Analogy To Risk Assessment
I am known to drive quite a collection of vehicles, from antique to modern, and there are significant differences across the range. Give me the antique anytime in an accident. I was once in an accident in one of the antiques, and that vehicle rolls on today, whereas the other, newer vehicle involved went to the scrap yard the day of the accident. If maintained properly and consistently, the antiques will outlast the newer ones any time. The newer ones have a gear ratio that gets you there quicker, but come an accident or issue, the new ones leave you sitting, as they are simply more disposable and replaceable. The key is that you must replace them. They are not made to be anything other than disposable.
Risk assessments are much the same. We know we have to have them. Vendors can provide you with them turnkey. Consider the Identity Theft Red Flags of November 9, 2007 (72 FR 63718) and the associated risk assessment (12 CFR 334.90 (c)). At any point in time you could have purchased this assessment, or had it done by a vendor for your institution, and you would have been there at that point. But if the assessment you purchased was never maintained by the vendor as your institution and its risk changed due to product delivery, ID theft risk losses, and changes in ID theft risk controls, it became a scrap yard item pretty quickly. In daily risk assessment usage and in an exam, a risk assessment that was never maintained is worthless.
But you could have maintained a risk assessment and still be rolling along. In the ID theft risk assessment alone, think of the variable factors involved that are likely to change significantly over time. To name just a few:
- Type and volume of covered accounts
- Methods to open and access
- ID theft experience
- ID theft risk factors including wire transfers and notices of warnings from a Consumer Reporting Agency
- ID theft risk associated with suspicious documents
- ID theft risk associated with inconsistent patterns of activity in consumer reports
- ID theft risk associated with suspicious personal identifying information
- ID theft risk associated with dishonest employees, spyware, phishing, hacking or pharming
You and/or your BSA officer are right there daily and know your history of ID theft at your institution as well as changes in controls implemented in response to technology changes, product delivery changes, or lessons learned from actual ID theft at your institution.
So, who could better keep the ID theft risk assessment maintained than you at your institution? Hence, make sure you have a risk assessment vehicle that is maintainable and maintained. If so, you will continue to roll along.