Management should analyze the survey of the IT operations environment and the inventory of technology resources to identify threats and vulnerabilities to IT operations. The assessment process should identify:
- Internal and external risks;
- Risks associated with individual platforms, systems, or processes as well as those of a systemic nature; and
- The quality and quantity of controls.
To the extent possible, the assessment process should quantify the probability of a threat or vulnerability and the financial consequences of such an event.
IT operations comprise the framework of service and product delivery to internal and external customers and are intrinsic to much of the risk management undertaken by the institution. For these reasons, management should not limit the risk assessment process to risks associated with specific platforms, their operating systems, resident applications and utilities, the connecting network, associated human processes, and the control environment. Management should also consider the interdependencies between these elements. Threats and vulnerabilities have the potential to quickly compromise interconnected and interdependent systems and processes.
The environmental survey and technology inventory provide the foundation for the risk identification and assessment processes. Once the survey and inventory are complete, management can employ a variety of techniques to identify and assess risks, including performing self-assessments, incorporating concerns identified in internal and external audits, reviewing business impact analyses prepared for contingency planning, assessing the findings of vulnerability assessments conducted for information security purposes, and understanding the concerns identified by insurance underwriters for establishing premiums. In risk identification and assessment, management should emphasize events or activities that could disrupt operations, negatively affect earnings or reputation, or that might be categorized in the following general areas:
- Technology investment mistakes including improper implementation, failure of a supplier, inappropriate definition of business requirements, incompatibility with existing systems, or obsolescence of software (including loss of hardware or software support);
- Systems development and implementation problems including inadequate project management, cost and time overruns, programming errors, failure to integrate or migrate from existing systems, or failure of a system to meet business requirements;
- Systems capacity including lack of capacity planning, insufficient capacity for systems resiliency, or software inadequate to accommodate growth;
- Systems failures including interdependency risk, or network, interface, hardware, software, or internal telecommunications failure; and
- Systems security breaches including external or internal security breaches, programming fraud, or computer viruses.
The individual risk assessment factors management should consider are numerous and varied. The combination of factors used should be appropriate to the size, scale, complexity, and nature of the institution and its activities. These factors include:
- Importance and business criticality;
- Extent of system or process change;
- Source of system access (internal or external, including Internet, dial-up, or WAN);
- Source of application (commercial off-the-shelf (COTS), in-house developed, a combination of the two, etc.);
- Scope and criticality of systems or number of business units affected;
- Sophistication of processing type (batch, real-time, client/server, parallel distributed);
- Transaction volume and dollar value of transactions;
- Classification or sensitivity of data processed or used;
- Impact to data (read, download, upload, update or alter);
- Experience level and capability of functional area management;
- Number of staff members and staff stability;
- Number of users and customers;
- Changes in the legal, regulatory, or compliance environments;
- Presence of new or emerging risks from developing technology or technology obsolescence; and
- Presence of audit or control self-assessment weaknesses.
Prioritizing Risk Mitigation Efforts