CFPB Readiness Series:
Making Risk Assessment Work For You
Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 250 clients in more than 40 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance by performing assessments, audits, and tests that strengthen information security, and compliance controls.
Welcome
Todd Stephenson is an Information Security Specialist helping collection agencies and law firms prepare for a CFPB examination.
– Certified Information Systems Auditor (CISA)
– Information Security Specialist
– Over four years working with the ARM industry
What is Risk Assessment?
• A systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
• It involves evaluating:
– Operational risks
– Compliance risks
– Reputational risks
Why Care About Risk Assessment?
• The CFPB is mandated
• Why should you care?
– To maintain revenue and business operations – Operational Risk
– Ensure future growth and opportunities – Reputational Risk
– Avoid costly lawsuits and fines – Compliance Risk
Risk Assessment is Interconnected
A Look at Vendor Risk
• “The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management …A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
OCC: Third-Party Relationships: Risk Management Guidance (OCC 2013-29)
A Look at Vendor Risk
• “The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors.”
FDIC Compliance Manual — January 2014
Making it Work for You
• Confidence – I know where my risks are and I’ve addressed them. I sleep better at night.
• Clear Direction – I know what we need to be doing and what we don’t need to be doing. Ex: Internal Audit
• Cost savings – Ex: My vendor has a SOC 2 or PCI RoC and CFPB
Welcome
Jessie Skibbe is a former Chief Compliance Officer with 10 years of ARM industry experience. As Director of Compliance Services for KirkpatrickPrice, she is focused on assisting clients in meeting regulatory compliance & information security objectives.
– ACA Certified Credit & Collections Compliance Officer (CCCO)
– ISC2 Certified Information Systems Security Professional (CISSP)
– DBA Certified Receivables Compliance Professional (CRCP)
– PCI SSC Qualified Security Assessor (QSA)
Common Uses for Risk Assessment
• Business Continuity Planning
– Disaster Preparation
– Identifying Critical Business Components
• Information Security Compliance
– PCI DSS
– ISO 27001
– SSAE 16
– HIPAA
Compliance Risk Assessment
• Where do I begin?
– Begin by having a clear understanding of what federal, state and local laws are applicable to you.
• State Law Resources:
– http://www.acainternational.org/state-collection-laws-and-practices.aspx
– http://www.nationallist.com/white_papers
– Stay up to date
• Review consent orders and recent litigation.
Compliance Risk Assessment
• What’s Next?
– Determine the most likely way a violation of these laws will occur.
• Consumer telephone calls
• Letters
• Non-compliant vendors
Compliance Risk Assessment
• Begin the process
– Policies and Procedures
• Risk Assessment Policy
• Risk Assessment Procedure
• Risk Assessment Template
– Document Document Document
• Remediation action needed
• Changes as a result of the risk assessment
Compliance Risk Assessment
• Next Steps
– Perform Third-Party Risk Assessments
– Internal Audit Procedures
– Internal Monitoring Procedures
– Third-Party Audit Procedures
– Third-Party Monitoring Procedures
• Risk Levels should determine what to monitor and how often
Third-Party Risk Assessment
Thank you for attending
Q & A
For further information contact:
Todd Stephenson
800.977.3154 Ext. 202
Jessie Skibbe
800.977.3154 Ext. 103
Coming up Next
CFPB Readiness Series: Developing Your Vendor Audit Framework and Questionnaire
When: May 29, 2014 at 2:30pm EST