The Annual Risk Assessment: What Examiners Expect and How to Build One That Holds Up

The Problem

Most regulated institutions complete an annual risk assessment because they are required to. They pull last year’s document, update a few dates, maybe add a new vendor or two, and submit it to the board for approval. Examiners have seen this pattern thousands of times, and they know how to spot it.

A stale or superficial risk assessment is one of the most common examination findings across institution sizes and charter types. And unlike a missing policy, which has a clear fix, a weak risk assessment signals something broader to examiners: that management may not have a genuine understanding of where the institution’s risks actually live.

What Regulators Require

The FFIEC Information Security Booklet and the GLBA Safeguards Rule both require institutions to conduct risk assessments as the foundation of the information security program. The Safeguards Rule, updated in 2021 and effective for most institutions in 2022, specifically requires a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.

The NCUA’s Part 748 Appendix A carries parallel requirements for credit unions. Across all frameworks, the expectation is the same: the risk assessment should drive your controls, not the other way around.

What Examiners Are Looking For

When examiners sit down with your risk assessment, they are evaluating several things simultaneously:

Is It Actually Current?

Examiners compare the risk assessment against other documentation — vendor inventory, IT audit findings, incident logs, and new product approvals — to verify that the assessment reflects actual current-year conditions. A risk assessment that doesn’t account for a new mobile banking platform launched six months ago will stand out immediately.

Does It Cover the Right Asset Types?

A complete risk assessment covers people, processes, and technology. Examiners expect to see risks identified across all three dimensions — not just a list of IT systems. Insider threat, social engineering, and process failures are just as much a part of the risk picture as network vulnerabilities.

Is the Scoring Methodology Defensible?

Examiners will ask how you arrived at your risk ratings. A methodology that assigns risk scores based on likelihood and impact — with documented criteria for each rating level — is far more credible than one that assigns ratings without explanation. Inherent risk, control effectiveness, and residual risk should each be addressed.

Does It Connect to Your Controls?

The risk assessment is supposed to tell you where to invest in controls. Examiners look for evidence that your identified risks are reflected in your information security program — and conversely, that your controls exist because of identified risks, not as a generic checklist copied from a template.

Has the Board Seen It?

The board must review and approve the risk assessment as part of its oversight of the information security program. Examiners will verify this in meeting minutes. Approval without meaningful discussion — particularly at institutions that are actively managing identified risks — is another pattern they recognize.

How to Build One That Holds Up

Start With Your Asset Inventory

You cannot assess risk to assets you haven’t inventoried. Begin with a current list of information assets: systems, databases, data repositories, and the processes that touch customer information. Map each asset to its owner, its data sensitivity classification, and its criticality to operations.

Identify Threats and Vulnerabilities Separately

A common mistake is conflating threats and vulnerabilities into a single entry. A threat is something that could cause harm — a phishing attack, a disgruntled employee, a power outage. A vulnerability is a weakness that a threat could exploit — lack of multi-factor authentication, inadequate access reviews, a single point of failure in your network topology. Keeping them separate makes the scoring more meaningful and the analysis more useful.

Score Inherent Risk Before Controls

Assess the likelihood and impact of each threat-vulnerability pairing as if you had no controls in place. This is your inherent risk. Then evaluate the effectiveness of your existing controls and arrive at a residual risk rating. This two-step process gives you a way to identify where controls are actually reducing risk — and where they may not be doing as much as you think.

Map Residual Risk to Open Action Items

For every residual risk rated Medium or above, there should be either an accepted risk documented with board approval, or an active remediation item tracked in your information security program. Examiners look for this linkage. A long list of high residual risks with no corresponding action items is a red flag.

Update It Throughout the Year

The annual cycle is a floor, not a ceiling. Significant events — a new core system, a data breach at a peer institution, a material change in your product offerings — should trigger a reassessment of the affected risk areas. Document those interim reviews so examiners can see that your risk management is ongoing, not just a year-end exercise.
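As an added example (not code from the post or from any regulator), a small Python model of the method laid out above: threats and vulnerabilities recorded as separate fields, inherent risk scored as if no controls existed, residual risk scored after control effectiveness, and a check that every residual risk rated Medium or above is linked to either an accepted-risk decision or an active remediation item. The 3-point scale, the rating thresholds, the control-reduction model and the sample register are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed 3-point scale for likelihood and impact (the post does not fix one).
SCALE = {"Low": 1, "Medium": 2, "High": 3}

def rating(score: int) -> str:
    """Map a likelihood x impact product (1..9) to Low/Medium/High.
    Thresholds are an assumption: 1-2 Low, 3-4 Medium, 6-9 High."""
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"

@dataclass
class RiskEntry:
    asset: str
    threat: str                 # recorded separately from the vulnerability
    vulnerability: str
    likelihood: str             # assessed as if no controls were in place
    impact: str
    control_effectiveness: int  # assumed scale: 0 none, 1 partial, 2 strong
    disposition: str = ""       # "accepted:<board minutes ref>" or "remediation:<item id>"

def inherent_score(e: RiskEntry) -> int:
    return SCALE[e.likelihood] * SCALE[e.impact]

def residual_score(e: RiskEntry) -> int:
    # Assumed model: each effectiveness point lowers likelihood one level (floor 1);
    # impact is left unchanged because the controls modelled here are preventive.
    return max(1, SCALE[e.likelihood] - e.control_effectiveness) * SCALE[e.impact]

def assess(entries):
    """Return (asset, threat, inherent, residual) per entry, plus the entries
    whose residual rating is Medium or above but carry no recorded disposition."""
    results, gaps = [], []
    for e in entries:
        inh, res = rating(inherent_score(e)), rating(residual_score(e))
        results.append((e.asset, e.threat, inh, res))
        if res != "Low" and not e.disposition:
            gaps.append(e)   # the linkage examiners look for is missing
    return results, gaps

# Constructed sample register; the remediation identifier is a placeholder.
SAMPLE = [
    RiskEntry("Online banking portal", "Phishing", "No multi-factor authentication",
              "High", "High", 0, "remediation:ITEM-PLACEHOLDER-1"),
    RiskEntry("Core banking database", "Disgruntled employee", "Inadequate access reviews",
              "Medium", "High", 1),
    RiskEntry("Branch network", "Power outage", "Single point of failure",
              "Medium", "Medium", 2, ""),
]
```

Running `assess(SAMPLE)` rates the database entry High inherent but only Medium residual, and reports it as a linkage gap because no accepted-risk or remediation reference was recorded.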

Practical Checklist

Before submitting your next risk assessment to the board, confirm it includes all of the following:

  • A current asset inventory covering all systems and processes that handle customer information
  • Threats and vulnerabilities identified separately, with documented likelihood and impact scoring criteria
  • Inherent risk ratings calculated before controls are factored in
  • Control effectiveness assessed and residual risk ratings documented
  • All risks rated Medium or above linked to either an accepted-risk decision or an active remediation item
  • Changes since the prior year’s assessment explicitly noted
  • Board review and approval reflected in meeting minutes
  • A schedule or trigger criteria for interim updates during the year

Need help building or refreshing your risk assessment? Book a $500 Risk Assessment.