Type of Risk
Item at Risk
Nature of Risk
Business/Corporate Risks
Loss of income
Revenue/key staff
Poor budgeting and financial mismanagement; market downturns; loss of market s
Loss of service/down time
Systems and products
Faults/malfunctions
Reputation/History/Management
Reputation & credit rating
Inefficiency; bad press; high staff turn-over; failure of management processes
Insider Fraud/Employee Dishonest
Funds/Customer Data/company assets
Loss of sensitive data
Loss of funds
Loss of property
Loss of key staff
Decision-makers
Resignation; head-hunting
Outsourcing/sub-contracting
Reputation/data/assets/services
Shares in risks from exposures of third party contractor
Cash
* Cash in ATM
* Cash in Transit
* Cash in Possession
Theft, burglary, ram raids, insider fraud, skimming, forced withdrawals
Armed robbery; insider fraud
Robbery, insider fraud, muggings
Physical Assets
* ATMs
* Support Technology
* Vehicles
Vandalism, ram raids, ATM burglaries
Damage during attack
Armed robberies, attacks on vehicle
Staff
Armed robberies, muggings, abduction or kidnapping
Environmental Risks
Crime/location
Accident/Health & Safety
Physical assets; key staff; staff; vehicles
Loss of life or disablement through accident or ill-health; damage to vehicles
Fire/Disaster
Physical assets; Business Continuity
Damage to property and physical assets
Deterioration/depreciation
Physical assets
Natural wastage and depreciation in value; environmental damage
ATM Risk Matrix
Degree of Exposure
Depends on size of business
Risk Mitigation in Place
Loss of income insurance policy; cost management; proactive use of business intellige
Cyber security policy
Depends on level of business incompetence
Corporate Governance System
Depends on level of access of inside fraudster
Employee screening, monitoring etc
Depends on degree of dependency on key individuals
succession planning; strong emphasis on team work; incentives & motivation; remune
Depends on degree of dependence on third party
Background checks prior to partnering; third-party security policy; contractual prot
Security policy & technology
Depends on security technology in place and amount o
Maximum limit
Depends on security arrangements, amount of cash & ca
Security guards, banknote degradation technology,
Depends on amount of cash and security arrangements?
Physical security
Depends on location, crime history in area and security
Security technology; insurance policy
Depends on value of technology
Insurance policy
Depends on value and security system in place
Insurance policy
Depends on location, crime history in area
Passive compliance policy
Depends on health & safety policy, location
Insurance policy; health & safety policy; staff travel policy; insurance policies
Depends on location, proximity to fire station, etc
Disaster recovery policy
Depends on location, quality of model
Regular maintenance regime
Best Practices Available for Risk?
Yes - Best Practices for ATM Business Efficiency
Yes - ATM Cyber Security and General Cyber Security best practices
Yes - Corporate Governance (GC) guidelines
Yes - Preventing Insider Fraud
Yes - Corporate Governance culture
Yes - guidelines for stakeholder relations in Corporate Governance manual
Yes - ATM Lifecycle security best practices
Yes - ATM Cash Security best practices
Yes - ATM Cash Security best practices
No
Yes - ATM Physical Security Version 2
Yes - ATM Physical Security Version 2
Manufacturer's guidelines
No
Staff training
Yes - as part of Health & Safety Policy
Yes - as part of Disaster Recovery Policy
Yes - Best Practices for ATM Business Efficiency
Type of Risk
Item at Risk
Nature of Risk
Business/Corporate Risks
Loss of income
Revenue/key staff
Poor budgeting and financial mismanagement; market downturns; loss of market s
Loss of service/down time
Systems and products
Faults/malfunctions
Reputation/History/Management
Reputation & credit rating
Inefficiency; bad press; high staff turn-over; failure of management processes
Insider Fraud/Employee Dishonest
Funds/Customer Data/company assets
Loss of sensitive data
Loss of funds
Loss of property
Loss of key staff
Decision-makers
Resignation; head-hunting
Outsourcing/sub-contracting
Reputation/data/assets/services
Shares in risks from exposures of third party contractor
Cash
* Cash in ATM
* Cash in Transit
