As with severity and impact, controls should be rated on a scale (ex: very important, important, or not very important). This relationship can be expressed with the following formula:Ĭontrol effectiveness = Control impact * % ineffectiveĪ control’s impact is the expected value of its risk mitigation. This comes down to two factors: the impact of the control and how likely it is to work. That makes it important to have a method for determining how effective controls are. It decreases when controls are effective. Residual risk is greatest when the inherent risk is high and the controls for mitigating the risk aren’t effective. Residual risk = Inherent risk * Control effectiveness It’s all about understanding the relationship between risk and controls. This score helps the organization review its risk tolerance against its strategic objectives. In the case of a cyber breach, it’s the risk that remains after considering deterrence measures. Residual risk is the risk that remains after controls are taken into account. Inherent risk = Impact of an event * Probability Residual Risk For example, think of the risk of a cyberattack if the institution didn’t have any defenses in place. Inherent risk scores represent the level of risk an institution would face if there weren’t controls to mitigate it. For example, high can be assigned a 3, moderate can be a 2 and low can be a one. These scales can easily be converted into numbers and plugged into equations for assessing inherent and residual risk. An audit finding from the past year may indicate a risk is highly likely/probable, while one from five years ago with no repeat findings may indicate an unlikely or remote risk. A guideline for probability might include frequency of audit findings. Have one scale for assessing likelihood (ex: “high,” “moderate,” and “low”) and one for severity (ex: “catastrophic,” “significant,” “moderate,” “minor,” and “insignificant”) along with requirements for applying them. So how do you show your work? You need guidelines and scales. The more likely or severe an event, the greater the risk. For example, a cyber breach seems a very likely occurrence when there’s no firewalls, anti-virus software, or intrusion detection software to prevent it. Likelihood is how probable it is that an event will occur. For example, a cyberbreach could have a catastrophic impact. The impact is an estimate of the harm that could be caused by an event. A risk assessment should evaluate both likelihood and impact. Notice there’s a theme (which I took the liberty of highlighting for emphasis). The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence. Risk measurement - A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution.The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat. Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence.Risk analysis - The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards.The FFIEC IT Examination Handbook glossary shows us exactly what we need to evaluate: Risk assessments aren’t nearly as subjective as they may appear on the surface. That’s why they make the same request as your eighth-grade math teacher: Show your work. If you don’t put in the work to systematically evaluate risk, you’re creating even more risk.ĭeep down you know this and so do examiners. It’s an essential tool for mitigating risk and assessing controls. Assessing risk is not a check the box activity. Guessing at risk assessments is a dangerous practice. But you don’t need a phony fortune-telling toy to know that “outlook not so good” for this practice. Many bankers make a gut call, acting as the institution’s de facto Magic 8 Ball. Assessing risk can feel like a subjective task.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |