0003246
Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks
Basel Committee on Banking Supervision
Best Practice Guideline
Free
BCBS 328 Guidelines of Corporate Governance Principles for Banks
Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks
2015-07-01
The document as a whole was last reviewed and released on 2021-01-19T00:00:00-0800.
0003246
Free
Basel Committee on Banking Supervision
Best Practice Guideline
BCBS 328 Guidelines of Corporate Governance Principles for Banks
Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks
2015-07-01
The document as a whole was last reviewed and released on 2021-01-19T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Business Processes | Preventive | |
| Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
| Establish, implement, and maintain payment transaction security measures. CC ID 13088 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Technical Security | Preventive | |
| Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Business Processes | Preventive | |
| Restrict transaction activities, as necessary. CC ID 16334 | Business Processes | Preventive | |
| Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Communicate | Preventive | |
| Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Business Processes | Preventive | |
| Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Business Processes | Preventive | |
| Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Business Processes | Preventive | |
| Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Establish/Maintain Documentation | Preventive | |
| Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Business Processes | Preventive | |
| Encrypt electronic commerce transactions and messages. CC ID 08621 | Configuration | Preventive | |
| Protect the integrity of application service transactions. CC ID 12017 | Business Processes | Preventive | |
| Include required information in electronic commerce transactions and messages. CC ID 15318 | Data and Information Management | Preventive | |
| Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Business Processes | Preventive | |
| Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Communicate | Preventive | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
| Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 | Acquisition/Sale of Assets or Services | Detective | |
| Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125.] | Testing | Detective | |
| Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Testing | Detective | |
| Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Testing | Detective | |
| Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Testing | Detective | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Testing | Detective | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Testing | Detective | |
| Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Testing | Detective | |
| Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Testing | Detective | |
| Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Testing | Detective | |
| Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Testing | Detective | |
| Correct defective acquired goods or services. CC ID 06911 | Acquisition/Sale of Assets or Services | Corrective | |
| Authorize new assets prior to putting them into the production environment. CC ID 13530 | Process or Activity | Preventive | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Establish/Maintain Documentation | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [A risk committee should: should oversee that management has in place processes to promote the bank's adherence to the approved risk policies. Principle 3: 71. Bullet 8] | Communicate | Preventive | |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: an internal audit function independent from the first and second lines of defence. Principle 1: 38. Bullet 3] | Establish Roles | Preventive | |
| Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
| Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 {is responsible}The audit committee is, in particular, responsible for: approving, or recommending to the board or shareholders for their approval, the appointment, remuneration and dismissal of external auditors; Principle 3: 69. Bullet 4 {is responsible} The audit committee is, in particular, responsible for: reviewing and approving the audit scope and frequency; Principle 3: 69. Bullet 5 {is responsible} The audit committee is, in particular, responsible for: overseeing the financial reporting process; Principle 3: 69. Bullet 2 The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Establish Roles | Preventive | |
| Assign the Board of Directors to address audit findings. CC ID 12396 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: Principle 4: 94. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Human Resources Management | Corrective | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
| Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Testing | Detective | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 [{remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Establish Roles | Preventive | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. The board and senior management contribute to the effectiveness of the internal audit function by requiring that audit staff collectively have or can access knowledge, skills and resources commensurate with the business activities and risks of the bank; Principle 10: 141. Bullet 4 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and Risk Management | Preventive | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive | |
| Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 [Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments. Principle 7: 121.] | Testing | Detective | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and Risk Management | Preventive | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 [In order to fulfil its responsibilities, the board of the parent company should: establish an effective internal audit function that ensures audits are being performed within or for all subsidiaries and part of the group and group itself; and Principle 5: 96. Bullet 9 {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
| Assign the audit to impartial auditors. CC ID 07118 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: Principle 10: 142. The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Establish Roles | Preventive | |
| Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
| Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 [The board and senior management contribute to the effectiveness of the internal audit function by requiring internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors; Principle 10: 141. Bullet 3] | Behavior | Preventive | |
| Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive | |
| Establish and maintain audit terms. CC ID 13880 [The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Establish/Maintain Documentation | Preventive | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [{be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Establish/Maintain Documentation | Preventive | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the quality of risk reporting to the board and senior management; and Principle 10: 141. Bullet 6 sub bullet 2] | Establish/Maintain Documentation | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
| Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 [ensuring that the activities and structure are subject to regular internal and external audit reviews. Principle 5: 102. Bullet 5] | Audits and Risk Management | Preventive | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
| Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the bank's system of internal controls. Principle 10: 141. Bullet 6 sub bullet 3] | Testing | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
| Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
| Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [The board and senior management contribute to the effectiveness of the internal audit function by providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; Principle 10: 141. Bullet 1] | Audits and Risk Management | Preventive | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: the head of the internal audit function's primary reporting line is to the board (or its audit committee), which is also responsible for the selection, oversight of the performance and, if necessary, dismissal of the head of this function; Principle 10: 142. Bullet 2] | Business Processes | Preventive | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
| Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
| Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
| Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
| Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
| Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
| Review past audit reports. CC ID 01155 | Establish/Maintain Documentation | Detective | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
| Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
| Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Log Management | Detective | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
| Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
| Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 [The board and senior management contribute to the effectiveness of the internal audit function by requiring timely and effective correction of audit issues by senior management; and Principle 10: 141. Bullet 5 When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Establish/Maintain Documentation | Corrective | |
| Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
| Review management's response to issues raised in past audit reports. CC ID 01149 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Audits and Risk Management | Detective | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Establish/Maintain Documentation | Preventive | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Testing | Detective | |
| Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
| Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Establish/Maintain Documentation | Preventive | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 [{specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.] | Establish/Maintain Documentation | Preventive | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2 {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.] | Business Processes | Preventive | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: Principle 6: 105. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: influencing and, when necessary, challenging decisions that give rise to material risk; and Principle 6: 105. Bullet 6] | Business Processes | Preventive | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
| Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
| Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Establish/Maintain Documentation | Preventive | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and Risk Management | Detective | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Establish Roles | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Establish/Maintain Documentation | Preventive | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Business Processes | Preventive | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
| Use the risk taxonomy when managing risk. CC ID 12280 [{business environment}{risk environment} The degree of sophistication of the bank's risk management infrastructure – including, in particular, a sufficiently robust data infrastructure, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank's business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines. Principle 7: 117.] | Behavior | Preventive | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
| Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Establish/Maintain Documentation | Preventive | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Testing | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4] | Establish/Maintain Documentation | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 [{notification system} The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; Principle 6: 105. Bullet 5] | Establish/Maintain Documentation | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [{risk committee}{risk limit}{risk mitigation plan} The committee should receive regular reporting and communication from the CRO and other relevant functions about the bank's current risk profile, current state of the risk culture, utilisation against the established risk appetite, and limits, limit breaches and mitigation plans (see Principle 6). Principle 3: 74.] | Communicate | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. {specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119. Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. {risk information}{interested personnel}{appropriate authority} Material risk-related ad hoc information that requires immediate decisions or reactions should be promptly presented to senior management and, as appropriate, the board, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage. Principle 8: 128. {be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127. Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129. {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Behavior | Preventive | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Audits and Risk Management | Detective | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: identifying material individual, aggregate and emerging risks; Principle 6: 105. Bullet 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and Risk Management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The bank's RAS should establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity; Principle 1: 36. Bullet 2 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Audits and Risk Management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 [Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.] | Audits and Risk Management | Preventive | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The bank's RAS should define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and Principle 1: 36. Bullet 3] | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Audits and Risk Management | Detective | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Accordingly, the board should: Establish, along with senior management and the CRO, the bank's risk appetite, taking into account the competitive and regulatory landscape and the bank's long-term interests, risk exposure and ability to manage risk effectively; Principle 1: 26. Bullet 5 {strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. (quantitative consideration}The bank's RAS should include both quantitative and qualitative considerations; Principle 1: 36. Bullet 1 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: promoting risk awareness within a strong risk culture, conveying the board's expectation that it does not support excessive risk-taking and that all employees are responsible for helping the bank operate within the established risk appetite and risk limits; Principle 1: 30. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4] | Establish/Maintain Documentation | Preventive | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Behavior | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Establish/Maintain Documentation | Detective | |
| Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Audits and Risk Management | Preventive | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122. stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Establish/Maintain Documentation | Preventive | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Establish/Maintain Documentation | Preventive | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
| Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification. Principle 1: 34. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Establish/Maintain Documentation | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Establish/Maintain Documentation | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
| Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
| Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Establish/Maintain Documentation | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Human Resources Management | Preventive | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Accordingly, the board should: approve the selection and oversee the performance of the CEO, key members of senior management and heads of the control functions; Principle 1: 26. Bullet 10 The board should select the CEO and may select other key personnel, including members of senior management. Principle 1: 45. {is responsible}The audit committee is, in particular, responsible for: providing oversight of and interacting with the bank's internal and external auditors; Principle 3: 69. Bullet 3 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Establish Roles | Preventive | |
| Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Establish Roles | Preventive | |
| Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
| Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
| Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
| Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
| Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The board has overall responsibility for the bank, including approving and overseeing management's implementation of the bank's strategic objectives, governance framework and corporate culture. Principle 1: ¶ 1 The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2 The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. The board should maintain and periodically update organisational rules, by-laws, or other similar documents setting out its organisation, rights, responsibilities and key activities. Principle 3: 58. {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. In the interest of greater transparency and accountability, a board should disclose the committees it has established, their mandates and their composition (including members who are considered to be independent). Principle 3: 65. {is responsible} The audit committee is, in particular, responsible for: framing policy on internal audit and financial reporting, among other things; Principle 3: 69. Bullet 1 The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. Principle 3: 84. Under the direction and oversight of the board, senior management should carry out and manage the bank's activities in a manner consistent with the business strategy, risk appetite, remuneration and other policies approved by the board. Principle 4: ¶ 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91. The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: question and critically review explanations and information provided by senior management; Principle 1: 46. Bullet 3 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55. continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the bank's ability to manage those risks prior to setting up new structures and initiating associated activities; Principle 5: 102. Bullet 2 Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Establish Roles | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 [To increase efficiency and allow deeper focus in specific areas, a board may establish certain specialised board committees. The committees should be created and mandated by the full board. The number and nature of committees depend on many factors, including the size of the bank and its board, the nature of the business areas of the bank, and its risk profile. Principle 3: 63.] | Human Resources Management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Establish/Maintain Documentation | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 [{performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4] | Human Resources Management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [{international business activity}{economic forces}{legal environment} the board collectively should have a reasonable understanding of local, regional and, if appropriate, global economic and market forces and of the legal and regulatory environment. International experience, where relevant, should also be considered; and Principle 2: 49. Bullet 2 To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: periodically review its structure, size and composition as well as committees' structures and coordination; Principle 3: 59. Bullet 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: assess the ongoing suitability of each board member periodically (at least annually), also taking into account his or her performance on the board; Principle 3: 59. Bullet 2 The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61. Where there are shareholders with power to appoint board members, the board should ensure that such individuals understand their duties. Board members have responsibilities to the bank's overall interests, regardless of who appoints them. In cases where board members are selected by a controlling shareholder, the board may wish to set out specific procedures or conduct periodic reviews to facilitate the appropriate discharge of responsibility by all board members. Principle 2: 56. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161.] | Establish/Maintain Documentation | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The board should appoint members to specialised committees with the goal of achieving an appropriate mix of skills and experience that, in combination, allow the committees to fully understand, objectively evaluate and bring fresh thinking to the relevant issues. Principle 3: 78. The selection process should include reviewing whether board candidates: possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind given their responsibilities on the board and in the light of the bank's business and risk profile; Principle 2: 51(i). In order to fulfil its responsibilities, the board of the parent company should: define an appropriate subsidiary board and management structure which takes into account the material risks to which the group, its businesses and its subsidiaries are exposed; Principle 5: 96. Bullet 2 Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. (reputation) The selection process should include reviewing whether board candidates: have a record of integrity and good repute; Principle 2: 51(ii). The selection process should include reviewing whether board candidates: have the ability to promote a smooth interaction between board members. Principle 2: 51(iv). The selection process should include reviewing whether board candidates: have sufficient time to fully carry out their responsibilities; and Principle 2: 51(iii).] | Establish/Maintain Documentation | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 [{capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Human Resources Management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 [Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: Principle 2: 52. Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: other persons (such as management or other shareholders); Principle 2: 52. Bullet 1 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: past or present positions held; or Principle 2: 52. Bullet 2 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: personal, professional or other economic relationships with other members of the board or management (or with other entities within the group). Principle 2: 52. Bullet 3 {is sufficient} The board must be suitable to carry out its responsibilities and have a composition that facilitates effective oversight. For that purpose, the board should be comprised of a sufficient number of independent directors. Principle 2: 47. {be independent}{non-executive member} A committee chair should be an independent, non-executive board member. Principle 3: 67. {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62.] | Human Resources Management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. Accordingly, the board should: oversee the bank's adherence to the RAS, risk policy and risk limits; Principle 1: 26. Bullet 6 {be aware} Senior management – and the board, as appropriate – should be cognisant of these challenges and take action to avoid or mitigate them by: Principle 5: 102. Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank's risk management function. In banking groups, there should be a group CRO in addition to subsidiary-level risk officers. Because some banks may have an officer who fulfils the function of a CRO under a different title, reference in this document to the CRO is intended to incorporate equivalent positions, provided they meet the independence and other requirements set out herein. Principle 6: 108. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1] | Human Resources Management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 [{board committee}{rotate} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Human Resources Management | Corrective | |
