I was wondering if anyone has looked into this tool yet; I know it's relatively new but personally when I heard that they were looking to make the process more transparent and help us out a little bit (less comments from examiners if there's a standard format someday!), I went right out and looked through the material.

What I'm confused with is its purpose. They state that the tool is not a replacement for a risk assessment, and that institutions that utilize it should use it in addition to the FFIEC Manual and corresponding laws and regulations. All of the categories listed within the tool come directly from the FFIEC Manual, and it provides a spot for each. So if they pulled information from the FFIEC Manual, and it appears (at initial glance) to cover everything in the FFIEC Manual and also provide additional slots for an institution to list additional items that may be specific to them -- why wouldn't it be suitable to replace an institution's risk assessment?

To me, it seems like if I were to complete it I would also need to complete my existing risk assessment which covers virtually all of the same material, so why would I go through that effort if it's more or less reiterating everything I've already done? I'm thinking that they've potentially offered the product with those contingencies to protect themselves in the event that an institution utilizes the tool as their Risk Assessment and returns negative results in an examination, but I wasn't sure if I was missing something.

Figured this would be something the group would be more than willing to discuss!

Related thread

It's little more than a casual version of the OCC's MLR. If they had published it in 2005, it might have been helpful.

The Risk Assessment process has been a point of issue with many examiners. Even third party ones (from nationally recognized Firms) that have been accepted in past reviews have been found to be lacking. This appears to sum up the Risk Assessment narrative to show the banks thought process in the narrative and act more like a support document than the actual Risk Assessment that will be found to be lacking for some unknown reason. Hopefully a standardized form will make it easier on the examiners (and then us).

I looked at it yesterday after that post Ken linked above. My risk assessment follows the exam manual just like this one does, with each category listed, but I also list the risk factors/bank exposure in a column next to the subject. I'm not clear on why you'd do this and a BSA risk assessment either, it's basically the same thing. I prefer the format layout of my risk assessment over this one. I think there are too many columns showing and once you start narrating out your controls in this thing, all your specific bank data such as how many accounts, how many bill pay customers, wire transfer info, etc, these cells are going to expand so far so you won't be able to view it very well. I think the 3 columns with Low, Moderate & High just add to the width - it would make more sense to hide these columns and just use a formula to pull the results into one column labeled "Inherent Risk Rating".

But back to the original question, it makes no sense why you'd do this and your risk assessment.

If your risk assessment doesn't have a discussion in each area that quantifies your exposure and then through that process you identify what your "Inherent Risk" might be, followed by a thorough discussion of your mitigating controls in place which ultimately identifies the "Residual Risk" for each area, you can rest assured you are going to eventually get criticized.

I totally agree, not sure I conveyed that very well in my response, but that's what I was trying to get at, there doesn't seem to be enough focus on the banks controls/processes, etc., in the linked one.

There appears also that too much time is spent developing a document that meet regulator requirements and not enough time on determining actual risk and producing policy and procedure to meet actual risk. In my region a narrative is expected and not just a complete spreadsheet with all the required bells and whistles.

I think that the use of the provided document may help as supporting documentation for the regulator approved narrative and provide a basis for determining actual risk,