Booklet: Management
Section: IT Risk Management Process
Subsection: Risk Identification and Assessment

Action Summary

Operational IT planning should identify and assess risk exposure to ensure policies,
procedures, and controls remain effective. Information security risk assessments
are required under the GLBA.
The assessments should identify the location of all confidential customer
and corporate information, any foreseeable internal and external threats
to the information, the likelihood of the threats, and the sufficiency
of policies and procedures to mitigate the threats. Management needs to
consider the results of these assessments when overseeing IT operations.
GLBA risk assessments should cover all IT risk management functions including
security, outsourcing, and business continuity. Senior management should
ensure IT-related risk identification and assessment efforts at the enterprise-wide
level are coordinated and consistent throughout the organization. A strong,
high-level, risk assessment process provides the foundation for more detailed
assessments within the functional risk management areas. An effective
IT risk assessment process will improve policy and internal controls decisions
across the organization.
Senior management can use risk assessment data to make informed risk management
decisions based on a full understanding of the operational risks. Small
institutions with less complex systems may have a more simplified risk
assessment process. Regardless of the complexity, the process should be
formal and should adapt to changes in the IT environment. Examiners should
measure the effectiveness of the process by evaluating management’s
understanding and awareness of risk, the adequacy of formal risk assessments,
and the effectiveness of the resulting policies and internal controls.
Ongoing Data Collection
Understanding the institution's environment is the first step in any risk
assessment process. Senior management should incorporate information on
IT issues such as resource limitations, threats, priorities, and key controls
from several sources. In developing a formal risk assessment, management
should collect and compile information regarding the organization’s
information technology environment from several locations including:
- IT systems inventories are critical to understanding and monitoring the tactical operations of the institution’s information technology, as well as to identifying the access and storage points for confidential customer and corporate information.
- IT strategic plans provide insight into the organization’s planning process. Review and analysis of the strategic plans as part of the risk assessment process may spotlight developing risk exposures or other deficiencies that limit the institution’s ability to implement strategic priorities.
- Business recovery and continuity plans prioritize the availability of various business lines to the institution and often encompass restoration and provision of control, customer service, and support. The plans can offer insight into the organization’s critical operating systems and the control environment.
- Due diligence and monitoring of service providers can present valuable information on the servicer control environment. This information is necessary for a complete risk assessment of the institution’s information technology environment.
- Call center issue tracking reports can often indicate potential performance or control issues if the problem reports are aggregated and analyzed for repetitive or common issues.
- Department self-assessments on IT-related controls can provide early identification of policy noncompliance or weaknesses in controls.
- IT audit findings provide insight into the veracity and responsiveness of the institution’s staff and management, and their commitment to policy compliance and internal controls.
Risk Analysis
Management should use the data collected on IT assets and risks to analyze
the potential impact of the risks on the institution. The analysis should
identify various events or threats that could negatively affect the institution
strategically or operationally. Management should evaluate the likelihood
of various events and rank the possible impact. Some examples of events
that could affect the institution include the following:
- Security breaches - Security breaches that can affect the institution include external and internal security breaches, programming fraud, computer viruses, or denial of service attacks.
- System failures - Common causes of system failures include network failure, interdependency risk, interface failure, hardware failure, software failure, or internal telecommunication failure.
- External events - Institutions are also exposed to external threats including weather-related events, earthquakes, terrorism, cyber attacks, cut utility lines, or widespread power outages that bring about system or facility failures.
- Technology investment mistakes - Mistakes in technology investment, including strategic platform or supplier risk, inappropriate definition of business requirements, incompatibility with existing systems, or obsolescence of software, may constrain profitability or growth.
- Systems development and implementation problems - Common system development and implementation problems include inadequate project management, cost/time overruns, programming errors (internal/external), failure to integrate and/or migrate successfully from existing systems, or failure of the system to meet business requirements.
- Capacity shortages - Shortages in capacity result from a lack of adequate capacity planning, including the lack of accurate forecasts of growth.
Once the institution has identified the universe of risks, management
should estimate the probability of occurrence as well as the financial,
reputation, or other impact to the organization. Organizational impacts
are highly variable and not always easy to quantify, but include such
considerations as lost revenue, flawed business decisions, data recovery
and reconstruction expense, costs of litigation and potential judgments,
loss of market share, and increases to premiums or denials of insurance
coverage. Typically, risk analysis ranks the results based on the relationship
between cost and probability.
Prioritization
Once management understands the institution's technology environment and
analyzes the risk, it should rank the risks and prioritize its response.
The probability of occurrence and the magnitude of impact provide the
foundation for reducing risk exposures or establishing mitigating controls
for safe, sound, and efficient IT operations appropriate to the complexity
of the organization. The overall risk assessment results should be a major
factor in decision making in most IT management responsibility areas including:
- Technology budgeting, investment, and deployment decisions;
- Contingency planning;
- Policies and procedures;
- Internal controls;
- Staffing and expertise;
- Insurance;
- IT performance benchmarks;
- Service levels for internal and outsourced IT services; and
- Policy enforcement and compliance.
Monitoring
Management and the board should monitor risk mitigation activities to
ensure identified objectives are complete or in process. Monitoring should
be ongoing, and departments should provide progress reports to management
on a periodic basis. Ongoing monitoring further ensures that the risk
assessment process is continuous instead of a one-time or annual event.
Key elements of an effective monitoring program include:
- Mitigation or corrective action plans;
- Clear assignment of responsibilities and accountability; and
- Management reporting.