Title: Guidelines on Technology Risk Management
Law: BSP Circular No. 511, s. of 2006
Decision Date: Feb 3, 2006
BSP Circular No. 511 establishes guidelines for banks to effectively manage technology-related risks, emphasizing an integrated approach to identify, measure, and control operational, strategic, reputation, and compliance risks associated with technology use.

Policy objective and regulatory expectations

  • Banks using technology-related products, services, delivery channels, and processes are exposed to risks covered under the BSP risk supervision framework, particularly Operational, Strategic, Reputation, and Compliance risk.
  • BSP requires banks to develop the knowledge and skills needed to understand and effectively manage technology-related risks.
  • Technology-related risks are evaluated under the categories of risks identified in the BSP Risk Assessment System.
  • Banks must treat technology-related risk management as an integral approach within the bank’s overall risk management framework to reflect the bank’s overall risk profile.
  • Bank management must use a rigorous analytic process to identify and quantify technology-related risks to the extent possible and to establish risk controls to manage risk exposures.

Technology-related risks: required categories

  • The Circular defines Operational Risk as risk to earnings or capital arising from problems with service or product delivery; it is a function of internal controls, information systems, employee integrity, and operating processes.
  • Operational Risk exists in all products and services, and technology can create operational risk through deficiencies in system design, implementation, or ongoing maintenance.
  • The Circular defines Strategic Risk as risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions.
  • The Circular defines Reputation Risk as risk to earnings or capital arising from negative public opinion affecting the institution’s ability to establish new relationships or continue servicing existing relationships.
  • The Circular defines Compliance Risk as risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, or ethical standards, including situations where applicable rules are ambiguous or untested.
  • The Circular describes Compliance Risk as exposing the institution to fines, civil money penalties, payment of damages, and voiding of contracts.

Operational risk drivers and consequences

  • Operational risk increases when system design, implementation, or maintenance is deficient.
  • Incompatible internal and external systems, and incompatible equipment and software, expose a bank to operational risk.
  • Operational risk increases when outside contractors design technology that does not fit the bank’s systems or customer demands.
  • Operational risk may increase when vendors perform core bank functions (such as loan underwriting and credit scoring) without adequate controls to monitor vendor activities.
  • Operational risk can increase after mergers or acquisitions when combined computer systems produce inaccurate or incomplete information or fail to operate properly.
  • Failure to establish adequate security measures, contingency plans, testing, and auditing standards increases operational risk.

Strategic, reputation, and compliance risk drivers

  • Strategic risk arises when management does not adequately plan for, manage, and monitor performance of technology-related products, services, processes, and delivery channels.
  • Strategic risk may arise when management fails to understand, support, or use technology essential for the bank, or depends on technology that is not reliable.
  • In controlling strategic risk, banks must consider the business environment, including senior management and technical staff knowledge and skills, resources, ability to understand and support technologies, supplier activities and ability to support technology, and anticipated technology life cycle.
  • Reputation risk arises when technology-based banking products, services, delivery channels, or processes generate adverse public opinion that seriously affects earnings or impairs capital.
  • Examples of reputation risk include flawed security systems compromising customer privacy, inadequate contingency and business resumption plans, fraud undermining public trust, and large-scale litigation causing severe reputation damage and significant liability.
  • Compliance risk arises when banks fail to comply with disclosure requirements, disclose confidential information to outside parties, lack systems for mandatory reporting statutes, or automate lending decisions without proper testing or verified data quality.
  • Compliance risk may arise when credit scoring models used to automate lending decisions rely on flawed data or have flawed program design.
  • Banks must monitor how laws for paper-based transactions apply to electronic-based transactions and information exchanges, including changes in compliance issues arising from new technologies.
  • Internet-based transactions may raise novel questions regarding jurisdictional authority over those transactions, requiring careful monitoring and response to relevant legal and regulatory changes.