| Define and assign board committees, as necessary. CC ID 14787 [In jurisdictions permitting or requiring executive members on the board, the board of a bank should work to ensure the needed objectivity in each committee, such as by having only non-executives and, to the extent possible, a majority of independent members. Principle 3: 79.] | Human Resources Management | Preventive | |
| Define and assign risk committees, as necessary. CC ID 14795 [A risk committee should: be required for systemically important banks and is strongly recommended for other banks based on a bank's size, risk profile or complexity; Principle 3: 71. Bullet 1] | Human Resources Management | Preventive | |
| Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 [{board committee} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Establish/Maintain Documentation | Preventive | |
| Define and assign audit committees, as necessary. CC ID 14788 [An audit committee should: be required for systemically important banks and is strongly recommended for other banks based on an organisation's size, risk profile or complexity; Principle 3: 68. Bullet 1] | Human Resources Management | Preventive | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [An audit committee should: include members who have experience in audit practices, financial reporting and accounting. Principle 3: 68. Bullet 5 An audit committee should: be made up entirely of independent or non-executive board members; and Principle 3: 68. Bullet 4] | Human Resources Management | Preventive | |
| Define and assign compensation committees, as necessary. CC ID 14793 [Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources Management | Preventive | |
| Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
| Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
| Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
| Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
| Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
| Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
| Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 [Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109.] | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
| Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
| Define and assign the security staff roles and responsibilities. CC ID 11750 | Establish/Maintain Documentation | Preventive | |
| Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
| Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
| Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Establish Roles | Preventive | |
| Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
| Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Establish/Maintain Documentation | Preventive | |
| Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
| Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
| Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
| Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
| Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
| Assign a contact person to all business units. CC ID 07144 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Establish Roles | Preventive | |
| Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
| Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
| Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
| Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1] | Human Resources Management | Preventive | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources Management | Preventive | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Establish Roles | Preventive | |
| Document the use of external experts. CC ID 16263 | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO). Principle 1: 37. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: Principle 1: 38. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: the business line; Principle 1: 38. Bullet 1 {risk management} Depending on the bank's nature, size and complexity, and the risk profile of its activities, the specifics of how these three lines of defence are structured can vary. Regardless of the structure, responsibilities for each line of defence should be well defined and communicated. Principle 1: 39. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. A risk committee should: is required to review the bank's risk policies at least annually; and Principle 3: 71. Bullet 7 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. A risk committee should: should include members who have experience in risk management issues and practices; Principle 3: 71. Bullet 5 {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources Management | Preventive | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [A risk committee should: should include a majority of members who are independent; Principle 3: 71. Bullet 4] | Human Resources Management | Preventive | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources Management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Establish Roles | Preventive | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Establish Roles | Preventive | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources Management | Preventive | |
| Assign the role of security management to applicable controls. CC ID 06444 | Establish Roles | Preventive | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources Management | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources Management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources Management | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Communicate | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Establish Roles | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources Management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources Management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources Management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Establish Roles | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources Management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Establish Roles | Preventive | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Establish Roles | Preventive | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Establish Roles | Preventive | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Establish Roles | Preventive | |
| Assign the role of data custodian to applicable controls. CC ID 04789 | Establish Roles | Preventive | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Establish Roles | Preventive | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Establish Roles | Preventive | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Establish/Maintain Documentation | Preventive | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Establish Roles | Preventive | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Establish Roles | Preventive | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Establish Roles | Preventive | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Establish Roles | Preventive | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Establish Roles | Preventive | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources Management | Preventive | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources Management | Preventive | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources Management | Preventive | |
| Analyze workforce management. CC ID 12844 | Human Resources Management | Detective | |
| Include compensation structures in the analysis of workforce management. CC ID 12902 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 {performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4 {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources Management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Establish/Maintain Documentation | Preventive | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources Management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50.] | Human Resources Management | Preventive | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources Management | Preventive | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources Management | Preventive | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources Management | Preventive | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources Management | Preventive | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources Management | Preventive | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources Management | Preventive | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources Management | Preventive | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources Management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Establish/Maintain Documentation | Preventive | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources Management | Preventive | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Establish/Maintain Documentation | Preventive | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Establish/Maintain Documentation | Preventive | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Establish/Maintain Documentation | Preventive | |
| Train all new hires, as necessary. CC ID 06673 | Behavior | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the personnel security policy. CC ID 14113 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the personnel security policy. CC ID 14111 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the personnel security policy. CC ID 14110 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Communicate | Preventive | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources Management | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The board should be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess the necessary qualifications commensurate with the size, complexity and risk profile of the bank Principle 2: 48. Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Testing | Detective | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
| Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Establish/Maintain Documentation | Preventive | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Technical Security | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Technical Security | Corrective | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources Management | Preventive | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Data and Information Management | Corrective | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources Management | Preventive | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 [Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3] | Behavior | Preventive | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Communicate | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources Management | Preventive | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources Management | Corrective | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Behavior | Preventive | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources Management | Preventive | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Establish/Maintain Documentation | Preventive | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources Management | Detective | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Establish Roles | Preventive | |
| Assign and staff all roles appropriately. CC ID 00784 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. {is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Testing | Detective | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Behavior | Preventive | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [An audit committee should: have a chair who is independent and is not the chair of the board or of any other committee; Principle 3: 68. Bullet 3 {be independent} A risk committee should: should be distinct from the audit committee, but may have other related tasks, such as finance; Principle 3: 71. Bullet 2 {be independent} A risk committee should: should have a chair who is an independent director and not the chair of the board or of any other committee; Principle 3: 71. Bullet 3 {separation of function} There is a potential conflict of interest where a bank is both owned by the state and subject to banking supervision of the state. If such conflicts of interest do exist, there should be full administrative separation of the ownership and banking supervision functions in order to minimise political interference in the supervision of the bank. Principle 3: 86. {be independent} An audit committee should: be distinct from other committees; Principle 3: 68. Bullet 2 {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {be independent} There should be no "dual hatting" by the heads of these functions. Principle 10: 140.] | Testing | Detective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Technical Security | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The bank's remuneration structure should support sound corporate governance and risk management. Principle 11: ¶ 1 The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources Management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Establish/Maintain Documentation | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Communicate | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 [Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. {remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Establish/Maintain Documentation | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 [Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [{be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147. {remuneration standard} The FSB principles on compensation are intended to apply to significant financial institutions, but they are especially critical for large, systemically important firms. National jurisdictions may also apply the principles in a proportionate manner to smaller, less complex institutions. Banks are encouraged to implement the FSB principles, or consistent national provisions based on them. Principle 11: 145. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143.] | Establish/Maintain Documentation | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources Management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources Management | Preventive | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Behavior | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 [All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1] | Human Resources Management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources Management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources Management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources Management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources Management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources Management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources Management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources Management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources Management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources Management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources Management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources Management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources Management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources Management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Behavior | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Business Processes | Preventive | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources Management | Preventive | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
| Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 | Behavior | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Behavior | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
| Document all training in a training record. CC ID 01423 | Establish/Maintain Documentation | Detective | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
| Conduct tests and evaluate training. CC ID 06672 | Testing | Detective | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
| Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources Management | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
| Include risk management in the training plan, as necessary. CC ID 13040 | Training | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
| Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
| Include the cloud service usage standard in the training plan. CC ID 13039 | Training | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
| Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
| Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. This should include information on the bank's approach to disclosing and managing material conflicts of interest that are not consistent with such policies, and conflicts that could arise because of the bank's affiliation or transactions with other entities within the group. Principle 3: 85. In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions, in appropriate recognition of the interest of the group. Principle 5: 96. Bullet 10 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a rigorous review and approval process for members to follow before they engage in certain activities (such as serving on another board) so as to ensure that such activity will not create a conflict of interest; Principle 3: 83. Bullet 3] | Establish/Maintain Documentation | Preventive | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: adequate procedures for transactions with related parties so that they are made on an arm's length basis; and Principle 3: 83. Bullet 6 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: examples of where conflicts can arise when serving as a board member; Principle 3: 83. Bullet 2] | Establish/Maintain Documentation | Preventive | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Communicate | Preventive | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to avoid, to the extent possible, activities that could create conflicts of interest or the appearance of conflicts of interest; Principle 3: 83. Bullet 1 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's responsibility to abstain from voting on any matter where the member may have a conflict of interest or where the member's objectivity or ability to properly fulfil duties to the bank may be otherwise compromised; Principle 3: 83. Bullet 5 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest; Principle 3: 83. Bullet 4] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Establish/Maintain Documentation | Preventive | |
| Include definitions of ethics violations in the Code of Conduct. CC ID 14768 [{code of conduct} It should explicitly disallow illegal activity, such as financial misreporting and misconduct, economic crime including fraud, breach of sanctions, money laundering, anti-competitive practices, bribery and corruption, or the violation of consumer rights. Principle 1: 31. Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Include exercising due professional care in the Code of Conduct. CC ID 14210 [The members of the board should exercise their "duty of care" and "duty of loyalty" to the bank under applicable national laws and supervisory standards. Principle 1: 25. {code of conduct} It should make clear that employees are expected to conduct themselves ethically and perform their job with skill and due care and diligence in addition to complying with laws, regulations and company policies. Principle 1: 31. Bullet 2] | Establish/Maintain Documentation | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46.] | Behavior | Corrective | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Communicate | Preventive | |
| Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 [{are acceptable} A bank's code of conduct or code of ethics, or comparable policy, should define acceptable and unacceptable behaviours. Principle 1: 31.] | Establish/Maintain Documentation | Preventive | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{disciplinary action} In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that employees, including senior management, are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and transgressions. Principle 1: 30. Bullet 4] | Behavior | Preventive | |
| Establish, implement, and maintain performance reviews. CC ID 14777 | Business Processes | Detective | |
| Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59.] | Human Resources Management | Detective | |
| Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 [If a board member ceases to be qualified or is failing to fulfil his or her responsibilities, the board should take appropriate actions as permitted by law, which may include notifying their banking supervisor. Principle 2: 53.] | Human Resources Management | Preventive | |
| Conduct staff performance reviews, as necessary. CC ID 07205 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: assess whether senior management's collective knowledge and expertise remain appropriate given the nature of the business and the bank's risk profile; and Principle 1: 46. Bullet 5 {be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147.] | Business Processes | Detective | |
| Analyze the documentation produced by staff during the performance review. CC ID 07207 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources Management | Preventive | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 [{manner}{party} The board should oversee and approve how and by whom legitimate material concerns shall be investigated and addressed by an objective independent internal or external body, senior management and/or the board itself. Principle 1: 32. Bullet 3] | Investigate | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 [The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82.] | Behavior | Preventive | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
| Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [Accordingly, the board should: oversee the integrity, independence and effectiveness of the bank's policies and procedures for whistleblowing. Principle 1: 26. Bullet 12 {confidential communication}{illegal activity}{unethical conduct} Employees should be encouraged and able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This can be facilitated through a well communicated policy and adequate procedures and processes, consistent with national law, which allow employees to communicate material and bona fide concerns and observations of any violations in a confidential manner (eg whistleblower policy). This includes communicating material concerns to the bank's supervisor. Principle 1: 32. Bullet 1 Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: issues raised as a result of the bank's whistleblowing procedures. Principle 4: 94. Bullet 6] | Business Processes | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Business Processes | Corrective | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Behavior | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Establish/Maintain Documentation | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Establish/Maintain Documentation | Preventive | |
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Process or Activity | Detective | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Establish/Maintain Documentation | Preventive | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Communicate | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Communicate | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Process or Activity | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Communicate | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Communicate | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Process or Activity | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Process or Activity | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Business Processes | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Process or Activity | Preventive | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Actionable Reports or Measurements | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Communicate | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Process or Activity | Preventive | |
| Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Process or Activity | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Establish/Maintain Documentation | Preventive | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Monitor and Evaluate Occurrences | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 [Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Business Processes | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Business Processes | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: changes in business strategy, risk strategy/risk appetite; Principle 4: 94. Bullet1] | Communicate | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.] | Establish/Maintain Documentation | Preventive | |
| Analyze the business environment in which the organization operates. CC ID 12798 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Business Processes | Preventive | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.] | Process or Activity | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Process or Activity | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the external environment in which the organization operates. CC ID 12799 [having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3 having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3] | Business Processes | Preventive | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 | Business Processes | Preventive | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Monitor and Evaluate Occurrences | Preventive | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
| Include society in the analysis of the external environment. CC ID 12963 | Business Processes | Preventive | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
| Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 | Business Processes | Preventive | |
| Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 | Business Processes | Preventive | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [avoiding setting up complicated structures that lack economic substance or business purpose; Principle 5: 102. Bullet 1] | Business Processes | Preventive | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
| Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: the bank's performance and financial condition; Principle 4: 94. Bullet 2] | Business Processes | Preventive | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The board should be prepared to discuss with, and as necessary report to, the bank's supervisor and the host country supervisors the policies and strategies adopted regarding the establishment and maintenance of these structures and activities. Principle 5: 104. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Establish/Maintain Documentation | Preventive | |
| Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
| Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
| Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
| Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Communicate | Preventive | |
| Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 | Establish/Maintain Documentation | Preventive | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Business Processes | Corrective | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137.] | Establish/Maintain Documentation | Preventive | |
| Define the scope of the security policy. CC ID 07145 | Data and Information Management | Preventive | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Business Processes | Preventive | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
| Correlate Information Systems with applicable controls. CC ID 01621 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Establish/Maintain Documentation | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 | Establish/Maintain Documentation | Preventive | |
| Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that appropriate steps have been or are being taken to communicate throughout the bank the corporate values, professional standards or codes of conduct it sets, together with supporting policies; and Principle 1: 30. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Communicate | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
| Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 | Establish/Maintain Documentation | Preventive | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Establish/Maintain Documentation | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Establish/Maintain Documentation | Preventive | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Business Processes | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Behavior | Preventive | |
| Estimate the costs of implementing the compliance framework. CC ID 07191 | Business Processes | Preventive | |
| Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
| Establish and maintain a compliance oversight committee. CC ID 00765 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Establish Roles | Detective | |
| Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [{board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. {board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2] | Establish/Maintain Documentation | Detective | |
| Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Establish/Maintain Documentation | Preventive | |
| Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Establish/Maintain Documentation | Detective | |
| Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Establish Roles | Preventive | |
| Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Establish Roles | Preventive | |
| Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Establish Roles | Preventive | |
| Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Establish Roles | Preventive | |
| Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Human Resources Management | Preventive | |
| Address Information Security during the business planning processes. CC ID 06495 | Data and Information Management | Preventive | |
| Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Establish/Maintain Documentation | Preventive | |
| Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Establish Roles | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2] | Establish/Maintain Documentation | Preventive | |
| Determine progress toward the objectives of the strategic plan. CC ID 12944 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: monitor that senior management's actions are consistent with the strategy and policies approved by the board, including the risk appetite; Principle 1: 46. Bullet 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91.] | Process or Activity | Preventive | |
| Include acting with integrity in the strategic plan. CC ID 12870 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Communicate | Preventive | |
| Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Establish/Maintain Documentation | Preventive | |
| Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a planning policy. CC ID 14673 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain planning procedures. CC ID 14698 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Communicate | Preventive | |
| Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Communicate | Preventive | |
| Include compliance requirements in the planning policy. CC ID 14688 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the planning policy. CC ID 14687 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the planning policy. CC ID 14686 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the planning policy. CC ID 14685 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the planning policy. CC ID 14684 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the planning policy. CC ID 14683 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security planning policy. CC ID 14027 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security planning policy. CC ID 14131 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security planning policy. CC ID 14130 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the security planning policy. CC ID 14129 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security planning policy. CC ID 14128 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security planning policy. CC ID 14127 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security planning policy. CC ID 14126 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Communicate | Preventive | |
| Establish, implement, and maintain security planning procedures. CC ID 14060 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Communicate | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 [individual board members' attitude should facilitate communication, collaboration and critical debate in the decision-making process. Principle 2: 49. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Establish/Maintain Documentation | Preventive | |
| Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
| Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
| Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
| Include criteria for compliance in the decision-making criteria. CC ID 12951 | Establish/Maintain Documentation | Preventive | |
| Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Establish/Maintain Documentation | Preventive | |
| Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Establish/Maintain Documentation | Preventive | |
| Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Establish/Maintain Documentation | Preventive | |
| Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Process or Activity | Preventive | |
| Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Process or Activity | Preventive | |
| Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Process or Activity | Preventive | |
| Identify and document the events that initiate the decision management strategy. CC ID 06914 | Establish/Maintain Documentation | Detective | |
| Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Process or Activity | Preventive | |
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28. {are relevant} board members should have a range of knowledge and experience in relevant areas and have varied backgrounds to promote diversity of views. Relevant areas of competence may include, but are not limited to capital markets, financial analysis, financial stability issues, financial reporting, information technology, strategic planning, risk management, compensation, regulation, corporate governance and management skills; Principle 2: 49. Bullet 1 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1] | Behavior | Preventive | |
| Take actions in accordance with the decision-making criteria. CC ID 12909 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Process or Activity | Preventive | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Communicate | Preventive | |
| Establish, implement, and maintain an information technology process framework. CC ID 13648 | Establish/Maintain Documentation | Preventive | |
| Include maturity models in the Information Technology process framework. CC ID 13652 | Establish/Maintain Documentation | Preventive | |
| Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Establish/Maintain Documentation | Preventive | |
| Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a tactical plan. CC ID 12785 | Establish/Maintain Documentation | Preventive | |
| Include acting with integrity in the tactical plan. CC ID 12871 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Establish/Maintain Documentation | Preventive | |
| Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Establish/Maintain Documentation | Preventive | |
| Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Human Resources Management | Preventive | |
| Include the transparency goals in the Information Governance Plan. CC ID 10056 | Establish/Maintain Documentation | Preventive | |
| Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Establish/Maintain Documentation | Preventive | |
| Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
| Align business continuity objectives with the business continuity policy. CC ID 12408 | Establish/Maintain Documentation | Preventive | |
| Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Business Processes | Corrective | |
| Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Business Processes | Preventive | |
| Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Establish/Maintain Documentation | Preventive | |
| Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
| Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Establish/Maintain Documentation | Preventive | |
| Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Establish/Maintain Documentation | Preventive | |
| Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
| Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Establish/Maintain Documentation | Preventive | |
| Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Establish/Maintain Documentation | Preventive | |
| Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
| Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Establish/Maintain Documentation | Preventive | |
| Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
| Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Establish/Maintain Documentation | Preventive | |
| Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Establish/Maintain Documentation | Preventive | |
| Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Establish/Maintain Documentation | Preventive | |
| Include a search plan in the counterterror protective security plan. CC ID 06865 | Establish/Maintain Documentation | Preventive | |
| Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Establish/Maintain Documentation | Preventive | |
| Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Establish/Maintain Documentation | Preventive | |
| Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Monitor and Evaluate Occurrences | Detective | |
| Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Actionable Reports or Measurements | Preventive | |
| Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Actionable Reports or Measurements | Preventive | |
| Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Actionable Reports or Measurements | Preventive | |
| Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Actionable Reports or Measurements | Preventive | |
| Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Business Processes | Preventive | |
| Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Behavior | Preventive | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Accordingly, the board should: require that the bank maintain a robust finance function responsible for accounting and financial data; Principle 1: 26. Bullet 8 {is responsible} The audit committee is, in particular, responsible for: overseeing the establishment of accounting policies and practices by the bank; and Principle 3: 69. Bullet 7] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
| Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
| Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Establish/Maintain Documentation | Preventive | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
| Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
| Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
| Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
| Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
| Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
| Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
| Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
| Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
| Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
| Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
| Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
| Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
| Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
| Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
| Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
| Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
| Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
| Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
| Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
| Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
| Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain financial reports. CC ID 14770 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Establish/Maintain Documentation | Preventive | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
| Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
| Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: internal control failures; Principle 4: 94. Bullet 4] | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures. CC ID 12525 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures. CC ID 12512 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Establish/Maintain Documentation | Preventive | |
| Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: ongoing monitoring of the risk-taking activities and risk exposures in line with the board approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning); Principle 6: 105. Bullet 4 The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Establish/Maintain Documentation | Preventive | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Monitor and Evaluate Occurrences | Preventive | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
| Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
| Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
| Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
| Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
| Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
| Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
| Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
| Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
| Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
| Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a testing program. CC ID 00654 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.] | Behavior | Preventive | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Establish/Maintain Documentation | Preventive | |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Technical Security | Detective | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Communicate | Preventive | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Communicate | Preventive | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 | Technical Security | Detective | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Human Resources Management | Preventive | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Establish/Maintain Documentation | Preventive | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Testing | Detective | |
