RSA FSCA, RSA CB issued joint standard on principles for information technology (IT) governance and risk management that financial institutions must comply with.
Joint standard issued in line with sound practices and processes in managing IT risk.
Follows the Jun. 2021 FSCA proposed standard on IT risk management, see #108090.
Application
Joint standard applies to financial institutions, i.e. bank, controlling company, insurer.
Institutions must ensure IT risks arising from juristic persons and branches structured under the bank or controlling company (local and foreign), including all relevant subsidiaries, are catered for and mitigated when applying the requirements of the joint standard.
Minimum requirements and principles set out in joint standard must be implemented to reflect the nature, size, complexity and risk profile of a financial institution.
Joint standard must be read in conjunction with all relevant financial sector laws.
IT Strategy
Financial institutions must ensure IT strategy is approved by governing body.
Strategy must align with overall business strategy; must be reviewed regularly (at least annually) against market, industry, technology and other relevant developments.
Risk Management Framework
IT risk management framework must be set up to manage risks systematically.
May form part of the enterprise risk management framework of a financial institution.
Must be approved by the governing body and reviewed regularly, at least annually.