Technology risk management process structure

  • The technology risk management process is designed to help banks identify, measure, monitor, and control technology risk exposure.
  • The process has three essential elements: Planning, Implementing, and Measuring and Monitoring Performance.
  • The Circular assigns responsibility to the Board of Directors and a Senior Management Committee to ensure an effective planning process exists, technology is implemented properly with appropriate controls, and measurement and monitoring identify ways to manage risk exposure.
  • The process should be more complex for larger institutions, especially those with major technology-related initiatives.
  • For each IT project, banks must adopt specific milestones and corresponding timelines up to full IT project implementation.

Planning requirements and oversight

  • Technology planning involves strategic, business, and project planning.
  • The strategic plan establishes the overall role of technology relative to the bank’s mission and assesses the type of technology needed to fulfill that role.
  • The business plan integrates new technology into existing lines of business and determines the level of technology best suited for particular business lines.
  • The project plan establishes resource needs, timelines, benchmarks, and other information needed to convert the business plan into operation.
  • Banks must periodically assess their uses of technology as part of overall business planning to maintain consistency with overall strategic goals.
  • Planning must consider cost of designing, developing, testing, and operating systems whether internally or externally.
  • Planning must consider the ability to resume operations swiftly with all data intact after system failure or unauthorized intrusions.
  • Planning must consider adequacy of internal controls, including controls for third-party providers.
  • Planning must consider the ability to determine when a specific risk exposure exceeds the institution’s ability to manage and control that risk.
  • Banks may use vendors for specialized expertise but must plan how they will manage risks associated with these relationships, while management remains responsible for vendor performance and actions.
  • The Board of Directors and Senior Management Committee must review, approve, and monitor technology projects that may significantly impact operations, earnings, or capital.
  • Senior management must have more involvement and knowledge for day-to-day operations of these projects than the board.
  • At least one key senior manager must have knowledge and skills to critically evaluate the design, operation, and oversight of technology projects.
  • The board must be fully informed by the Senior Management Committee on an ongoing basis regarding technology project risks.
  • Banks using technology extensively must have sufficient expertise and knowledge among managers and staff for critical review and oversight, project coordination, and periodic reporting to the board of technology initiatives.
  • Banks must inventory existing systems and operations to determine whether they satisfy current and projected needs and whether changes are required for new technologies.
  • Banks must review current and developing industry standards to ensure compatibility and interoperability.
  • Timing is critical: banks must determine when to deploy new technology and manage risks from deploying too slowly or too rapidly.
  • Before adopting new technologies, management must identify weaknesses or deficiencies in the bank’s ability to use them and consider whether staff can operate new and existing systems simultaneously.
  • Banks must ensure project objectives are neither too ambiguous nor too ambitious and must control risk exposure through practical planning.
  • Planning must include dividing projects into manageable segments and establishing specific decision points to modify or terminate projects.
  • Planning must establish contingency and exit plans if a new project does not proceed as planned.
  • Management must assess and quantify, where possible, the costs and benefits of adopting new technology, including risks, financial consequences, and likelihood of risks occurring, and the cost to start, run, and terminate a project.
  • Technology planning must include gathering and analysis of relevant information considering existing systems, consumer expectations, and competitive forces.

