Title
Guidelines on Technology Risk Management
Law
BSP Circular No. 511, S. of 2006
Decision Date
Feb 3, 2006
BSP Circular No. 511 establishes guidelines for banks to effectively manage technology-related risks, emphasizing an integrated approach to identify, measure, and control operational, strategic, reputation, and compliance risks associated with technology use.

Questions (BSP CIRCULAR NO. 511, S. OF 2006)

It was approved by the Monetary Board under Resolution No. 69 dated 19 January 2006, and it adopts guidelines on technology risk management to ensure banks have knowledge and skills to understand and effectively manage technology-related risks.

It takes effect fifteen (15) days after publication in the Official Gazette or in a newspaper of general circulation.

The circular highlights Operational, Reputation, Compliance, and Strategic risk (and notes technology-related products/services may expose banks to all risks under the BSP risk supervision framework, particularly these).

Operational risk is the risk to earnings or capital arising from problems with service or product delivery, functionally tied to internal controls, information systems, employee integrity, and operating processes.

Examples include incompatible internal/external systems and incompatible equipment/software; inadequate monitoring of vendors performing core functions like loan underwriting/credit scoring; merger/acquisition causing combined computer systems to produce inaccurate/incomplete information; and failure to establish security measures, contingency plans, testing, and auditing standards.

Strategic risk is the risk to earnings or capital arising from adverse business decisions or improper implementation, tied to the fit between strategic goals, business strategies, resources, and implementation quality. It can arise when management does not adequately plan for, manage, and monitor technology performance, or depends on unreliable technology.

Consider the bank’s knowledge/skills of senior management and technical staff; existing and planned resources; ability to understand/support technologies; suppliers’ ability to support; and anticipated technology life cycle.

Reputation risk is risk to earnings or capital arising from negative public opinion, affecting relationships and potentially causing litigation/financial loss. Technology scenarios include flawed security systems compromising customer privacy; inadequate contingency/business resumption affecting service after failures; fraud undermining trust; and large-scale litigation.

Compliance risk is risk to earnings or capital arising from violations/non-conformance with laws, rules, regulations, prescribed practices, or ethical standards, including ambiguous or untested rules. Examples include failure to comply with disclosure requirements or confidential information handling; failure to have systems for mandatory reporting; and automation of lending decisions via credit scoring models that are not properly tested or rely on flawed data/design.

Banks must consider how laws designed for paper-based transactions apply to electronic transactions/information exchange, and should monitor novel issues such as jurisdictional authority over internet-based transactions.

Planning; Implementing; and Measuring and Monitoring Performance.

They must ensure an effective planning process exists, technology is implemented properly with appropriate controls, and measurement/monitoring efforts identify ways to manage risk exposure; they should review/approve/monitor major technology projects with significant impact.

Strategic plan; business plan; and project plan.

Examples include: assessing cost of designing/developing/testing/operating (internally or externally); ability to resume quickly with all data intact after failure/unauthorized intrusion; adequacy of internal controls including controls for third-party providers; and ability to determine when a risk exposure exceeds the institution’s capacity to manage/control it.

Large banks should have sufficient expertise among managers/staff for critical review/oversight; projects should be coordinated to adhere to policies/standards/controls; knowledgeable senior managers should periodically report technology initiatives to the board.

It requires controls based on degree of exposure and potential loss, including clear and measurable performance goals, allocation of responsibilities for implementation, independent mechanisms to measure risks and minimize excessive risk-taking, and periodic reevaluation.

Security measures must be clearly defined with measurable performance standards; responsible personnel must ensure a comprehensive security program; mission-critical systems must be protected against unauthorized intrusions; and safeguarding should cover fraud, negligence, and physical destruction risks, including access restrictions, background checks, separation of duties, and audit trails, with the same safeguards applying to vendors.

New systems/products must be thoroughly tested to validate proper functioning and desired results, including verification of effective operation with existing systems and, when applicable, with vendors; pilot programs/prototypes may be used; testing should also be conducted periodically.

Banks must have business continuity plans in place before implementing new technology, covering actions during system failure/unauthorized intrusions, integrated with other business continuity plans; addressing data recovery, alternate processing capability, emergency staffing, and customer service support; including communication and designated key personnel notification; and including public relations/outreach strategy.

Management must ensure adequate controls for outsourcing risks, verify vendors’ expertise/experience/financial strength, define and ensure enforceable expectations/obligations, ensure audit rights over vendors, and note that management remains responsible for vendors’ performance/actions while they work for the bank.
