BOL Conferences

#1969434 - 10/15/14 02:28 PM Risk Assessments How Many Do We Need?
Daisy Doodle Offline
Diamond Poster
Joined: Feb 2014
Posts: 1,030
Southern U.S.
My bank seems 'risk assessment' happy to me. We have a big list of them and also IMO they communicate pretty much nothing useful. Does a list exist of required risk assessments and does anyone else do a website risk assessment?

#1969439 - 10/15/14 02:35 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Matt_B Offline
Diamond Poster
Joined: Sep 2011
Posts: 1,651
A CU, Where Regs Don't Apply
Depending on your regulator, you may or may not be under the order to do an RA for every product and service you offer, via every channel you offer it. Even our exam team stressed the need to start doing more, and we have the fluffiest of regulators there is.

Of course, if you're doing them just to satisfy an examiner and not to actually use them, then you're obviously missing the point.

Website risk would be included in other RAs most likely, not on its own for us. (e.g. fair lending, marketing compliance, online banking, etc)
_________________________
Someone's about to get horned!

#1969440 - 10/15/14 02:39 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Kathleen O. Blanchard Offline

10K Club
Joined: Dec 2000
Posts: 21,293
Risk assessments can be simple or complex depending upon the topic. When you are making a risk based decision, there should be a risk assessment completed, and documented so that you can demonstrate the thought process that was utilized.

A risk assessment should consider what can go wrong, what threats exist, what controls you have in place to prevent or identify, and what you will do about it if something should go wrong.
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#1969457 - 10/15/14 03:26 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Daisy Doodle Offline
Diamond Poster
Joined: Feb 2014
Posts: 1,030
Southern U.S.
I'm referring to annual risk assessments though (that go to the board), not an ad hoc one we might use to decide on a new product or choose a new critical vendor.

Okay, what I'm hearing is that this is another one of those 'fuzzy' areas where your particular regulator drives what goes on in the bank. I don't have the benefit of that perspective. I don't know if we've gone hog wild or have a good reason for all of these.

#1969483 - 10/15/14 03:54 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Matt_B Offline
Diamond Poster
Joined: Sep 2011
Posts: 1,651
A CU, Where Regs Don't Apply
Having them all go to the board is probably excessive, unless your board really doesn't trust your senior management team and wants total control/oversight of every decision that's made. Generally, that responsibility would be delegated down, but at least high risk areas may deserve the board's attention.
_________________________
Someone's about to get horned!

#1969532 - 10/15/14 04:58 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Kathleen O. Blanchard Offline

10K Club
Joined: Dec 2000
Posts: 21,293
There are quite a few that are expected (BSA, Compliance Risk, Information Security Risk, ID Theft Risk, Remote Deposit Capture Risk, mobile banking risk, enterprise risk which covers the whole bank), just as some examples. Audit is expected to do a risk assessment to determine its audit plan.

Whether one of these or new product, the thought process is the same. That was my point.

_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#1969653 - 10/15/14 08:41 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
JWills, CRCM Offline
Diamond Poster
Joined: May 2013
Posts: 1,804
The Mitten State
Can the mobile banking risk assessment be combined into my general compliance risk assessment (which is huge, by the way)? We just started offering mobile banking.

Thank you.
_________________________
Nonsense wakes up the brain cells.

--Dr. Seuss

#1969658 - 10/15/14 08:49 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
John Burnett Offline
10K Club
Joined: Oct 2000
Posts: 40,086
Cape Cod
If your mobile banking service includes mobile deposits, you should include at least that piece under the remote deposit capture risk, since that's the nature of the beast.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#1971956 - 10/24/14 07:19 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
gcg Offline
100 Club
Joined: Mar 2007
Posts: 126
I need to create a bank risk assessment for FACT Act. Can anyone give me a little information on a report format that I can use and what things I need to look at???

#1972044 - 10/27/14 12:19 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
P*Q Offline

Power Poster
Joined: May 2001
Posts: 8,458
Somewhere
Any electronic service (mobile, RDC, etc) is all included on our Information Security risk assessment, we don't have separate ones for each. But that being said our IS RA is quite lengthy and detailed.

#1972317 - 10/28/14 01:38 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
Rocky P Offline
Power Poster
Joined: Jun 2003
Posts: 7,728
Florida
Originally Posted By: Daisy Doodle
My bank seems 'risk assessment' happy to me. We have a big list of them and also IMO they communicate pretty much nothing useful. Does a list exist of required risk assessments and does anyone else do a website risk assessment?


My take - a risk assessment is more than a piece of paper.

Many years ago, examiners would have a surprise exam, classify loans and tell the bank what their condition was (yes, I was an examiner and was responsible for closing a bank). Later, they started giving the bank notice of the exams so the files could be ready. Even later, they shared their guidelines with the banks and asked the banks to create credit risk guidelines.

More recently they asked the banks to risk rate loans and then compared the bank's risk rating to the regulators'. As part of the process, they started asking for risk assessments. WHY?? If a bank is going to be in business, they have to understand what their risks are and manage to the risks. If there are risks, is management aware, and are there adequate controls? Unless management understands the risks, and has the appropriate controls, profit and loss will occur by happenchance rather than by planning.

Example (fair lending): everyone should be evaluated the same. If there is centralized underwriting, the chance of consistency is greater than if each loan officer makes their own decision in a decentralized environment (taking into consideration that LOs have different experiences and authorities). In a decentralized environment, there might be a greater need for a 2nd review by a more experienced underwriter to ensure that similarly situated applicants are treated the same. A risk assessment should identify and tell you that.

Some self-assessments may be there to satisfy examiners; most SHOULD be in place to identify inherent weaknesses and identify compensating controls to reduce the risks.
_________________________
Integrity. With it, nothing else matters. Without it, nothing else matters.

#1987668 - 01/09/15 06:36 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
thumper1108 Offline
Junior Member
Joined: Oct 2014
Posts: 43
What products/services should be included in a UDAAP RA?

#1987741 - 01/09/15 08:48 PM Re: Risk Assessments How Many Do We Need? Daisy Doodle
rlcarey Offline
10K Club
Joined: Jul 2001
Posts: 84,334
Galveston, TX
All of them?? Why or how would you exclude any? The object of a risk assessment is to assess the risk, even if it is only to say - None.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com


Moderator:  Lestie G