| Define the test requirements for each testing program. CC ID 13177 [internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Testing | Preventive | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Testing | Preventive | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Testing | Preventive | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Testing | Preventive | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Process or Activity | Detective | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Establish/Maintain Documentation | Preventive | |
| Scan organizational networks for rogue devices. CC ID 00536 | Testing | Detective | |
| Scan the network for wireless access points. CC ID 00370 | Testing | Detective | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Establish/Maintain Documentation | Preventive | |
| Scan wireless networks for rogue devices. CC ID 11623 | Technical Security | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Testing | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Technical Security | Corrective | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitor and Evaluate Occurrences | Corrective | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Configuration | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Configuration | Corrective | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Establish/Maintain Documentation | Preventive | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Communicate | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Communicate | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Communicate | Preventive | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Establish/Maintain Documentation | Preventive | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Testing | Preventive | |
| Perform conformity assessments, as necessary. CC ID 15095 | Testing | Detective | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Technical Security | Detective | |
| Define the test frequency for each testing program. CC ID 13176 | Establish/Maintain Documentation | Preventive | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3 the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4 Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Communicate | Preventive | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 | Establish/Maintain Documentation | Preventive | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Establish Roles | Preventive | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Testing | Preventive | |
| Retain penetration test results according to internal policy. CC ID 10049 | Records Management | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Records Management | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Testing | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Testing | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 | Testing | Detective | |
| Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 | Technical Security | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective | |
| Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
| Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
| Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
| Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
| Test the system for covert channels. CC ID 10652 | Testing | Detective | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Include facilities in the business line testing strategy. CC ID 13253 | Establish/Maintain Documentation | Preventive | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Establish/Maintain Documentation | Preventive | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Establish/Maintain Documentation | Preventive | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Establish/Maintain Documentation | Preventive | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Establish/Maintain Documentation | Preventive | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Technical Security | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
| Test the system for unvalidated input. CC ID 01318 | Testing | Detective | |
| Test the system for proper error handling. CC ID 01324 | Testing | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Testing | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Testing | Detective | |
| Approve the vulnerability management program. CC ID 15722 | Process or Activity | Preventive | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Establish Roles | Preventive | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Technical Security | Preventive | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Technical Security | Detective | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Testing | Detective | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Testing | Detective | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Testing | Detective | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Configuration | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Technical Security | Corrective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Configuration | Corrective | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Establish/Maintain Documentation | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Technical Security | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Technical Security | Corrective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Business Processes | Preventive | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Monitor and Evaluate Occurrences | Detective | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Establish/Maintain Documentation | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
| Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.] | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [{manner} The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: the way in which the board will deal with any non-compliance with the policy. Principle 3: 83. Bullet 7] | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 [{be transparent} The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants. Principle 12: ¶ 1] | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
| Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions; Principle 5: 96. Bullet 4 {risk management function}{review and approval process}{entail} An assessment of the extent to which the bank's risk management, legal and regulatory compliance, information technology, business line and internal control functions have adequate tools and the expertise necessary to measure and manage related risks. Principle 7: 123. ¶ 1 Bullet 2 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{law, rule, or regulation}{negatively impact} While the strategic objectives, risk governance framework, corporate values and corporate governance principles of the subsidiary should align with that of the parent company (referred to here as "group policies"), the subsidiary board should make necessary adjustments where a group policy conflicts with an applicable legal or regulatory provision or prudential rule, or would be detrimental to the sound and prudent management of the subsidiary. Principle 5: 98.] | Monitor and Evaluate Occurrences | Detective | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
| Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
| Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
| Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The bank's corporate values should recognise the critical importance of timely and frank discussion and escalation of problems to higher levels within the organisation. Principle 1: 32. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 {legal concern}Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: legal or regulatory concerns; and Principle 4: 94. Bullet 5 The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.] | Actionable Reports or Measurements | Corrective | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
| Test the recovery plan, as necessary. CC ID 13290 | Testing | Detective | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Establish/Maintain Documentation | Detective | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 The bank's risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank's risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank's size, complexity and risk profile. Principle 7: 112. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: Principle 10: 141. Bullet 6 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. In reviewing corporate governance in the context of a group structure, supervisors should take into account the corporate governance responsibilities of both the parent company and subsidiaries, in accordance with Principle 5 of this document. Principle 13: 163. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164.] | Behavior | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [{applicable requirements} In order to fulfil its responsibilities, the board of the parent company should: have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements; Principle 5: 96. Bullet 7 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 {is responsible}The audit committee is, in particular, responsible for: reviewing the third-party opinions on the design and effectiveness of the overall risk governance framework and internal control system. Principle 3: 69. Bullet 8 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: subject to the review and approval of the board, developing and implementing the enterprisewide risk governance framework, which includes the bank's risk culture, risk appetite and risk limits; Principle 6: 105. Bullet 3 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The bank's senior management is responsible for establishing a compliance policy that contains the basic principles to be approved by the board and explains the main processes by which compliance risks are to be identified and managed through all levels of the organisation. Principle 9: 133. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Human Resources Management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: meet regularly with senior management; Principle 1: 46. Bullet 2 Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131.] | Business Processes | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Establish/Maintain Documentation | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
| Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.] | Establish Roles | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
| Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
| Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
| Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
| Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
| Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168. Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Records Management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Business Processes | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: Principle 1: 30. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 In the case of a significant regulated subsidiary (due to its risk profile or systemic importance or due to its size relative to the parent company), the board of the significant subsidiary should take such further steps as are necessary to help the subsidiary meet its own corporate governance responsibilities and the legal and regulatory requirements that apply to it. Principle 5: 99. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.] | Process or Activity | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [A risk committee should: should discuss all risk strategies on both an aggregated basis and by type of risk and make recommendations to the board thereon, and on the risk appetite; Principle 3: 71. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: maintain an effective relationship with both the home regulator and, through the subsidiary board or direct contact, with the regulators of all subsidiaries; Principle 5: 96. Bullet 8 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The board and senior management are primarily responsible for the governance of the bank, and supervisors should assess their performance in this regard. This section sets forth several principles that can assist supervisors in assessing corporate governance and foster good corporate governance in banks. Principle 13: 157. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. {define} The frequency of interactions with the above persons may vary according to the size, complexity, structure, economic significance and risk profile of the bank. On that basis, supervisors may, for example, meet with the full board of directors annually, but more frequently with the chairman or lead or senior independent director and with key committee chairs. For systemically important banks, interaction should occur more frequently, particularly with members of the board and members of senior management, and those responsible for the risk management, compliance and internal audit functions. Principle 13: 165. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Process or Activity | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 [Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.] | Process or Activity | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 Accordingly, the board should: play a lead role in establishing the bank's corporate culture and values; Principle 1: 26. Bullet 3] | Process or Activity | Detective | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Establish/Maintain Documentation | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Behavior | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Monitor and Evaluate Occurrences | Corrective | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Monitor and Evaluate Occurrences | Detective | |
| Validate transactions using identifiers and credentials. CC ID 13203 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Technical Security | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Establish/Maintain Documentation | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Establish/Maintain Documentation | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Establish/Maintain Documentation | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Establish/Maintain Documentation | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Communicate | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical Security | Preventive | |
| Secure the Domain Name System. CC ID 00540 | Configuration | Preventive | |
| Implement segregation of duties. CC ID 11843 [The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136. {be independent} While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates. Principle 6: 106.] | Technical Security | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [{organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Establish/Maintain Documentation | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Data and Information Management | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Data and Information Management | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 [In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6] | Establish/Maintain Documentation | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Data and Information Management | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Data and Information Management | Preventive | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical Security | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Establish/Maintain Documentation | Preventive | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Testing | Detective | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Business Processes | Preventive | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Establish/Maintain Documentation | Preventive | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Establish/Maintain Documentation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Process or Activity | Detective | |
| Document that supply chain members investigate security events. CC ID 13348 | Investigate | Detective | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Process or Activity | Detective | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Establish/Maintain Documentation | Detective | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Establish/Maintain Documentation | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Establish/Maintain Documentation | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 | Establish/Maintain Documentation | Detective | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Business Processes | Detective | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Business Processes | Detective | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Technical Security | Detective | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Business Processes | Preventive | |
| Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
| Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Establish/Maintain Documentation | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [{applicable requirements} In order to fulfil its responsibilities, the board of the parent company should: have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements; Principle 5: 96. Bullet 7 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Operational management | Preventive | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 | Acquisition or sale of facilities, technology, and services | Detective | |
| Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Corrective | |
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Leadership and high level objectives | Preventive | |
| Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Preventive | |
| Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Preventive | |
| Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Preventive | |
| Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Preventive | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 [{be transparent} The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants. Principle 12: ¶ 1] | Monitoring and measurement | Detective | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
| Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The bank's corporate values should recognise the critical importance of timely and frank discussion and escalation of problems to higher levels within the organisation. Principle 1: 32. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 {legal concern}Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: legal or regulatory concerns; and Principle 4: 94. Bullet 5 The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.] | Monitoring and measurement | Corrective | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
| Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
| Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
| Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
| Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. The board and senior management contribute to the effectiveness of the internal audit function by requiring that audit staff collectively have or can access knowledge, skills and resources commensurate with the business activities and risks of the bank; Principle 10: 141. Bullet 4 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Preventive | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Preventive | |
| Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
| Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 [ensuring that the activities and structure are subject to regular internal and external audit reviews. Principle 5: 102. Bullet 5] | Audits and risk management | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [The board and senior management contribute to the effectiveness of the internal audit function by providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; Principle 10: 141. Bullet 1] | Audits and risk management | Preventive | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
| Review management's response to issues raised in past audit reports. CC ID 01149 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Audits and risk management | Detective | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Detective | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Audits and risk management | Detective | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: identifying material individual, aggregate and emerging risks; Principle 6: 105. Bullet 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Preventive | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The bank's RAS should establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity; Principle 1: 36. Bullet 2 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Audits and risk management | Preventive | |
| Identify the material risks in the risk assessment report. CC ID 06482 [Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.] | Audits and risk management | Preventive | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The bank's RAS should define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and Principle 1: 36. Bullet 3] | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Audits and risk management | Detective | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Audits and risk management | Preventive | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
| Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Preventive | |
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28. {are relevant} board members should have a range of knowledge and experience in relevant areas and have varied backgrounds to promote diversity of views. Relevant areas of competence may include, but are not limited to capital markets, financial analysis, financial stability issues, financial reporting, information technology, strategic planning, risk management, compensation, regulation, corporate governance and management skills; Principle 2: 49. Bullet 1 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1] | Leadership and high level objectives | Preventive | |
| Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a testing program. CC ID 00654 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.] | Monitoring and measurement | Corrective | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 [The board and senior management contribute to the effectiveness of the internal audit function by requiring internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors; Principle 10: 141. Bullet 3] | Audits and risk management | Preventive | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
