#1607016 - 09/22/11 02:07 PM Annual Customer Information Threat Risk Assessment
auditangel Offline
Member
Joined: Dec 2009
Posts: 63
I am an internal auditor and have been at my current company for 2 years. Previously there was no internal auditor. I am curious as to how other (smaller) banks handle the annual risk assessment for threats to customer information. At my previous bank (assets > 400 million) the senior IT officer completed this risk assessment. Included in the risk assessment was a notation of areas that are audited, either externally or internally.

At my current company (holding company assets approx. 160 million) the practice has been to have a committee of 4 employees go to each branch to test the items on the risk assessment and give their opinion as to the risk. This is spearheaded by the compliance officer who writes a report and completes the risk assessment. The IT officer indicated she does not like to do the risk assessment as she feels she is grading herself. I don't feel it is a conflict for IT to complete this. The regulation (12 CFR 30) does not indicate this risk assessment should be independent.

I just don't see the current procedure as efficient and effective as it could be. I feel as though the current procedure duplicates efforts and should be updated. It is very obvious when 4 people come to your branch at once what they are there for. Also, it is supposed to be a surprise, but we know it is not. As I said, I do not see a problem with the IT person completing the risk assessment and then noting how this risk assessment relates to audit. This would eliminate the need for the group "verification". Any thoughts? How does your bank handle this function?
_________________________
My questions and opinions are my own and not my employer's.

#1607261 - 09/22/11 05:09 PM Re: Annual Customer Information Threat Risk Assessment auditangel
EmilyAnn Offline
Gold Star
Joined: Jul 2007
Posts: 273
We are a $320 million bank. I'm the Risk Manager and Compliance Officer. Our Operational Risk Working Group, which has representation from across the bank, completes the annual information security risk assessment. I prepare the final documentation, but the individual areas are the source of information/content experts. We outsource internal audit, and many of the items in the risk assessment are audited by our outsourced internal audit function.

I don't see any issue with line of business managers completing the risk assessment - in fact, I think that is the way to go. They are the ultimate risk owners, so they need to make sure they are understanding the risk in their area, and taking appropriate steps to mitigate what the institution considers an unacceptable level of risk. My guess is that your IT officer is like a lot of IT people who absolutely loathe the documentation process. In our institution, we've recognized that even if we force IT to document, it's not their strength and they don't do a great job at it - which is where I come in. I get all of the information/content out of them, and am ultimately the one who writes it down - but it's not my risk assessment - it's still theirs.

Another point, however, is that the IT officer is not the one solely responsible for the information security risk assessment. It goes far beyond technology and systems. All line of business managers in the institution should be involved in the risk assessment and risk mitigation process.

#1607777 - 09/23/11 02:57 PM Re: Annual Customer Information Threat Risk Assessment EmilyAnn
renniks Offline
Diamond Poster
Joined: Sep 2003
Posts: 2,162
New England
I am at a very small bank (<100 million), and I (Compliance Officer) and the IT Administrator complete this risk assessment. The risk assessment is then reviewed by the IT Steering Committee.

#1608255 - 09/23/11 09:03 PM Re: Annual Customer Information Threat Risk Assessment renniks
auditangel Offline
Member
Joined: Dec 2009
Posts: 63
Thanks! Your comments are helpful.
