Financial institution management
should maintain a risk identification process that is coordinated
and consistent throughout the institution. Risk identification
includes ongoing data collection from existing activities and new
All activities within a financial institution present a degree
of risk. The nature of such risk, before applying controls and
other mitigations, is called inherent risk. Senior management
should ensure that IT risk identification efforts at the
enterprise-wide level are coordinated and consistent throughout the
institution. Management should maintain inventories of assets
(e.g., hardware, software, and information), event classes (e.g.,
natural disaster, cyber, and insider abuse or compromise), threats
(e.g., theft, malware, and social engineering), and existing
controls as an important part of effective risk identification.
Inventories should include systems and information hosted or
maintained externally. Comprehensive IT risk identification should
include identification of cybersecurity risks as well as details
gathered during information security risk assessments required
under guidelines implementing the GLBA. (Refer to the "Information
Security" booklet of the IT Handbook for more information on the
GLBA and the "Interagency Guidelines Establishing Information
Security Standards.")
Participation in an information-sharing forum, such as FS-ISAC,
should be a component of the risk identification process because
sharing information may help the institution identify and evaluate
relevant cybersecurity threats and vulnerabilities. (Refer to "FFIEC
Releases Cybersecurity Assessment Observations, Recommends
Participation in Financial Services Information Sharing and Analysis
Center," November 3, 2014.)
Senior management should make risk management decisions based on
a full understanding of identified risks. Small institutions with
less complex systems may have a more simplified risk identification
process. Regardless of the complexity, the process should be formal
and adapt to changes in the IT environment. The effectiveness of
the risk identification process is demonstrated by management's
understanding and awareness of risk, the adequacy of formal risk
assessments, and the effectiveness of the risk mitigation,
including policies and internal controls.