Financial institutions: draft of framework on IT governance & risk management unveiled

The State Bank of Pakistan (SBP) Tuesday issued the draft of framework on it governance & risk management for Financial Institutions for comments/feedback from interested parties. According to SBP, the framework is based on international standards and recognised principles of international practice for technology governance and risk management and shall serve as SBP's baseline requirement for all Financial Institutions (FIs). It aims at providing enabling regulatory environment for managing risks associated with the use of technology.
The framework will apply to all FIs which includes commercial banks (public and private sector), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs). The framework is not "one-size-fits-all" and implementation of the same shall be risk-based and commensurate with size, nature and types of products and services and complexity of IT operations of the individual FIs.
The instructions are focused on enhancing the proactive and reactive environments in FIs to various facets and dimensions of the information technology, security, operations, audit and related domains and to create overall safe and secure technology operations in FIs which will benefit and enhance the confidence of all the stakeholders. The FIs are expected to assess and conduct a gap analysis between their current status and the guidelines and draw a time-bound action plan to address the gaps and comply with the guidelines.
The SBP has invited the interested parties, institutions or individuals, from banking sector, IT industry, academia and other stakeholders to review the proposed draft framework and provide comments/feedback, if any. The draft framework is open for comments/feedback from interested parties till March 31, 2017. The FIs will ensure compliance with this framework while introducing new products either all by themselves; or in the form of co-branding or in partnership with other entities. After implementation, the framework will apply to all FIs which includes commercial banks (public and private sector banks), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs).
As technology becomes an integral part of the business and operations of FIs, such technology usage and dependence, if not properly managed, may heighten technology risks.
With a vision to provide baseline technology governance and risk management principles to the financial institutions, SBP has developed the framework on 'Information Technology Governance & Risk Management in Financial Institutions' to keep abreast with the aggressive and widespread adoption of technology in the financial service industry and consequently strengthen existing regulatory framework for IT risk supervision. This framework shall be integrated with the financial institutions' overall enterprise risk management program. SBP expects FIs to have the knowledge and skills necessary to understand and effectively manage technology risks. These institutions are required to have an integrated approach to risk management to identify, measure, monitor and control risks.