Pub. 1 2010 Issue 2

summer 2010

risk is conducted to assist management with the allocation of resources to address the identified risks. Therefore, one result of the risk assessment process is to assist bank management in making decisions on the allocation of limited resources to address the highest-priority risk areas. The prioritization is critical because you do not have sufficient funds and staff to "eliminate" all risk; you have to manage the risks that are most critical.

BOD Involvement. The bank's Board of Directors (BOD) must be involved in the risk management process. To ensure the appropriate level of involvement, appropriate risk communication to the bank's BOD should be established. The communication can take various forms, including the vendor management policy, the information security program, disaster recovery/business continuity planning and risk assessment matrices. The main goal of the communication to the BOD is to improve decision making during the risk management process.

Testing. As noted previously, the risk assessment process involves the identification of compensating controls that assist in mitigating the identified risk. The compensating controls are used to assist in assessing the overall risk and ultimately in the prioritization of resources to address those risks. Therefore it is critical that the compensating controls are tested on a regular basis to determine whether the controls are working as bank management intended. The testing should be documented along with the results of the testing and any corrective action taken to address identified issues. The testing activities should be reported to the bank's BOD as part of the risk communication. In addition, testing applies to other areas of the bank's risk management process, such as the bank's disaster recovery/business continuity planning.

Real Life Procedures. Risk management is an integral part of everyday life in your business. It is important to focus your efforts on areas that have a much greater risk of occurring as opposed to areas with a low risk of actually occurring. When considering the risk management process, ensure that the proper amount of energy is focused on areas that have a higher probability of occurring.

Setting Policy. The bank should have established policies to document bank management's intentions. Several policies can be established that affect the bank's risk management process. Some of these policies assist in defining the bank's security posture as it relates to addressing risk. Two of these policies are the Information Security Program and the Disaster Recovery/Business Continuity Plan. Understanding the relationship between these policies and the risk management process is important to the successful development of these policies. An item we have seen in the past is the development of the Information Security Program without the completion of a risk assessment. The Information Security Program should be a result of the risk assessment process. In order to have an effective Information Security Program, a risk assessment must be completed. In addition, the Disaster Recovery/Business Continuity Plan should be based upon a business impact analysis.

Training. Even with the best policies and procedures in place, without effective employee training the risk of the policies and procedures not being effective increases significantly. Training on the applicable regulatory requirements increases the probability of the bank being compliant with those regulatory guidelines. For example, GLBA training should be an ongoing process. The hiring of new employees, changes in employee responsibilities and the introduction of new products all could result in the need for employee training to increase the likelihood of GLBA compliance. In addition, training employees on the bank's policies increases the probability of adherence to those policies. The training programs and processes should be documented.

Regulatory Management. An end product of the risk management process is to provide the bank with regulatory management. Effective risk management should address regulatory requirements such as GLBA, vendor management and information security programs. An effective risk management process can provide bank management with the tool to address ever-changing regulatory requirements.

Our next article will further detail the risk assessment process and the tools that can be used to document the risk assessment activities.

Keith A. Morgan is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Information System Auditor and Certified Information System Security Professional, Mr. Morgan has over thirty years' experience in information technology audit and security services in multiple industries, including financial institutions.

Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information System Auditor, Mr. Joseph has over twenty-five years' experience in information technology audit and security services in the financial institutions industry.

Mr. Morgan and Mr. Joseph can be contacted at 800-642-3601 or through email: keith.morgan@afnetwork.com or chris.joseph@afnetwork.com.

With the changing regulatory requirements and the move toward more online products, outside service provider arrangements have become more attractive.