| Use the risk taxonomy when managing risk. CC ID 12280 [{business environment}{risk environment} The degree of sophistication of the bank's risk management infrastructure – including, in particular, a sufficiently robust data infrastructure, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank's business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines. Principle 7: 117.] | Audits and risk management | Preventive | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. {specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119. Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. {risk information}{interested personnel}{appropriate authority} Material risk-related ad hoc information that requires immediate decisions or reactions should be promptly presented to senior management and, as appropriate, the board, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage. Principle 8: 128. {be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127. Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129. {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Audits and risk management | Preventive | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Audits and risk management | Preventive | |
| Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
| Train all new hires, as necessary. CC ID 06673 | Human Resources management | Preventive | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 [Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3] | Human Resources management | Preventive | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Preventive | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Preventive | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46.] | Human Resources management | Corrective | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{disciplinary action} In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that employees, including senior management, are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and transgressions. Principle 1: 30. Bullet 4] | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 [The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82.] | Human Resources management | Preventive | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Human Resources management | Preventive | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164.] | Operational management | Preventive | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 [Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Leadership and high level objectives | Preventive | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Preventive | |
| Analyze the business environment in which the organization operates. CC ID 12798 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Preventive | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
| Analyze the external environment in which the organization operates. CC ID 12799 [having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3 having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3] | Leadership and high level objectives | Preventive | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Preventive | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
| Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Preventive | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
| Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Preventive | |
| Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Preventive | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [avoiding setting up complicated structures that lack economic substance or business purpose; Principle 5: 102. Bullet 1] | Leadership and high level objectives | Preventive | |
| Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: the bank's performance and financial condition; Principle 4: 94. Bullet 2] | Leadership and high level objectives | Preventive | |
| Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Corrective | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Preventive | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Leadership and high level objectives | Preventive | |
| Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Preventive | |
| Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
| Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Corrective | |
| Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Preventive | |
| Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Leadership and high level objectives | Preventive | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
| Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
| Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
| Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
| Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
| Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Preventive | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Monitoring and measurement | Preventive | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: the head of the internal audit function's primary reporting line is to the board (or its audit committee), which is also responsible for the selection, oversight of the performance and, if necessary, dismissal of the head of this function; Principle 10: 142. Bullet 2] | Audits and risk management | Preventive | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2 {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.] | Audits and risk management | Preventive | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: Principle 6: 105. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: influencing and, when necessary, challenging decisions that give rise to material risk; and Principle 6: 105. Bullet 6] | Audits and risk management | Preventive | |
| Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
| Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Preventive | |
| Establish, implement, and maintain performance reviews. CC ID 14777 | Human Resources management | Detective | |
| Conduct staff performance reviews, as necessary. CC ID 07205 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: assess whether senior management's collective knowledge and expertise remain appropriate given the nature of the business and the bank's risk profile; and Principle 1: 46. Bullet 5 {be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147.] | Human Resources management | Detective | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [Accordingly, the board should: oversee the integrity, independence and effectiveness of the bank's policies and procedures for whistleblowing. Principle 1: 26. Bullet 12 {confidential communication}{illegal activity}{unethical conduct} Employees should be encouraged and able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This can be facilitated through a well communicated policy and adequate procedures and processes, consistent with national law, which allow employees to communicate material and bona fide concerns and observations of any violations in a confidential manner (eg whistleblower policy). This includes communicating material concerns to the bank's supervisor. Principle 1: 32. Bullet 1 Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: issues raised as a result of the bank's whistleblowing procedures. Principle 4: 94. Bullet 6] | Human Resources management | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Human Resources management | Corrective | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: meet regularly with senior management; Principle 1: 46. Bullet 2 Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131.] | Operational management | Preventive | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Operational management | Preventive | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
| Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Preventive | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Detective | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Detective | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Preventive | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Preventive | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: changes in business strategy, risk strategy/risk appetite; Principle 4: 94. Bullet1] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that appropriate steps have been or are being taken to communicate throughout the bank the corporate values, professional standards or codes of conduct it sets, together with supporting policies; and Principle 1: 30. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Preventive | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Preventive | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Preventive | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Preventive | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3 the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4 Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Monitoring and measurement | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [A risk committee should: should oversee that management has in place processes to promote the bank's adherence to the approved risk policies. Principle 3: 71. Bullet 8] | Audits and risk management | Preventive | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [{risk committee}{risk limit}{risk mitigation plan} The committee should receive regular reporting and communication from the CRO and other relevant functions about the bank's current risk profile, current state of the risk culture, utilisation against the established risk appetite, and limits, limit breaches and mitigation plans (see Principle 6). Principle 3: 74.] | Audits and risk management | Preventive | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Preventive | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Preventive | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Preventive | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Preventive | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
| Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Preventive | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Corrective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Detective | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Corrective | |
| Secure the Domain Name System. CC ID 00540 | Technical security | Preventive | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
| Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Preventive | |
| Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Preventive | |
| Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
| Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Preventive | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Preventive | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Preventive | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Corrective | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
| Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
| Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
| Establish and maintain a compliance oversight committee. CC ID 00765 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Leadership and high level objectives | Detective | |
| Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Preventive | |
| Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Preventive | |
| Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Preventive | |
| Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Preventive | |
| Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Preventive | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Preventive | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Preventive | |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: an internal audit function independent from the first and second lines of defence. Principle 1: 38. Bullet 3] | Audits and risk management | Preventive | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 {is responsible}The audit committee is, in particular, responsible for: approving, or recommending to the board or shareholders for their approval, the appointment, remuneration and dismissal of external auditors; Principle 3: 69. Bullet 4 {is responsible} The audit committee is, in particular, responsible for: reviewing and approving the audit scope and frequency; Principle 3: 69. Bullet 5 {is responsible} The audit committee is, in particular, responsible for: overseeing the financial reporting process; Principle 3: 69. Bullet 2 The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Audits and risk management | Preventive | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 [{remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Audits and risk management | Preventive | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
| Assign the audit to impartial auditors. CC ID 07118 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: Principle 10: 142. The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Preventive | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Preventive | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Accordingly, the board should: approve the selection and oversee the performance of the CEO, key members of senior management and heads of the control functions; Principle 1: 26. Bullet 10 The board should select the CEO and may select other key personnel, including members of senior management. Principle 1: 45. {is responsible}The audit committee is, in particular, responsible for: providing oversight of and interacting with the bank's internal and external auditors; Principle 3: 69. Bullet 3 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Human Resources management | Preventive | |
| Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Preventive | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The board has overall responsibility for the bank, including approving and overseeing management's implementation of the bank's strategic objectives, governance framework and corporate culture. Principle 1: ¶ 1 The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2 The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. The board should maintain and periodically update organisational rules, by-laws, or other similar documents setting out its organisation, rights, responsibilities and key activities. Principle 3: 58. {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. In the interest of greater transparency and accountability, a board should disclose the committees it has established, their mandates and their composition (including members who are considered to be independent). Principle 3: 65. {is responsible} The audit committee is, in particular, responsible for: framing policy on internal audit and financial reporting, among other things; Principle 3: 69. Bullet 1 The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. Principle 3: 84. Under the direction and oversight of the board, senior management should carry out and manage the bank's activities in a manner consistent with the business strategy, risk appetite, remuneration and other policies approved by the board. Principle 4: ¶ 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91. The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: question and critically review explanations and information provided by senior management; Principle 1: 46. Bullet 3 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55. continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the bank's ability to manage those risks prior to setting up new structures and initiating associated activities; Principle 5: 102. Bullet 2 Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Human Resources management | Preventive | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
| Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Preventive | |
| Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Preventive | |
| Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Preventive | |
| Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Preventive | |
| Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Preventive | |
| Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Preventive | |
| Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Preventive | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Preventive | |
| Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Preventive | |
| Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Preventive | |
| Assign a contact person to all business units. CC ID 07144 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Human Resources management | Preventive | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Preventive | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Preventive | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Preventive | |
| Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Preventive | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Preventive | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Preventive | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Preventive | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Preventive | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Preventive | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Preventive | |
| Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Preventive | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Human Resources management | Preventive | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Preventive | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Preventive | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Preventive | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Preventive | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Preventive | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Preventive | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Preventive | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.] | Operational management | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Leadership and high level objectives | Preventive | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Leadership and high level objectives | Preventive | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Preventive | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Preventive | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Preventive | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Preventive | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
| Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The board should be prepared to discuss with, and as necessary report to, the bank's supervisor and the host country supervisors the policies and strategies adopted regarding the establishment and maintenance of these structures and activities. Principle 5: 104. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Preventive | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137.] | Leadership and high level objectives | Preventive | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
| Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
| Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Preventive | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Preventive | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Preventive | |
| Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Preventive | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
| Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Preventive | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Leadership and high level objectives | Preventive | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Preventive | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
| Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [{board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. {board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2] | Leadership and high level objectives | Detective | |
| Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Preventive | |
| Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Detective | |
| Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2] | Leadership and high level objectives | Preventive | |
| Include acting with integrity in the strategic plan. CC ID 12870 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Leadership and high level objectives | Preventive | |
| Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Preventive | |
| Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Preventive | |
| Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Preventive | |
| Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Preventive | |
| Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Preventive | |
| Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Preventive | |
| Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Preventive | |
| Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Preventive | |
| Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Preventive | |
| Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Preventive | |
| Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Preventive | |
| Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 [individual board members' attitude should facilitate communication, collaboration and critical debate in the decision-making process. Principle 2: 49. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Preventive | |
| Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
| Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
| Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Preventive | |
| Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Preventive | |
| Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Preventive | |
| Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Preventive | |
| Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Detective | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Preventive | |
| Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Preventive | |
| Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Preventive | |
| Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Preventive | |
| Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Preventive | |
| Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Preventive | |
| Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Preventive | |
| Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Preventive | |
| Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Preventive | |
| Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Preventive | |
| Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Preventive | |
| Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
| Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Preventive | |
| Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Preventive | |
| Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Preventive | |
| Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Preventive | |
| Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Preventive | |
| Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
| Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Preventive | |
| Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Preventive | |
| Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Preventive | |
| Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Preventive | |
| Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Preventive | |
| Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Accordingly, the board should: require that the bank maintain a robust finance function responsible for accounting and financial data; Principle 1: 26. Bullet 8 {is responsible} The audit committee is, in particular, responsible for: overseeing the establishment of accounting policies and practices by the bank; and Principle 3: 69. Bullet 7] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
| Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Preventive | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
| Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
| Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
| Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
| Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
| Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
| Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
| Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
| Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
| Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
| Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
| Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
| Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
| Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
| Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
| Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain financial reports. CC ID 14770 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Preventive | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
| Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
| Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: internal control failures; Principle 4: 94. Bullet 4] | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures. CC ID 12525 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures. CC ID 12512 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Preventive | |
| Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: ongoing monitoring of the risk-taking activities and risk exposures in line with the board approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning); Principle 6: 105. Bullet 4 The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Preventive | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Preventive | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Preventive | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Preventive | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Preventive | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Preventive | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Preventive | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Preventive | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Preventive | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Preventive | |
| Define the test requirements for each testing program. CC ID 13177 [internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1] | Monitoring and measurement | Preventive | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Preventive | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Preventive | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Preventive | |
| Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Preventive | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Preventive | |
| Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Monitoring and measurement | Preventive | |
| Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Preventive | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Preventive | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Preventive | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Preventive | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Preventive | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Monitoring and measurement | Preventive | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
| Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Preventive | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 [In order to fulfil its responsibilities, the board of the parent company should: establish an effective internal audit function that ensures audits are being performed within or for all subsidiaries and part of the group and group itself; and Principle 5: 96. Bullet 9 {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Audits and risk management | Preventive | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
| Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
| Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
| Establish and maintain audit terms. CC ID 13880 [The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [{be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Audits and risk management | Preventive | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the quality of risk reporting to the board and senior management; and Principle 10: 141. Bullet 6 sub bullet 2] | Audits and risk management | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Audits and risk management | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
| Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
| Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
| Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
| Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
| Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
| Review past audit reports. CC ID 01155 | Audits and risk management | Detective | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
| Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
| Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
| Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 [The board and senior management contribute to the effectiveness of the internal audit function by requiring timely and effective correction of audit issues by senior management; and Principle 10: 141. Bullet 5 When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Audits and risk management | Corrective | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Audits and risk management | Preventive | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Preventive | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 [{specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.] | Audits and risk management | Preventive | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Audits and risk management | Preventive | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Preventive | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Preventive | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.] | Audits and risk management | Preventive | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
| Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
| Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Preventive | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4] | Audits and risk management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 [{notification system} The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; Principle 6: 105. Bullet 5] | Audits and risk management | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Accordingly, the board should: Establish, along with senior management and the CRO, the bank's risk appetite, taking into account the competitive and regulatory landscape and the bank's long-term interests, risk exposure and ability to manage risk effectively; Principle 1: 26. Bullet 5 {strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. (quantitative consideration}The bank's RAS should include both quantitative and qualitative considerations; Principle 1: 36. Bullet 1 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: promoting risk awareness within a strong risk culture, conveying the board's expectation that it does not support excessive risk-taking and that all employees are responsible for helping the bank operate within the established risk appetite and risk limits; Principle 1: 30. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4] | Audits and risk management | Preventive | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Audits and risk management | Detective | |
| Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122. stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Audits and risk management | Preventive | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Preventive | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification. Principle 1: 34. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Audits and risk management | Preventive | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Corrective | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
| Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
| Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Preventive | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Preventive | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Technical security | Preventive | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Preventive | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Preventive | |
| Include third party access in the access classification scheme. CC ID 11786 | Technical security | Preventive | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Preventive | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Technical security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [{organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Technical security | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 [In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6] | Technical security | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Operational and Systems Continuity | Detective | |
| Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Human Resources management | Preventive | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [{international business activity}{economic forces}{legal environment} the board collectively should have a reasonable understanding of local, regional and, if appropriate, global economic and market forces and of the legal and regulatory environment. International experience, where relevant, should also be considered; and Principle 2: 49. Bullet 2 To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: periodically review its structure, size and composition as well as committees' structures and coordination; Principle 3: 59. Bullet 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: assess the ongoing suitability of each board member periodically (at least annually), also taking into account his or her performance on the board; Principle 3: 59. Bullet 2 The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61. Where there are shareholders with power to appoint board members, the board should ensure that such individuals understand their duties. Board members have responsibilities to the bank's overall interests, regardless of who appoints them. In cases where board members are selected by a controlling shareholder, the board may wish to set out specific procedures or conduct periodic reviews to facilitate the appropriate discharge of responsibility by all board members. Principle 2: 56. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161.] | Human Resources management | Preventive | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The board should appoint members to specialised committees with the goal of achieving an appropriate mix of skills and experience that, in combination, allow the committees to fully understand, objectively evaluate and bring fresh thinking to the relevant issues. Principle 3: 78. The selection process should include reviewing whether board candidates: possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind given their responsibilities on the board and in the light of the bank's business and risk profile; Principle 2: 51(i). In order to fulfil its responsibilities, the board of the parent company should: define an appropriate subsidiary board and management structure which takes into account the material risks to which the group, its businesses and its subsidiaries are exposed; Principle 5: 96. Bullet 2 Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. (reputation) The selection process should include reviewing whether board candidates: have a record of integrity and good repute; Principle 2: 51(ii). The selection process should include reviewing whether board candidates: have the ability to promote a smooth interaction between board members. Principle 2: 51(iv). The selection process should include reviewing whether board candidates: have sufficient time to fully carry out their responsibilities; and Principle 2: 51(iii).] | Human Resources management | Preventive | |
| Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 [{board committee} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Human Resources management | Preventive | |
| Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Preventive | |
| Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Preventive | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Human Resources management | Preventive | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Preventive | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Preventive | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Preventive | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Preventive | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Preventive | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Preventive | |
| Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Preventive | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Preventive | |
| Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Preventive | |
| Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Preventive | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Preventive | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Preventive | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Preventive | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Human Resources management | Preventive | |
| Establish and maintain an annual report on compensation. CC ID 14801 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Preventive | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Preventive | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 [Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. {remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Human Resources management | Preventive | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 [Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150.] | Human Resources management | Preventive | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [{be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147. {remuneration standard} The FSB principles on compensation are intended to apply to significant financial institutions, but they are especially critical for large, systemically important firms. National jurisdictions may also apply the principles in a proportionate manner to smaller, less complex institutions. Banks are encouraged to implement the FSB principles, or consistent national provisions based on them. Principle 11: 145. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143.] | Human Resources management | Preventive | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
| Document all training in a training record. CC ID 01423 | Human Resources management | Detective | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. This should include information on the bank's approach to disclosing and managing material conflicts of interest that are not consistent with such policies, and conflicts that could arise because of the bank's affiliation or transactions with other entities within the group. Principle 3: 85. In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions, in appropriate recognition of the interest of the group. Principle 5: 96. Bullet 10 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a rigorous review and approval process for members to follow before they engage in certain activities (such as serving on another board) so as to ensure that such activity will not create a conflict of interest; Principle 3: 83. Bullet 3] | Human Resources management | Preventive | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: adequate procedures for transactions with related parties so that they are made on an arm's length basis; and Principle 3: 83. Bullet 6 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: examples of where conflicts can arise when serving as a board member; Principle 3: 83. Bullet 2] | Human Resources management | Preventive | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to avoid, to the extent possible, activities that could create conflicts of interest or the appearance of conflicts of interest; Principle 3: 83. Bullet 1 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's responsibility to abstain from voting on any matter where the member may have a conflict of interest or where the member's objectivity or ability to properly fulfil duties to the bank may be otherwise compromised; Principle 3: 83. Bullet 5 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest; Principle 3: 83. Bullet 4] | Human Resources management | Preventive | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Preventive | |
| Include definitions of ethics violations in the Code of Conduct. CC ID 14768 [{code of conduct} It should explicitly disallow illegal activity, such as financial misreporting and misconduct, economic crime including fraud, breach of sanctions, money laundering, anti-competitive practices, bribery and corruption, or the violation of consumer rights. Principle 1: 31. Bullet 1] | Human Resources management | Preventive | |
| Include exercising due professional care in the Code of Conduct. CC ID 14210 [The members of the board should exercise their "duty of care" and "duty of loyalty" to the bank under applicable national laws and supervisory standards. Principle 1: 25. {code of conduct} It should make clear that employees are expected to conduct themselves ethically and perform their job with skill and due care and diligence in addition to complying with laws, regulations and company policies. Principle 1: 31. Bullet 2] | Human Resources management | Preventive | |
| Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 [{are acceptable} A bank's code of conduct or code of ethics, or comparable policy, should define acceptable and unacceptable behaviours. Principle 1: 31.] | Human Resources management | Preventive | |
| Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Detective | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 The bank's risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank's risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank's size, complexity and risk profile. Principle 7: 112. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: Principle 10: 141. Bullet 6 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. In reviewing corporate governance in the context of a group structure, supervisors should take into account the corporate governance responsibilities of both the parent company and subsidiaries, in accordance with Principle 5 of this document. Principle 13: 163. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Preventive | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Operational management | Preventive | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
| Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
| Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Operational management | Preventive | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
| Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Preventive | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Preventive | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Preventive | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Detective | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Preventive | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Detective | |
| Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
| Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Preventive | |
| Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Preventive | |
| Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
| Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Preventive | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Preventive | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [{manner} The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: the way in which the board will deal with any non-compliance with the policy. Principle 3: 83. Bullet 7] | Monitoring and measurement | Preventive | |
| Assign the Board of Directors to address audit findings. CC ID 12396 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: Principle 4: 94. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Corrective | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
| Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
| Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
| Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
| Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
| Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Preventive | |
| Establish and maintain board committees, as necessary. CC ID 14789 [To increase efficiency and allow deeper focus in specific areas, a board may establish certain specialised board committees. The committees should be created and mandated by the full board. The number and nature of committees depend on many factors, including the size of the bank and its board, the nature of the business areas of the bank, and its risk profile. Principle 3: 63.] | Human Resources management | Preventive | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 [{performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4] | Human Resources management | Preventive | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 [{capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Human Resources management | Preventive | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 [Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: Principle 2: 52. Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: other persons (such as management or other shareholders); Principle 2: 52. Bullet 1 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: past or present positions held; or Principle 2: 52. Bullet 2 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: personal, professional or other economic relationships with other members of the board or management (or with other entities within the group). Principle 2: 52. Bullet 3 {is sufficient} The board must be suitable to carry out its responsibilities and have a composition that facilitates effective oversight. For that purpose, the board should be comprised of a sufficient number of independent directors. Principle 2: 47. {be independent}{non-executive member} A committee chair should be an independent, non-executive board member. Principle 3: 67. {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62.] | Human Resources management | Preventive | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. Accordingly, the board should: oversee the bank's adherence to the RAS, risk policy and risk limits; Principle 1: 26. Bullet 6 {be aware} Senior management – and the board, as appropriate – should be cognisant of these challenges and take action to avoid or mitigate them by: Principle 5: 102. Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank's risk management function. In banking groups, there should be a group CRO in addition to subsidiary-level risk officers. Because some banks may have an officer who fulfils the function of a CRO under a different title, reference in this document to the CRO is intended to incorporate equivalent positions, provided they meet the independence and other requirements set out herein. Principle 6: 108. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1] | Human Resources management | Preventive | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
