OM-1.3.8
The use of technology-related products, services, activities, processes and delivery channels exposes a bank to strategic, operational and reputational risks, and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:
(a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with, and supportive of, the bank's business objectives;
(b) Policy and procedures that facilitate identification and assessment of risk;
(c) Establishment of a risk appetite and tolerance statement, as well as performance expectations to assist in controlling and managing risk;
(d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
(e) Monitoring processes that test for compliance with policy thresholds or limits
Added: January 2020