A Brave new World: The governance of IT-risk is now firmly placed in operational risk

olof | IT & Cyber Security, News, Risk & Analytics

The Basel Committee on Banking Supervision (BCBS) recently published a consultative document for the revision of the Principles for the Sound Management of Operational Risk (PSMOR). At a high level, the principles cover the same topics as before, but there are some clarifications and some substantial changes. The substantial changes relate foremost to what is commonly known as the New Product Approval Process (NPAP) and to information and communication technology (ICT). NPAP is replaced by a change management approach, and a new principle requires robust ICT governance.

Below are FCG’s short comments on the proposed ICT governance changes:

Since the launch of the PSMOR, the traditional banking industry has been going through a structural change towards digitalisation. As customers ask for more and more online services, banks not only provide traditional services online but also develop new digital banking services. This makes proper ICT governance paramount, which is what Principle 10 states in the revised version of the principles. The requirement in PSMOR regarding ICT governance is new compared to the previous version.

An ICT governance framework should cover everything from strategy and goals (aligned with the bank’s overall business strategy and goals) to organisation, and on through to processes, instructions, the control environment and, of course, security. This is to enable and ensure that ICT supports and delivers value to the bank’s strategic goals in an efficient, risk-balanced and secure manner. An important part of this work is to ensure that the ICT governance framework is consistent with the institution’s risk appetite and tolerance statement, and that ICT risks are considered in the bank’s risk framework and identified, assessed and controlled like all other risks. As a note, in the proposed revision, which is in line with EBA/GL/2019/04, it is the Board of Directors’ responsibility to ensure that ICT risks are part of the bank’s risk framework and that ICT risks are continuously evaluated.

As more and more banks go online, cybercrime against the financial sector is on the rise, and the dependencies between financial institutions and third-party IT outsourcing firms increase, questions regarding ICT naturally become very important. The principles for sound operational risk management mark the topic’s importance not only by addressing ICT in a principle of its own, but also by confirming that it is a responsibility of the Board of Directors.