1.A Bank’s effective use and sound implementation of technology can contribute to the control environment. However, use of technology-related products, activities, processes and delivery channels exposes a Bank to strategic, operational and reputational risks and the possibility of material financial loss. Automated processes introduce risks that must be addressed through technology governance and infrastructure risk management programmes, including an information security management system.
2.A Bank must have an integrated approach to identifying, measuring, monitoring and managing technology risk. Technology risk management includes but is not limited to:
a.Governance and oversight controls that ensure technology, including outsourcing arrangements, are aligned with and supportive of the Bank’s business objectives;
b.Establishment and maintenance of appropriate information technology policies, procedures and processes to identify, assess, monitor and manage technology risks;
c.Establishment of a risk appetite statement and limits as well as performance expectations to assist in controlling and managing risk;
d.Implementation of an effective control environment;
e.Monitoring processes that test for compliance with policy thresholds or limits; and
f.Establishment and maintenance of appropriate and sound information technology infrastructure to meet the current and projected business requirements of the Bank under normal circumstances and in periods of stress and which ensures data and system integrity, security and availability.