| Rotate members of the board of directors, as necessary. CC ID 14803 [{board committee}{rotate} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Human Resources management | Corrective | |
| Define and assign board committees, as necessary. CC ID 14787 [In jurisdictions permitting or requiring executive members on the board, the board of a bank should work to ensure the needed objectivity in each committee, such as by having only non-executives and, to the extent possible, a majority of independent members. Principle 3: 79.] | Human Resources management | Preventive | |
| Define and assign risk committees, as necessary. CC ID 14795 [A risk committee should: be required for systemically important banks and is strongly recommended for other banks based on a bank's size, risk profile or complexity; Principle 3: 71. Bullet 1] | Human Resources management | Preventive | |
| Define and assign audit committees, as necessary. CC ID 14788 [An audit committee should: be required for systemically important banks and is strongly recommended for other banks based on an organisation's size, risk profile or complexity; Principle 3: 68. Bullet 1] | Human Resources management | Preventive | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [An audit committee should: include members who have experience in audit practices, financial reporting and accounting. Principle 3: 68. Bullet 5 An audit committee should: be made up entirely of independent or non-executive board members; and Principle 3: 68. Bullet 4] | Human Resources management | Preventive | |
| Define and assign compensation committees, as necessary. CC ID 14793 [Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources management | Preventive | |
| Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
| Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
| Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 [Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109.] | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
| Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
| Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
| Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
| Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
| Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Preventive | |
| Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
| Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
| Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1] | Human Resources management | Preventive | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Preventive | |
| Document the use of external experts. CC ID 16263 | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO). Principle 1: 37. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: Principle 1: 38. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: the business line; Principle 1: 38. Bullet 1 {risk management} Depending on the bank's nature, size and complexity, and the risk profile of its activities, the specifics of how these three lines of defence are structured can vary. Regardless of the structure, responsibilities for each line of defence should be well defined and communicated. Principle 1: 39. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. A risk committee should: is required to review the bank's risk policies at least annually; and Principle 3: 71. Bullet 7 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. A risk committee should: should include members who have experience in risk management issues and practices; Principle 3: 71. Bullet 5 {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources management | Preventive | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [A risk committee should: should include a majority of members who are independent; Principle 3: 71. Bullet 4] | Human Resources management | Preventive | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Preventive | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Preventive | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Preventive | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Preventive | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Preventive | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Preventive | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Preventive | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Preventive | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Preventive | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Preventive | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Preventive | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Preventive | |
| Analyze workforce management. CC ID 12844 | Human Resources management | Detective | |
| Include compensation structures in the analysis of workforce management. CC ID 12902 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 {performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4 {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources management | Preventive | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources management | Preventive | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Preventive | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50.] | Human Resources management | Preventive | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Preventive | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Preventive | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Preventive | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Preventive | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Preventive | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Preventive | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Preventive | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Preventive | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Preventive | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Preventive | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Preventive | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Preventive | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Preventive | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Corrective | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Preventive | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Detective | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The bank's remuneration structure should support sound corporate governance and risk management. Principle 11: ¶ 1 The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Preventive | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Preventive | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 [All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1] | Human Resources management | Preventive | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Preventive | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Preventive | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Preventive | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Preventive | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Preventive | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Preventive | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Preventive | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Preventive | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Preventive | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Preventive | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Preventive | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Preventive | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Preventive | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Preventive | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
| Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
| Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59.] | Human Resources management | Detective | |
| Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 [If a board member ceases to be qualified or is failing to fulfil his or her responsibilities, the board should take appropriate actions as permitted by law, which may include notifying their banking supervisor. Principle 2: 53.] | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Preventive | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 {is responsible}The audit committee is, in particular, responsible for: reviewing the third-party opinions on the design and effectiveness of the overall risk governance framework and internal control system. Principle 3: 69. Bullet 8 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: subject to the review and approval of the board, developing and implementing the enterprisewide risk governance framework, which includes the bank's risk culture, risk appetite and risk limits; Principle 6: 105. Bullet 3 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The bank's senior management is responsible for establishing a compliance policy that contains the basic principles to be approved by the board and explains the main processes by which compliance risks are to be identified and managed through all levels of the organisation. Principle 9: 133. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Preventive | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 [{manner}{party} The board should oversee and approve how and by whom legitimate material concerns shall be investigated and addressed by an objective independent internal or external body, senior management and/or the board itself. Principle 1: 32. Bullet 3] | Human Resources management | Preventive | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
| Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Audits and risk management | Detective | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Preventive | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Preventive | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
| Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Detective | |
| Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Monitoring and measurement | Preventive | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
| Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Preventive | |
| Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Detective | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Corrective | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Monitoring and measurement | Detective | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
| Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions; Principle 5: 96. Bullet 4 {risk management function}{review and approval process}{entail} An assessment of the extent to which the bank's risk management, legal and regulatory compliance, information technology, business line and internal control functions have adequate tools and the expertise necessary to measure and manage related risks. Principle 7: 123. ¶ 1 Bullet 2 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{law, rule, or regulation}{negatively impact} While the strategic objectives, risk governance framework, corporate values and corporate governance principles of the subsidiary should align with that of the parent company (referred to here as "group policies"), the subsidiary board should make necessary adjustments where a group policy conflicts with an applicable legal or regulatory provision or prudential rule, or would be detrimental to the sound and prudent management of the subsidiary. Principle 5: 98.] | Monitoring and measurement | Detective | |
| Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Detective | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Detective | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Privacy protection for information and data | Corrective | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Preventive | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Preventive | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Preventive | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Preventive | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Preventive | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Preventive | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.] | Leadership and high level objectives | Preventive | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Preventive | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
| Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
| Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
| Determine progress toward the objectives of the strategic plan. CC ID 12944 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: monitor that senior management's actions are consistent with the strategy and policies approved by the board, including the risk appetite; Principle 1: 46. Bullet 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91.] | Leadership and high level objectives | Preventive | |
| Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Preventive | |
| Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Preventive | |
| Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Preventive | |
| Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Preventive | |
| Take actions in accordance with the decision-making criteria. CC ID 12909 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Leadership and high level objectives | Preventive | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
| Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Detective | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
| Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Preventive | |
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Preventive | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: Principle 1: 30. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 In the case of a significant regulated subsidiary (due to its risk profile or systemic importance or due to its size relative to the parent company), the board of the significant subsidiary should take such further steps as are necessary to help the subsidiary meet its own corporate governance responsibilities and the legal and regulatory requirements that apply to it. Principle 5: 99. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.] | Operational management | Preventive | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [A risk committee should: should discuss all risk strategies on both an aggregated basis and by type of risk and make recommendations to the board thereon, and on the risk appetite; Principle 3: 71. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: maintain an effective relationship with both the home regulator and, through the subsidiary board or direct contact, with the regulators of all subsidiaries; Principle 5: 96. Bullet 8 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The board and senior management are primarily responsible for the governance of the bank, and supervisors should assess their performance in this regard. This section sets forth several principles that can assist supervisors in assessing corporate governance and foster good corporate governance in banks. Principle 13: 157. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. {define} The frequency of interactions with the above persons may vary according to the size, complexity, structure, economic significance and risk profile of the bank. On that basis, supervisors may, for example, meet with the full board of directors annually, but more frequently with the chairman or lead or senior independent director and with key committee chairs. For systemically important banks, interaction should occur more frequently, particularly with members of the board and members of senior management, and those responsible for the risk management, compliance and internal audit functions. Principle 13: 165. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Operational management | Preventive | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 [Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.] | Operational management | Detective | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 Accordingly, the board should: play a lead role in establishing the bank's corporate culture and values; Principle 1: 26. Bullet 3] | Operational management | Detective | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
| Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Detective | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Preventive | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168. Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Operational management | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Leadership and high level objectives | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Detective | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 | Monitoring and measurement | Detective | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Detective | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Detective | |
| Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Detective | |
| Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Detective | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Detective | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Preventive | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Detective | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Corrective | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Corrective | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Corrective | |
| Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Preventive | |
| Implement segregation of duties. CC ID 11843 [The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136. {be independent} While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates. Principle 6: 106.] | Technical security | Preventive | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Preventive | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Corrective | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Corrective | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Validate transactions using identifiers and credentials. CC ID 13203 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Records management | Preventive | |
| Establish, implement, and maintain payment transaction security measures. CC ID 13088 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Acquisition or sale of facilities, technology, and services | Preventive | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Detective | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
| Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
| Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Preventive | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
| Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Detective | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Detective | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Preventive | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Preventive | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Preventive | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Preventive | |
| Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Detective | |
| Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Detective | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Detective | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Preventive | |
| Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Detective | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Preventive | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Detective | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Corrective | |
| Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Detective | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Detective | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Detective | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
| Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Detective | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Detective | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Detective | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Detective | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Detective | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Detective | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Detective | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Detective | |
| Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Audits and risk management | Detective | |
| Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 [Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments. Principle 7: 121.] | Audits and risk management | Detective | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the bank's system of internal controls. Principle 10: 141. Bullet 6 sub bullet 3] | Audits and risk management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
| Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Detective | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Audits and risk management | Preventive | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Detective | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Detective | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The board should be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess the necessary qualifications commensurate with the size, complexity and risk profile of the bank Principle 2: 48. Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Human Resources management | Detective | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
