Title: Guidelines on Technology Risk Management
Law: BSP Circular No. 511, S. of 2006
Decision Date: Feb 3, 2006
BSP Circular No. 511 establishes guidelines for banks to effectively manage technology-related risks, emphasizing an integrated approach to identify, measure, and control operational, strategic, reputation, and compliance risks associated with technology use.

Q&A (BSP CIRCULAR NO. 511, S. OF 2006)

The main purpose is to ensure that banks have the necessary knowledge and skills to understand and effectively manage technology-related risks through a comprehensive risk management process.

The primary types of risks identified are Operational Risk, Strategic Risk, Reputation Risk, and Compliance Risk.

Operational Risk is the risk to earnings or capital arising from problems with service or product delivery due to deficiencies in system design, implementation, maintenance, or controls related to technology systems and processes.

The Board of Directors is responsible for ensuring an effective planning process, reviewing, approving and monitoring technology projects, and being kept fully informed by senior management about technology risks affecting the bank.

The three essential elements are Planning, Implementing, and Measuring and Monitoring Performance.

Contingency and business resumption planning reduce vulnerability to system failures or unauthorized intrusions by ensuring backup systems, communication plans, and strategies to maintain operations and customer service during disruptions.

Because banks may rely on vendors for critical functions, adequate controls and monitoring of vendors' expertise, performance, and compliance are essential to manage risks associated with outsourcing or external partnerships.

Compliance risks include violations or non-conformance with laws, regulations, or ethical standards due to improper disclosure, automated processes with flawed data or design, and challenges adapting paper-based laws to electronic transactions.

Banks should thoroughly test new technology systems to validate proper functioning, including compatibility with existing systems, using pilot programs or prototypes and undertaking periodic retesting to manage risk exposure.

Bank management should ensure key employees and vendors have the necessary expertise and training to perform their functions effectively, including technical education, industry participation, and customer orientations for technology use.

