Information Technology Assessment Criteria


Description of Centralized Activity

Information Technology (“IT”) activity includes key enterprise-wide functions such as:

  • Operations (e.g., banking, accounting, payment, Loan Origination System (“LOS”), underwriting and office systems);
  • Information security (e.g., cybersecurity);
  • Business continuity (e.g., disaster recovery); and
  • Outsourcing of technology services (e.g., maintenance agreements).

IT is integral to the operations of all provincially regulated financial institutions (“PRFIs”)[1] at the process level, activity level and enterprise level. Typically, the management and control of IT is centralized for efficiency and effectiveness, such as maintaining the systems, managing critical information, and developing new market opportunities and business models (online and mobile banking, email money transfer, etc.) through new technology platforms.

[1] PRFIs for the purposes of this guideline include (i) BC credit unions, (ii) insurance and trust companies incorporated or licensed to do business in BC (excluding extra-provincial companies) and (iii) administrators of BC pension plans.

Definition of Net Risk

The net risk of IT is determined by assessing the risks inherent in the activity and then the effectiveness with which those risks are being managed.

The primary inherent risk in IT is operational risk; however, compliance and strategic risks are also considered secondary risks. These inherent risks are mitigated by operational management, oversight functions, senior management, and the board of directors.

A PRFI’s net risk for IT is assessed as low, moderate, above average, or high.

Low Net Risk

The PRFI has risk management that substantially mitigates risk inherent in its IT activities down to levels that have low probability of an adverse impact on the PRFI due to exposure to and uncertainty arising from potential future events.

Normally, PRFIs in this category will have a predominance of IT sub-activities with low inherent risks and acceptable quality of risk management. Other combinations are possible; for example, moderate inherent risk with strong quality of risk management.

Moderate Net Risk

The PRFI has risk management that sufficiently mitigates risks inherent in its IT down to levels that collectively have an average probability of adverse impact on the PRFI in the foreseeable future.

Normally, PRFIs in this category will have a predominance of IT sub-activities rated as low or moderate inherent risks with acceptable quality of risk management. Other combinations may be possible, for example, low inherent risk with a quality of risk management that needs improvement.

Above Average Net Risk

The PRFI has weaknesses in its quality of risk management that, although not serious enough to present an immediate threat to solvency, give rise to above average IT net risk in several of its sub-activities. As a result, net risks in its IT collectively have an above average probability of an adverse impact on the PRFI in the foreseeable future.

Normally, PRFIs in this category will have several of the IT sub-activities rated as moderate inherent risk with a quality of risk management that needs improvement. Other combinations may be possible, for example, a combination of low inherent risk with weak quality of risk management.

High Net Risk

The PRFI has weaknesses in its risk management that may pose a serious threat to its financial viability or solvency and give rise to high net risk in several of the IT sub-activities. As a result, net risks in its sub-activities collectively have a high probability of material adverse impact on the PRFI in the foreseeable future.

Normally, PRFIs in this category will have one or more IT sub-activities rated as above average inherent risk with a quality of risk management that needs improvement. Other combinations may be possible, for example, a combination of moderate inherent risk with weak quality of risk management.

Quality of Risk Management Criteria

The following statements describe the criteria for assessing a PRFI’s adequacy of IT risk management policies and practices. The application and weighting of the individual criteria will depend on the nature, scope, complexity, and risk profile of the PRFI.

Essential Elements / Criteria

1. Operational Management

(First Line of Defence)

Organization and Structure

1.1 Appropriateness of the department’s (or business unit’s) organization and structure given the nature and scope of the PRFI’s IT activity.
1.2 Extent to which roles and responsibilities are clearly defined.
1.3 Appropriateness of segregation of duties and operational management’s span of control.
1.4 Extent to which operational management is independent from oversight functions and senior management.
1.5 Adequacy of the organization and structure to support risk culture in the department (or business unit).

Resources, Staffing and Training

1.6 Adequacy of the IT resources, staffing and training given the nature and scope of the PRFI’s IT activity.
1.7 Extent to which staff understand IT and keep current with developments in their area of responsibility, including associated risks, emerging technology and new risk management techniques, as well as changes in the operating environment impacting the nature and level of risk.
1.8 Extent to which staff have the appropriate knowledge, experience, and skills for their roles.
1.9 Extent to which operational management has sufficient knowledge and experience in managing the scope and complexity of the IT activities undertaken by the PRFI.
1.10 Appropriateness of the level of IT staff turnover.
1.11 Adequacy of the staff training programs.

