Risk assessments, controls, templates

Question: 
When you look at risk assessment templates, do you typically see inherent risk with granular controls for each? Or in the alternative are you seeing a shift to stating the inherent risk with an overall residual risk statement, and less granular controls narrative?
Answer: 

Oh, the dreaded answer of "It Depends." I believe the answer lies in how you are approaching your risk assessment topics from the outset. If your breakdown of risk areas is itself granular enough, you do not need to describe controls with exorbitant detail.

For example, something like "Privacy" could be managed with an overall residual risk statement and less granular control descriptions. However, a very complex topic cannot. If you have a single risk assessment for, say, "Reg Z", your overall risk view is going to be extremely broad, so the controls narrative would have to be extremely granular. This approach is not effective, as inevitably some area is going to be missed or inadequately mitigated. (Been there, done that.) It is far better to break it into subparts (such as open end credit, TRID, ATR, credit cards, private ed loans, HPML, HCML, Mortgage Statements, etc. etc. etc.) and express the risks (inherent and residual) of each area. With this approach, a granular controls narrative is not really needed, as you are identifying and measuring risks more appropriately from the outset, with the result that the mitigation of residual risks can be addressed more briefly.

First published on 08/06/2023