When risk controls fail
During December 2018, I experienced a scenario that could trigger a debate on what happens when risk controls fail
One of the critical skills needed by a bank teller is the ability to recognise potential risks related to cash transactions, as well as the ability to utilise the controls that are in place to mitigate these risks.
The scenario I experienced involved a cash transaction. After all my details were verified at the information desk, I was issued a bank cheque, which I filled in and submitted to the teller for processing. The teller followed the routine operational procedure of requesting authorisation from the line manager.
However, when the teller issued the cash, I was given ten times the amount written on the cheque.
A quick examination showed that there was “a lack of verification of the amount on the cheque before the cash was issued”. There could have been underlying causes that one could consider during an investigation.
It is clear that despite the rigorous operational risk controls in a banking environment, some of these controls do fail. Line management and supervisors have to constantly assess the risk exposure while performing critical activities. The same is expected of the frontline personnel. Although risk controls are developed to mitigate this exposure, some of them do fail.
Risk mitigation requires different strategies such as avoiding, accepting and transferring the risk. In the context of the banking environment, it is not possible for the bank teller to avoid issuing cash. Despite the potential consequences that almost manifested in in my case, banks are required to perform the crucial task of issuing cash.
It is important to pay attention to how controls are designed and implemented. For example, preventative controls should be applied frequently to detect the likelihood of inaccuracies occurring.
Management should also recognise that there are potential risks that could manifest even when risk-mitigation strategies are in place.
During my interaction with the bank teller, I noticed a lack of alertness caused by fatigue. What I did not mention earlier is that this all happened during the festive season!
This leads us to the risk register. Let us assume that the supervisor in the bank is the risk owner and the bank teller the risk-control owner. Hence, as the risk owner, the supervisor should at that point remember to update the risk register to ensure that risk-mitigation processes are appropriate to control incidents such as the one that occurred when I was in the bank.
A culture of constructive feedback is encouraged to communicate lessons learned and potential impacts when risk controls fail.
This scenario reminds us that, even if we have all the ideal risk controls in place, the moment of truth is when these controls are tested. As a customer, I had the task of testing the controls that should not have been overlooked by the bank teller.
Furthermore, risk-control failures tend to originate from those routine tasks where they may sometimes be overlooked.
My conclusion in this case was that risk controls had failed and the obligation was now on me to avert the undesired consequences.