Conducting An Information Technology Risk Assessment
Answer by Trent Fleming and Jimmy Sawyers, BOL Gurus

Question: I would welcome any suggestions regarding how to conduct an information technology risk assessment.

Answer by Trent Fleming:

There are a number of regulatory bulletins and privately produced guides for this.

Basically, you want to identify all operational systems, and their inputs and outputs. Then, take a look at your exposure to loss, unauthorized access, excessive downtime, etc.

Then, begin to assess the risk to your bank's operations if one or more of your considered risk scenarios plays out.

Answer by Jimmy Sawyers:

Measuring IT risk calls for different approaches based on the situation. You can take a qualitative or quantitative approach. For example, if you are referring to performing the risk assessment for the GLBA, you could take a qualitative approach and write a narrative of the assessment, assigning risk categories (e.g., high, medium, low) to each area. Or, you could take a quantitative approach, assigning values based on: 1. The Threat Likelihood/Probability of Occurrence, and 2. The Magnitude of Impact. These values can be multiplied to obtain a risk ranking.

Each individual area can then be categorized into a risk summary. Then, you can identify which risk areas you plan to mitigate through your Risk Mitigation Action Plan. This also serves as an excellent tool for board reporting and monitoring the plan’s progress.

We prefer the quantitative approach because you can establish very granular ratings for baselines and benchmarks, plus you can more easily involve several people in the exercise, gaining a consensus and avoiding one person setting the institution’s overall risk management program.

Another approach to IT risk assessment involves considering the bank’s complete IT environment and related sections to be included in the risk assessment. This approach allows a more comprehensive, yet general view of IT risk.

A Significance Ranking can be assigned (i.e., How significant is this area as it relates to the bank's overall IT environment? Consider recent developments within the industry, regulatory issuances and the importance of this area to the bank). Then, you can assign a second value, a Risk Factor, measuring the related risk in this particular bank. The two values can be multiplied to ascertain the Risk Rating for this item.

We cover both of these practical approaches to measuring IT-related risk in our book, IT Auditing for Financial Institutions, available in the BankersOnline Banker Store.
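A worked example of the quantitative approach described in the answer above, added here and not part of the original answer or the authors' book: several assessors' likelihood and impact ratings (constructed sample data on a 1-5 scale) are averaged to a consensus, multiplied into a risk ranking, bucketed into high/medium/low (the thresholds are assumed) and sorted into a risk summary from which the Risk Mitigation Action Plan candidates are drawn.

```python
from statistics import mean

# Constructed sample data (not from the page): three assessors each rate an IT
# area as (threat likelihood, magnitude of impact) on a 1-5 scale.
ASSESSMENTS = {
    "Internet banking": [(4, 5), (3, 5), (4, 4)],
    "Core processing":  [(2, 5), (2, 5), (3, 5)],
    "Email":            [(4, 2), (3, 2), (4, 3)],
    "Branch PCs":       [(2, 2), (2, 3), (1, 2)],
}

def consensus(ratings):
    """Average the assessors' (likelihood, impact) pairs into one consensus pair."""
    return mean(r[0] for r in ratings), mean(r[1] for r in ratings)

def risk_ranking(likelihood, impact):
    """Quantitative ranking: likelihood x impact (1..25 for 1-5 inputs).
    The Significance Ranking x Risk Factor rating uses the same arithmetic."""
    return likelihood * impact

def risk_category(ranking, high=15, medium=8):
    """Map a numeric ranking to the qualitative buckets; thresholds are assumed."""
    if ranking >= high:
        return "high"
    if ranking >= medium:
        return "medium"
    return "low"

def risk_summary(assessments):
    """Risk summary: (area, ranking, category) rows sorted from highest risk down."""
    rows = []
    for area, ratings in assessments.items():
        likelihood, impact = consensus(ratings)
        ranking = risk_ranking(likelihood, impact)
        rows.append((area, round(ranking, 2), risk_category(ranking)))
    return sorted(rows, key=lambda row: row[1], reverse=True)

def mitigation_plan(summary, categories=("high", "medium")):
    """Areas selected for the Risk Mitigation Action Plan (board-reportable list)."""
    return [area for area, _, category in summary if category in categories]

if __name__ == "__main__":
    for area, ranking, category in risk_summary(ASSESSMENTS):
        print(f"{area:18} {ranking:6.2f}  {category}")
    print("Mitigate:", mitigation_plan(risk_summary(ASSESSMENTS)))
```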

First published on BankersOnline.com 2/3/03




