7 Key Components of Successful ITM Risk Mitigation

  • September 20 2018
  • Lowers & Associates


Interactive Teller Machines (ITMs) offer new business opportunities to banks, and therefore to CIT carriers. A significant side benefit to the CIT carrier is the chance to take on an even bigger role in cash management in partnerships with banks. But with the larger role comes a larger responsibility to manage the risks that go with a deeper integration into the financial institution.

Here are 7 key components of a program where CIT carriers evaluate risks and then develop and implement procedures to address them.

1. Risk Assessment

The first step in ITM risk mitigation is a risk assessment. CIT carriers need to review the entire process of cash-in-transit from beginning to end to identify the places where losses might occur, estimate a likelihood for each, and determine cost-benefit priorities. Crew and bystander safety will always be of paramount importance, but many characteristics of the routes, such as cash transitions, surveillance capabilities, and communication security, will also be analyzed.

Carriers will be familiar with many of the ITM issues because they have been servicing ATMs, but there will be differences. Evaluated risks can be addressed in a number of ways.

2. Policies and Procedures

The risk mitigation policies a carrier sets up for ATMs may serve as a template for ITM policies, with additional or different elements incorporated as needed. For instance, the over-the-road assessment and policies to manage exposure due to timing and environmental conditions will be a basis for further development for ITMs, if the machines are co-located or if the ITMs replace ATMs.

Policies will cover over-the-road exposures, procedures for handling cash (which is more complex for the ITM), handling multiple machines in a single setting (especially important if several ITMs are serviced in sequence), maintenance issues, vehicle control issues, and reporting or sign-offs. Basic controls like dual control and separation of duties will be included. These policies constitute best practices for the specific carrier to manage cash with security.

3. Internal Audits

The aim of internal audits is to implement a running account of transactions and cash balances at key points in a route to maintain control of the disposition of cash. Audits performed by the carrier may use a variety of methods, and they may be scheduled and routine by design, or random or intermittent. In all cases, the policy should be communicated to affected staff to set expectations that the audits will occur.

4. External Audits

Audits performed by external agencies give a strong, credible check on internal procedures, adding a strong layer of security. Insurers and other third parties may require these audits as a condition of contract. The value of an external audit is that it can find failures in the system where employees and/or accomplices have intentionally voided internal controls. Random or unannounced audits may be especially effective in detecting fraud early.

5. Personnel Screening and Testing

CIT carrier crews require a special kind of employee. They must be detail-oriented and persistently thorough in performing routines, yet able to respond creatively and independently when extreme events occur. They manage risks in real time. Employees like this are rare in any event, but in a tight labor market like today’s, it’s very challenging to find them. Employers need to resist the temptation to loosen background screening and testing criteria, perhaps ramping up the level of effort in recruitment instead.

In addition, an important risk management tool is to interview and/or screen current employees on a regular basis to find changes in life circumstances or attitude that could signal a disaffected employee. Finally, training and testing are essential to help front-line people recognize and cope with emergent threats.

6. Access Controls

Access controls including keys, passwords, combinations and alarms should be monitored for operational effectiveness, and changed often enough to reduce the possibility of being defeated. Again, the essential interactive capability of ITMs increases the danger of these controls being breached, so a broader view of “access” is required. Controls based on environmental design or structure are harder to change, but it may be possible to make big risk improvements with relatively small changes.

7. Physical Security

Hardening a target to protect physical security is a classical response to risk, such as in a vault or armored truck. However, it is in the spaces between these hardened targets, where cash is carried, that a clever larcenist will look to find weakness. The ITM can exacerbate these weaknesses because of its relatively long service interval, putting a premium on how surveillance, environmental design, and communication can be used to supplement the physical security of the ITM.

For a more comprehensive introduction to managing risk in ITM servicing, download our latest whitepaper on the topic, A CIT Carrier’s Guide to Building Your ITM Program.

ABOUT THE AUTHOR

Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.