Home > News & Insights > Insights & Publications

3/29/16 - Developing and Implementing a Robust Risk-Identification Process

Regulators expect financial institutions to have a robust, forward-looking process to appropriately define their unique risk profiles and risk drivers through a transparent, repeatable process. This is a recurring theme in supervisory exams for risk management, stress testing, and other areas.

Supervisors also expect institutions to continually enhance their risk-identification processes. With all the other work enterprise risk management requires — from enhancing the risk management program to promoting risk culture — this can be a struggle. The risk-identification process, therefore, should be seen as a tool to assist in the evolution of the risk management framework and promotion of the risk culture.

It is critical that banks carry out a risk-identification process that thoroughly considers all major risk types within each of their major business lines and activities, and consider the risk profile of the enterprise when risks are aggregated. Banks seeking to enhance or develop their risk-identification processes may benefit from the following insights.

Risk-Identification Process

Regulators expect banks to implement a transparent risk-identification process that is logical, repeatable, and useful. A risk-identification process helps banks to:

  • Mitigate losses on an annual basis for identified risks
  • Monitor how and which risks evolve as business activities change
  • Make business decisions and develop other management processes, such as capital planning and recovery and resolution planning

Banks should not only identify top-of-the-house risks, but also work with business lines to incorporate their specific risks into a comprehensive risk inventory. Several different lines of management should review and discuss the inventory to ensure it appropriately captures the true risk of the institution. The risk inventory should be thoroughly documented, and include the risk definition, risk-measurement methodology, and ownership. It should also be incorporated into stress-testing methodologies.

Supervisors expect banks to conduct a thorough analysis of its exposures to each of the major risk types (e.g., credit, market, and operational). This analysis includes a review of existing risks and controls — as well as any identified control gaps — and periodic updates to reflect any potential risks that may develop over time. Regulators expect that risk and control owners are assigned across each of the bank’s business lines and corporate functions, as appropriate.

It is critical that institutions involve their business lines in the risk-identification process, rather than just their risk management department. Having business lines’ input allows the process to capture much greater detail around all risk types, specifically risks that banks are vulnerable to on a day-to-day basis.

Risk Identification and Risk Management

The risk-identification process should be aligned with the bank’s ERM framework. As is the case for many ERM practices and processes, banks should aim to leverage their risk-identification process in as many ways as possible. The risk-identification framework can be a powerful tool in the overall risk management decision-making process.

Management should rectify any coverage gaps as soon as practical and demonstrate that the process is an active element of the risk management framework. In addition, management should ensure that the process is not only a central risk management tool, but an essential component of forming the institution’s business structure and strategy.

Year-Over-Year Enhancements

Financial institutions must strive to continually find ways to enhance their ERM programs. As firms adjust their activities through new strategies or products, they should also adjust their risk-identification processes. For instance, if a bank’s strategy changes, the bank should be able to efficiently update its risk-identification process in a timely manner for senior management. At minimum, banks should re-evaluate their risk-identification process on an annual basis.

In addition, each time the process is executed, banks should simultaneously re-evaluate both their enterprisewide and business-line risks to ensure they correspond and to identify gaps. The risk inventory should be updated periodically to ensure that all new risks identified are captured.


Regulators understand the challenges of implementing risk-identification process findings into day-to-day risk management practices. Likewise, regulators realize the difficulty institutions have in keeping their business lines involved in this process. Senior management, however, must involve key individuals who have the insight to make the most from the risk-identification process. It is easy for financial institutions to fall into the habit of completing processes solely to comply with regulatory requirements; banks must break this habit by finding ways to leverage the exercise.

If done incorrectly and/or with a lack of purpose, the risk-identification process can have both short- and long-term negative impacts on the institution. Therefore, institutions must invest the necessary time and effort on the process to ensure all risks are captured, monitored, and reported. Firms need to take the initiative on this process, rather than waiting until they receive regulatory scrutiny before taking action.

How Promontory Can Help

Promontory understands the time and resources needed in implementing an ERM framework that includes robust risk-identification processes. We work with clients to ensure they have a strong understanding of what the process requires, and how the risk-identification framework can be leveraged in day-to-day risk management.

Promontory has assisted clients in a variety of ways with regards to the risk-identification processes.

For those firms with an established risk-identification process, we can:

  • Review documentation to ensure it aligns with regulatory expectations
  • Provide feedback and recommendations to align the process with regulatory expectations
  • Assist in enhancing the process to align with other risk and business functions

For those firms without a risk-identification process or those with only a nascent process, Promontory can:

  • Establish a risk-identification process to be used for risk management purposes
  • Develop or enhance documentation to support the risk-identification process
  • Develop a scenario-generation process linked to the risk-identification process

Contact Us

For more information about risk-identification processes or ERM frameworks, please contact:

David Samuels
Managing Director
+1 212 542 6776

Abhishek Malhotra
+1 646 599 0315