Implementation controls, procedures, and safeguards

  • Banks must establish necessary controls to avoid operational failures and unauthorized intrusions that could increase losses and damage reputation.
  • Banks must establish technology standards that set the overall direction for technology systems architecture and structure.
  • Banks must set priorities to coordinate and integrate projects among managers, work units, and team members.
  • Banks must define expectations, including user and resource requirements, cost estimates, project benchmarks, and expected delivery dates.
  • Project managers must inform the Senior Management Committee of obstacles as early as possible so controls are in place and corrective action can manage risk exposure.
  • Implementation must include controls comprising policies, procedures, practices, and organizational structures providing reasonable assurance that business objectives are achieved and undesired events are prevented or detected and corrected.
  • Banks must adopt adequate controls based on degree of exposure and potential risk of loss from technology use.
  • Controls must include clear and measurable performance goals, allocation of specific responsibilities for key project implementation, and independent mechanisms to measure risks and minimize excessive risk-taking.
  • Banks must re-evaluate technology-related controls periodically.
  • Bank information system security controls are particularly important and must include clearly defined measurable performance standards.
  • Banks must assign responsible personnel to ensure a comprehensive security program and protect mission-critical systems from unauthorized intrusions.
  • Banks must safeguard systems, to the extent possible, against fraud, negligence, and physical destruction of bank property.
  • Control points must include facilities, personnel, policies and procedures, network controls, system controls, and vendors.
  • Security precautions include access restrictions, background checks, separation of duties, and audit trails to protect system security within the bank and with vendors.
  • Security controls must be changed periodically as technologies and systems change or mature.
  • Banks must adopt and enforce policies and procedures to manage risk related to technology use, and must ensure they are current and well-documented.
  • Banks must test compliance with policies and procedures to correct problems before they become serious.
  • Banks must ensure key employees and vendors have expertise, skills, and training to perform necessary functions, with resource allocation for hiring, training, and succession planning for critical officers.
  • Training must include technical course work, attendance at industry conferences, participation in industry working groups, and time for staff to keep abreast of technological and market developments.
  • Training must include customer orientations so customers understand how to use or access technology products and services appropriately and soundly.
  • Banks must thoroughly test new technology systems and products to validate proper functioning and desired results.
  • Testing must verify effective operation with existing systems and include vendors where appropriate.
  • Pilot programs or prototypes must be used to help develop new technology applications before broad-scale use.
  • Testing must be conducted periodically to manage risk exposure.
  • Banks must design systems to reduce vulnerability to system failures, unauthorized intrusions, and other problems.
  • Banks must have back-up systems in place and maintain and test them regularly for readiness when needed.
  • Banks must establish business continuity plans before implementing new technology.
  • Business continuity plans must establish course of action for system failure or unauthorized intrusions and must integrate with other business continuity plans.
  • Continuity plans may address data recovery, alternate data-processing capabilities, emergency staffing, and customer service support.
  • Banks must establish a communication plan designating key personnel and an employee notification program.
  • Banks must include a public relations and outreach strategy to respond promptly to customer and media reaction to system failure or unauthorized intrusions.
  • Management must plan response to events outside the bank that may substantially affect customer confidence, such as a competitor’s operational failure using similar technology.
  • Banks must ensure proper oversight of outsourcing activities by having necessary controls to manage risks, ensuring vendors have expertise, experience, and financial strength, and defining and ensuring enforceable expectations and obligations for each party.
  • Banks must ensure they have audit rights over vendors so they can monitor performance under vendor contracts.
  • For alliances or joint ventures, management must perform adequate due diligence on partners’ competence and financial strength and must allocate resources to monitor and measure performance under third-party agreements.

Measurement, monitoring, auditing, and quality assurance

  • Banks must establish clearly defined measurement objectives and conduct periodic reviews to ensure goals and standards are met.
  • Measurement and standards must emphasize data integrity, requiring complete and accurate information before and after processing.
  • Banks must establish benchmarks appropriate to particular technology applications.
  • Banks must monitor and measure performance of technology-related products, services, delivery channels, and processes to avoid operational failures and mitigate damage if failures occur.
  • Banks must establish controls and identify risks so that those risks can be adequately managed.
  • To ensure accountability, management must specify which managers are responsible for business goals, objectives, and results of specific technology projects or systems.
  • Banks must establish independent controls to ensure risks are properly managed, separate from business units.
  • Technology processes must be reviewed periodically for quality and compliance with control requirements.
  • Auditors must be qualified to assess risks arising from specific uses of technology.
  • Management must provide auditors adequate information regarding standards, policies, procedures, applications, and systems.
  • Auditors must consult with management during planning to ensure thorough and cost-effective technology audits.
  • Management must establish procedures to ensure quality assurance efforts occur and that results are incorporated into future planning to manage and limit excessive risk taking.
  • Quality assurance procedures may include internal performance measures, focus groups, and customer surveys.
  • Banks must conduct quality assurance reviews whenever they engage in a significant combination with another institution or acquire another business.

Cross-referenced BSP issuances

  • The Circular references BSP Memorandum dated 22 January 2004 on back-up operations centers and data recovery sites.
  • The Circular references BSP Memorandum dated 3 April 2003 on updated business continuity plan.
  • The Circular references BSP Circular No. 268 dated 05 December 2000 on outsourcing.
