Booklet: Operations
Section: Risk Assessment

Action Summary

IT operations comprise the framework of service and product delivery to internal and external customers and are intrinsic to much of the risk management undertaken by the institution. For these reasons, management should not limit the risk assessment process to risks associated with specific platforms, their operating systems, resident applications and utilities, the connecting network, associated human processes, and the control environment. Management should also consider the interdependencies between these elements. Threats and vulnerabilities have the potential to quickly compromise interconnected and interdependent systems and processes.

The environmental survey and technology inventory provide the foundation for the risk identification and assessment processes. Once the survey and inventory are complete, management can employ a variety of techniques to identify and assess risks, including performing self-assessments, incorporating concerns identified in internal and external audits, reviewing business impact analyses prepared for contingency planning, assessing the findings of vulnerability assessments conducted for information security purposes, and understanding the concerns identified by insurance underwriters for establishing premiums. In risk identification and assessment, management should emphasize events or activities that could disrupt operations, negatively affect earnings or reputation, or that might be categorized in the following general areas:
- Technology investment mistakes including improper implementation, failure of a supplier, inappropriate definition of business requirements, incompatibility with existing systems, or obsolescence of software (including loss of hardware or software support);
- Systems development and implementation problems including inadequate project management, cost and time overruns, programming errors, failure to integrate or migrate from existing systems, or failure of a system to meet business requirements;
- Systems capacity including lack of capacity planning, insufficient capacity for systems resiliency, or software inadequate to accommodate growth;
- Systems failures including interdependency risk, or network, interface, hardware, software, or internal telecommunications failure; and
- Systems security breaches including external or internal security breaches, programming fraud, or computer viruses.
The individual risk assessment factors management should consider are numerous and varied. The combination of factors used should be appropriate to the size, scale, complexity, and nature of the institution and its activities. These factors include:
- Importance and business criticality;
- Extent of system or process change;
- Source of system access (internal or external, including Internet, dial-up, or WAN);
- Source of application (commercial off the shelf (COTS), in-house developed, combination of these two, etc.);
- Scope and criticality of systems or number of business units affected;
- Sophistication of processing type (batch, real-time, client/server, parallel distributed);
- Transaction volume and dollar value of transactions;
- Classification or sensitivity of data processed or used;
- Impact to data (read, download, upload, update or alter);
- Experience level and capability of functional area management;
- Number of staff members and staff stability;
- Number of users and customers;
- Changes in the legal, regulatory, or compliance environments;
- Presence of new or emerging risks from developing technology or technology obsolescence; and
- Presence of audit or control self-assessment weaknesses.
PRIORITIZING RISK MITIGATION EFFORTS

Once an institution identifies and analyzes the universe of risks, management should prioritize risk mitigation actions based on the probability of occurrence and the financial, reputational or legal impact to the institution. Organizational impacts are variable and not always easy to quantify, but include such considerations as lost revenue, loss of market share, increased cost of insurance premiums, litigation and adverse judgment costs, and data recovery and reconstruction expense. Management should prioritize the risk assessment results based on the business importance of the associated systems. The probability of occurrence and magnitude of impact provide the foundation for establishing or expanding controls for safe, sound, and efficient operations appropriate to the risk tolerance of the institution.