III.B     Risk Measurement

Action Summary

Financial institution management should develop risk measurement processes that include the following elements:

  • Measuring risk using qualitative, quantitative, or a hybrid of methods.
  • Recognizing that risks do not exist in isolation.
  • Prioritizing the risks based on the results of risk measurement.


Risk measurement typically is performed according to policies governing the enterprise-wide risk management process. Measurement is helpful in estimating the likelihood of an adverse event and its potential impact across the institution. Measurement across the financial institution is particularly important when an event impacts shared services and infrastructure or a shared customer base.

Measurements may be qualitative, quantitative, or a hybrid of both. Qualitative measures rely on experience, judgment, and intuition and are subject to potential flaws due to bias and other factors. Types of qualitative assessments include questionnaires or surveys to measure risk. Quantitative measures, on the other hand, are based on numerical values, such as dollar amounts or number of systems out of compliance. Quantitative measurement methods may include top-down and all-encompassing measures as well as measures that are limited to discrete activities and management choices. Hybrid measurements are frequently used and typically combine qualitative and quantitative measures to provide a more comprehensive analytical approach. A hybrid assessment could include a survey of staff to gain individual insight combined with numerical data inputs. Important considerations when evaluating hybrid measures include those presented above for both qualitative and quantitative measures.

Regardless of the method used, management should estimate the likelihood of occurrence and severity of the impact of the identified risk. When analyzing the potential impact, management should consider financial, reputation, or other impact to the institution. Organizational impacts are highly variable and not always easy to quantify. They include such considerations as lost revenue, data recovery and reconstruction expense, costs of litigation and potential judgments, loss of market share, and increases to premiums or denials of insurance coverage.

There are a variety of techniques, including the use of applications, to measure risk. Applications to provide measurement-related information may be developed in-house, acquired, or both. IT's role in development and acquisition should be consistent with the guidance in the IT Handbook's "Development and Acquisition" booklet.

The following are common types of risks that often have significant impact:

  • Security breaches: Including internal and external breaches, weak program code used to perpetrate fraud, and computer viruses.
  • System failures: Including telecommunication failures, LAN and WAN failures, hardware and software failures, interconnectivity failures, and backup system failures.
  • External events: Including weather-related events, earthquakes, pandemics, terrorism, cyber attacks, cut utility lines (e.g., telecommunication, water, and power), or widespread power outages.
  • Insider events: Including intentional or unintentional acts by staff, such as carelessness, social engineering that results in inappropriate access or the installation of malware, and improper changes to transactions, systems, or databases.
  • Development and acquisition issues: Including strategic platform or supplier risk, inappropriate definition of business requirements, incompatibility with existing systems, inadequate project management, programming errors (internal or external), change management issues, failure to integrate and/or migrate systems or applications successfully, or obsolescence of software.
  • Capacity planning issues: Including inadequate capacity planning or inaccurate forecasts of growth.
  • Third-party provider issues: Including deficiencies in the oversight of third-party providers in areas such as reporting, breach notification, business continuity and resilience testing, and subcontracting (fourth-party) risk management.

The institution should recognize that no risk exists in isolation; there are interdependencies among risks. This reinforces the need for an integrated approach for risk management. To ensure accurate risk measurement, management should ensure that risk assessments are updated regularly, and as changes occur, to address new technologies, products, services, and connections before deployment.

The IT department can have a specialized and unique role in the measurement and prioritization of IT-related threats, based on its expertise in the development, application, and use of IT. Institution management should use that expertise, as well as the expertise provided by others (e.g., auditors, third-party providers, and other third parties), in the risk measurement process. Once management identifies and measures the institution's IT risk, it should rank the risks and prioritize its response.


Previous Section
III.A.1 Ongoing Data Collection
Next Section
III.C Risk Mitigation