RISK ASSESSMENT QUESTIONNAIRES Purpose: To establish a risk rating for systems in a bank, and then rank the system

by risk. Sources: Concepts obtained from FFIEC IS Examination Handbook, OCC Bulletin 98-3, and OCC Bulletin 99-9. Methodology: Collect responses from business and IT areas using the two questionnaires shown below. Use the Reference Chart shown below to understand how the information collected in the questionnaires can be used to assign risk ratings on the Risk Chart. Using a numeric risk rating that makes sense in your environment (we use a scale of 1-5, with 5 being a high risk) assign a numeric rate to row item. When you have completed a chart for each system within your environment, you will be able to rank the systems by risk exposure.

System Name ________________ Risk Chart Risk Factors 1. Quantity of Risk Transaction Dollar Exposure Transaction Volume Complexity of Hardware and Software Volume and Risk exposures relative to internal control exceptions Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing/ turnover). Out-sourcing (Controls over external activities) Internet or other new business activities 2. Quality of Risk Separation of Risk Taking and Risk Management responsibilities Ongoing Risk Identification and Risk Measurement Systems to monitor risk Policies for oversight responsibility of the systems and Policies for Systems Development and Policies for Change Management Monitoring Systems Capacity Assuring the Integrity and Security of Systems Documenting System (programming) History Effective Internal Accounting Controls Effective Recovery Planning, Training & Testing Other Risks Which Are Identified by the Auditor

Explanation

Rating

Reference Chart (Risk Chart with References to the Questionnaires) Risk Factors Explanation Rating IT Risk Questionnaire Item 1. Quantity of Risk Transaction Dollar Exposure Transaction Volume Complexity of Hardware and Software Volume and Risk exposures relative to internal control exceptions Potential for financial loss due to: error or fraud; competitive disadvantage; incomplete information; operational disruption; or personnel factors (experience / staffing/ turnover). Out-sourcing (Controls over external activities) Internet or other new business activities 2. Quality of Risk Separation of Risk Taking Management responsibilities and Risk 8, 9 4, 7 8, 16 13, 14, 15 1, 15 3 6, 8 4, 6 2 2 4, 12 3 1, 3, 5, 10 Business Area Questionnaire Item

Source (Where the risk is mentioned)

FFIEC IS Exam Handbook page 22 FFIEC IS Exam Handbook page 22 FFIEC IS Exam Handbook page 22 FFIEC IS Exam Handbook page 22 FFIEC IS Exam Handbook page 22 FFIEC IS Exam Handbook page 23 FFIEC IS Exam Handbook page 23 FFIEC IS Exam Handbook page 23 FFIEC IS Exam Handbook pages 2-3 to 2-4 OCC 98-3 (p. 11, 12) FFIEC IS Exam Handbook pages 2-3, 2-4 FFIEC IS Exam Handbook page 24 FFIEC IS Exam Handbook page 24 FFIEC IS Exam Handbook page 24 OCC 99-9, OCC 98-3 (p. 11, 12)

1 8

6 12

Ongoing Risk Identification and Risk Measurement Systems to monitor risk Policies for oversight responsibility of the Systems and Policies for Systems Development and Policies for Change Management Monitoring Systems Capacity Assuring the Integrity and Security of Systems Documenting History System (programming)

5 4 2

1 7, 9, 15

Effective Internal Accounting Controls Effective Recovery Planning, Training & Testing Other Risks Which Are Identified by the Auditor 6

8 10, 11

System Name ________________ BUSINESS AREA QUESTIONNAIRE 1. Does the capacity and functionality of this system support the Banks strategic objectives? 2. What are the high risk conditions in your area? Please quantify the potential dollar exposure related to misuse or errors connected to operating this system. How many transactions are created in your area using this system (please define your answer in the time frame which you judge to be most meaningful, daily, weekly, quarterly, etc.)? What are the primary controls you use to monitor business processed through this system? Which of these do you consider to be high risk? Are the controls effective (i.e., timely accurate, meaningful, etc.)? Have there been any control exceptions this year which were not caught by this systems controls? How many changes to this system have been implemented this year (both hardware and software)? How would you rate the potential for financial loss due to any of the following: Human error or fraud: low medium high Competitive disadvantage: low medium high Incomplete information: low medium high Operational disruption: low medium high Please provide reasonable details regarding your responses: Is the development or administration of this system outsourced? Do you feel that control over the outsourcing arrangements are adequate to provide safe and efficient services? Who in your department is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported? Does the system support your requirements for: administrative controls (e.g., transaction controls, limit controls, accounting controls, etc.); and due diligence assessments? Is IT support for this system adequate? Are the Banks training support and user documentation for this system adequate? When was the last business recovery test which involved this system? Was this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test? Are new systems or significant system changes planned for the remainder of this year, or next year? What are the most significant threats to this system? Would they include some of the following: denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of proprietary or private information, modification or destruction of related computer capabilities (i.e., programming codes, networks, databases), and the manipulation of computer, or communications services resulting in fraud, financial loss or other criminal violations? Does this system support your departmental goals to comply with banking reporting requirements and regulations, customer privacy, and other compliance-related business objectives. What would be the best way to improve security or quality for this system?

3.

4. 5.

6. 7. 8. 9. 10. 11.

12. 13.

14.

15.

16. Do you have risk taking and/or risk management responsibility? If so, how are the separation risk king and risk management responsibilities enforced or monitored by the system? Is this an effective control?

System Name ________________ IT Questionnaire 1. How many years experience does the IT staff have supporting this system? How many people are qualified to support this system? If system support outsourced, please state the vendor name and contact information here. 2. 3. 4. How would you rate the systems documentation for this system? Poor, average, great? How often was this system changed last year? No changes, fewer than six changes, six or more changes? What are the IT controls for assuring the security of this system? Do they address risks (identified in OCC 99-9) such as, entering data incorrectly, changing data, deleting data, destroying data or programs with logic bombs, crashing systems, holding data hostage, destroying hardware or facilities? Who is in charge of monitoring the security of this system? Who is the backup? To whom are security problems reported? What are the IT controls for assuring the systems capacity, and the integrity or quality of this system? Who is in charge of monitoring the integrity or quality of this system? Who is the backup? To whom are integrity or quality problems reported? What are the IT controls for assuring the continuity and rapid recovery of this system? When was the last recovery test for this system? Is this system described in the recovery test plans, logs, and sign-offs from that test? Are there output samples from this system which were made during that test? Are significant system changes planned for the remainder of this year or in the next year? What are the most significant threats to this system? Would they include some of the following (as noted in OCC 99-9): denial or disruption of systems services, unauthorized monitoring of systems services, disclosure of proprietary, or private information, modification or destruction of related computer capabilities (i.e., programming codes, network databases), and the manipulation of computer, or communications services resulting in fraud, financial loss or other federal criminal violation? What would be the best way to improve security or quality for this system?

5.

6.

7. 8.

9.