Section: IT Risk Management Process

IT controls result from an effective, risk assessment process. Therefore, the ability to mitigate IT risks is dependent upon risk assessments. Senior management should identify, measure, control, and monitor technology to avoid risks that threaten the safety and soundness of an institution. The institution should (1) plan for use of technology, (2) assess the risk associated with technology, (3) decide how to implement the technology, and (4) establish a process to measure and monitor risk that is taken on. All organizations should have:

An effective planning process that aligns IT and business objectives;An ongoing risk assessment process that evaluates the environment and potential changes; Technology implementation procedures that include appropriate controls; and Measurement and monitoring efforts that effectively identify ways to manage risk exposure. This process will typically require a higher level of formality in more complex institutions with major technology-related initiatives.

The risk identification and management process for technology-related risks is not complete without consideration of the overall IT environment in which the technology resides. Management may need to consider risks associated with IT environments from two different perspectives:If the IT function is decentralized, and business units manage the risk, then management should coordinate risk management efforts through common organization-wide expectations. If the IT department is a centralized function that supports business lines across shared infrastructure, management should centralize their IT risk management efforts.