Singapore's banks need a new technology risk management framework. Source: Shutterstock

Singapore’s banks need a new technology risk management framework. Source: Shutterstock

Singapore’s MAS issues new consultation paper on technology risk

FINANCIAL services regulators around the world have been trying to encourage institutions to digitally transform their operations.

The Monetary Authority of Singapore (MAS), however, is going one step further to put in place a new framework to monitor and manage their technological risk.

Currently in the consultation stage, the aim of the new MAS Technology Risk Management Guidelines is to promote the adoption of sound practices for the management of technology risk.

Once released, financial institutions will be expected to implement the measures that are relevant to their operating environment.

The framework, outlined in part four of the guideline, says that financial institutions need to establish a risk management framework to manage technology risks in a consistent and systematic manner.

As part of the framework, effective risk management practices and internal controls should be instituted to achieve data confidentiality and integrity, system security and reliability, as well as resilience in its IT operating environment.

MAS’ new guidelines also advise financial institutions to identify a risk owner, accountable for ensuring proper risk treatment measures are implemented and enforced, for each kind of technology risk.

The risk owner may be assumed by a function or group of functions within the institution, who is accountable and given the authority to manage technology risks.

The guidelines advise that organizations pay attention to the following components when formulating their new technology risk management framework:

# 1 | Risk identification

MAS suggests that financial institutions must look out for threats and vulnerabilities that IT environments pose to the organization and the risks they create.

Security threats such as internal sabotage, malware, data theft, and unauthorized financial transactions could have a severe impact on organizations, and hence, the MAS cautions institutions against those as a critical first step.

# 2 | Risk assessment

Following risk identification, MAS advises organizations to perform an analysis and quantify the potential impact and consequences of these risks on the overall business and operations.

To facilitate the prioritization of technology risks, a set of criteria measuring and determining the likelihood and impact of threats and vulnerabilities should be established.

MAS also suggests that institutions take into consideration financial, operational, legal, reputational and regulatory factors in assessing technology risks.

# 3 | Risk treatment

For each type of risk identified, MAS advises that each institution must develop and implement risk mitigation and control strategies that are consistent with the value of the information assets and the level of risk tolerance.

While the MAS provides quite a bit of advice on ensuring that risk is not only mitigated effectively but also that organizations really put in efforts to assess its risk tolerance for damages and losses in the event that a given risk-related event materializes.

# 4 | Risk monitoring, review, and reporting

MAS advises that organizations monitor and review technology risks, which include risks that customers are exposed to, changes in business strategy, systems, environmental or operating conditions.

The regulator also says that institutions must report key risks to the board of directors and senior management to enable them to prepare for eventualities and put safeguards in place to minimize overall damage.