ACPM IT Sdn bhd
Risk Management in Technology (RMIT) for Digital Bank

 

Bank Negara Malaysia's RMIT Policy Guideline requires a digital bank to ensure that its Technology Risk Management Framework (TRMF) is an integral part of the digital bank’s Enterprise Risk Management Framework (ERM). The TRMF of a digital bank must include the following:

  • a clear definition of technology risk;
  • clear responsibilities assigned for the management of technology risk at different levels and across functions, with appropriate governance and reporting arrangements;
  • the identification of technology risks to which the financial institution is exposed, including risks from the adoption of new or emerging technology;
  • risk classification of all information assets/systems based on their criticality;
  • risk measurement and assessment approaches and methodologies;
  • risk controls and mitigations; and
  • continuous monitoring to detect and address any material risks in a timely manner.


A digital bank must establish an independent enterprise-wide technology risk management function which is responsible for—

  • implementing the Technology Risk Management Framework (TRMF) and Cyber Resilience Framework (CRF);
  • advising on critical technology projects and ensuring critical issues that may have an impact on the financial institution’s risk tolerance are adequately deliberated or escalated in a timely manner; and
  • providing independent views to the board and senior management on third party assessments, where necessary.


Are the technology systems and platform for your digital bank secured? Is your digital bank managing its technology risks? How do your digital banking technology platform and systems compare to industry standards?

Controls form an essential part of managing the use of technology by a digital bank. Yet there is a balance to be achieved between reducing risks and maximizing efficiency. Comparing a new digital bank at foundation stage to similar established digital banks can help the new digital bank get the optimum benefits from the identified controls. Benchmarking has a proven track record in improving quality and performance.


How can we help?

Technology is the lifeline of digital banks. Our Technology Risk Management Assessment (‘TRMA’) is a structured approach to assessing risks and controls that enables digital banks to assess the adequacy of their control environments.

The TRMA is typically carried out for digital banks to ensure that key technology risks and exposures are given appropriate focus. We will consolidate, refine and build upon our existing understanding of the digital bank's technology and system environment and the relative importance to the business area of each major element. We will then work with the management and the Board of the digital bank to formulate an agreed universe of technology-related risks applicable to the operations of the digital bank. Subsequently, we identify and prioritize significant areas of technology risk exposure on which to focus for the current and subsequent periods. Lastly, we will formulate an assessment of technology risks and controls, and provide practical recommendations to address any major control shortfalls identified by the review.


As part of our assessment, we will benchmark the technology risk management practices of the digital bank against similar digital banks worldwide. Our risk management benchmarking methodology has been developed to:

  • Consolidate, refine and build upon our existing understanding of the digital bank's technology and system environment and the relative importance to the business of each major element.
  • Provide a means of benchmarking a digital bank's key technology risks and controls against other digital banks.


A digital bank must designate a Chief Information Security Officer (CISO) to be responsible for the technology risk management function of the digital bank. The digital bank must ensure that the CISO has sufficient authority, independence and resources. The terms of reference of the CISO shall—

  • be independent from day-to-day technology operations;
  • keep apprised of current and emerging technology risks which could potentially affect the financial institution’s risk profile; and
  • be appropriately certified.


We provide CISO-As-A-Service (CAAS) and will be responsible for ensuring the digital bank’s information assets and technologies are adequately protected, which includes—

  • implementing the TRMF and CRF;
  • formulating appropriate policies for the effective implementation of TRMF and CRF;
  • enforcing compliance with these policies, frameworks and other technology-related regulatory requirements; and
  • advising senior management on technology risk and security matters, including developments in the financial institution’s technology security risk profile in relation to its business and operations.


Our CAAS maximizes the value of your IT investments and information assets with help from our senior qualified resources. We work with digital banks to achieve measurable security enhancements and performance improvements, and to reduce administrative cost.

From assessing a digital bank's risk and designing controls to implementing effective security and technology governance processes, we are here to help you safeguard your information assets.

Verisign MS Sdn Bhd (aka ACPMIT Asia) 

Copyright © 2024 ACPMIT.Asia - All Rights Reserved
