©2013 CliftonLarsonAllen LLP cliftonlarsonallen.com Risk Assessment - Balancing Risk While Enhancing Controls
Session Objectives
• Define risk and risk assessment.
• Execution of the assessment and approach.
• Impact on controls and future state improvements.
• Vendor management.
• IT Security.
What is Risk?
• Risk may be caused by an event (or series of events) that can adversely affect the achievement of your objectives.
• Risks are generally thought to be associated with taking actions; however, risks can also occur when no action is taken in the form of missed opportunities.
• Risk is measured by impact and vulnerability; what remains after mitigation is the mitigated value.
What is Risk Assessment?
• A systematic process for utilizing professional judgments to evaluate probable adverse conditions and/or events and their potential effects on your organization.
• A process for risk identification and prioritization of the credit union’s key business risks (e.g. operational, financial, strategic).
• Enterprise-wide risk assessment is defined as assessing risk for all functional business areas of an organization.
Polling Questions #1
• Does your Credit Union perform an enterprise-wide risk assessment?
Business Justification for Risk Management
• Credit unions need to understand overall inherent levels of risk embedded within their processes and activities.
• It is important for the credit union to then recognize and prioritize significant risks and identify the weakest critical controls.
• Resulting in improved operations:
– Policies and procedures
– Internal control design
– Efficiencies of processes
Benefits of a Risk Assessment Program
• Helps ensure that the greatest risks to the credit union are identified and addressed on a continuing basis.
• Helps personnel throughout the credit union better understand risks to business operations and teaches them to avoid risky practices.
• Reduces the assumption of risk as it identifies key areas where actual risks lie.
• Helps track risks and vulnerabilities to the organization as changes occur over time.
• Improves overall organizational value.
Develop Risk Model
A risk model framework is defined by six types of risk:
• Strategic: The risk that business objectives will not be met due to poorly defined business strategies, poorly communicated strategies, or the inability to execute these strategies due to inadequate organizational structure, infrastructure or alignment.
• Operational: The risk that operational processes do not achieve the objectives they were designed for in support of the business model. This risk addresses inefficient operations, poor alignment of processes with objectives and strategies, failure to protect assets, etc.
• Financial: The risk that financial reporting is inaccurate, incomplete, or untimely due to a variety of factors including the pace of change, the amount of uncertainty, the presence of a large error, or the pressure on management to meet certain expectations.
Develop Risk Model (continued)
• Compliance: The risk that legal and regulatory requirements associated with mandated Federal and State regulations, statutes, and standards are not complied with.
• Technology: The risk that IT systems/applications are unavailable and/or there is a lack of integrity in the data and information that support decision making. This risk also considers the level of use, sophistication, complexity, robustness, ease of use and speed, and accuracy of recovery/replacement of systems.
• Human Capital: This risk addresses the type of behaviors encouraged by management; the methods used to reward employees; the approach to consistently enforce policies and procedures; the selection, screening, and training of employees; and the reason for and frequency of turnover.
Major Types of Risk and Risk Areas (Examples)
Financial operations: The risks associated with the organization’s financial viability and the way the organization maintains its financial records.
• Financial close and reporting
• Close and consolidation
• Accounting operations
• ALM
• Budgeting
• Fixed assets
• ACH
• ATM/debit card servicing
• Investments
• Accounts payable
• Corporate cards/employee reimbursement
• Wire processing
• Segregation of duties
• Reconciliations
• Journal entries
• Chart of accounts
• Employee expenses
Governance: The risks associated with governance and oversight.
• Policies and procedures
• Strategic planning
• Supervisory Committee roles and responsibilities
Branch Operations: The risks associated with member services and branch operations.
• Lending
• Branch controls review/monitoring
• Teller and vault operations
• Call center
• IRA/CD administration
• Deposit accounts
• Member deposit
• Account opening
• Dormant and escheatment operations
• Safety and security
Major Types of Risk and Risk Areas (cont.)
Employment and staffing: The risks associated with the organization’s delivery and management of its human resources, including employed, contracted, and credentialed providers.
• Labor Relations
• Wage and Hourly – Compensation
• Employment Practices – Hiring and Firing
• Education, Training, Development
• Staffing – Retention, Recruitment, Performance Evaluations, Levels
• Pension and Benefits – Insurance
• Worker’s Compensation
Organization and strategic environment: The risks associated with external factors, strategic direction, and issues related to organizational structure and culture.
• Strategy – M&A
• Public Relations
• Reputational
• Mission
• Market Forces (Competition)
• Disaster Planning
• Physical Security
• Emerging Technologies (Innovations)
• Systems Integration
Major Types of IT Risk and IT Risk Areas (Examples)
IT computing environment: Risks associated with the organization’s IT systems.
• Hardware
• Software
• System interfaces
• Databases
• System and data criticality (the system’s importance to the organization)
• System and data sensitivity
• Data backup and recovery process
Logical access
• Password Administration
• Direct access to data
• Physical access to data centers/facilities/equipment
• Lack of segregation of duties
Network security and availability
• System security policies
• System security architecture
Operational environment of IT systems
• Functional requirements of the IT system
• Users of the IT system
• Management of data changes
Develop Risk Model (continued)
• Next, we define criteria to use as a tool for ranking risks, based on the impact the risk could have on the organization and on the vulnerability (how likely it is that the risk would occur). Vulnerability is evaluated from the underlying attributes of the process and from the effectiveness of the control environment around that process.
• The criteria are defined in terms of high, moderate, and low.
Areas of Focus and Definitions
Impact
• Financial
• Stakeholder
• Reputation
• Legal / Regulatory
• Operations
Vulnerability
• Control Efficiency & Operating Effectiveness
• Speed of Response
• Complexity
• People
• Operational Efficiency
• System Capability
• Rate of Change
Measurement Scale
• High Risk
• Moderate Risk
• Low Risk
Execute Risk Assessment Approach
• Planning & Data Gathering: Validate objectives, scope, and approach; establish an understanding of expectations; develop a project plan; etc.
• Interviews / Surveys: Identify the various participants, including key process owners, and conduct interviews and/or surveys. Key risks are gathered and documented during this stage.
• Ranking of Risks: Using the risk model, we rank each identified risk as high, moderate, or low based on the defined impact and vulnerability criteria.
• Validation of Risks: Discuss and validate all risks identified, including risk rankings and recommendations, with the credit union.
• Reporting Results: Develop a report that is inclusive of the risk assessment methodology; the scope, objectives, and approach taken; and the specific risks identified, including recommendations and risk ranking.
Framework for Assessing Risk and Organizing Risk Response (Illustrative)
Focus on vulnerabilities to value loss or creation – not just likelihood.
Set Risk Appetite (Thresholds)
Assess Impact
• Key Performance Indicators: Qualitative; Quantitative
• Outcomes: Financial; Reputation; Legal / Regulatory; Stakeholder Expectations
Assess Vulnerability
• Control effectiveness
• Cost of risk experience
• Prevailing failure modes / contributing factors
• Complexity and change
• Risk management capability (detect, prevent, correct, escalate)
MARCI Chart – Risk Mapping
Set Priorities
• Likelihood
• Degree of difficulty
• Cost / ROI
• Time to implement
Select Risk Response
• Acceptance
• Avoidance
• Prevention
• Detection
• Correction
• Escalation
Illustrative Basic Risk Dashboard Using a Risk “Heat Map”
The risk assessment process facilitates the identification of risks by rating the Impact, Vulnerability and Speed of Onset of each risk.
The overall impact of the risk can be based on multiple impact types, including:
• Financial
• Reputation
• Legal/Regulatory
• Members
• Employees
• Operations
The overall vulnerability of the risk can be based on factors such as:
• Existing controls and mitigation efforts
• Risk management capability
• Prior risk experience
Speed of Onset is based on how quickly the risk could occur.
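As an added illustration (not a CLA tool and not part of the original deck) of how the high/moderate/low criteria from the risk model and the heat map’s impact, vulnerability and speed-of-onset ratings combine into a ranked dashboard: impact takes the worst-rated impact type, vulnerability the rounded average of its factors (an assumption; the slides list the factors but not how they combine), and the impact × vulnerability cell of a 3×3 heat map sets the overall rating, with speed of onset breaking ties. The risk register is constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean

LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Risk:
    name: str
    impact: dict         # impact type -> rating, e.g. {"financial": "high"}
    vulnerability: dict  # factor -> exposure it leaves (low = strong controls)
    speed_of_onset: str  # how quickly the risk could occur

def _score(rating: str) -> int:
    if rating not in LEVELS:
        raise ValueError(f"unknown rating {rating!r}; use low/moderate/high")
    return LEVELS[rating]

def rate_impact(risk: Risk) -> int:
    """Impact is set by the worst-rated impact type."""
    if not risk.impact:
        raise ValueError(f"{risk.name}: no impact ratings given")
    return max(_score(v) for v in risk.impact.values())

def rate_vulnerability(risk: Risk) -> int:
    """Rounded average of the vulnerability factors (an assumption: the
    slides list the factors but not how they combine)."""
    if not risk.vulnerability:
        raise ValueError(f"{risk.name}: no vulnerability ratings given")
    return round(mean(_score(v) for v in risk.vulnerability.values()))

def heat_map_rating(risk: Risk) -> str:
    """Map the impact x vulnerability cell of a 3x3 heat map to one rating."""
    cell = rate_impact(risk) * rate_vulnerability(risk)
    return "high" if cell >= 6 else "moderate" if cell >= 3 else "low"

def prioritize(risks: list) -> list:
    """Dashboard order: hottest cell first, speed of onset breaks ties."""
    def hot(r):
        return (rate_impact(r) * rate_vulnerability(r), _score(r.speed_of_onset))
    return [(r.name, heat_map_rating(r), r.speed_of_onset)
            for r in sorted(risks, key=hot, reverse=True)]

# Constructed sample register (illustrative, not data from the slides);
# vulnerability factors: controls, capability (risk management), experience (prior).
SAMPLE_REGISTER = [
    Risk("Core processor outage", {"operations": "high", "members": "high"},
         {"controls": "moderate", "capability": "moderate", "experience": "low"}, "high"),
    Risk("Wire released without dual control", {"financial": "high"},
         {"controls": "low", "capability": "low", "experience": "low"}, "high"),
    Risk("Dormant account escheatment missed", {"legal_regulatory": "moderate"},
         {"controls": "high", "capability": "moderate", "experience": "high"}, "low"),
    Risk("Employee expense report errors", {"financial": "low"},
         {"controls": "moderate", "capability": "low", "experience": "low"}, "moderate"),
]
```

Note that two risks can land in the same heat-map cell for different reasons (a high impact with moderate vulnerability, or a moderate impact with weak controls), which is why the dashboard keeps both ratings visible rather than only the combined score.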
Impact on Controls
• Facilitate Process and Internal Controls Discussions
– Discussions with key managers and stakeholders associated with the agreed-upon process areas.
– Facilitate discussions to gain an understanding of the current state processes and internal controls, the personnel involved, and the supporting technology.
• Document Current State Processes and Internal Controls
– Document the current state processes and internal controls, as necessary, to mitigate relevant risks as defined by the discussion.
– Identify the flow of a process and the various internal control points that exist within each process, and identify significant risks.
• Walkthrough of Processes, Internal Controls and Supporting Documentation
– A walkthrough is the method of discussing all relevant processes and internal controls with key stakeholders and observing and/or inspecting the available documentation to validate whether appropriate documentation appears to be in place.
Outcomes and Improvements
• Design Analysis and Recommendations
– Determine the areas where additional internal controls may be needed, and, as needed, compare the operations to widely accepted best practices.
– The design analysis will allow us to identify specific actions that will result in recommendations for improvement.
• Work procedures include:
◊ Determine if current internal controls are designed appropriately to mitigate the identified risks.
◊ Determine the adequacy of the design of the internal controls that currently exist as it relates to effective and efficient achievement of the specified purpose.
◊ Provide detailed recommendations for future state improvements to internal controls.
◊ Identify inefficient and ineffective processes and departures from existing policies and procedures — assess current management processes to identify issues and their underlying cause (i.e. people, process, or technology).
Polling Questions #2
• Does your Credit Union review vendor management controls as part of the risk assessment?
Vendor Management
Vendor Risk Management Objective
• Ensure that the service providers used by the organization are properly overseen and are selected based on the results of a risk assessment process and structured due diligence procedures.
• Services obtained from a third party that involve significant operations must be supported by a written agreement that outlines specific responsibilities.
• In addition, service providers must be monitored on an ongoing and periodic basis for quality and service delivery, with an emphasis on the internal control environment within the service provider organization.
Who is Responsible?
• Identify a key liaison who has adequate knowledge of the risks associated with outsourcing to perform the following:
– Establish and maintain a centralized list of all third-party vendors
– Verify that signed contracts and/or service level agreements exist
– Evaluate prospective service providers based on requirements:
◊ Sensitivity of data accessed, processed or maintained by the service provider
◊ Volume of transactions
◊ Criticality of the service to the organization’s product offering(s)
– Obtain and review SSAE 16 reports
What Should be Assessed?
• In addition, the organization will evaluate the service provider’s:
– Financial position
– Marketplace position
– Dependency on key personnel
– Use of subcontractors
– Location of applications/data (off shore*)
– Dependency on subcontractors
– Availability/security of systems
– Redundancy/reliability of communications
– Disaster recovery/business continuity
What to Assess for SSAE 16 Reports
• When assessing the SSAE 16 report, look for the following governance-level controls:
– Report type
– Appropriateness of coverage of the report
– Time period of coverage
– IT applications and/or transaction flow
– Specific controls tested and whether the control objective listed meets your control objective
– The service auditor’s opinion on the operating effectiveness of the controls
What to Assess for SSAE 16 Reports (continued)
• The following SSAE 16 controls should be tested on an annual basis (or for the term of the SSAE 16 report):
– Appropriateness of controls included in testing
– Quality of the firm executing the report
– Variance in time resulting in additional procedures needing to be completed
– Any changes in the current control structure since the last report
– Evaluation and completion of User Consideration Controls
◊ Identify controls and test procedures
◊ Execute testing
◊ Document results
Examples of Critical Vendors
• Core Processor
• Payroll Provider
• Online or mobile banking
• Bill Pay
• External Statement Processor
• Other (off-site storage, credit card, electronic BOD, etc.)
Vendor Management Process
• Planning
• Due diligence and third-party selection
• Contract Negotiation
• Ongoing Monitoring
• Termination
• Oversight and Accountability
• Documentation and Reporting
• Independent Reviews
Polling Questions #3
• Does your Credit Union perform an IT risk assessment?
IT Security
FFIEC Cybersecurity Self Assessment
• Two years in development!
• Voluntary verbiage is removed… now mandatory in 2016.
• Will be an examination tool
• Consistent approach to know your risks
• Measure over time
FFIEC Cybersecurity Self Assessment (four image-only slides; no text extracted)
Key Actions: Determine Enough
• Test the Key Controls (from the risk assessments)
• Penetration Testing (Breach Simulation)
• Vulnerability Assessment (collaborative, comprehensive)
• General Controls Review (BCP, Vendor, Change, Board)
Testing Controls: Pen-Testing
• Definition: Breach Simulation.
• What would happen if an attacker targeted my Financial Institution?
• Can this question be answered if those responsible for breach detection and response are aware of the timing of testing?
Pen-Testing: Vendor Misrepresentation
• What if your vendor’s penetration testing has no penetration testing?
• Symptoms of REAL Pen-Testing:
– Starts with Social Engineering
– Performed Covertly
– Same Methods as Actual Attacks
– Persists until compromise and/or DA
Testing Controls: Vulnerability Assessment
• Definition: Collaborative, comprehensive exercise to identify vulnerable systems and misconfigurations.
• What systems are susceptible to compromise?
• Can this question be answered if only a subset of systems are evaluated?
• Internal vs External
• Sampling
Testing Controls: General Controls Review
• Definition: Collaborative evaluation of compliance with guidance and ‘best practices’.
• Are my policies and practices compliant?
• Exam Focus: Vendor Management, Risk Assessment, BCP, Board Oversight, Incident Response…
cliftonlarsonallen.com
twitter.com/CLA_CPAs
facebook.com/cliftonlarsonallen
linkedin.com/company/cliftonlarsonallen
Brian Pye, Principal, (612)-397-3139, [email protected]