Policies, Procedures and Limits

1.12 Extent to which policies, procedures and limits are clearly defined, documented, and disseminated.
1.13 Extent to which policies and practices cover:

• Project management;
• Change management;
• System availability / service levels;
• Data governance;
• Backup of critical data;
• Patch management;
• System maintenance (e.g., hardware maintenance, management and acquisition; software maintenance, management, acquisition/development and authorization);
• Environmental controls of data centers or other critical infrastructure; and
• Support (e.g., Help Desk).

1.14 Extent to which policies are consistent with IT business and strategic plans and business objectives.
1.15 Extent to which policies and practices address information security including areas such as Governance, Information Security Risk Management Program, Identify, Protect, Detect, Respond, Recover and Communication with stakeholders (see BCFSA Information Security Guideline for details).
1.16 Extent to which the business continuity plan supports the overall business continuity strategy and considers factors such as when it was last updated, coverage of key areas, personnel involved, backups, and scenarios.
1.17 Extent to which the business impact analysis (“BIA”) identifies critical business processes and their effects, maximum downtime, RTO (recovery time objectives), and RPO (recovery point objectives), and the extent to which the results of the BIA are considered in the business continuity plan.
1.18 Extent to which the business continuity plan is tested, results documented, and lessons learned shared and used to improve the business continuity plan.
1.19 Extent to which the disaster recovery plan supports the overall recovery strategy and considers factors such as when it was last updated, coverage of critical applications, personnel involved, backups, scenarios, alternative processing contracts, and insurance coverage.

Monitoring and Control

1.20 Extent to which adherence to policies, procedures, and limits is monitored and reported.
1.21 Appropriateness of how the nature, characteristics, and quality of IT activities are monitored and reported.
1.22 Adequacy of policy and procedures to ensure proper controls are in place to manage IT activities.
1.23 Extent to which the reporting is sufficiently granular, complete, and accurate.
1.24 Extent to which the performance of the IT activities is monitored and assessed against plan.
1.25 Extent to which any issues are resolved.

Outsourcing

1.26 Extent of oversight over outsourced IT activities.
1.27 Extent to which due diligence procedures and practices, including a security risk assessment, are completed prior to entering into outsourcing arrangements.
1.28 Extent to which roles and responsibilities in policies and procedures of outsourcing agreements are clearly defined, documented, and disseminated.
1.29 Extent to which staff are knowledgeable, experienced, and skilled in managing outsourced activities.
1.30 Adequacy of the outsourcing agreement, including performance measures, reporting requirements, resolution of differences, notifications, complaint handling, contingency planning, inspection rights, confidentiality and security, compensation, insurance, and regulatory requirements.
1.31 Adequacy of the contingency measures for ensuring the continuation of the outsourced activities in the event of problems or events that affect the delivery of those services.
1.32 Extent to which the outsourcing arrangements are aligned with the PRFI’s IT business plans, objectives and risk parameters.
1.33 Adequacy of policies and practices in monitoring the performance of the outsourced activities.
1.34 Appropriateness of the reporting, meetings, and periodic reviews to ensure adherence to agreed IT practices and procedures.

2. Compliance Management

(Second Line of Defence)

2.1 Extent to which compliance management is independent of day-to-day management of risks.
2.2 Adequacy of compliance policies and practices to ensure that the IT activities are in line with the PRFI’s industry and regulatory requirements (such as data privacy and protection and incident reporting) and are appropriate for executing its mandate.
2.3 Extent to which compliance policies and practices keep abreast of new and changing information technology as well as consumer behaviors and changes in the PRFI’s risk profile.
2.4 Extent to which compliance management promptly develops or amends the PRFI’s compliance policies as regulation / legislation is introduced or amended, or as new or changing IT activities impose different requirements on the PRFI.
2.5 Extent to which compliance management documents new or amended IT compliance policies, and communicates them across the organization in a timely manner.
2.6 Extent to which compliance management monitors adherence to applicable laws, regulations, and guidelines pertaining to IT by staff.
2.7 Adequacy of the compliance management reporting to senior management and the board, and the practices for resolving significant issues in a timely manner.
2.8 Extent to which compliance practices pertaining to IT are regularly reviewed for continued effectiveness.

