Pub. 1 2010 Issue 2

www.wvbankers.org 16 D uring our first article, we introduced the concept of Risk Assessments focusing on the definition of risk. In this article, we begin to focus on key areas of risk and illustrate how the framework can guide you through the process of risk assessment. We begin this process by introducing various con- cepts and areas and what these items mean during a risk assessment. Compensating Controls . Typi- cally, it is not difficult to identify an Effective Risk Management By Keith A. Morgan, CISA, CISSP and Chris Joseph, CPA, CISA This is the second of a multi-part series oriented toward risk assessment and the management of your Information Technology (IT) assets is a practice, policy, or act that serves to provide additional protection - in this case, protection over the identified key assets. The assessment of the affect on the risk area from the successful imple- mentation of the compensating control should be considered and documented. Oversight of Outsourced Ser- vice Providers. More and more products are being offered by outside service providers. With the changing regulatory requirements and the move toward more online products, outside service provider arrangements have become more attractive. One item to consider with the outside service provider arrangements is that while you can outsource the process and responsibility, you cannot outsource the accountability. A bank is still required to assess the risk of the product or ser- vice and evaluate the risk regardless of who is performing the service. Certain documents should be reviewed includ- ing the most recent SAS 70 / SSAE 16 report on the service provider, audited financial statements and the service provider contract including recent addendums. The review should occur annually. In addition, the service pro- vider’s performance should be assessed on an ongoing basis. Risk Management. The general thought on risk management in the past was to obtain what was considered adequate insurance to cover an organi- zation when certain events occurred. The business environment has changed from a regulatory, customer relationship and employee relationship perspective that has affected the risk manage- ment process. For example, regulatory requirements such as GLBA resulted in increased regulations over the security and privacy of customer information. Risk management is the attempt to identify and manage threats that could have adverse affects on a business. Risks originate from a variety of areas includ- ing natural disasters, legal liabilities, credit risks, etc. During the risk man- agement process, a prioritization of the organization’s critical assets that are subject to risk. For a bank, most areas that touch upon customer accounts can be considered a risk area. For example, access to your core processing system containing customer data is typically an area identified as a risk area. While identifying the assets subject to risk is critical in the risk assessment process, equally important is the identification of compensating controls that assist in mitigating those risks. As noted in our previous article, a compensating control