Conducting An Information Technology Risk Assessment

Answer by Jimmy Sawyers:
Measuring IT risk calls for different approaches based on the situation. You can take a qualitative or quantitative approach. For example, if you are referring to performing the risk assessment for the GLBA, you could take a qualitative approach and write a narrative of the assessment, assigning risk categories (e.g., high, medium, low) to each area. Or, you could take a quantitative approach, assigning values based on: 1. The Threat Likelihood/Probability of Occurrence, and; 2. The Magnitude of Impact. These values can be multiplied to obtain a risk ranking.

Each individual area can then be categorized into a risk summary. Then, you can identify which risk areas you plan to mitigate through your Risk Mitigation Action Plan. This also serves as an excellent tool for board reporting and monitoring the plan’s progress.

We prefer the quantitative approach because you can establish very granular ratings for baselines and benchmarks, plus you can more easily involve several people in the exercise, gaining a consensus and avoiding one person setting the institution’s overall risk management program.

Another approach to IT risk assessment involves considering the bank’s complete IT environment and related sections to be included in the risk assessment. This approach allows a more comprehensive, yet general view of IT risk.

A Significance Ranking can be assigned (i.e., How significant is this area as it relates to the bank's overall IT environment? Consider recent developments within the industry, regulatory issuances and the importance of this area to the bank). Then, you can assign a second value, a Risk Factor, measuring the related risk in this particular bank. The two values can be multiplied to ascertain the Risk Rating for this item.

First published on BankersOnline.com 2/3/03