The Question That Ends Most Examinations Early
In 2023, I sat across the table from a PRA supervisor at a UK-regulated international banking group. She opened a thick examination file, looked up, and asked a single question: "Walk me through how your risk identification process satisfies SS31/15."
She was not asking what risks we had identified. Every bank can produce a risk register. She was asking whether the process that produced those identifications could be traced — requirement by requirement — to the specific provisions of the regulatory framework under which the institution was supervised.[1]
That question, or a version of it, is the one that separates institutions that have a risk identification process from those that merely have a risk identification output. In every regulatory examination I have sat through — PRA, FINMA, the Fed, the EBA — the conversation follows the same pattern. And in most cases, the institution cannot answer it.
The Problem: Output Without Process
Most banks have invested heavily in the downstream machinery of risk management. Credit risk modelling teams with dozens of quants. Market risk systems running millions of simulations daily. Operational risk databases cataloguing loss events with forensic precision. Capital calculation engines. Reporting frameworks. Stress testing programmes consuming thousands of person-hours per year.
But the question that precedes all of this — what are the risks? — is typically addressed in a two-day workshop once a year, facilitated by someone who has never been trained in structured elicitation techniques, using brainstorming that produces groupthink rather than genuine risk intelligence. The output is a spreadsheet. The spreadsheet becomes the risk register. The risk register is updated annually, which in practice means someone changes the date and adjusts a few scores.
Banks have invested billions in measuring and managing risks, but almost nothing in finding them in the first place. It is as if a hospital had the world's best surgeons and diagnostic equipment but no process for examining patients. The treatments are excellent. The diagnosis is guesswork.
The regulator sees this immediately. Not because supervisors are unusually perceptive, but because they have a checklist. ISO 31000 Principle e requires identification to be systematic, structured, and timely.[2] BCBS Principle 7 requires risks to be identified on an ongoing, bank-wide basis.[3] Fed SR 15-18 requires quarterly re-identification feeding directly into capital planning.[4] When the supervisor compares these requirements against the institution's actual practice — an annual workshop with no documented methodology, no standards traceability, no reconciliation between top-down and bottom-up views — the gap is obvious. The register exists. The process does not.
The Evidence: Same Finding, Every Jurisdiction
What the frameworks actually require
The regulatory landscape for risk identification is not a single framework. It is sixteen distinct frameworks across multiple jurisdictions, each imposing specific requirements on how risks must be identified.
BCBS Principle 7 uses four operative words that do significant work: "ongoing" means not annual — it requires continuous or at minimum quarterly identification. "Bank-wide" means consolidated, across every legal entity. "Individual entity basis" means the enterprise view does not excuse the absence of entity-level identification. And "identified" is listed first, before monitoring and controlling, because identification is the prerequisite for everything that follows.[3]
PRA SS31/15 treats stress testing as a primary method of risk identification, not merely a capital calculation tool. And the consequences for deficiency are concrete: the PRA can impose Pillar 2A capital add-ons with scalars up to 40% of the Pillar 2A requirement for firms whose risk identification is assessed as inadequate.[1] This is not a theoretical penalty. Institutions I have worked with have received supervisory feedback citing specific gaps — risks that should have been in the inventory but were not, enterprise-level concentration risks identified at entity level but not aggregated.
Fed SR 15-18 transforms risk identification from a periodic exercise into a continuous discipline with direct capital consequences. The Material Risk Inventory is the centrepiece: for every risk in the inventory, the bank must map it to the stress test. Is it captured in the scenario? Is it captured in the P&L model? Or does it require a separate capital add-on? A bank that fails this test faces a CCAR qualitative objection, which blocks share buybacks and dividend increases. For a publicly traded US bank, that is a market event.[4]
OCC Heightened Standards require a dual identification system: front-line units must assess material risks in their own activities, while Independent Risk Management must identify and assess material aggregate risks independently. If their assessments diverge, the divergence must be reported.[5] This is structurally equivalent to top-down/bottom-up reconciliation — and most banks do not do it.
EBA Internal Governance Guidelines require a holistic view that aggregates across legal entities and risk types to identify cross-cutting themes. They also place a specific duty on the risk management function to detect instances where the business has taken risk outside agreed appetite.[6]
The pattern is clear. Every major regulator requires a documented, repeatable identification methodology. Not a register. Not scores. A process.
What happens when the process is missing
The consequences are not abstract. They are written in the loss databases.
At HBOS, Paul Moore — Group Head of Regulatory Risk — identified concentration risk in the corporate banking division. He documented it. He escalated it to the Board. The Board's response was to remove the person who had identified it. Three years later, HBOS collapsed with losses exceeding GBP 10 billion.[7] The risk was identified. What failed was the governance around the identification process — the escalation path was blocked, the Board received filtered information, and the cultural incentive to suppress uncomfortable findings overwhelmed the structural obligation to act on them.
