Excerpt of FAQs from the Webinar "IT Risk Assessments: Understanding the Process"
• Who should be conducting a risk assessment? Can we do this in-house or do we need to have this done by someone external to our institution?
• How do I know if the risk assessment we've conducted is appropriate? More so, will it be accepted by our regulators?
• How far do I need to go to assess third-party vendors as part of our assessment?
• Do regulators have a preference for one type of risk assessment: the qualitative vs. the quantitative?
• You mentioned that the qualitative approach works in the majority of institutions; you also mentioned this is subjective in nature. If it is subjective, how do I make decisions based on the outcome of this assessment?
• Do I need to cover only systems and processes that are specific to bank customers, or do I need to cover other systems and processes as well, such as human resources, department systems, or systems used by our accounting and finance groups?
• How often do we do our risk assessment? Is this dependent on our size or the results of our initial risk assessment? I.e., dependent on "fair" or "unfair" results.