We are just about at the end of an IT exam by the FDIC. They have reviewed our risk assessment and indicated it was very adequate. All we did was follow the language of the regulation. So we have all the risks identified in the first column, and the remaining columns are as follows:
Data type (physical or electronic)
Threat Type(Unauthorized disclosure, misuse, alteration, or destruction)
Likelihood of Occurrence
Potential Damage to the Bank
Sufficiency of policies, procedures and controls, and
Risk Mitigation Comments
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.