Pub. 1 2010 Issue 4

www.wvbankers.org 24 Keith A. Morgan is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Ac- countants, in Charleston, West Virginia. A Certified Information System Auditor and Certified Information System Security Professional, Mr. Morgan has over thirty years experience in information technology audit and security services in multiple industries including financial institutions. Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Ac- countants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information System Auditor, Mr. Joseph has over twenty-five years experience in information technology audit and security services in the financial institutions industry. Mr. Morgan and Mr. Joseph can be contacted at 800-642-3601 or through email: keith. morgan@afnetwork.com or chris.joseph@afnetwork.com. mend that the risk assessment be reviewed again to address the identified risk areas. Ultimately, the identified risks result- ing from the risk assessment process is one of the first steps in managing and controlling risk. When dealing with risk, you will be challenged with monitoring the controls, identifying controls that are not working as bank management intended, identifying new controls, developing corrective action and implementing change. All of these procedures can fall under the remedia- tion procedures. Controlling risk involves remediation. Remediation includes the following tasks: • Monitoring changes in the risk areas • Assessing the applicability of the stated controls • Develop testing procedures for the identified controls • Testing the controls • Assessing the testing results • Developing corrective action to address issues noted • Retesting the controls The corrective action that addresses issues noted could include training of bank personnel on the established controls, modifying controls that were deemed ineffective, developing new controls and reviewing technologies used to implement controls. Of course, the corrective action could Q Risk Management — continued from page 23 include other items that are considered appropriate. The main focus is that remediation should be used to assist bank management with managing and controlling risks. We present the following as an example: XYZ Bank has identified a risk as it relates to their backup solution. Specifically, the risk identified is the backup media that contains the customer data is lost or stolen. The controls identified by the XYZ Bank include the following: • The backup media used by XYZ Bank is encrypted • The backup media is maintained in a secured case while in transit During testing of the backup media, the XYZ Bank noted that two days of the backup media tested were not encrypted. Further investigation by XYZ Bank personnel indicated that the person who made the backups for those days was not the regular person who performs that function and they did not specify the appropriate job that included encrypting the data during the backup process. In this case, the remediation steps included training all applicable XYZ Bank personnel on the proper backup procedures to encrypt the backup me- dia. In addition, the XYZ Bank updated their backup policy to include the appropriate procedures to backup the data in an encrypted manner. With these steps in place, the XYZ Bank effectively iden- tified a risk, developed controls, tested the controls and implemented corrective action to address an issue with the implementation of the control. The XYZ Bank performed Effective Risk Management. As it has been illustrated throughout our series of articles, Effective Risk Management is an ongoing process. Success- ful risk management involves the process of identifying risk, identifying controls, rating the risk, testing of controls and remediation efforts to manage the identified risks. Effective Risk Management involves the utilization of limited resources to address the risks that are most significant to your bank. We are at the end or our multi-part series on Effective Risk Management and you may have concluded that your risk assessment process is also at the end. However, your risk as- sessment process is just that, a process that continues. Q