OM-8.2.50
The use of technology-related products, activities, processes and delivery channels exposes a bank to strategic, operational, and reputational risks and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:
(a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the bank's business objectives;
(b) Policies and procedures that facilitate identification and assessment of risk;
(c) Establishment of a risk appetite and tolerance statement as well as performance expectations to assist in controlling and managing risk;
(d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
(e) Monitoring processes that test for compliance with policy thresholds or limits.
Added: October 2012