Risk Management 101
SOX
Issue Management
Policies and Standards
Risk Management 101 (Continued)
100

All bankers have this responsibility

What is managing risk?

100

Legislation enacted to drive strong controls over financial reporting for publicly traded companies

What is Sarbanes-Oxley (SOX)?

100

Control gaps that are within our risk appetite (moderate or low)

What are control weaknesses?

100

Documents that outline expected behaviors to guide and direct people.

What are policies?

100

Moderate for Information Technology and Information Security Risk

What is our risk appetite for information risk?

200

The two subcategories of information risk managed by Webster Technology

What are Information Technology and Information Security?

200

KPMG

Who is Webster's external auditor?

200

Control gaps that exceed our moderate risk appetite (high or critical)

What are issues?

200

Documents outlining established, finite and quantifiable requirements to meet control objectives

What are standards?

200

Preventative, Detective, Directive, and Corrective

What are the types of controls?

300

A process review documenting process flows, identifying risks and controls, and assessing control effectiveness.

What is a Risk and Control Self-Assessment (RCSA)?

300

To identify SOX controls in place for a key process or system that supports the bank's financial statements

What is the purpose of a SOX walkthrough?

300

Tracked in the IT Risk Repository and out-of-appetite issue remediation is monitored in LogicManager.

Where are issues and control weaknesses tracked?

300

Established uniform technical criteria, processes and methods, such as required configurations (hardening standards).

What are technical standards?

300

Minimal, low, moderate, high and critical

What are the levels of risk in our enterprise risk taxonomy?

400

By implementing appropriate controls

How are risks managed?

400

Control owners attest to the operating effectiveness of their SOX controls this often

What is quarterly?

400

High/critical issues require remediation plans within 30 days. Moderate/low findings are prioritized by process owners against other process improvements

How should process owners address issues and control weaknesses?

400

Detailed documentation of steps to meet the requirements of the standards, intended for day-to-day use.

What are procedures?

400

Risk acceptance, Remediation, Transfer/Sharing, Avoidance

What are the types of risk treatment?

500

Through boundaries and thresholds expressed in the Risk Appetite Statement

How does management determine whether risks it assumes are warranted?

500

An application that stores information that feeds Webster's financial statements

What is an in-scope SOX application?

500

Self-Identified, by Control Functions (2nd or 3rd lines of defense), or by third parties (external auditors or regulators).

How might issues or control weaknesses be identified?

500

A document that identifies the top risks in key technology processes, control objectives, and quantitative measures of effectiveness at mitigating those risks.

What is the risk appetite statement (RAS)?

500

Through relevant measures of risk management effectiveness (key risk indicators and key control indicators)

How do we assess risk management effectiveness?