Every bank examination begins with the same question: does this institution understand its own risk? Risk assessments for banks map where an institution has exposure, what controls are in place, and how much risk remains.

Conducted inconsistently across departments, a bank’s risk assessments can create gaps that examiners notice quickly. Common examples include:

  • A BSA/AML assessment completed annually but never updated for new products.
  • A cybersecurity assessment not revised since a core system replacement.
  • A credit risk assessment that lists controls but doesn’t evaluate whether they function.

These scenarios appear in Matters Requiring Attention across examinations of all institution sizes. What follows covers the types of risk assessments banks and credit unions must conduct, the FFIEC three-component framework that structures most of them, and what examiners look for when they review the documentation.


What Is a Risk Assessment in Banking?

In a banking regulatory context, a risk assessment is a structured, documented evaluation of the risks an institution faces in a specific area. The assessment is an input that defines what the organization’s risk program needs to address.

Federal banking agencies (the OCC, FDIC, and Federal Reserve) operate under a risk-based supervisory model. Examiners use risk assessments to determine where to focus examination resources. Institutions that document their risk profile credibly tend to receive a narrower, more focused examination scope.

The FFIEC sets examination standards for most U.S. banking risk assessment types through its interagency examination manuals. The core methodology is consistent:

  • Identify inherent risk
  • Evaluate controls
  • Determine residual risk

The FFIEC Three-Component Risk Assessment Framework

Compliance teams commonly apply the same three-component framework across all risk types, not only BSA/AML, because it reflects how examiners evaluate risk.

Component 1 — Inherent Risk

Inherent risk is the level of risk present before any controls are applied. For BSA/AML, the FFIEC manual identifies four primary categories:

  • Products and services
  • Customers and entities
  • Geographic locations
  • Transaction channels

An institution offering international wire transfers, serving money service businesses, and operating in high-risk geographies carries high inherent BSA/AML risk. Examiners evaluate whether the inherent risk assessment is comprehensive and current.

Component 2 — Risk Management Controls

Controls are the policies, procedures, systems, monitoring programs, and training in place to manage inherent risk. The controls assessment asks: given the inherent risk profile, are the controls appropriate and operating as intended?

A common examination finding is the gap between documented controls and functioning controls. An institution may list a transaction monitoring system as a control but have never validated its alert thresholds against the actual customer risk profile. That gap is precisely what this component is designed to surface.

Component 3 — Residual Risk

Residual risk is the level of risk remaining after controls are applied. Board and audit committee reporting typically focuses on residual risk because it reflects the institution’s actual position after management systems are accounted for.

Strong controls applied to high inherent risk can produce an acceptable residual risk profile. The practical implication: risk assessment findings should drive compliance program priorities and resource allocation.

Types of Risk Assessments Banks Must Conduct

Financial institutions typically conduct eight to ten distinct risk assessments, each tied to a specific regulatory requirement. The scope and frequency of each should reflect the institution’s size, complexity, and risk profile.

BSA/AML risk assessment

Required by the FFIEC BSA/AML examination manual and FinCEN customer due diligence rules. Covers products, services, customer types (including high-risk designations such as money service businesses and politically exposed persons), geographic footprint, and transaction channels.

The 2026 proposed AML/CFT program rule from FinCEN, OCC, and FDIC would formalize this requirement in program rules. Typically reviewed at least annually and updated for material business changes.

Credit risk assessment

Evaluates loan portfolio quality, underwriting standards, concentration levels, and borrower creditworthiness. OCC, FDIC, and Federal Reserve credit examination guidance sets supervisory expectations. Connects directly to allowance for credit losses under the Current Expected Credit Loss (CECL) standard.

Operational risk assessment

Covers losses from failed internal processes, systems, people, or external events. Typically encompasses business continuity, internal control failures, technology outages, and fraud. Informs business continuity plans and internal audit priorities.

Compliance risk assessment

Evaluates exposure to violations of applicable laws and regulations, including ECOA, TILA, RESPA, CRA, and HMDA. The OCC Comptroller’s Handbook on compliance management sets out what examiners expect:

  • Systematic identification of compliance requirements
  • Exposure assessment
  • Control evaluation
  • Remediation tracking

Cybersecurity and IT risk assessment

Evaluates threats against technology systems, data, and operational continuity under the FFIEC IT Examination Handbook. The current standards reference the FFIEC’s updated cybersecurity guidance and the NIST Cybersecurity Framework.

