Pub. 10 2019 Issue 3

West Virginia Banker, www.wvbankers.org

Don’t Just Check the Box

By Trista Cline, Arnett Carbis Toothman, LLP

Has your financial institution performed an internal audit risk assessment? It seems like a risk assessment is required or needed for every audit, regulatory exam, new product or service, business continuity plan and various other items. The real question to ask is: why is the risk assessment so important for a financial institution?

A risk assessment is meant to include an analysis of threats based on the impact to the financial institution and its customers. As it relates to internal audits, the risk assessment should be the first step in assessing the financial institution’s audit risk. There may be a number of risk assessments conducted throughout the financial institution (IT Audit, GLBA, Business Secrecy Act (BSA), etc.). These documents will be used to evaluate the financial institution’s risk, identify necessary controls, develop policies and procedures, and implement an audit cycle as well as the approach for assessing the risk.

So why do financial institutions keep getting asked to complete risk assessments? What is so important about these risk assessments? Risk assessments are a way for financial institutions to analyze the processes within their organization and identify different threats/risks within their financial institution.

An operational risk is a risk of failure or a loss within a process, a person, or a system. Operational risk can occur throughout all areas of operations within the financial institution and can be caused by internal or external events. Per the FFIEC, a few of the main threats to be considered for operational risk may be caused by the following:

• Fraud
• Error
• Inability to deliver

Operational risk not only includes operations and transaction processing but also the following risks:

• Reputation risk
• Strategic risk
• Compliance risk
