Posts

Risk Reduction: #1 Concern of Bank Boards

The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place.

11DIt’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on financial performance.

Survey Findings

  • 97 percent of the respondents reported the bank has a chief risk officer in place or equivalent.
  • 63 percent said that a separate risk committee on the board oversaw risks.
  • 64 percent of banks that have the separate risk committee reported that the bank’s strategic plan plus risk mitigation strategies got reviewed; the other 36 percent weren’t doing this.
  • 30 percent of the respondents believed that the bank’s risk appetite statement encompasses all potential risks.
  • Of this 30 percent, less than half actually use it to supply limits to the board and management.
  • The survey found that the risk appetite statement, risk dashboard and the enterprise risk assessment tools aren’t getting fully used.
  • And only 30 percent analyze their bank’s risk appetite statement’s impact on financial execution.
  • 17 percent go over the bank’s risk profile monthly at the board and executive level, and about 50 percent review such only quarterly; 23 percent twice or once per year.
  • 57 percent of directors believe the board can benefit from more training in the area of new regulations’ impact and possible risk to the bank.
  • 53 percent want more understanding of newer risks like cyber security issues.
  • Senior execs want the board to have more training in overseeing the risk appetite and related issues.
  • 55 percent believe that the pace and volume of regulatory change are the biggest factors in leading to risk evaluation failures.
  • Maintenance of data infrastructure and technology to support risk decision making is a leading risk management challenge, say over 50 percent of responding bank officers, and 40 percent of survey participants overall.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Evaluating Physical and Information Security Risks

When it comes to protecting an organization’s information, flaws with this can involve either implementing strong technology to protect too much trivial data, or inadequate protection of important and sensitive data.

7WIn short, not enough attention is cast upon a company’s most important information; there’s a gap between the IT department and the operational units of the business.

A thorough risk assessment is warranted in these cases. Once all the risks are identified, strategies can be created by personnel to prioritize risk minimization. This is risk management.

Risk has several components: assets, threats and weaknesses. Businesses must address (risk-assess) all components—internally, rather than externally by outsourcing.

A risk assessment identifies all potential risks, then analyzes what might happen in the event of a hazard.

A BIA (business impact analysis) is the process by which potential impacts are determined that result from the impediment of critical business activities. With a BIA, the results of disrupted business processes (which can include losses or delayed deliveries, among many others) are predicted; information is collected to come up with recovery strategies.

The objective is to maximize cost/benefit: identify the most relevant risks and reduce them with minimal investment.

The strategy is to determine what risks this company may face in a given year (e.g., digitized information, reputation, paper documents, employee safety).

Next is to formulate a list of possible sources of threats (employees, hackers, customers and competitors, to name some) based on the experiences of many in the organization. There are also risk assessment plan guidelines online.

Then next is a risk assessment chart. A list of assets must be compiled (e.g., employees, machinery/equipment, IT, raw materials, etc.) in a left column. Then opposite each asset, put down its associated hazards that could yield an impact. Each hazard is broken down into high probability-low impact and low probability-high impact.

Review the impacts for vulnerabilities that may make the asset prone to a loss. Here you’ll find opportunities for threat prevention or mitigation. Probability of occurrence can be specified with L for low, M for medium, H for high.

Information from the BIA would go towards rating the impact on “Operations.” Make an “entity” column for estimations of potential impacts (e.g., financial, brand/reputation, contractual). “Overall Hazard Rating” combines “probability of occurrence” and the highest scoring that impacts operations, employees, property, etc.

A worst case scenario? Do nothing. After all, a failure to plan is a planned failure.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.