One of the first documents examiners request is evidence of documented risk assessments. Institutions that cannot produce them routinely receive Matters Requiring Attention. Yet risk assessment practices vary widely, with some banks running rigorous assessments while others treat it as an annual checkbox.

For any compliance or risk professional at a bank or credit union, understanding risk assessments is foundational. Learn more about Risk Control Self Assessments in our specially curated whitepaper.

This article answers the question: what is a risk assessment, and how do financial institutions conduct one?

Risk Assessment vs. Risk Management

Risk assessment and risk management are related but distinct.

The assessment is the diagnostic, asking:

  • What risks exist?
  • How severe are these risks?
  • How well are we controlling the risks?

Risk management is the response, and it answers:

  • What are we going to do about what we found?

In a mature ERM programme, assessments are conducted on a defined cycle and the results inform strategic planning, capital allocation, and board reporting.

Types of Risk Assessments Financial Institutions Conduct

Banks and credit unions are not exposed to a single category of risk. Most financial institutions maintain separate assessments for each major risk domain, updated on a schedule that reflects both regulatory requirements and the pace of change within that domain.

BSA/AML Risk Assessment

The FFIEC BSA/AML Examination Manual expects institutions to assess their inherent exposure to money laundering and terrorist financing (ML/TF) risk, typically across four dimensions: products and services, customers and entities, geographic locations, and delivery channels.

The assessment then evaluates the AML programme’s controls against that inherent exposure to arrive at a residual risk rating. Per the FFIEC BSA/AML Examination Manual, the assessment “should provide a comprehensive analysis of the bank’s ML/TF and other illicit financial activity risks.” Examiners expect it to be reviewed and updated periodically (in practice usually at least annually) and whenever material changes occur, such as a new product, market or delivery channel, a merger, or a significant shift in the customer base.

Compliance Risk Assessment

A compliance risk assessment evaluates the institution’s exposure to violations of the consumer protection and financial laws applicable to its operations (CRA, HMDA, ECOA, TILA, and others depending on the institution’s product mix).

A compliance risk assessment in practice maps each applicable regulation to the bank’s products and processes, rates the inherent likelihood and impact of a violation, assesses control quality, and produces a prioritised view of compliance risks.

Credit Risk Assessment

Credit risk is typically the largest source of loss for a financial institution, and the credit risk assessment evaluates loan portfolio quality, credit concentrations, and underwriting standards.

The board’s loan committee and examiners both review this assessment; examiners look at classified asset ratios, past-due trends, and stress-test results alongside the institution’s own documentation.

For financial institutions evaluating how to operationalise this process, enterprise risk management software can centralise assessment workflows and risk register documentation across all domains.

Operational Risk Assessment

Fraud, technology outages, third-party failures, and human error in transaction processing all fall under operational risk. An operational risk assessment:

  • Catalogues the major processes and systems the institution depends on
  • Rates failure scenarios by likelihood and severity
  • Tests the strength of controls against those scenarios

Cybersecurity Risk Assessment

Financial institutions conduct cybersecurity risk assessments to measure their exposure to technology-related threats and the adequacy of their security controls. Following FFIEC guidance, institutions now commonly structure these assessments around one of the following frameworks:

  • The NIST Cybersecurity Framework (CSF) 2.0
  • The Cyber Risk Institute (CRI) Profile
  • CISA’s Cybersecurity Performance Goals (CPGs)

Regardless of the specific tool used, the assessment evaluates an inherent risk profile (based on the institution’s technology footprint, delivery channels, and third-party connections) against the strength of its cybersecurity controls.

Interest Rate Risk Assessment

When the FFIEC revised the Uniform Financial Institutions Rating System in 1996 to add a sixth component, Sensitivity to Market Risk (effective 1 January 1997), interest rate risk (IRR) became a formal CAMELS examination criterion. OCC, FDIC, and Federal Reserve guidance, including the 2010 interagency Advisory on Interest Rate Risk Management, all expect institutions to assess IRR.

These assessments stress-test net interest income (NII) and, in most models, economic value of equity (EVE) under multiple rate shock and ramp scenarios using the institution’s asset/liability management (ALM) model. The output shapes funding strategy, investment portfolio positioning, and deposit pricing decisions.

The 5-Step Risk Assessment Process

While the regulatory frameworks governing specific risk domains vary in their prescriptions, the underlying methodology for conducting a risk assessment follows a broadly consistent five-step cycle:

  • Identify risks – Define the scope of the assessment and catalogue every material risk within it.
  • Analyse risks – For each identified risk, estimate the likelihood of occurrence and the potential impact if it materialises; the product is the inherent rating.
  • Evaluate and prioritise – Rate the controls that apply to each risk to derive a residual rating, and compare it against the institution’s risk appetite.
  • Treat risks – For each prioritised risk, decide on a response (accept, mitigate, transfer, or avoid) and assign an owner and a deadline.
  • Monitor and review – Establish key risk indicators (KRIs) that signal when a risk is trending toward its tolerance threshold, and reassess on the defined cycle.

Financial institutions typically document this process in a risk register and visualise the aggregate result in a heat map that the board reviews on a defined schedule.
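The following is an added example, not code from the original page or from Predict360; it walks a small constructed risk register through the five steps above and through the inherent-versus-residual distinction. The 1–5 likelihood and impact scales, the rating bands, the control-effectiveness factor, the sample risks, the appetite thresholds and the KRI values are all assumptions chosen for illustration, not any regulator’s scoring model.

```python
from collections import Counter
from dataclasses import dataclass, field

# Added example (not from the page or any vendor): a minimal risk register that
# carries constructed sample risks through identify -> analyse -> evaluate ->
# treat -> monitor. All scales, thresholds and sample data are assumptions.


@dataclass
class Risk:
    risk_id: str
    domain: str
    description: str
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # assumed: 0.0 (no control) .. 1.0 (fully effective)
    kri_name: str = ""
    kri_tolerance: float = 0.0    # KRI value at which the risk is outside tolerance
    kri_history: list = field(default_factory=list)  # oldest .. newest readings

    @property
    def inherent(self) -> int:
        # Step 2 (analyse): exposure before any controls, 1..25
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        # What remains once the rated controls are taken into account
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)


def rating(score: float) -> str:
    """Map a 1..25 score to the bands a heat map typically uses (assumed bands)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def evaluate(register, appetite):
    """Step 3: IDs of risks whose residual score exceeds the appetite for their domain."""
    return [r.risk_id for r in register if r.residual > appetite[r.domain]]


def treatment(risk, appetite):
    """Step 4: a simplified, assumed decision rule for the response."""
    if risk.residual <= appetite[risk.domain]:
        return "accept"
    if risk.control_effectiveness < 0.5:
        return "mitigate"   # controls are weak: strengthen them first
    return "escalate"       # controls already rated strong yet still outside appetite


def kri_status(risk):
    """Step 5: 'breached' if the latest reading is at/over tolerance,
    'trending' if the last three readings rise monotonically."""
    h = risk.kri_history
    if not h:
        return "no data"
    if h[-1] >= risk.kri_tolerance:
        return "breached"
    if len(h) >= 3 and h[-3] < h[-2] < h[-1]:
        return "trending"
    return "within tolerance"


def band_summary(register):
    """Aggregate view for the heat map: count of risks per band, inherent vs residual."""
    bands = ("High", "Moderate", "Low")
    inh = Counter(rating(r.inherent) for r in register)
    res = Counter(rating(r.residual) for r in register)
    return {"inherent": {b: inh[b] for b in bands},
            "residual": {b: res[b] for b in bands}}


# Constructed sample register (Step 1: identify) -- illustrative data only.
REGISTER = [
    Risk("R1", "BSA/AML", "Cash-intensive business customers", 4, 4, 0.6,
         "SAR filing backlog (days)", 30, [10, 12, 35]),
    Risk("R2", "Cybersecurity", "Third-party core vendor remote access", 3, 5, 0.3,
         "Vendor remote sessions without MFA (%)", 5.0, [1.0, 2.5, 4.0]),
    Risk("R3", "Operational", "Wire transfer callback not performed", 2, 4, 0.8),
    Risk("R4", "Credit", "CRE concentration above policy limit", 3, 4, 0.5,
         "CRE / total capital", 0.35, [0.28, 0.30, 0.29]),
]

# Assumed board-approved appetite: maximum acceptable residual score per domain.
APPETITE = {"BSA/AML": 8, "Cybersecurity": 8, "Operational": 5, "Credit": 6}


def board_report(register=REGISTER, appetite=APPETITE):
    """One row per risk, in the shape a board pack or GRC tool would render."""
    return {r.risk_id: {"inherent": r.inherent, "residual": r.residual,
                        "band": rating(r.residual),
                        "treatment": treatment(r, appetite),
                        "kri": kri_status(r)} for r in register}


if __name__ == "__main__":
    for rid, row in board_report().items():
        print(rid, row)
    print(band_summary(REGISTER))
```

Note that R1 is within appetite on its residual score yet its KRI has already breached tolerance: the periodic rating and the continuous indicator disagree, which is exactly the signal the monitoring step exists to surface before the next scheduled reassessment.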

Connecting Risk Assessments to Your ERM Framework

Risk assessments conducted in isolation are a common and costly pattern. Regulators increasingly expect financial institutions to maintain an enterprise risk management framework that brings assessments across all domains into a unified picture.

Platforms such as Predict360 integrate risk assessment workflows with the broader GRC programme, allowing institutions to link assessment results directly to controls, issues, findings, and remediation tasks.

Institutions that also implement continuous controls monitoring alongside periodic risk assessments gain real-time visibility into whether controls are performing as rated.

Frequently Asked Questions

What is the purpose of a risk assessment?

A risk assessment’s purpose is to give an institution a clear, documented picture of its exposures before deciding how to respond. Without one, institutions rely on intuition to allocate risk management resources.

How often should a bank conduct a risk assessment?

Frequency depends on the risk domain. For the BSA/AML risk assessment, the FFIEC BSA/AML Examination Manual does not prescribe a fixed interval, but examiners expect it to be reviewed and updated periodically (in practice usually at least annually) and whenever material changes occur.

Compliance, credit, and operational assessments are typically annual. Cybersecurity assessments are sometimes semi-annual or triggered by significant incidents or infrastructure changes.

What is the difference between inherent and residual risk?

Inherent risk is the exposure before any controls are taken into account; residual risk is what remains once the effectiveness of the controls has been evaluated. Regulators examine both: inherent risk tells them what the institution is involved in, and residual risk tells them how well the institution is managing it.

What is a BSA/AML risk assessment?

A BSA/AML risk assessment is a structured evaluation of a financial institution’s exposure to money laundering and terrorist financing risk that examiners expect every institution to maintain. As described in the FFIEC BSA/AML Examination Manual, it analyses inherent risk across:

  • Products and services
  • Customers and entities
  • Geographic locations
  • Delivery channels

It then evaluates AML programme controls to arrive at a residual risk rating. It should be reviewed and updated periodically (in practice at least annually) and whenever material changes occur, and it serves as the foundation for the institution’s entire AML compliance programme.

A risk assessment tells a financial institution where it is genuinely exposed, how severe those exposures are relative to what controls are in place, and where management attention and resources need to go.

The institutions that do this well share a few common disciplines:

  • Consistent methodology across all risk domains
  • Clear linkage between assessment results and the board’s stated risk appetite
  • A review cadence that keeps documentation current

Where those disciplines are embedded in an integrated GRC framework such as the one offered by Predict360’s AI-driven technology, the programme becomes repeatable and defensible to examiners rather than an annual scramble.
