Today You Always Have To Update
Life used to be so much simpler. Whoever heard of updating in those childhood years of decades ago. You simply replaced whatever when it no longer worked or the cost of repair made no economic sense. Even new technology was not readily embraced. It was only the result of the color broadcasting of a popular TV show that brought people to have a desire to even buy a color set in the early days of color TV.
Today almost no repair makes economic sense or is even possible (see where you can find a TV repair man these days) and constant updating is needed on things retained even for a short time before their functional obsolescence - your GPS, computer protection software, etc. Be it our work life or our personal life, there is a constant change management effort we must constantly deploy.
Risk assessments are a case in point. To be useful they must constantly be updated to be considered useful due to changes in technology, product delivery methodology, and compliance expectations. Consider for example, BSA. FinCEN now ties in updating and maintaining customer information right to your Customer Due Diligence Program and Beneficial Ownership ties right to that. So here is another point to consider in your BSA risk assessment.
We used to not think that much about PEPs in the average community bank, but now domestic PEPS are becoming an examination finding, and yes, we all have them, case in point, our local, county, and state elected officials with the campaign accounts.
System validation checks are another example - the verification that the automated OFAC and 314a system checks are actually working. This example ties right in to your quality of BSA risk internal controls.
How about your CIP disclosure as related to your new accounts another BSA program risk factor. How do you rate your providing of this disclosure relative to your vendor credit card program offerings, online account product offerings, and indirect lending?
SARs are another case in point on the BSA risk assessment. How well is your bank doing on the SAR reporting? No matter the bank, if you are not seeing SAR reporting for elder abuse, you are not looking. There is the age old example of the customer telling the loan officer "oh that is only my income for tax purposes, my real income is ..." again, a SAR matter. Of course, SAR reporting ties to your BSA risk assessment.
Be it BSA or any other risk assessment, it is important to constantly update that risk assessment to ensure its usefulness. So you need to devote the time to and easily be able to update that risk assessment. It may even be time to dump that old "Black and white" TV risk assessment and buy a "color" automated risk assessment.
Regardless, of one thing you can always be sure, today you always have to update or that "old GPS map" risk assessment may just get you lost come your next BSA or other regulatory exam.