Pub. 1 2010 Issue 1

www.wvbankers.org 24 | Risk Management (continued on page 26)

Effective Risk Management
By Keith A. Morgan, CISA, CISSP, and Chris Joseph, CPA, CISA

Auditors and regulators call for Banks to perform routine risk assessments and to base their business practices on a risk-based approach. In this article we will try to set a framework for later articles, which will deal with each of the major areas of risk and provide guidance and best practices. While we will focus on IT, the practices, procedures and guidelines are applicable to all of the Bank's assets, including physical plant, people, hardware and software, cash and investments.

In its simplest terms, risk is the likelihood of an external or internal event that can impair the Bank's ability to conduct business as usual. It is typical to define risk in terms of threats and vulnerabilities. A threat is an event, such as a disgruntled employee or the potential for a flood. It is easy to say that a Bank located along the banks of a river is more liable (vulnerable) to a flood than a branch located on top of a hill outside of town. A vulnerability is a weakness in practice, physical plant, hardware or software. Who would have imagined that an ice storm in Kentucky (a threat) would expose a vulnerability in a bank in another state (lack of contingency plans to operate with their core systems)? Yet this threat became a reality, and the vulnerability became a realized event that left some banks operating in a reduced capacity for almost a week.

If it takes a threat and a vulnerability to produce risk, we could state this as an equation, RISK = THREAT x VULNERABILITY, and assign a value to each. A Bank cannot eliminate all risk; the best approach is to minimize it. There are three ways to accomplish this:

• Remove the threat;
• Reduce the vulnerability; and/or
• Install compensating controls.

Realistically, you cannot eliminate most threats. Risk reduction always involves the financial cost of a solution, the impact on your way of doing business, and the reality that eliminating one threat does not help because new ones appear every day. Twenty years ago there were only a few issues related to virus attacks, because your data center was not networked to other computers across the world. Imagine how you would function today if you chose to eliminate the threat of virus attacks by disabling your Internet connections.

This is the first of a multi-part series oriented toward risk assessment and the management of your Information Technology (IT) assets. We want to step back and revisit the definition of risk so that all of our readers are aware of our point of reference, which has been developed over years of involvement not only in financial services but also in other areas such as healthcare, not-for-profit and other industries.
