Now What? Using Your Risk Assessment

(Originally published in ABA Risk and Compliance, May/June 2026)

The first two parts of this series covered approaches to obtaining a risk assessment (building, buying, or something in between) and creating a suitable methodology for determining inherent risk, control effectiveness, and residual risk. Once the bank has determined the methodology, completed the risk assessment, and produced results, one may wonder: “what do I do now?” Far too often when completing risk assessments, institutions report the results to the Board of Directors, adjust monitoring and testing schedules, and then set the risk assessment aside until the next cycle begins. While reporting to the Board and updating monitoring and testing schedules are critical uses of a risk assessment, its results can also provide insights into other areas.

Executed properly, risk assessments can be among the most valuable sources of up-to-date institutional information and can drive meaningful change. By virtue of their broad scope, risk assessments offer a unique opportunity to review longstanding processes and controls. This review can not only assess processes and controls against the current risk environment but also determine whether they remain efficient. Risk assessments are more than a point-in-time representation of an organization’s ability to manage risk; they are the starting points for roadmaps to the institution’s future.

While there are numerous ways in which risk assessments can be used throughout the enterprise, some of the best uses include process evaluation and building responses to rapid internal or external change. Institutions can use their risk assessments to inform current state assessments (especially as it relates to issue identification), process optimization, and future state visualization. In a similar vein, institutions can use risk assessments for internal technology transformation initiatives such as artificial intelligence (AI) adoption or robotic process automation (RPA). Lastly, the changing regulatory environment invites the use of risk assessments, both within and outside of the usual regulatory change management program, to best prepare for changing regulatory obligations.

Current State Assessments, Process Optimization, and Future State Visualization

Risk assessments are uniquely valuable in many ways, but of incalculable value is that they require a deeper understanding of everything that comprises the institution’s current state. When one strips away the underlying methodology, a risk assessment is essentially a gap assessment focused on risks and controls. Inherent risk, or all the risks posed to the institution, must be mitigated by a process, system, or other mechanism (i.e., controls). When the risk assessment is complete, two of the easiest takeaways are where controls do not sufficiently mitigate inherent risk and where controls are nonexistent.

That, however, is just scratching the surface. With careful planning, risk assessments can yield comprehensive current state assessments and lay the groundwork for process optimization and future state visualization. With a keen eye, a risk assessor can identify not only missing or deficient controls, but also inefficient ones. For example, consider a semi-manual control that has been in place for ten years. While this control may adequately mitigate risks within prescribed tolerances, that does not mean that it is efficient. Technological advances have skyrocketed over the last ten years, and the human resources dedicated to a semi-manual process are likely to have higher or better uses of their finite time. The risk assessment process helps the risk assessor think outside the box: while the process perhaps mitigates risk appropriately, is it in the best interest of the institution to keep this process static?

Using the risk assessment process to evaluate the current state charts a course for process optimization and future state visualization. Any successful process optimization project includes an assessment of the existing process, identifying where it succeeds and where it needs improvement, and ultimately creating a new process. Using risk assessment processes and results to inform process optimization essentially kills multiple birds with one stone:

  • The risk assessment process identifies current-state processes and controls
  • The risk assessor can identify missing, deficient, and inefficient controls
  • The institution can prioritize process optimization efforts using risk assessment results
  • Future-state visualization is completed through the lens of real risks

While process optimization and future-state visualization contemplate risk and controls, leveraging the risk assessment process prevents potential silos of operation. The enterprise takes a risk-forward, results-driven approach starting from a position of strength. The risk assessment yields not only underlying results that substantiate the need for process optimization, but also the mechanism by which the institution identifies areas for efficiency gains. In short, whereas banks viewed risk assessments of the past as check-the-box requirements, banks today can (and should) position their risk assessments as fact-finding missions that inform the bank on how efficiently the organization mitigates risk and where it can strengthen its processes.

Technology Transformation

The same way that risk assessments are optimal vehicles for identifying process improvement opportunities, they are also ripe for identifying where technology, especially longstanding systems, can be updated. In the hierarchy of control effectiveness, automated controls that require little human intervention are among the strongest and most desirable controls. However, not every automated system control is equal. Dated technology, while adequate today, will become rapidly ineffective over time.

In the last five years alone, the industry has seen the boon of AI (from generative to agentic and beyond), RPA, machine learning, optical character recognition (OCR), and a myriad of other technological advancements. Whereas mining consumer complaint data to identify trends, issues, or other data points can take days of effort for an entire team, certain AI tools can produce results in mere minutes. Manual review of unsearchable documents can take weeks or months to identify a single data point; OCR turns the unsearchable into a data scrape in a matter of hours. All this to say, the bank that leverages technology to its fullest potential will reap the rewards.

Advanced risk assessors consider the maturity of automated system controls to identify those that have been in place for the longest. While longer maturity is historically considered an indicator of control maturity, it can also signal complacency or stagnation. Core systems, loan origination systems, pricing engines, internal case management systems, and other technological assets have long shelf lives, and for good reasons: technology costs, implementation timelines and level of effort, opportunity cost of time spent on system migrations, training, pilot programs, and full-scale launches, and debugging are tremendous.

