Operations Booklet: Risk Assessment
Management should analyze the survey of the IT operations environment and the inventory of technology resources to identify threats and vulnerabilities to IT operations. The assessment process should identify:
To the extent possible, the assessment process should quantify the probability of a threat or vulnerability and the financial consequences of such an event.
IT operations comprise the framework of service and product delivery to internal and external customers and are intrinsic to much of the risk management undertaken by the institution. For these reasons, management should not limit the risk assessment process to risks associated with specific platforms, their operating systems, resident applications and utilities, the connecting network, associated human processes, and the control environment. Management should also consider the interdependencies between these elements. Threats and vulnerabilities have the potential to quickly compromise interconnected and interdependent systems and processes.
The environmental survey and technology inventory provide the foundation for the risk identification and assessment processes. Once the survey and inventory are complete, management can employ a variety of techniques to identify and assess risks, including performing self-assessments, incorporating concerns identified in internal and external audits, reviewing business impact analyses prepared for contingency planning, assessing the findings of vulnerability assessments conducted for information security purposes, and understanding the concerns identified by insurance underwriters for establishing premiums. In risk identification and assessment, management should emphasize events or activities that could disrupt operations, negatively affect earnings or reputation, or that might be categorized in the following general areas:
The individual risk assessment factors management should consider are numerous and varied. The combination of factors used should be appropriate to the size, scale, complexity, and nature of the institution and its activities. These factors include: