III     IT Risk Management

Action Summary

Financial institution management should develop an effective ITRM process that supports the broader risk management process. As part of the ITRM process, management should perform the following:

  • Identify risks to information and technology assets within the financial institution or controlled by third-party providers.
  • Measure the level of risk.
  • Mitigate the risks to an acceptable residual risk level in conformance with the board's risk appetite.
  • Monitor changing risk levels and report the results of the process to the board and senior management.


The ITRM process supports the enterprise-wide risk management framework through four activities: (1) risk identification, (2) risk measurement, (3) risk mitigation, and (4) risk monitoring and reporting. Risk identification generally documents inventories of systems and information necessary to financial institution operations and defines the potential threats to the institution's systems and operations. Risk measurement is a process of determining the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. Risk mitigation includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board's risk appetite. Monitoring and reporting provide the board and senior management with regular updates demonstrating the effectiveness of the risk management process.

Management should identify, measure, mitigate, monitor, and report IT risks that threaten the safety and soundness of an institution. An effective ITRM process is regularly updated and aligns IT and business objectives. This process should have a higher level of formality in more complex institutions.

The ITRM process is not complete without consideration of the overall IT environment. Management may need to consider risks associated with IT environments from two different perspectives:

  • A centralized IT environment supports lines of business across shared infrastructure.
  • A decentralized IT environment supports lines of business with separately managed infrastructure.

The following sections detail the processes involved in each of the ITRM activities.
