Operational IT planning should identify and assess risk exposure to ensure policies, procedures, and controls remain effective. Information security risk assessments are required. Risk assessments should cover all IT risk management functions including security, outsourcing, and business continuity. Senior management should ensure IT-related risk identification and assessment efforts at the enterprise-wide level are coordinated and consistent throughout the organization.
Senior management can use risk assessment data to make informed risk management decisions based on a full understanding of the operational risks. Small institutions with less complex systems may use a simpler risk assessment process. Regardless of the complexity, the process should be formal and should adapt to changes in the IT environment. Examiners should measure the effectiveness of the process by evaluating management’s understanding and awareness of risk, the adequacy of formal risk assessments, and the effectiveness of the resulting policies and internal controls.