Bank Risk Identification

Most banks can identify their risks.
Very few can prove it to a regulator.

A comprehensive, regulator-aligned methodology for bank risk identification — built from 20 years of doing it at the world's largest institutions.

Score Your Process Explore the Methodology
Rory Roberts, FRM — Former Global Head of Risk Identification

Built across 6 institutions

The Problem

Most banks have a risk register. Very few have a defensible risk identification process. The difference shows up when the regulator asks "how did you identify this?" and no one can answer.

Regulators keep finding the same gaps

ICAAP reviews, CCAR, SREP — supervisors consistently find incomplete risk identification, missing risk categories, and no documented methodology.

Risk registers that no one trusts

Static spreadsheets updated once a year, scored by people who weren't calibrated, with no confidence rating on the data underneath.

?

No one can explain how the process works

Ask three people in the risk function how risks are identified and you'll get three different answers. Or no answer at all.

The Evidence

179 Bank Failures. One Recurring Problem.

In every case, the risk was identifiable before the loss materialised. We studied every one and asked: what went wrong in the risk identification process?

Barings Bank (1995)

$1.3B loss

Nick Leeson held both trading and settlement authority. Internal audit flagged the segregation-of-duties violation. Management ignored it.

Risk ID Failure: Governance bypass

Northern Rock (2007)

£26B loss

75% wholesale-funded. No scenario tested what happens when securitisation markets close. The business model was the risk.

Risk ID Failure: Complacency

Wells Fargo (2016)

$3B loss

3.5 million fake accounts opened to meet cross-selling targets. Whistleblower complaints treated as HR, not risk.

Risk ID Failure: Cultural suppression

179
failures studied
10
failure modes
$2.3T
aggregate losses
6
decades
30+
countries

We studied every one. Then built a methodology to prevent the next.

Explore the Evidence

How We Can Help

Start by understanding your gaps, then get the tools to fix them — or bring us in to help.

Step 1
Score Your Process

27 questions. 10 minutes. Find out where your risk identification process is strong and where regulators will find weaknesses.

Free Self-Assessment
📦
Step 2
Get the Toolkit

The complete methodology: 16-chapter book, 30-tab Excel template pack, AI prompt library, and Copilot agent definition. Free.

Download Free
Step 3
Work With Us

Gap assessments, full implementation, and audit-readiness reviews. Expert guidance building or fixing your process.

Talk to Us

The Methodology

A Six-Phase Process Built on
ISO 31000, COSO ERM, and Real Regulatory Experience

1
Foundation Setting

External context (PESTLE), internal environment and risk culture assessment, risk criteria, risk appetite, building the starting universe.

2
Dual-Track Identification

Top-down SWIFT workshops and Delphi method. Bottom-up with 10 specialist sub-processes. Mandatory reconciliation and enterprise portfolio view.

3
Assessment & Prioritisation

Four-dimensional scoring. Multi-dimensional impact. Data quality ratings. Bow-tie analysis for critical risks. Cost-benefit with ALARP.

4
Documentation

Living risk inventory with full audit trail. One-page risk profiles for every material risk. KRIs with RAG thresholds.

5
Integration

Direct linkage to ICAAP/ILAAP/CCAR scenario design, strategic planning, Board reporting, and regulatory submissions.

6
Ongoing Cycle

Quarterly re-identification. Event-driven updates. Annual full re-identification. Internal audit assurance over the process itself.

Aligned to 16 regulatory frameworks

BCBS PRA SS31/15 Fed SR 15-18 OCC EBA ECB FCA ISO 31000 ISO 31010 COSO ERM AMLD6 DORA
Explore the Full Methodology

Who This Is For

Risk Identification Leads

You need a process that survives regulatory scrutiny. Not a theoretical framework — a practical methodology you can implement and defend.

CROs at Mid-Tier Banks

You don't have a team of 50. You need a framework that works with the team you have and meets the same regulatory standard as the global banks.

Fintechs & Challenger Banks

You're hiring your first risk person. Give them the blueprint so they don't have to build from scratch.

🔍
Risk Consultants

You advise banks and need a methodology to deliver. This gives you the complete framework, templates, and regulatory mapping.

Internal Auditors

You need to know what good looks like so you can assess whether your bank's process measures up.

Latest Insights

Methodology

Methodology

Why Most Banks Can't Identify Their Own Risks

The gap between having a risk register and having a risk identification process. And why the regulator sees the difference immediately.

Read more →
Regulatory

Regulatory

The One Thing Regulators Always Find Missing

Across PRA, EBA, and the Fed, the same finding appears in supervisory reviews year after year. Here's what it is and how to fix it.

Read more →
Case Study

Case Study

Your Risk Heatmap Is Lying to You

If you don't attach a data quality rating to every risk score, you're presenting false precision to the Board. Here's why it matters.

Read more →
View All Insights

How mature is your bank's risk identification process?

Take the free self-assessment and find out in 10 minutes.

Score Your Process