A financial institution should ensure an adequate risk
management structure exists within the organization. Some
institutions have a separate risk management department that is
responsible for overseeing the areas of information security,
business continuity planning, audit, insurance and compliance.
Regardless of the particular structure used, the institution should
ensure that lines of authority are established for enforcing and
monitoring controls. These risk management functions should play a
key role in measuring, monitoring, and controlling risk.
The board is responsible for overseeing and approving the
development, implementation, and maintenance of a comprehensive,
written information security program, as required by the
Gramm-Leach-Bliley Act (GLBA). GLBA is discussed in more detail on
page 30 of this booklet. The information security program should
include appropriate administrative, technical, and physical
safeguards based on the size, complexity, nature, and scope of the
institution's operations. The board may delegate information
security monitoring to an independent audit function and
information security management to an independent information
security officer. Ideally, the institution should separate
information security program management and monitoring from the
daily security duties required in IT operations. The senior
information security officer should be an organization-wide risk
manager rather than a production resource devoted to IT operations.
To ensure independence, the information security officer should
report directly to the board or senior management rather than
through the IT department. The IT department needs personnel with
daily responsibility for implementing the corporate security
policy, but they should not have the ability to change policy and
grant exceptions. The IT Handbook's "Information Security Booklet"
has additional information on this topic.
Similar to information security, business continuity planning
should be a corporate-wide strategy. Business continuity planners
should assess business continuity across all lines of business. The
business continuity function often resides in the risk management
organizational structure. The IT department should have personnel
responsible for developing and maintaining the department's
business continuity plans. The IT Handbook's "Business Continuity
Planning Booklet" has additional information on this topic.
Senior management and the board should ensure cooperation
between management and IT audit, and should also ensure timely and
accurate response to audit concerns and exceptions. The IT audit
area should report directly to the board of directors or a
designated committee of the board composed of outside directors.
The board is responsible for overseeing the audit department's
performance and compensation. Audit's key role is to review risk
within each of the departments. Audit should verify that management
has implemented effective control processes. Audit should have no
role in implementing controls and should not have primary
responsibility for enforcing policy.
Management should have processes in place to monitor and enforce
policy compliance. Audit should verify those processes function
effectively and report to the board. The board, in turn, should
ensure auditors have the necessary expertise and that audit
coverage is adequate, timely, and independent. IT audit coverage
should include system development and acquisition projects. See the
IT Handbook's "Audit Booklet" for additional discussion of this
Senior management should ensure the involvement of regulatory
compliance staff whenever a new system or application affects
compliance with regulations. New implementations or application
changes can cause noncompliance through inaccurate interest rate
calculations, inadequate or inaccurate disclosures, weak security
controls over the storage or transmission of customer information,
and poor customer verification procedures. The compliance function
should review any new system or significant change for regulatory