
Establish and maintain the factors and context for risk to the organization.


CONTROL ID
12230
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program., CC ID: 00687

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should ensure that registration of a payee in a high-risk transaction should only be allowed through secure channels with adequate identity checks conducted by AIs. However, AIs may regard small-value funds transfers (see subsection 6.1.1 below) as not being high-risk transactions. (§ 4.1.6, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • For Internet banking, AIs should require 2FA at least once to authenticate customers' identity for each login session before performing high-risk transactions. High-risk transactions should cover, at least, high-risk funds transfers, which include: (§ 4.1.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • As mentioned in subsection 4.1.4, AIs should implement 2FA to authenticate the customer's identity before effecting a high-risk funds transfer transaction. Nevertheless, AIs also have the flexibility to offer a service where small-value funds transfer transactions to unregistered payees are not rega… (§ 6.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The TRM function has a role to assist business units and IT functions in performing the technology risk management process which identifies, measures, monitors and controls technology-related risks. In addition, this function helps to ensure awareness of, and compliance with, the AI’s IT control p… (2.3.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • To facilitate risk reporting to management, the FI should develop IT risk metrics to highlight systems, processes or infrastructure that have the highest risk exposure. An overall technology risk profile of the organisation should also be provided to the board of directors and senior management. In … (§ 4.5.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should perform an analysis of the potential impact and consequences of the threats and vulnerabilities on the overall business and operations. The FI should take into consideration financial, operational, legal, reputational and regulatory factors in assessing technology risks. (§ 4.3.1, Technology Risk Management Guidelines, January 2021)
  • Financial institutions should ensure that they continuously monitor threats and vulnerabilities relevant to their business processes, supporting functions and information assets and should regularly review the risk scenarios impacting them. (3.3.3 21, Final Report EBA Guidelines on ICT and security risk management)
  • identify and assess the ICT and security risks to which a financial institution is exposed; (3.3.1 13(b), Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should identify the ICT and security risks that impact the identified and classified business functions, supporting processes and information assets, according to their criticality. This risk assessment should be carried out and documented annually or at shorter intervals if r… (3.3.3 20, Final Report EBA Guidelines on ICT and security risk management)
  • relevant internal and external factors, including business and ICT administrative functions; (3.4.5 38(a), Final Report EBA Guidelines on ICT and security risk management)
  • the applicable policy covers all significant elements for the risk management of the identified material ICT risks; (Title 3 3.3.1 49.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • whether the institution is implementing material changes to its ICT systems and/or ICT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core ICT systems), which may adversely impact the stability or orderly functioning of the ICT systems and can result in ma… (Title 3 3.2.1 39.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangeme… (4.5 33, Final Report on EBA Guidelines on outsourcing arrangements)
  • risk identification, assessment and management in accordance with Section 12.2; (4.7 42(c)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; (4.12 61(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); (4.6 40(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • All firms will wish to protect themselves and their customers from fraud. Management oversight, risk assessment and fraud data will aid this, as will tailored controls on the ground. We expect a firm to consider the full implications of the breadth of fraud risks it faces, which may have wider effec… (4.2.1 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Analyze the existing climate and individual mindsets about how the workforce perceives risk, its impact on their work and the organization as a whole, and how effectively risk management is integrated with the decision-making and running of the business. (OCEG GRC Capability Model, v 3.0, L3.3 Analyze Risk Culture, OCEG GRC Capability Model, v 3.0)
  • Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. (CEK-07, Cloud Controls Matrix, v4.0)
  • define the external and internal factors that create the uncertainty that gives rise to risk, (§ 4.1 ¶ 4 2), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal aud… (§ 5.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization should establish the external and internal context of the risk management process by considering the factors mentioned in 5.4.1. (§ 6.3.3 ¶ 4, ISO 31000 Risk management - Guidelines, 2018)