3. Risk Management

(Second Line of Defence)

3.1 Extent to which risk management is independent of day-to-day management of IT risks.
3.2 Adequacy of policies and practices to identify, assess, monitor, and manage current and emerging IT risks and ensure there is alignment between IT risks and enterprise risks.
3.3 Appropriateness of the risk metrics for each sub-activity, and in aggregate, across the whole IT activity.
3.4 Extent to which risk management policies and practices and/or risk metrics for IT are documented, communicated, and integrated with the PRFI’s day-to-day operations.
3.5 Adequacy of policies and practices to monitor IT activities against risk metrics, to follow up on material variances in a timely manner, and to respond effectively to significant events.
3.6 Adequacy of policies and practices to model and measure the PRFI’s IT risks, including scenario and/or stress testing.
3.7 Adequacy of the risk management reporting to senior management and the board pertaining to IT and the practices for resolving significant issues in a timely manner.
3.8 Appropriateness of the risk culture across the IT department (or business unit).
3.9 Extent to which risk management policies and practices are regularly reviewed for continued effectiveness, taking account of changes in the IT environment and risk appetite of the PRFI.

4. Internal Audit

(Third Line of Defence)

4.1 Appropriateness of the internal audit staff knowledge, experience, and skills for auditing the information technology of the PRFI.
4.2 Extent to which internal audit’s management is competent to review and oversee the IT internal audit work.
4.3 Adequacy of the internal audit program to verify that IT policies and procedures have been implemented effectively across all activities.
4.4 Appropriateness of the scope and frequency of the audit program based on level of IT risk exposures.
4.5 Extent to which findings identified and reported in the audit process are addressed by senior management in a timely and effective manner.
4.6 Extent to which high-risk issues are raised to the attention of the board with timely follow-up.

5. Senior Management and Board Oversight

(Corporate Governance)

Senior Management

5.1 Extent to which the board has delegated to the CEO the responsibility for developing and implementing IT policies and practices.
5.2 Adequacy of policies and practices delegating responsibilities for developing IT policies and practices from the CEO to other members of senior management.
5.3 Appropriateness of the PRFI’s IT organizational structure to fulfill IT mandates.
5.4 Appropriateness of the IT mandates for senior management positions and the extent to which there are clearly defined lines of authority, responsibility, and accountability. Extent to which these mandates are communicated across the PRFI.
5.5 Extent to which senior management committees are used to oversee the IT activities.
5.6 Appropriateness of senior management’s IT qualifications, knowledge, skills, and experience.
5.7 Extent to which senior management has a good understanding of the nature, level, and trend of the key risks in the IT activity and its key controls.
5.8 Adequacy of IT reporting to the Board and the practices for resolving significant issues in a timely manner.
5.9 Extent to which compensation programs promote prudent risk-taking in the IT activity and are aligned with long-term strategic objectives.
5.10 Extent to which the management reporting that senior management receives is sufficient for it to fulfill its responsibilities.
5.11 Extent to which senior management ensures IT activities including outsourcing are aligned with the PRFI’s IT strategy and risk management policies.
5.12 Extent to which senior management regularly reviews the IT environment and ensures proper internal controls are in place and are operating effectively.
5.13 Extent to which senior management has demonstrated effectiveness in carrying out its duties and managing the IT activities, including areas such as benefits delivery, risk management, and resource management.

Board of Directors

5.14 Extent to which the board understands, reviews, and approves the IT policies and ensures these policies are responsive to changes in the operating environment and support the PRFI’s risk appetite.
5.15 Appropriateness of the board’s knowledge and experience in overseeing the IT activity, including the composition of any board committee responsible for information technology.
5.16 Extent to which the board understands, reviews, and approves IT objectives, strategies, plans, and major projects / investment.
5.17 Adequacy of the board’s IT reports, including timely, clear, accurate and relevant information to ensure responsibilities delegated to a committee and senior management are being discharged effectively and for the directors to make informed and sound decisions.
5.18 Extent to which the board understands IT operational risk and the controls to manage this risk as well as other significant risks arising from the IT activity.
5.19 Extent to which the board keeps up to date regarding clients’ needs, market trends, security threats, emerging risks, competitor activities and new information technology oversight practices.
5.20 Adequacy of the board’s practices to establish and monitor the senior management involved in IT, including performance (e.g., execution of IT strategy), hiring, and compensation.
5.21 Extent to which the board reviews the effectiveness of the oversight functions on which it relies for IT risk management, control, and compliance assurances.
5.22 Extent to which the board acts independently and has demonstrated effectiveness in carrying out its direction and oversight of the IT activities including areas such as governance, benefits delivery, risk management, and resource management.