Technology is a risk to capital adequacy
05 June 2017
The European Banking Authority (EBA) has now published its final guidelines on the assessment of Information and Communication Technology (ICT) risk. The guidelines will apply from 1 January 2018 and establish ICT as a fundamental risk that will be examined under the Supervisory Review and Evaluation Process (SREP) after this date. Regulators may request that additional capital be held where financial institutions are unable to demonstrate how ICT risks to critical systems are identified, managed and understood.
EU regulators have two months from the date the guidelines are translated into the official EU languages and published to declare whether they intend to ‘comply’. The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have indicated that they expect significant effort from organisations to demonstrate alignment to the guidelines in support of SREP.
What areas will you need to focus on?
The guidelines indicate how regulators will assess financial institutions’ ICT governance and risk management practices as part of broader operational risk. The specific areas include:
- The financial institution’s governance and strategy on ICT;
- An inherent risk assessment to identify risks to critical ICT systems, based on the services the financial institution provides and its ICT landscape;
- A control assessment to establish whether the risks to critical ICT systems are appropriately mitigated. A control framework is incorporated in the guidelines and the expectation is that all necessary controls are in place.
How is it going to work?
The principle of proportionality will be applied by regulators to ensure that the scope, frequency and depth of the supervisory engagement are appropriate for the size, structure and operating environment of the financial institution.
Regulators will use other sources of information in their assessment, including the financial institution’s ICT risk and control self-assessments, ICT risk-related management information, and ICT-related internal and external audit findings.
On conclusion of the assessment, regulators will form an opinion on the financial institution’s ICT risk exposure which will feed into the assessment of operational risk to capital under SREP. If ICT risk is considered material, it could be assessed and scored individually as a subcategory of operational risk.
How can you prepare?
This change adds to the heightened focus by regulators on technology risks in the sector. Financial institutions should:
- Ensure that ICT is robustly embedded within the operational risk management framework whilst also ensuring coverage of the associated risks within the financial institution’s risk appetite and the Internal Capital Adequacy Assessment Process (ICAAP).
- Building on work already done for the General Data Protection Regulation (GDPR) and ring-fencing, ensure a process exists to identify the ICT systems and services that are critical to the financial institution, and that these are clearly documented by legal entity.
- Ensure the financial, business, regulatory and reputational impact of ICT risks is clearly understood and documented for the financial institution’s critical ICT systems.
- Develop robust processes to test key technology risk scenarios to provide a level of assurance over the internal control environment.
- Develop a narrative to substantiate how ICT risks to critical systems are identified, managed, communicated and understood by the Board.
In our next blog, we discuss the evolving regulatory expectations specific to technology risk.