Booklet: Management
Section: Introduction

The “Management Booklet” is one of several that comprise the Federal
Financial Institutions Examination Council (FFIEC) Information Technology
Examination Handbook (IT Handbook). This booklet rescinds and replaces
Chapter 9 “Management” and Chapter 11 “Management Information
Systems (MIS) Review” of the 1996 FFIEC Information Systems Examination
Handbook. This booklet provides guidance to examiners and financial institution
management.

The examination procedures in this booklet assist examiners in evaluating
financial institution risk management processes to ensure effective information
technology (IT) management.

Effective IT management in financial institutions maximizes the benefits
from technology and supports enterprise-wide goals and objectives. The
IT department typically leads back-office operations, network administration,
and systems development and acquisition efforts. IT management also provides
expertise in choosing and operating technology solutions for an institution’s
lines of business such as commercial credit and asset management, or enterprise-wide
activities such as security and business continuity planning. This dual
role and the increasing use of technology raise the importance of IT management
in effective corporate governance.

Management of IT in financial institutions is critical to the performance
and success of an institution. Sound management of technology involves
more than containing costs and controlling operational risks. An institution
capable of aligning its IT infrastructure to support its business strategy
adds value to its organization and positions itself for sustained success.
The board of directors and executive management should understand and
take responsibility for IT management as a critical component of their
overall corporate governance efforts.

The IT Governance Institute defines IT governance as “…an
integral part of enterprise governance and consists of the leadership
and organizational structures and processes that ensure that the organization’s
IT sustains and extends the organization’s strategies and objectives.”
Due to the reliance on technology, effective IT management practices play
an integral role in achieving many goals related to corporate governance.
The ability to manage technology effectively in isolation no longer exists.
Institutions should integrate IT management into the strategic planning
function of each line of business within the institution. Financial institutions
face many challenges in today’s marketplace that increase the importance
of IT management.

- Technology is becoming a commodity that is pervasive across all
  institutions and all business units within an institution.
- Institution systems connect with customers, business lines, third
  parties, and the public.
- Technology has created interdependencies among the infrastructure,
  applications, web content, and the decision-making process necessary
  to support the delivery of new products and services.
- Timely and accurate information is critical to meeting business
  requirements throughout the organization.
- The industry continues to experience rapid changes in technologies
  prompting new investment in infrastructure, systems, and applications.
- New technology requires new expertise, which creates competition for
  the necessary talent, knowledge, and skill sets.

Effective IT management can leverage opportunities from these challenges
while strengthening an institution’s ability to manage risk. Advances
in technology can result in the ability to offer new products and services
to customers, to increase efficiency of operations, to ease the sharing
of information between business lines, and to better prepare the institution
for future competition. The board of directors and executive management
should also understand that new technology and changes in technology could
introduce new sources of risk to the institution. External connectivity
with non-bank systems, reliance on third parties, involvement in e-commerce,
and adoption of new payment systems are some examples that may introduce
new or increased operational risk associated with the confidentiality,
integrity, and availability of systems and information. Changes in technology
may not only introduce new operational risks to manage, but can also introduce
an institution to increased risk to its reputation or legal standing.
Therefore, IT management is an essential component of effective corporate
governance and operational risk management.

This booklet has four parts. First, it provides an overview of how IT
management relates to operational and non-operational risks. Second, it
describes the structural issues associated with IT oversight. After reviewing
the risks and structural issues, the booklet next describes a process
for managing technology-related risks. The final section provides additional
guidance for companies providing technology services to financial institutions.