* Cash in Possession
Theft, burglary, ram raids, insider fraud, skimming, forced withdrawals
Armed robbery; insider fraud
Robbery, insider fraud, muggings
Physical Assets
* ATMs
* Support Technology
* Vehicles
Vandalism, ram raids, ATM burglaries
Damage during attack
Armed robberies, attacks on vehicle
Staff
Armed robberies, muggings, abduction or kidnapping
Environmental Risks
Crime/location
Accident/Health & Safety
Physical assets; key staff; staff; vehicles
Loss of life or disablement through accident or ill-health; damage to vehicles
Fire/Disaster
Physical assets; Business Continuity
Damage to property and physical assets
Deterioration/depreciation
Physical assets
Natural wastage and depreciation in value; environmental damage
Industry Confidence
Business reputation
Retailer uses ATM for Money laundering
Retailer uses ATM for distribution of Counterfeit money
Operator uses ATM network for either/both the above
Legislation/Regulation
Profits
Increased costs of business
ATM Risk Matrix
Degree of Exposure
Depends on size of business
Risk Mitigation in Place
Loss of income insurance policy; cost management; proactive use of business intelligence support fun
Cyber security policy; Cyber Crime/Cyber Liability insurance policies
Depends on level of business incompetence
Corporate Governance System
Depends on level of access of inside fraudster
Employee screening, monitoring, employee dishonesty, Errors & Omissions, CyberCrime/CyberLiabili
Depends on degree of dependency on key individuals
succession planning; strong emphasis on team work; incentives & motivation; remuneration at curr
Depends on degree of dependence on third party
Background checks prior to partnering; third-party security policy; contractual protections; manag
Security policy & technology
Depends on security technology in place and amount o
Maximum limit
Depends on security arrangements, amount of cash & cash
Security guards, banknote degradation technology, ATM vault cash insurance, armoured carrier/CIT
Depends on amount of cash and security arrangements
Employee dishonesty
Physical security
Depends on location, crime history in area and security
Security technology; insurance policy
Depends on value of technology
Insurance policy
Depends on value and security system in place
ATM vault cash insurance, armoured carrier/CIT policies, Employee Dishonesty, Automobile Liabilit
Depends on location, crime history in area
Passive compliance policy; workers' compensation/employee liability insurance
Depends on health & safety policy, location
Insurance policy; health & safety policy; staff travel policy; insurance policies
Depends on location, proximity to fire station, etc
Disaster recovery policy
Depends on location, quality of model
Regular maintenance regime
Depends on size of "insider" fraud & degree of negative
Personnel screening, certification and inspection
Depends on size of "insider" fraud & degree of negative
Personnel screening, certification and inspection
Depends on size of "insider" fraud & degree of negative
Operator screening, registration, certification and inspection
Depends on public reputation in each market
Industry self-regulation and adherence to best practices; government relations work by ATMIA
Best Practices Available for Risk?
Yes - Best Practices for ATM Business Efficiency
Yes - ATM Cyber Security and General Cyber Security best practices
Yes - Corporate Governance (GC) guidelines
Yes - Preventing Insider Fraud
Yes - Corporate Governance culture
Yes - guidelines for stakeholder relations in Corporate Governance manual
Yes - ATM Lifecycle security best practices
Yes - ATM Cash Security best practices
Yes - ATM Cash Security best practices
No
Yes - ATM Physical Security Version 2
Yes - ATM Physical Security Version 2
Manufacturer's guidelines
No
Staff training
Yes - as part of Health & Safety Policy
Yes - as part of Disaster Recovery Policy
Yes - Best Practices for ATM Business Efficiency
No - need cooperation with Law enforcement, Switch processor, and transaction processor
No - need cooperation with Law enforcement, Switch processor, and transaction processor
No - need cooperation with Law enforcement, Switch processor, and transaction processor
ATMIA has regional regulatory monitoring in place in North America and Europe which needs extending