Melissa Sutherland, EverC VP and thought leader, recently joined FINTRAIL CEO Rob Evans and Managing Director Maya Braine to explore how organizations can get the most out of their risk assessments.
Risk assessments may seem tedious, but they must be conducted regularly so organizations can shift the appropriate resources to the threats that are most likely to occur and that would have the biggest impact on their business if they did. This is the foundation for adopting a risk-based approach to mitigating risk in the payments industry — and beyond.
Why is a risk-based approach necessary?
Not only do regulators expect organizations to take a risk-based approach, it’s the most effective way to manage risk. That’s because it identifies where organizations need to prioritize their resources at any given time. It’s much like triage in a hospital emergency room.
Braine describes the risk-based approach as “identifying the risks that you potentially face and then assessing them – working out which ones are more likely to occur, choosing which ones are more relevant risks for your business. Then as a result of those two things, work out where you’re then going to apply more resources.”
These steps are crucial because the threats are many, and compliance resources are limited. Allocating resources away from low-priority areas to threats that are the most imminent and likely to have the largest impact on business can help organizations mitigate risk in a way that is more efficient and effective.
Better data drives better risk decisions
Consistent data is vital to making good risk mitigation decisions in a risk assessment, and enables teams to justify those decisions to leadership and possibly regulatory authorities. Data findings should also be aligned with the organization’s risk tolerance, as well as industry trends, global events, and other key priorities.
“You do need to be a little sensible about how broad you go in the data points and categorization that you utilize, and you need some consistency…especially if you’re looking at benchmarking evolution of risk events, let’s say in the payments industry,” Evans explained. “You need to use relatively consistent data points for a period of time to enable you to form that valuation and justify some of the decisions that you make.”
While some organizations are hesitant to pull resources from low-risk areas to focus on more relevant threats, having clean, consistent data can help support the need to do so.
Proper risk assessment can help a payment provider better maintain regulatory compliance — and organizations should also be encouraged to rethink how they approach that goal. As Sutherland explains, “A regulator is not out to get us. A regulator is here to stress test us to make sure that the worst case scenario doesn’t happen to us.”
We at EverC would like to thank FINTRAIL for welcoming us to this discussion, and we look forward to more great conversations together!