Financial institutions should maintain a risk assessment process that drives technology selection and controls implementation. The risk assessment process should incorporate specific assessments conducted for functional responsibilities such as security, business continuity, and vendor management. Risk assessment involves four critical steps:
Operational IT planning should identify and assess risk exposure to ensure policies, procedures, and controls remain effective. Information security risk assessments are required under the GLBA. Federally insured credit unions must comply with 12 CFR 748. Appendix A of 12 CFR 748 contains guidelines specifically relating to information security risk assessments to assist credit unions in complying with the requirements of 12 CFR 748. The assessments should identify the location of all confidential customer and corporate information, any foreseeable internal and external threats to the information, the likelihood of the threats, and the sufficiency of policies and procedures to mitigate the threats. Management needs to consider the results of these assessments when overseeing IT operations.
GLBA risk assessments should cover all IT risk management functions, including security, outsourcing, and business continuity. Senior management should ensure that IT-related risk identification and assessment efforts at the enterprise-wide level are coordinated and consistent throughout the organization. A strong, high-level risk assessment process provides the foundation for more detailed assessments within the functional risk management areas. An effective IT risk assessment process will improve policy and internal control decisions across the organization.
Senior management can use risk assessment data to make informed risk management decisions based on a full understanding of the operational risks. Small institutions with less complex systems may have a more simplified risk assessment process. Regardless of the complexity, the process should be formal and should adapt to changes in the IT environment. Examiners should measure the effectiveness of the process by evaluating management's understanding and awareness of risk, the adequacy of formal risk assessments, and the effectiveness of the resulting policies and internal controls.
Understanding the institution's environment is the first step in any risk assessment process. Senior management should incorporate information on IT issues such as resource limitations, threats, priorities, and key controls from several sources. In developing a formal risk assessment, management should collect and compile information regarding the organization's information technology environment from several locations including:
Management should use the data collected on IT assets and risks to analyze the potential impact of the risks on the institution. The analysis should identify various events or threats that could negatively affect the institution strategically or operationally. Management should evaluate the likelihood of various events and rank the possible impact. Some examples of events that could affect the institution include the following:
Once the institution has identified the universe of risks, management should estimate the probability of occurrence as well as the financial, reputation, or other impact to the organization. Organizational impacts are highly variable and not always easy to quantify, but include such considerations as lost revenue, flawed business decisions, data recovery and reconstruction expense, costs of litigation and potential judgments, loss of market share, and increases to premiums or denials of insurance coverage. Typically, risk analysis ranks the results based on the relationship between cost and probability.
Once management understands the institution's technology environment and analyzes the risk, it should rank the risks and prioritize its response. The probability of occurrence and the magnitude of impact provide the foundation for reducing risk exposures or establishing mitigating controls for safe, sound, and efficient IT operations appropriate to the complexity of the organization. The overall risk assessment results should be a major factor in decision making in most IT management responsibility areas including:
Management and the board should monitor risk mitigation activities to ensure identified objectives are complete or in process. Monitoring should be ongoing, and departments should provide progress reports to management on a periodic basis. Ongoing monitoring further ensures that the risk assessment process is continuous instead of a one-time or annual event. Key elements of an effective monitoring program include: