in the success or failure of risk assessments and of the mitigation of risks that are uncovered by such assessments. In many firms risk and control is embedded in the culture of the organisation, in others it is simply viewed as a requirement that is superficially completed so the ‘box can be ticked’. The attitude to risk and its governance starts with the senior management of the firm, and is an important factor in determining whether such assessments succeed or are doomed to fail.

The value of the assessment outputs to a bank or other financial firm can also be measured by the level of insight they provide, and the actions required to be taken in order to mitigate future risks. Depending on the method employed, these outputs will either be in the form of a tangible list of easily prioritised actions with clear business benefit, or a ‘laundry list’ of actions lacking clear prioritisation. Such ‘laundry lists’ are unfortunately very common, but offer little business value as they tend to mirror the pre-assessment assumptions of the managers completing the assessment, thereby stifling effective and decisive decision making.

We have therefore seen that there can be many reasons for the failure of operational risk assessments, which ultimately could place the firm in jeopardy. It is clear that only by taking a thorough, planned and rigorous approach to any such review, can the firm in question hope to achieve not only a successful output, but one which is truly effective at reporting and mitigating the risks to which the firm is exposed.