III.B Risk Assessment
Management should evaluate the likelihood and impact of potential disruptions and events. As part of this evaluation, management should consider the geographical area where the entity operates. Additionally, management should consider the risks and threats that could affect the entity’s third-party service providers. Once management identifies scenarios; evaluates specific threats to the controls, strategies, and plans; and understands the entity’s risk exposure, management should develop risk treatment strategies (including risk acceptance or risk transfer) based on the entity’s risk appetite.
Examiners should review the risk assessment and determine whether it addresses the impact and likelihood of disruptions of the entity’s information services, technology, personnel, facilities, and services provided by third parties. Specifically, examiners should review whether the following types of events are included in the risk assessment:
- Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills.
- Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions.
- Malicious activity, including fraud, theft, blackmail, sabotage, cyber attacks, and terrorism.
- International events that may affect services (e.g., political instability and economic disruptions).
- Low likelihood and high impact events (e.g., terrorist attacks or pandemic events).
Risk assessment is the process of identifying risks to operations, organizational assets, individuals, and other organizations. Risk assessments incorporate threat and vulnerability analyses and address the appropriate mitigations. As part of risk assessment processes, information from the ERM can be leveraged, such as business process documentation, critical risks, impacts, and tolerances. Management should use risk assessments to identify, measure, and mitigate risk exposures to critical functions and processes identified by the BIA. Furthermore, the risk assessment process may result in changes to the BIA. For example, management may prioritize business processes based on their importance to strategic goals and safe and sound practices; however, after developing threat models, results may necessitate prompt alteration of initial priorities or recovery plans.
III.A.3 Impact of Disruption
III.B.1 Risk Identification