Skip to content

Conducting An Information Technology Risk Assessment

I would welcome any suggestions regarding how to conduct an information technology risk assessment.

Answer by Trent Fleming:
There are a number of regulatory bulletins and privately produced guides for this.

Basically, you want to identify all operational systems, and their inputs and outputs. Then, take a look at your exposure to loss, unauthorized access, excessive downtime, etc.

Then, begin to assess the risk to your bank's operations if one or more of your considered risk scenarios plays out.


Answer by Jimmy Sawyers:
Measuring IT risk calls for different approaches based on the situation. You can take a qualitative or quantitative approach. For example, if you are referring to performing the risk assessment for the GLBA, you could take a qualitative approach and write a narrative of the assessment, assigning risk categories (e.g., high, medium, low) to each area. Or, you could take a quantitative approach, assigning values based on: 1. The Threat Likelihood/Probability of Occurrence, and; 2. The Magnitude of Impact. These values can be multiplied to obtain a risk ranking.

Each individual area can then be categorized into a risk summary. Then, you can identify which risk areas you plan to mitigate through your Risk Mitigation Action Plan. This also serves as an excellent tool for board reporting and monitoring the plan’s progress.

We prefer the quantitative approach because you can establish very granular ratings for baselines and benchmarks, plus you can more easily involve several people in the exercise, gaining a consensus and avoiding one person setting the institution’s overall risk management program.

Another approach to IT risk assessment involves considering the bank’s complete IT environment and related sections to be included in the risk assessment. This approach allows a more comprehensive, yet general view of IT risk.

A Significance Ranking can be assigned (i.e., How significant is this area as it relates to the bank's overall IT environment? Consider recent developments within the industry, regulatory issuances and the importance of this area to the bank). Then, you can assign a second value, a Risk Factor, measuring the related risk in this particular bank. The two values can be multiplied to ascertain the Risk Rating for this item.

First published on 2/3/03

First published on 02/03/2003

Filed under: 
Filed under operations as: 

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics