Proprietary & Confidential © 2011 Fidelity National Information Services, Inc. and its subsidiaries. Risk Assessments Scott Yoshimura, Risk Management Consultant


TRANSCRIPT

Page 1: Risk Assessments
Scott Yoshimura, Risk Management Consultant

Page 2: Background

• FIS Managed IT Services (formerly ProNet Solutions) – Provides outsourced technology platform management solutions to independent community banks.
  – Virtual Network Management Services
  – Managed Security Services
  – Hosted Services
• Advisory Services Group – Provides facilitative solutions for IT related risk management programs and business continuity.
• In 2013 we completed 262 assessments for 66 banks in 13 states

Page 3: Agenda

• Risk Assessment Overview
• In Depth Look
  – GLBA/Information Security
  – Vendor Management
  – Online Banking
  – Business Continuity
  – New Product Development
  – Facilitative Solution
  – What Examiners Are Looking For
• Questions

Page 4: Purpose of a Risk Assessment

• Quantify risk into a measurable format
• Designed to
  – Evaluate risks
    • Impact
    • Likelihood
  – Prioritize risks
  – Evaluate the effectiveness of controls
  – Identify gaps

Page 5: Benefits of a Risk Assessment

• Improve decision making
  – Identifying areas of weakness or concern
  – Valuation of risk to determine risk/return benefit
• Measure change
  – Changes in controls
  – Changes in environment
  – Changes in risk
• Risk awareness

Page 6: Creating a Risk Assessment

• Board and Executive support
  – Risk awareness and mitigation within the culture
  – Leadership and guidance
  – Understanding and expertise

Page 7: Creating a Risk Assessment

• Knowledge and resources
  – Develop
  – Identify
  – Evaluate
  – Remediate
  – Manage
• Research Applicable Regulations and Guidance
  – FFIEC
  – OCC
  – FRB

Page 8: How to create a risk assessment

• What is the driving force?
  – Your purpose will define the quality and benefit of your assessment
• Do you have the knowledge? Is there new guidance?
  – Utilize your available resources to ensure you have the required/recommended criteria
• Have a sound methodology
  – Ensure your process meets your criteria, but is understandable and explainable to staff, your board and examiners

Page 9: Creating a Risk Assessment

• Quantitative vs Qualitative
  – Quantitative: Requires numerical values for both impact and likelihood, using data from a variety of sources
  – Qualitative: Assessing risk and opportunity according to descriptive scales
• Inherent vs Residual
  – Inherent Risk: The risk that an activity would pose if no controls were in place
  – Residual Risk: The risk that remains after controls are taken into account
• Risk Formula
  – Inherent Risk = Impact x Probability
  – Residual Risk = Inherent Risk x Control Risk, where control risk reflects how much of the inherent risk the controls in place fail to mitigate

Page 10: Weak vs Strong Assessment

Weak assessment (a single impact rating and no credit for controls):

Asset            Impact     Likelihood   Risk
Servers          High       High         High
Mobile Devices   Moderate   High         Moderate-High
Shred Bin        Moderate   Moderate     Moderate
Appraisals       Low        Low          Low

Strong assessment (impact split into confidentiality, integrity and availability; controls rated separately so that residual risk can be derived from inherent risk):

Asset            Confidentiality   Integrity   Availability     Likelihood   Inherent Risk     Strength of Controls   Residual Risk
Servers          High              High        High             High         High              High                   Moderate
Mobile Devices   Moderate – High   Moderate    Moderate – Low   High         Moderate – High   High                   Moderate – Low
Shred Bins       High              Low         Low              Moderate     Moderate          Low                    Moderate – High
Appraisals       Low               Moderate    Moderate         Low          Moderate – Low    High                   Low
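Worked example of the risk formula on slide 9 (Inherent Risk = Impact x Probability, Residual Risk = Inherent Risk x Control Risk) applied to the assets in the strong-assessment table on slide 10. This is an added illustration, not part of the original presentation and not any FIS tool. The slides give descriptive ratings only, so the five-point numeric scale, the control-risk percentages and the band cut-offs below are assumptions, and the computed bands will not match the slide's table row for row. What it shows is the mechanism: impact taken as the worst of confidentiality, integrity and availability, inherent risk computed with no credit for controls, residual risk obtained by applying a control-risk factor, and the assets then prioritised by residual risk and compared against a stated risk appetite to identify gaps.

```python
"""Inherent and residual risk scoring in the style of slides 9 and 10.

The slides give descriptive ratings only; the numeric scale, control-risk
percentages and band cut-offs here are assumptions made for illustration.
"""
from dataclasses import dataclass

# Descriptive scale -> number (assumption).
SCALE = {"Low": 1, "Moderate-Low": 2, "Moderate": 3, "Moderate-High": 4, "High": 5}

# Strength of controls -> control risk, as the percentage of inherent risk the
# controls leave unmitigated (assumption). Weak controls mitigate nothing.
CONTROL_RISK_PCT = {"High": 40, "Moderate": 70, "Low": 100}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    likelihood: str
    control_strength: str


def impact_score(asset: Asset) -> int:
    """Impact is the worst of C, I and A: one exposed leg is enough."""
    return max(SCALE[asset.confidentiality], SCALE[asset.integrity],
               SCALE[asset.availability])


def inherent_score(asset: Asset) -> int:
    """Inherent Risk = Impact x Probability, with no credit for controls (1..25)."""
    return impact_score(asset) * SCALE[asset.likelihood]


def residual_score(asset: Asset) -> float:
    """Residual Risk = Inherent Risk x Control Risk.

    With control risk expressed as a percentage of at most 100, residual can
    never exceed inherent; the assertion keeps that invariant visible.
    """
    residual = inherent_score(asset) * CONTROL_RISK_PCT[asset.control_strength] / 100
    assert residual <= inherent_score(asset)
    return residual


def band(score: float) -> str:
    """Map a 1..25 score back onto the descriptive scale (assumed cut-offs)."""
    if score > 20:
        return "High"
    if score > 15:
        return "Moderate-High"
    if score > 8:
        return "Moderate"
    if score > 3:
        return "Moderate-Low"
    return "Low"


def assess(assets: list) -> list:
    """Rate every asset and return the rows ordered highest residual risk first."""
    rows = []
    for asset in assets:
        inherent, residual = inherent_score(asset), residual_score(asset)
        rows.append({
            "asset": asset.name,
            "inherent": band(inherent),
            "controls": asset.control_strength,
            "residual": band(residual),
            "residual_score": residual,
        })
    return sorted(rows, key=lambda r: r["residual_score"], reverse=True)


def gaps(rows: list, appetite: str = "Moderate") -> list:
    """Names of assets whose residual rating is above the stated risk appetite."""
    limit = SCALE[appetite]
    return [r["asset"] for r in rows if SCALE[r["residual"]] > limit]


# Ratings copied from the strong-assessment table on slide 10.
ASSETS = [
    Asset("Servers", "High", "High", "High", "High", "High"),
    Asset("Mobile Devices", "Moderate-High", "Moderate", "Moderate-Low", "High", "High"),
    Asset("Shred Bins", "High", "Low", "Low", "Moderate", "Low"),
    Asset("Appraisals", "Low", "Moderate", "Moderate", "Low", "High"),
]

if __name__ == "__main__":
    for row in assess(ASSETS):
        print(f"{row['asset']:15} inherent={row['inherent']:14} "
              f"controls={row['controls']:9} residual={row['residual']}")
    print("Above a Moderate-Low appetite:", gaps(assess(ASSETS), "Moderate-Low"))
```

Run as a script it prints the assessed table. Note how the shred bins, only moderate inherently, end up at the top of the residual ranking because their controls are weak, while the servers drop to moderate because theirs are strong; the weak assessment on slide 10, which has no control column, leaves the shred bin below the servers and cannot make that distinction.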

Page 11: Creating a Risk Assessment

• Does your assessment do the following?
  – Identify subjects
  – Identify and evaluate threats
  – Identify and evaluate controls
  – Determine impact and likelihood
  – Determine areas of concern
  – Prioritize order of importance

Page 12: Tips for Performing a Risk Assessment

• Ensure everyone involved in the process understands the purpose
• Relate it to their line of business
• Ensure everyone evaluates based on the same risk appetite level
• Challenge and pose questions

Page 13: Board Reporting

• Understanding of the process
• Understanding of the risks
• Understanding of the position of the bank and strength of controls
• Understanding of the areas of concern
• Understanding of recommendations and action plan

Page 14: What Examiners Are Looking For

• Based on guidance
• Sound methodology
• Management involvement
• Clear board communication

Page 15: GLBA/Information Security – Regulatory Guidance

• IT Examination Handbook – Financial institutions must maintain an ongoing information security risk assessment program that effectively
  – Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  – Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  – Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.

Page 16: Information Security Risk Assessment – Valuation Table

Page 17: Information Security Risk Assessment – Asset Analysis

Page 18: Information Security Risk Assessment – Asset Analysis

Page 19: Information Security Risk Assessment – Asset Analysis

Page 20: Information Security Risk Assessment – Risks & Controls Worksheet

Page 21: Information Security Risk Assessment – Vendor Analysis

Page 22: What Examiners Are Looking For

• Inherent vs Residual Risk
• Evaluation of threats
• Evaluation of controls
• Identification of key controls
• Testing of controls

Page 23: Information Security Risk Assessment – Controls Analysis

Page 24: Vendor Management – Regulatory Guidance

• FIL-44-2008 – Guidance for Managing Third Party Risk
  – This guidance outlines the potential risks that may arise from the use of third parties and addresses the following four basic elements of an effective third-party risk management program:
    • Risk assessment
    • Due diligence in selecting a third party
    • Contract structuring and review
    • Oversight
• OCC Bulletin 2013-29 – Third Party Relationships, Risk Management Guidance
• Federal Reserve SR 13-19/CA 13-21 – Guidance on Managing Outsourcing Risk

Page 25: Vendor Management – Program Review

• Oversight
• New Vendor Selection & Due Diligence
• Ongoing Monitoring & Due Diligence

Page 26: Vendor Management – Valuation Table

Page 27: Vendor Management – GLBA Analysis

Page 28: Vendor Management – Significant Vendor Rating

Page 29: Vendor Management – Significant Vendor Rating

Page 30: Vendor Management – Significant Vendor Rating

Page 31: Vendor Management – Critical Vendor Review

• Risk Assessment
• Strategic Review
• Due Diligence
• Contingency Planning
• Contract Structuring and Review
• Audit Requirements
• Monitoring & Oversight

Page 32: Vendor Management – User Controls Considerations

Page 33: Vendor Management – New Vendor Review

• Risk Assessment
• Due Diligence
• Contingency Planning
• Contract Structuring and Review
• Monitoring & Oversight

Page 34: What Examiners Are Looking For

• Risk assessment and proper due diligence prior to the selection of a vendor
• Consumer protection
  – Risk the third party poses regarding consumer complaints
  – UDAAP/Fair Lending risks
• Ensure completion of enhanced due diligence (e.g. review of the vendor's SSAE 16 report)
• Review and documentation of compliance with User Control Considerations

Page 35: Vendor Management – Consumer Protection

Page 36: Online Banking – Regulatory Guidance

• 2005 FFIEC – Authentication in an Internet Banking Environment
  – The 2005 Guidance provided a risk management framework for financial institutions offering Internet-based products and services to their customers.
• 2011 FFIEC – Supplement to Authentication in an Internet Banking Environment
  – The purpose of this Supplement to the 2005 Guidance (Supplement) is to reinforce the Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.

Page 37: Online Banking Risk Assessment – Program Review

• Website Review
• Vendor Due Diligence & Suitability
• Contracts & Agreements
• Customer Eligibility & Review
• Risk Assessments
• Account Origination & Customer Verification
• Layered Security Programs
• Effectiveness of Certain Authentication Techniques
• Monitoring & Reporting
• Customer Awareness & Education

Page 38: Online Banking Risk Assessment – Valuation Table

Page 39: Online Banking Risk Assessment – Transaction Analysis

Page 40: Online Banking Risk Assessment – Transaction Analysis

Page 41: Online Banking Risk Assessment – Transaction Analysis

Page 42: Online Banking Risk Assessment – Risks & Controls Worksheet

Page 43: What Examiners Are Looking For

• Consumer protection
  – UDAAP
  – GLBA
• Other considerations
  – Distributed Denial-of-Service (DDoS) Attacks
  – Corporate Account Takeover (CATO)

Page 44: Business Continuity – Regulatory Guidance

• FFIEC IT Examination Handbook
  – A business impact analysis (BIA) is the first step in the business continuity planning process and should include the:
    • Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis;
    • Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution's business functions and processes;
    • Identification of the legal and regulatory requirements for the institution's business functions and processes;
    • Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution's business functions and processes; and
    • Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path.

Page 45: Business Continuity – Business Impact Analysis

Page 46: Business Continuity – Business Impact Analysis

Page 47: What Examiners Are Looking For

• Impact to the bank
• Recovery Time Objectives (RTOs)
• Recovery Point Objectives (RPOs)

Page 48: New Product Assessment – Regulatory Guidance

• OCC Bulletin 2004-20 – Risk Management of New, Expanded, or Modified Bank Products and Services
  – An effective risk management process includes (1) performing adequate due diligence prior to introducing the product, (2) developing and implementing controls and processes to ensure risks are properly measured, monitored, and controlled, and (3) developing and implementing appropriate performance monitoring and review systems

Page 49: New Product Risk Assessment

• Strategic Review
• Personnel
• Risk Management Review
• Regulatory Compliance
• Information Security
• Vendor Due Diligence
• Business Continuity
• Policies & Procedures
• Reporting
• Performance Monitoring

Page 50: New Product Risk Assessment

Page 51: What Examiners Are Looking For

• Risk assessment on all new products/services
• Third Party involvement
• Consumer protection
  – Consumer complaints
  – UDAAP/Fair Lending

Page 52: Thank You

Scott Yoshimura, Risk Management Consultant
Advisory Services
[email protected]