  • When designing the framework for managing risk, the organization should examine and understand its external and internal context. (§ 5.4.1 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • To set risk criteria, the following should be considered: - the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible); - how consequences (both positive and negative) and likelihood will be defined and measured; - time-related factors; - consiste… (§ 6.3.4 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • Risk analysis should consider factors such as: - the likelihood of events and consequences; - the nature and magnitude of consequences; - complexity and connectivity; - time-related factors and volatility; - the effectiveness of existing controls; - sensitivity and confidence levels. (§ 6.4.3 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. (§ 6.9.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that it considers the effect of uncertainty on the organizational purpose and associated strategic outcomes. (Table 1 Column 4 Row 10, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • a holistic view is taken by the organization, including consideration of all relevant types of risk; (§ 6.9.3.4 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's risk landscape; (§ 6.3.3.1.1 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization should identify potential events that are related to the development or use of AI and can result in a variety of tangible or intangible consequences. (§ 6.4.2.4 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • In addition to the guidance provided in ISO 31000:2018, 6.3.1, for organizations using AI the scope of the AI risk management, the context of the AI risk management process and the criteria to evaluate the significance of risk to support decision-making processes should be extended to identify where… (§ 6.3.1 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • actions to address these risks and opportunities, taking into account how these risks and opportunities can change with time; (Section 6.1.1 ¶ 2(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the implications of the mixed responsibilities involved (including the associated risks and how the mixed responsibilities can be effectively discharged with accountability for those responsible); (Section 8.8 ¶ 3(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • not meeting the service requirements; (§ 6.1.2 ¶ 1(a)(2), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • all risks, at the needed level of detail, are considered; (§ 6.1.2 Guidance ¶ 9 Bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • As with any powerful tool that offers benefits, the potential for harm also exists. Therefore, the use of AI should be included in the organization's risk assessment. (§ 5.1 ¶ 6, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The organization considers potential effects of business context on risk profile. (Principle 6: Analyzes Business Context, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The risk appetite is informed by the organization's role in critical infrastructure. (GV.SF-4.1, CRI Profile, v1.2)
  • The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. (Risk Management (GV.RM), CRI Profile, v1.2)
  • The organization has a cyber risk management framework that is reviewed and approved by the Board and is informed by the organization's risk tolerances and its role in critical infrastructure. (Strategy and Framework (GV.SF), CRI Profile, v1.2)
  • The risk appetite is informed by the organization's role in critical infrastructure. (GV.SF-4.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Identified risks that may affect the achievement of the service organization's service commitments and system requirements also encompass fraud, such as management override of identified controls at the service organization, misappropriation of assets by service organization personnel, creation by s… (¶ 3.85, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The practitioner should obtain an understanding of relevant portions of internal control over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential … (AT-C Section 315.15, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Aligns IT and business objectives. (App A Objective 9:3 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether there are established performance benchmarks and standards for the IT function and whether they serve to help management identify problem areas, particularly in system or data center availability, operating conditions, response times, and error rates. (App A Objective 13:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Include risk profiles identifying and defining the risk and control factors to assess and the risk management and control structures for each IT product, service, or function; and (TIER I OBJECTIVES AND PROCEDURES Objective 8:2. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Frame risk. Establish the context for risk-based decisions and the current state of the enterprise's information and communications technology and services and the associated supply chain. (2. ¶ 1 Bullet 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The use of a RESTRICTED authenticator requires that the implementing organization assess, understand, and accept the risks associated with that RESTRICTED authenticator and acknowledge that risk will likely increase over time. It is the responsibility of the organization to determine the level of ac… (5.2.10 ¶ 3, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (Risk Management Strategy (GV.RM), The NIST Cybersecurity Framework, v2.0)
  • There are several Enterprise Risk Management (ERM) models available to help organizations integrate risk management and internal control activities into a common framework. Section 270.24 of the Office of Management and Budget (OMB) Circular No. A-11 defines "risk" as the effect of uncertainty on ob… (Section II ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)