Pub. 1 2010 Issue 1
www.wvbankers.org 26

Risk Management — continued from page 24

A compensating, or mitigating, control is a practice, policy, or act that serves to provide additional protection. Many towns situated along rivers where flooding occurred have constructed floodwalls at great expense to provide a compensating control over the threat of a flood. If, due to changing circumstances, the rivers no longer reach flood levels, you might question the effectiveness of that decision in today's environment. You may decide that the future cost is not worth the price against the reduced risk of a flood, and abandon the ongoing cost of maintaining the floodwalls in order to direct your countermeasure dollars toward other risks. However, you must also consider the impact of an event along with the probability of occurrence and the cost; a reduced probability alone does not settle the question.

This should bring to light two principles with regard to risk management.

1. A risk assessment is intended to be a continuous process of defining all relevant threats, searching for areas of vulnerability and quantifying the potential for realization. Too many people get caught up in the quantifying issue: the result is not a numerical score that means the same thing for all Banks, because each Bank's circumstances differ. Rather, the risk assessment is an attempt to ensure that the Bank recognizes which risks are more likely to occur. That analysis then provides the basis for the Bank to take action suitable for its level of risk and the potential impact on its business environment.

2. The process has to be continuous because the environment is constantly changing. New risks appear, new processing environments are introduced, people change, new products are introduced, and the ability to withstand a certain level of risk will change.

There are, in our opinion, two major ways to approach risk assessment. Both of them require a framework in which to operate.
A framework acts as a model for all of the risks in an organization and provides a means to classify, document, reduce and manage risk. A risk framework generally describes the various classes of risk and the degree of risk management expected for each. Many different frameworks exist; some are specialized for certain industries. One we are currently reviewing is HITRUST (Health Information Trust Alliance), which is specific to the healthcare industry but also maps to standards and regulations including GLBA¹, PCI², COBIT³ and NIST⁴. Another source of guidance is the Federal Deposit Insurance Corporation (FDIC), which conducts Information Technology (IT) examinations of financial institutions. No one framework is better than another. Each provides a roadmap to take the Bank from its status quo to a setting where risk is managed and minimized. The framework is a high-level means of managing the process; its top-level groupings are often called domains or key indicators of success. Table 1 lists the domains of the COBIT and FDIC frameworks side by side.

Table 1. Framework domains

COBIT                            FDIC
Monitoring                       Audit
Planning & Organization          Management
Acquisition and Implementation   Development and Acquisition
Delivery and Support             Support and Delivery

While the frameworks are different in focus, this table illustrates four key concepts:

1. The need to monitor or audit various processes;
2. The requirement to manage by planning and organizing your efforts;
3. The major change agent being the introduction of new services, software, hardware, etc.;
4. The requirement to ensure that services are delivered as intended and that support is provided.

Our next article will begin to focus on key areas of risk and illustrate how the framework can guide you through the process of risk assessment.

¹ Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999; it includes a number of measures to protect and safeguard financial data.
² Payment Card Industry: security standards for cardholder data and the means to assure compliance with them.
³ Control Objectives for Information and related Technology: principles, objectives and key measures for managing the IT environment, closely allied with the objectives of the Certified Information System Auditor (CISA) certification.
⁴ National Institute of Standards and Technology: a federal agency that develops and promotes measurement, standards and technology to enhance economic security.

Keith A. Morgan is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Information System Auditor and Certified Information System Security Professional, Mr. Morgan has over thirty years' experience in information technology audit and security services in multiple industries, including financial institutions. Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information System Auditor, Mr. Joseph has over twenty-five years' experience in information technology audit and security services in the financial institutions industry. Mr. Morgan and Mr. Joseph can be contacted at 800-642-3601 or through email: keith.morgan@afnetwork.com or chris.joseph@afnetwork.com.