BNM Publishes Policy Document on Risk Management in Technology

All financial institutions shall observe minimum prescribed standards in the policy document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system. The control measures set out in Appendices 1 to 5 serve as a guide for sound practices in defined areas. Financial institutions should be prepared to explain the risk management practices that depart from the control measures outlined in the Appendices and to demonstrate their effectiveness in addressing the technology risk exposure.

A financial institution must ensure that the technology risk management framework is an integral part of its enterprise risk management framework. The technology risk management framework must include the following:

• Clear definition of technology risk
• Clear assignment of responsibilities for the management of technology risk at different levels and across functions, with appropriate governance and reporting arrangements
• Identification of technology risks to which the financial institution is exposed, including risks from the adoption of new or emerging technology
• Risk classification of all information assets or systems, based on the "criticality"
• Risk measurement and assessment approaches and methodologies
• Risk control and mitigation
• Continuous monitoring to timely detect and address any material risks

Related Link: Policy Document (PDF)

Effective Date: January 01, 2020

Keywords: Asia Pacific, Malaysia, Banking, Insurance, Technology Risk, Governance, Operational Risk, Proportionality, BNM