2023 IT Examiner School
Internal Use Only
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
Weighing Threats
• Institutions may choose between
  • Qualitative Assessment
  • Quantitative Assessment
  • Combination of both, but Qualitative
• Management may place more weight on one type of threat than another.
• When reviewing the institution's risk values, interact with management if something does not make sense.
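The two slides above describe one procedure: value assets, record threats, score likelihood and impact (qualitatively, quantitatively, or both), choose a response, and question management where the numbers do not hang together. The following Python is an added illustration of that procedure, not material from the examiner school: the ordinal scale, the annualized-loss formula, the decision thresholds, the sample assets and the control costs are all constructed assumptions. It maps to three of the four response options on the slide (accept, transfer, reduce); an entry management has recorded as "ignore" is exactly the kind of item the last function surfaces for discussion.

```python
"""Added illustration of the risk assessment steps on these slides: value
assets, record threats, score likelihood and impact both qualitatively and
quantitatively, pick a response, and flag entries that deserve a question to
management. Not from the examiner-school material; every scale, threshold,
asset and figure below is a constructed assumption."""
from dataclasses import dataclass

# Qualitative scale (assumed): ordinal levels for likelihood and impact.
LEVEL = {"low": 1, "medium": 2, "high": 3}
# Assumed decision thresholds for the response step.
ACCEPT_MAX_SCORE = 2      # qualitative score at or below this may be accepted...
ACCEPT_MAX_ALE = 1_000.0  # ...if the annualized loss is also this small
TRANSFER_MIN_SCORE = 6    # high-scoring risks too costly to reduce get transferred


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_value: float       # step 1: monetary value of the asset
    threat: str              # step 2: the threat or vulnerability
    likelihood: str          # step 3 (qualitative): low / medium / high
    impact: str              # step 3 (qualitative): low / medium / high
    annual_rate: float       # step 3 (quantitative): expected events per year
    exposure_factor: float   # step 3 (quantitative): fraction of value lost per event


def qualitative_score(e: RiskEntry) -> int:
    """Likelihood x impact on the ordinal scale, range 1..9."""
    return LEVEL[e.likelihood] * LEVEL[e.impact]


def annualized_loss(e: RiskEntry) -> float:
    """Single-loss expectancy (value x exposure factor) times annual rate."""
    return e.asset_value * e.exposure_factor * e.annual_rate


def recommend_response(e: RiskEntry, control_cost: float) -> str:
    """Combine both assessments into one of the slide's response options."""
    score, ale = qualitative_score(e), annualized_loss(e)
    if score <= ACCEPT_MAX_SCORE and ale <= ACCEPT_MAX_ALE:
        return "accept"
    if control_cost < ale:           # a control cheaper than the expected loss
        return "reduce"
    if score >= TRANSFER_MIN_SCORE:  # serious but uneconomic to fix: insure it
        return "transfer"
    return "accept"


def review_questions(register, recorded, control_costs):
    """Assets where management's recorded response disagrees with the
    computed one; these are the items to raise with management."""
    return [e.asset for e in register
            if recorded[e.asset] != recommend_response(e, control_costs[e.asset])]


# Constructed sample register (not real institution data).
REGISTER = [
    RiskEntry("core banking db", 2_000_000, "ransomware", "high", "high", 0.2, 0.5),
    RiskEntry("public website", 50_000, "defacement", "medium", "low", 1.0, 0.1),
    RiskEntry("lobby kiosk", 3_000, "theft", "low", "low", 0.1, 1.0),
]
CONTROL_COSTS = {"core banking db": 50_000, "public website": 20_000, "lobby kiosk": 100}
# Responses as management recorded them; the kiosk entry is deliberately odd.
RECORDED = {"core banking db": "reduce", "public website": "accept", "lobby kiosk": "ignore"}

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.asset:16} score={qualitative_score(e)} "
              f"ALE={annualized_loss(e):>10,.0f} "
              f"-> {recommend_response(e, CONTROL_COSTS[e.asset])}")
    print("ask management about:", review_questions(REGISTER, RECORDED, CONTROL_COSTS))
```

Running the file prints one line per asset with its qualitative score, annualized loss and recommended response, then the list of assets whose recorded response does not match; for the constructed register that list is the kiosk entry marked "ignore". The thresholds are the part an institution would have to justify, which is why the check compares management's own decision against the result rather than replacing it.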