Niki Neese, VP Account Management
Welcome to the fourth edition of the 2009 Safe Systems Newsletter!
As I have discussed earlier, we have incorporated a compliance topic into the Quarterly System Review that we perform with your financial institution. The main objective of adding the compliance topic is to present you with information on the latest compliance trends that we see throughout our customer base.
For the fourth quarter of ’09, our strategic focus will be defining certain risks that are part of your risk assessment program. Over the past year, we have seen a significant increase in the focus given to institutions’ risk assessments and in the importance of properly addressing each category. When you implement new technology, it is critical that you perform a risk assessment on each functional area that the technology may impact. As part of your IT or Steering Committee meetings, your institution should do the following:
1. Identify Risk
2. Measure Risk
3. Monitor Risk
4. Control Risk
Management is ultimately responsible for the implementation, integrity, and maintenance of risk management systems. Therefore, it is imperative that the board of directors is adequately informed about risk-taking activities. The problem that we have seen among our clients is that they assess the risk after the technology has been implemented. It is important that you begin the risk assessment process when you begin discussions of adding new technology or services to your institution. Our goal this quarter is to provide your institution with our insight and guidance on certain types of risks and their respective definitions. Oftentimes we see institutions struggle with understanding the actual definition of a risk category and how it specifically relates to their institution.
Below are four broad risk categories that will be a part of our compliance checklist this quarter.
1. Operational and Transactional Risk – the risk of loss to earnings or capital resulting from inadequate or failed internal processes, people and systems, or from external events.
2. Regulatory and Compliance Risk – the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards.
3. Strategic Risk – the current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.
4. Reputation Risk – the risk that negative publicity regarding an institution’s business practices will lead to a loss of revenue through client attrition or the inability of the institution to generate new customers.
Per the FFIEC IT Examination Handbook, Information Security Booklet:
A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the institution’s vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category.
We suggest that you review your risk assessment on a quarterly basis and address any changes or future implementations that your institution might be evaluating. The existence of risk is not necessarily a problem; even the existence of high risk in any area is not necessarily a concern, so long as the institution’s management effectively manages that level of risk.
Again, we welcome your suggestions on topics that you would like us to consider for the upcoming quarterly newsletters. Please email us at email@example.com with your comments and suggestions. We thank you for your support and participation.