Defining a risk is less straightforward than you may think. The following examples illustrate some of the common inaccuracies that occur in risk identification exercises.
Technology is not a risk; it's a resource. All firms rely on technology, and risks linked to technology are best defined as potential incidents and accidents due to failures, such as systems interruption, model error, wrong pricing calculation, overcapacity and application crashes.
Manual processing is also not a risk; it's a cause or a risk driver. It increases the probability of another risk occurring, such as input errors and omissions. Risks due to manual processing may include errors in the valuation of funds, errors in accounting records, omitting to send reports to clients, etc.
Compliance and regulatory change is a priority for every regulated financial entity. It's an obligation and a constraint, but once again, not a risk in itself. Rather, it brings risks such as compliance breach, mostly through oversight due to the sheer number and complexity of regulations that must be followed. However, it can also be deliberate, perhaps temporarily when adjusting to new regulatory requirements.
Inadequate supervision or insufficient training are also commonly cited as risk factors, but they are not risks per se; they are control failures. The answer to a control failure is simple: fix the control. Or add a secondary control. If that sounds all too familiar, ...