BOL Conferences
#362212 - 05/20/05 07:47 PM IT risk assessment for FDICIA
Trees
Power Poster
Joined: Apr 2005
Posts: 4,013
Is anyone aware of any articles, templates, etc. that can be used as a guideline for documenting an IT risk assessment from a FDICIA (impacting balance sheet risks) perspective? Thank you.

#362213 - 05/24/05 03:05 AM Re: IT risk assessment for FDICIA
Susan Silberisen
Junior Member
Joined: Apr 2005
Posts: 31
Arizona
I've actually spent some time looking through the web and other resources to locate an easy-to-understand instruction set for risk management, with an eye toward FDICIA. (Although, frankly, any risk management program will address FDICIA concerns). There just aren’t many “smaller fit” solutions available.

There are larger Risk Assessment products/programs that focus on the need for operational risk management. The approach is implementing robust analytics that lead eventually to more efficient use of capital and personnel, thereby impacting balance sheet risks. But from their enterprise-level view, these tend to overlook specific guidance for IT risks.

It is interesting to note that banks wouldn't think of operating without loan reviews, a credit risk committee, lending policies, etc. These are risk management program elements, so the general know-how is out there. However, because IT is managed separately and perceived differently, the risks are not incorporated and go unmanaged.

The best I can offer at this point are building block elements taken from direct program building experience.

Key Ingredients of a good Operational Risk Management Program

1. Senior Management Support and Leadership -- Establish a formal structure and governance [with a charter, goals, responsibilities, roles, etc.] designed to build upon, streamline and eliminate redundant risk management and compliance efforts.
2. Business Unit Ownership -- Ensure your business unit managers are incorporating the risk assessment process into normal activities and reporting relationships across their departments.
3. Risk Committee -- Designed to review business-line self-assessments and monitor risk information from audit, information security, compliance, etc.
4. Good Process -- The heart of the program is risk data collection, appropriate ranking of operational and IT risks, evaluation of mitigating controls, and authorization of solution implementation.

It’s a difficult topic. Millions of words have been put on paper to explain the risk analysis and management process. Typing in “Risk Management” at Google will provide 108 Million hits. Is there an instant “plug and play” Operational or IT Risk Management program? I haven’t seen it yet.
At Applied Intent, LLC we are working to address the challenge of building a risk program that covers the risk bases AND is manageable for a community bank. Naturally, you’ll hear about it when we do.
_________________________
We help banks solve compliance challenges inexpensively. www.appliedintent.com
