Governor Tetangco today announced that the Monetary Board of the Bangko Sentral approved the issuance of a Circular embodying guidelines on Information Technology (IT) Risk Management. Through that issuance, the Bangko Sentral communicates its expectation that banks have an IT risk management process that can effectively identify, measure, monitor and control their technology risk exposure.
The Circular contains standards consistent with internationally accepted best practices for the technology-related risk management process. As such, it allows bank management greater latitude in the design of the process that is adequate and effective relative to the complexity and sophistication of the bank’s operations.
The Circular defines various types of technology-related risks to ensure a common understanding between the BSP and the regulated entities. Technology-related risks include operational risk, strategic risk, reputation risk, and compliance risk.
As enunciated in the Circular, there should be active involvement of the Board and senior management in the technology risk management process. Their responsibilities with respect to project implementation should be well understood, whether project implementation is undertaken using in-house resources or through outsourcing and external alliances. The importance of contingency planning and business resumption planning is emphasized to reduce a bank's vulnerability to system failures, unauthorized intrusions, and other problems.
The important role of auditors in providing control mechanisms for detecting deficiencies and managing risks in the implementation of technology is underscored. Thus, the bank should be ready to provide auditors with adequate information regarding standards, policies, procedures, applications, and systems.
As bank regulator, the Bangko Sentral’s role is to ensure proper observance of the standards and adoption of a risk management system commensurate to the level and complexity of the perceived risks. Within the Supervision and Examination Sector, a specialized unit called the Core Information Technology Services Unit (CITSU) has been created to take the lead in assessing the extent of compliance with set standards under the Circular. The CITSU is staffed with personnel who have undergone the internationally accepted certification process for Information System Auditors.