At Wells Fargo, front-line employees knew that aggressive cross-selling targets were driving fraudulent account openings. Many raised complaints. But the governance structure treated these as HR matters — employee dissatisfaction — rather than risk signals. The result: 3.5 million potentially unauthorised accounts and a $3 billion DOJ settlement. The Federal Reserve imposed an asset-growth restriction that lasted seven years.[8]
At AIB's Baltimore subsidiary, Allfirst, John Rusnak concealed $691 million in losses through fictitious option trades. The failure was not that operational risk was unrecognised as a category. It was that there was no standardised bottom-up process requiring the subsidiary to complete the same risk assessment template, using the same taxonomy and scoring methodology, as every other business unit in the group. Geographic separation became risk invisibility.
In every case, the regulator did not penalise the crystallisation of risk — risk is inherent in banking. The regulator penalised the failure to identify it.
The compliance theatre problem
There is a failure mode that is subtler than having no process at all: having a process that produces the appearance of identification without the substance.
In early 2017, several months into a role building risk identification at a European G-SIB, I received the first round of bottom-up risk assessments from business units. I opened the first submission — a major trading division — and compared it against the prior year. It was identical. Not similar. Identical. Same risks. Same order. Same scores. Same control descriptions. Same owner names — one of whom had left the firm six months earlier. The dates had been updated. Nothing else had.
Of the twelve submissions I reviewed that day, nine were either unchanged from the prior year or contained only cosmetic updates. This is compliance theatre. The process runs. The templates get filled. The deadlines get met. And the output tells the institution nothing it did not already know.
A bottom-up process that produces compliance theatre is worse than no process at all, because it creates a documented record suggesting that identification has occurred when it has not. The institution believes it has a comprehensive risk inventory. It does not. It has last year's inventory with this year's date.
What Good Looks Like
The methodology that survives regulatory scrutiny is not more complex than what most banks currently do. It is more deliberate. It is built on four pillars.
First, standards traceability. Every phase of the identification process maps to specific provisions of specific frameworks — ISO 31000, ISO 31010, COSO ERM, and the applicable banking regulations. When the supervisor asks what standards the process is built on, you do not need to construct an answer. You open the regulatory mapping appendix.[2] At a European G-SIB in 2016, when I built the risk identification process, one of the first design decisions was that every key feature of the methodology had to trace back to a specific regulatory requirement. Not because the standards would tell me how to identify risks in a global investment bank — they would not — but because every regulator with jurisdiction over the bank would assess our process against them.
Second, four identification frequencies. Annual full re-identification from scratch, not rolled forward. Quarterly re-identification consistent with Fed SR 15-18 — active re-identification, not just re-assessment of existing scores. Monthly KRI monitoring with defined thresholds and escalation triggers. And event-driven updates outside any regular cycle, triggered by material changes in the internal or external environment. An annual cycle is not governance. It is a filing exercise.
Third, dual-track identification with reconciliation. Top-down workshops using structured techniques like SWIFT (the Structured What-If Technique) and Delphi. Bottom-up assessments across every business unit using a standardised template and common taxonomy. And mandatory reconciliation between the two — putting the lists side by side, finding the gaps, and investigating every one. The risks that appear in only one list are the risks most likely to materialise unmanaged. Most banks do top-down or bottom-up. Almost none iterate between them.
Fourth, named ownership and governance. Every risk in the inventory has one named owner. Not a committee. Not a function. One person. Seven specific roles must be defined: Board Risk Committee, CRO, Risk Identification Lead, Business Unit Heads, Risk Assessors, Risk Owners, and Front-Line Employees. Ambiguity in role definition is one of the most common governance failures in risk identification. When everyone is responsible, no one is accountable.
The risk identification template pack in the EON methodology toolkit includes the regulatory traceability matrix, the standardised bottom-up assessment template, and the reconciliation framework — specifically designed to close these gaps.
What To Do Monday Morning
- Ask yourself the regulator's question. Sit down with your risk identification documentation and try to answer it: "Walk me through how this process satisfies [your primary regulator's framework]." If you cannot trace each phase of your process to specific regulatory provisions, you have your first gap. Map every applicable framework — BCBS, PRA, Fed, EBA — to each phase of your current process. The empty cells in that matrix are your exposure.
- Check your identification frequency. If you identify risks once a year and re-assess quarterly, you are going nine months at a time without looking for risks that are not already on the register. Fed SR 15-18 expects quarterly re-identification, not just re-assessment. Introduce a lightweight quarterly scanning process — it does not need to be the full annual exercise, but it must actively ask: what is new?
- Pull last year's bottom-up submissions and compare them to this year's. If more than half are substantially unchanged, you have a compliance theatre problem. Introduce a requirement that every business unit must identify at least three new or materially changed risks each cycle. Not because three is a magic number, but because an honest assessment will always find something new. If it does not, the assessor has not looked.
- Check whether you reconcile top-down and bottom-up. If your top-down material risk inventory and your bottom-up risk register exist as separate documents with no documented analysis of the gaps between them, start the reconciliation. Every risk that appears in one view but not the other needs investigation.
- Name one person as Risk Identification Lead. Not the CRO. Not a committee. A named individual whose job is to own the identification process end to end — methodology, governance, quality assurance, and regulatory traceability. If no one owns it, it does not get done.[9]