Interest rate risk assessment

Evaluates earnings and economic value sensitivity to changes in interest rates. The asset/liability committee (ALCO) typically governs this assessment, supported by scenario analysis and stress testing across rate shock scenarios.

OCC and FDIC guidance requires board-approved policies and independent model validation for institutions with significant interest rate exposure.

Liquidity risk assessment

Evaluates the institution’s ability to meet obligations under normal and stressed conditions. Larger institutions subject to Basel III must address the Liquidity Coverage Ratio. FDIC and OCC supervisory guidance requires contingency funding plans and documented analysis of funding sources, concentrations, and stress scenarios.

Model risk assessment

The OCC, Federal Reserve, and FDIC issued updated interagency model risk management guidance in April 2026 (OCC Bulletin 2026-13), clarifying that governance should be tailored to institution size, complexity, and model risk profile.

Requires a model inventory, validation against each model’s intended use, ongoing performance monitoring, and gap identification in the development and validation process.

Third-party and vendor risk assessment

Evaluates risks from vendors, service providers, and others with access to institution systems or performing functions on its behalf. The 2023 Interagency Guidance on Third-Party Relationships establishes the current framework, covering three phases: pre-contract due diligence, ongoing monitoring, and termination planning.

Fair lending risk assessment

Evaluates compliance with ECOA, the Fair Housing Act, and related laws. In 2026, the OCC shifted from requiring fair lending risk assessments during every supervisory cycle to a risk-based approach calibrated to the institution’s actual fair lending profile.

How to Conduct Risk Assessments: Step by Step

Regardless of risk type, effective bank risk assessments follow a consistent methodology aligned with agency guidance.

  1. Define the scope: identify the risk type, the applicable regulatory requirements, and the organizational units and activities covered.
  2. Catalog inherent risk: list the products, services, customer types, geographies, and channels relevant to the assessment using internal data, transaction analysis, and business unit input.
  3. Evaluate controls: document policies, procedures, systems, and monitoring programs, and assess whether each control is designed appropriately and operating as intended.
  4. Rate residual risk: combine inherent risk with control effectiveness to produce a residual risk rating.
  5. Document the assessment: include scope, methodology, data sources, assumptions, findings by risk category, and the overall risk rating.
  6. Report results to senior management and, for material risk areas, to the board or audit committee.
  7. Review at least annually, the minimum standard under most agency guidance, and update whenever a material business change occurs.
  8. Act on findings: let them drive monitoring priorities, internal audit scheduling, staffing decisions, and budget allocations.

Frequently Asked Questions

How often should banks conduct risk assessments?

Most regulatory guidance establishes annual review as the minimum, with updates required for material changes:

  • New product launches
  • Significant customer onboarding
  • Mergers
  • Regulatory changes

BSA/AML risk assessments are particularly sensitive to business changes; the FFIEC expects them to reflect the current risk profile.

What is the difference between inherent risk and residual risk?

Inherent risk is the exposure an institution carries before any controls are applied. Residual risk is what remains after controls, policies, monitoring, and training are factored in. The gap between them measures control effectiveness.

Examiners assess both: high inherent risk paired with strong, validated controls can produce acceptable residual risk; even moderate inherent risk with weak controls can produce an unacceptable residual risk profile.

Are risk assessments required by regulators?

Yes. Multiple federal banking agencies require documented risk assessments as part of their supervisory programs. The FFIEC BSA/AML examination manual sets explicit requirements.

The OCC, Federal Reserve, and FDIC’s 2026 interagency model risk guidance requires model risk assessments calibrated to institution complexity. The proposed 2026 AML/CFT program rule would formalize risk assessment requirements across FinCEN-regulated institutions.

What happens if a bank’s risk assessment documentation is inadequate?

Examiners may cite deficiencies through Matters Requiring Attention (MRAs) or, for more serious gaps, Matters Requiring Immediate Attention (MRIAs). Persistent weaknesses can lead to formal enforcement actions, formal agreements, or consent orders, depending on severity and history.

For institutions subject to OCC heightened standards, expectations for risk assessment rigor are particularly detailed.

For institutions managing risk assessments across multiple departments, centralizing documentation, control tracking, and board reporting in a risk management platform closes the documentation gaps examiners most commonly cite.

Risk management platforms such as Predict360 address this by consolidating risk assessment workflows, control tracking, and board-level reporting, providing the audit trail that regulators expect to see.