Technology transformations require rigorous cost-benefit analyses to determine if the effort required will truly optimize the business. That said, complacency and stagnation are the enemies of efficiency. Using the risk assessment to inform technological transformation initiatives can add another data point to the overarching cost-benefit analysis. Take, for example, a core system implemented immediately following the 2008 financial crisis. While the core technically supports various control points in this fictitious example, frontline staff spend 15 hours (37.50 percent) of a standard work week on manual processes to ensure the controls function as intended. While the system is technically controlling for various risks adequately, the real question becomes: Is this the best use of the bank’s finite resources? The risk assessment process can help institutions:

  • Identify aging technologies that slowly but steadily require additional manual intervention, which in turn costs the business growing amounts of opportunity cost
  • Prioritize technology transformation projects on a risk-aware basis
  • Understand how new and emerging technologies can create efficiencies in both first-line business and second-line risk

Keeping Pace: Changing Regulatory Environments

The regulatory landscape for banks continues to evolve rapidly. From the amended Small Business Lending (1071) rule to the executive order deemphasizing disparate impact to prudential regulatory reviews of potential debanking practices, there has been no shortage of regulatory changes in recent years. Banks generally have regulatory change management programs that assess the applicability of the change, identify affected areas of the institution, create or update processes to control the new or changed risk, and perform testing to ensure sustainable compliance.

Working alongside regulatory change management, there should be a compliance risk assessment determining the following:

  • Any new or updated inherent risks, including their impact and likelihood of occurrence
  • The feasibility of leveraging existing controls to mitigate new or amended risks
  • Control gaps
  • Target end-state residual risk

While it may be difficult, regularly updating a compliance risk assessment throughout the regulatory change management process presents numerous benefits. Using 1071 as an example, the industry has seen an initial notice of proposed rulemaking and final rule, extended compliance dates, the revocation of the original final rule, a new final rule, and further updated compliance dates. Additionally, various legal challenges and judicial decisions affected the 1071 rulemaking during this time period. The regulatory change management process was working overtime throughout the lifecycle of 1071. The compliance risk assessment, meanwhile, could have been used in several ways to prepare banks for the forthcoming rule. For example, 1071 will require data collection of certain loan and borrower attributes, similar to the Home Mortgage Disclosure Act (HMDA). Risk assessors should take a moment and contemplate: Do we mitigate HMDA risk appropriately? Do we have experience with similar data collection through HMDA or the Community Reinvestment Act (CRA) small business/small farm data? If these are known pain points for an institution, they should be evident in the risk assessment and prompt a compliance professional to pay heightened attention to 1071. Where gaps or inefficiencies exist in similar processes, the compliance risk assessment can serve as a “crystal ball” as institutions navigate rules that will require similar processes.

In times of heightened regulatory change, regardless of whether the wind is blowing towards more or less regulation, risk assessments become even more valuable. The intrinsic value of the risk assessment, as stated throughout this article, lies in the ability to fully understand how the bank identifies and mitigates risks and where it is falling short. Boards and management operate from their best footing when armed with knowledge. In the industry’s flurry of regulatory change, a “fog of war” of sorts descends on decision-makers, making it increasingly difficult to discern risk exposures in business opportunities. In these circumstances, a risk assessment serves as a guiding light for the Board and management. It provides information in clear, calculable ways that can translate the thrum of constant regulatory change into actionable intelligence, serving as the benchmark for strong business decisions.

Conclusion

Executed with foresight and vision, a risk assessment is more than a tool for measuring risk. It becomes a navigable map charting a course from the present to the future, with inputs and outputs identifying roadblocks and optimal routes. Perhaps the greatest source of institutional knowledge, risk assessments have endless uses beyond qualitative and quantitative representations of risks and controls. Effectively managed, they also offer insights into longstanding processes and technologies that have become institutions in and of themselves, but perhaps at the expense of technological innovation. They can measure risks arising from pending laws and regulations, providing the institution with valuable intelligence on which type of control will work best once the law is effective. In short, there isn’t much a risk assessment cannot do. It’s all a matter of how the institution wields the power that it contains.

About the authors

Ryan Labriola is a Director with Asurity Advisors. Ryan has expertise in military lending laws and regulations, including the Servicemembers Civil Relief Act and the Military Lending Act. He has advised financial institutions and non-bank lenders on SCRA and MLA compliance, and has participated in significant lookback and remediation engagements relating to servicemembers’ benefits and protections under federal and state law. Connect with him at rlabriola@asurity.com.

Melissa Ettel is a Manager with Asurity Advisors. She is an experienced advisory professional with over seven years of experience assisting clients in the financial services sector. Throughout her career, she has led and supported a diverse range of projects, including data quality reviews, regulatory compliance initiatives, business process optimization, and developing and performing risk assessments. Melissa is also known for her technical expertise, particularly in building advanced Excel tools that automate manual tasks, streamline workflows, and enable deep analysis of complex datasets. She is also highly skilled in regulatory compliance, data analysis, problem-solving, process improvement, and project management, ensuring successful project completion. Connect with Melissa at mettel@asurity.com.