A financial institution should ensure an adequate risk management structure exists within the organization. Some institutions have a separate risk management department that is responsible for overseeing the areas of information security, business continuity planning, audit, insurance and compliance. Regardless of the particular structure used, the institution should ensure that lines of authority are established for enforcing and monitoring controls. These risk management functions should play a key role in measuring, monitoring, and controlling risk.
The board is responsible for overseeing and approving the development, implementation, and maintenance of a comprehensive, written information security program, as required by the Gramm-Leach-Bliley Act (GLBA). GLBA is discussed in more detail on page 30 of this booklet. The information security program should include appropriate administrative, technical, and physical safeguards based on the size, complexity, nature, and scope of the institution's operations. The board may delegate information security monitoring to an independent audit function and information security management to an independent information security officer. Ideally, the institution should separate information security program management and monitoring from the daily security duties required in IT operations. The senior information security officer should be an organization-wide risk manager rather than a production resource devoted to IT operations. To ensure independence, the information security officer should report directly to the board or senior management rather than through the IT department. The IT department needs personnel with daily responsibility for implementing the corporate security policy, but they should not have the ability to change policy and grant exceptions. The IT Handbook's "Information Security Booklet" has additional information on this topic.
Similar to information security, business continuity planning should be a corporate-wide strategy. Business continuity planners should assess business continuity across all lines of business. The business continuity function often resides in the risk management organizational structure. The IT department should have personnel responsible for developing and maintaining the department's business continuity plans. The IT Handbook's "Business Continuity Planning Booklet" has additional information on this topic.
Senior management and the board should ensure cooperation between management and IT audit. They should also ensure timely and accurate response to audit concerns and exceptions. The IT audit area should report directly to the board of directors or a designated committee of the board composed of outside directors. The board is responsible for overseeing the audit department's performance and compensation. Audit's key role is to review risk within each of the departments. Audit should verify that management has implemented effective control processes. Audit should have no role in implementing controls and should not have primary responsibility for enforcing policy.
Management should have processes in place to monitor and enforce policy compliance. Audit should verify those processes function effectively and report to the board. The board, in turn, should ensure auditors have the necessary expertise and that audit coverage is adequate, timely, and independent. IT audit coverage should include system development and acquisition projects. See the IT Handbook's "Audit Booklet" for additional discussion of this topic.
Senior management should ensure the involvement of regulatory compliance staff whenever a new system or application affects compliance with regulations. New implementations or application changes can cause noncompliance through inaccurate interest rate calculations, inadequate or inaccurate disclosures, weak security controls over the storage or transmission of customer information, and poor customer verification procedures. The compliance function should review any new system or significant change for regulatory compliance.