How to manage controls proliferation within Financial Institutions; ensuring the horse remains in the stable.
Risk & Control Assessments (RCAs) have long been mandated by Regulators and used by Financial Institutions to record, maintain and inform on their controls, their effectiveness, and the resulting residual risk a business or function is exposed to.
However, too often the RCAs as a process took precedent over the identification and mitigation of risks Financial Institutions are, were or could be exposed to. The accent was on adding controls and control inventories continued to grow organically – in excess of 30,000 controls were observed in top tier banking houses.
The vast majority of these controls are not genuinely “key”. Our analysis revealed most of those are processes, requirements, statements, and non-key controls.
Read our full analysis here in our 2019 white paper.