| Assign and staff all roles appropriately. CC ID 00784 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. {is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Human Resources management | Detective | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [An audit committee should: have a chair who is independent and is not the chair of the board or of any other committee; Principle 3: 68. Bullet 3 {be independent} A risk committee should: should be distinct from the audit committee, but may have other related tasks, such as finance; Principle 3: 71. Bullet 2 {be independent} A risk committee should: should have a chair who is an independent director and not the chair of the board or of any other committee; Principle 3: 71. Bullet 3 {separation of function} There is a potential conflict of interest where a bank is both owned by the state and subject to banking supervision of the state. If such conflicts of interest do exist, there should be full administrative separation of the ownership and banking supervision functions in order to minimise political interference in the supervision of the bank. Principle 3: 86. {be independent} An audit committee should: be distinct from other committees; Principle 3: 68. Bullet 2 {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {be independent} There should be no "dual hatting" by the heads of these functions. Principle 10: 140.] | Human Resources management | Detective | |
| Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Detective | |
| Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125.] | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Detective | |
| Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Detective | |
| Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Detective | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
| Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Preventive | |
| Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
| Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Business Processes | |
| Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Business Processes | |
| Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
| Implement incident response procedures when rogue devices are discovered. CC ID 11880 | Monitoring and measurement | Technical Security | |
| Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Isolate rogue devices after a rogue device has been detected. CC ID 07061 | Monitoring and measurement | Configuration | |
| Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 | Monitoring and measurement | Testing | |
| Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
| Perform vulnerability assessments, as necessary. CC ID 11828 | Monitoring and measurement | Technical Security | |
| Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 | Monitoring and measurement | Technical Security | |
| Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 | Monitoring and measurement | Configuration | |
| Recommend mitigation techniques based on penetration test results. CC ID 04881 | Monitoring and measurement | Establish/Maintain Documentation | |
| Correct or mitigate vulnerabilities. CC ID 12497 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 | Monitoring and measurement | Technical Security | |
| Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
| Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.] | Monitoring and measurement | Behavior | |
| Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [The bank's corporate values should recognise the critical importance of timely and frank discussion and escalation of problems to higher levels within the organisation. Principle 1: 32. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 {legal concern}Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: legal or regulatory concerns; and Principle 4: 94. Bullet 5 The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.] | Monitoring and measurement | Actionable Reports or Measurements | |
| Assign the Board of Directors to address audit findings. CC ID 12396 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: Principle 4: 94. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Human Resources Management | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 [The board and senior management contribute to the effectiveness of the internal audit function by requiring timely and effective correction of audit issues by senior management; and Principle 10: 141. Bullet 5 When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Audits and risk management | Establish/Maintain Documentation | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
| Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
| Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
| Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Establish/Maintain Documentation | |
| Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
| Rotate members of the board of directors, as necessary. CC ID 14803 [{board committee}{rotate} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Human Resources management | Human Resources Management | |
| Terminate user accounts when notified that an individual is terminated. CC ID 11614 | Human Resources management | Technical Security | |
| Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 | Human Resources management | Technical Security | |
| Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 | Human Resources management | Data and Information Management | |
| Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 | Human Resources management | Human Resources Management | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
| Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 [{hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46.] | Human Resources management | Behavior | |
| Respond to ethics complaints of ethics violations. CC ID 11497 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Human Resources management | Business Processes | |
| Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
| Correct defective acquired goods or services. CC ID 06911 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 | Leadership and high level objectives | Process or Activity | |
| Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain a compliance oversight committee. CC ID 00765 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Leadership and high level objectives | Establish Roles | |
| Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [{board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. {board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made. decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
| Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
| Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
| Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Testing | |
| Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
| Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
| Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
| Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Testing | |
| Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Conduct Red Team exercises, as necessary. CC ID 12131 | Monitoring and measurement | Technical Security | |
| Test security systems and associated security procedures, as necessary. CC ID 11901 | Monitoring and measurement | Technical Security | |
| Test in scope systems for segregation of duties, as necessary. CC ID 13906 | Monitoring and measurement | Testing | |
| Identify risk management measures when testing in scope systems. CC ID 14960 | Monitoring and measurement | Process or Activity | |
| Scan organizational networks for rogue devices. CC ID 00536 | Monitoring and measurement | Testing | |
| Scan the network for wireless access points. CC ID 00370 | Monitoring and measurement | Testing | |
| Scan wireless networks for rogue devices. CC ID 11623 | Monitoring and measurement | Technical Security | |
| Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 | Monitoring and measurement | Testing | |
| Perform conformity assessments, as necessary. CC ID 15095 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 | Monitoring and measurement | Technical Security | |
| Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting penetration testing. CC ID 13728 | Monitoring and measurement | Testing | |
| Perform penetration tests, as necessary. CC ID 00655 | Monitoring and measurement | Testing | |
| Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Technical Security | |
| Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Technical Security | |
| Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Testing | |
| Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
| Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
| Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
| Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
| Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
| Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
| Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
| Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
| Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Testing | |
| Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
| Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Technical Security | |
| Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
| Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
| Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Testing | |
| Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
| Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
| Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
| Perform vulnerability scans, as necessary. CC ID 11637 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
| Identify and document security vulnerabilities. CC ID 11857 | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
| Test the system for unvalidated input. CC ID 01318 | Monitoring and measurement | Testing | |
| Test the system for proper error handling. CC ID 01324 | Monitoring and measurement | Testing | |
| Test the system for insecure data storage. CC ID 01325 | Monitoring and measurement | Testing | |
| Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 | Monitoring and measurement | Testing | |
| Test the system for insecure cryptographic storage. CC ID 11635 | Monitoring and measurement | Technical Security | |
| Perform self-tests on cryptographic modules within the system. CC ID 06537 | Monitoring and measurement | Testing | |
| Perform power-up tests on cryptographic modules within the system. CC ID 06538 | Monitoring and measurement | Testing | |
| Perform conditional tests on cryptographic modules within the system. CC ID 06539 | Monitoring and measurement | Testing | |
| Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 | Monitoring and measurement | Configuration | |
| Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
| Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
| Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
| Report on the policies and controls that have been implemented by management. CC ID 01670 [{be transparent} The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants. Principle 12: ¶ 1] | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
| Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a corrective action plan. CC ID 00675 [{law, rule, or regulation}{negatively impact} While the strategic objectives, risk governance framework, corporate values and corporate governance principles of the subsidiary should align with that of the parent company (referred to here as "group policies"), the subsidiary board should make necessary adjustments where a group policy conflicts with an applicable legal or regulatory provision or prudential rule, or would be detrimental to the sound and prudent management of the subsidiary. Principle 5: 98.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report audit findings by the internal audit manager directly to senior management. CC ID 01152 | Audits and risk management | Testing | |
| Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 [Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments. Principle 7: 121.] | Audits and risk management | Testing | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
| Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
| Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
| Determine the effectiveness of in scope controls. CC ID 06984 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the bank's system of internal controls. Principle 10: 141. Bullet 6 sub bullet 3] | Audits and risk management | Testing | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
| Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
| Review past audit reports. CC ID 01155 | Audits and risk management | Establish/Maintain Documentation | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Audits and risk management | Log Management | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
| Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
| Review management's response to issues raised in past audit reports. CC ID 01149 [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6] | Audits and risk management | Audits and Risk Management | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [{risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Testing | |
| Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
| Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
| Analyze the risk management strategy for addressing requirements. CC ID 12926 | Audits and risk management | Audits and Risk Management | |
| Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
| Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
| Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
| Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
| Conduct a Business Impact Analysis, as necessary. CC ID 01147 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with each business process. CC ID 06463 [The bank's RAS should define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and Principle 1: 36. Bullet 3] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with the business environment. CC ID 06464 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
| Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
| Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Audits and risk management | Audits and Risk Management | |
| Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
| Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 [{risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
| Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
| Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Testing | |
| Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
| Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
| Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
| Test the recovery plan, as necessary. CC ID 13290 | Operational and Systems Continuity | Testing | |
| Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Analyze workforce management. CC ID 12844 | Human Resources management | Human Resources Management | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The board should be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess the necessary qualifications commensurate with the size, complexity and risk profile of the bank Principle 2: 48. Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90. Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Human Resources management | Testing | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
| Identify and watch individuals that pose a risk to the organization. CC ID 10674 | Human Resources management | Monitor and Evaluate Occurrences | |
| Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 | Human Resources management | Human Resources Management | |
| Assign and staff all roles appropriately. CC ID 00784 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. {is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Human Resources management | Testing | |
| Implement segregation of duties in roles and responsibilities. CC ID 00774 [An audit committee should: have a chair who is independent and is not the chair of the board or of any other committee; Principle 3: 68. Bullet 3 {be independent} A risk committee should: should be distinct from the audit committee, but may have other related tasks, such as finance; Principle 3: 71. Bullet 2 {be independent} A risk committee should: should have a chair who is an independent director and not the chair of the board or of any other committee; Principle 3: 71. Bullet 3 {separation of function} There is a potential conflict of interest where a bank is both owned by the state and subject to banking supervision of the state. If such conflicts of interest do exist, there should be full administrative separation of the ownership and banking supervision functions in order to minimise political interference in the supervision of the bank. Principle 3: 86. {be independent} An audit committee should: be distinct from other committees; Principle 3: 68. Bullet 2 {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137. {be independent} There should be no "dual hatting" by the heads of these functions. Principle 10: 140.] | Human Resources management | Testing | |
| Document all training in a training record. CC ID 01423 | Human Resources management | Establish/Maintain Documentation | |
| Conduct tests and evaluate training. CC ID 06672 | Human Resources management | Testing | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain performance reviews. CC ID 14777 | Human Resources management | Business Processes | |
| Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59.] | Human Resources management | Human Resources Management | |
| Conduct staff performance reviews, as necessary. CC ID 07205 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: assess whether senior management's collective knowledge and expertise remain appropriate given the nature of the business and the bank's risk profile; and Principle 1: 46. Bullet 5 {be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147.] | Human Resources management | Business Processes | |
| Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Establish/Maintain Documentation | |
| Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
| Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
| Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 [Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.] | Operational management | Process or Activity | |
| Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
| Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1 Accordingly, the board should: play a lead role in establishing the bank's corporate culture and values; Principle 1: 26. Bullet 3] | Operational management | Process or Activity | |
| Establish, implement, and maintain data input and data access authorization tracking. CC ID 00920 | Records management | Monitor and Evaluate Occurrences | |
| Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 [Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125.] | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 | Acquisition or sale of facilities, technology, and services | Testing | |
| Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new software or upgraded software for security vulnerabilities. CC ID 01898 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new software or upgraded software for compatibility with the current system. CC ID 11654 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 | Acquisition or sale of facilities, technology, and services | Testing | |
| Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 | Acquisition or sale of facilities, technology, and services | Testing | |
| Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Perform risk assessments of third parties, as necessary. CC ID 06454 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Process or Activity | |
| Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Investigate | |
| Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 | Third Party and supply chain oversight | Process or Activity | |
| Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Business Processes | |
| Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Business Processes | |
| Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Technical Security | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
| Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include external requirements in the organization's communication protocol. CC ID 12418 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 | Leadership and high level objectives | Communicate | |
| Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
| Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
| Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 | Leadership and high level objectives | Communicate | |
| Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 | Leadership and high level objectives | Process or Activity | |
| Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 | Leadership and high level objectives | Communicate | |
| Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 | Leadership and high level objectives | Communicate | |
| Route notifications, as necessary. CC ID 12832 | Leadership and high level objectives | Process or Activity | |
| Substantiate notifications, as necessary. CC ID 12831 | Leadership and high level objectives | Process or Activity | |
| Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 | Leadership and high level objectives | Business Processes | |
| Prioritize notifications, as necessary. CC ID 12830 | Leadership and high level objectives | Process or Activity | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Leadership and high level objectives | Actionable Reports or Measurements | |
| Disseminate and communicate internal controls with supply chain members. CC ID 12416 | Leadership and high level objectives | Communicate | |
| Establish and maintain the organization's survey method. CC ID 12869 | Leadership and high level objectives | Process or Activity | |
| Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide a consolidated view of information in the organization's survey method. CC ID 12894 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of performance variances in the notification system. CC ID 12929 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an internal reporting program. CC ID 12409 [Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Leadership and high level objectives | Business Processes | |
| Include transactions and events as a part of internal reporting. CC ID 12413 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: changes in business strategy, risk strategy/risk appetite; Principle 4: 94. Bullet1] | Leadership and high level objectives | Communicate | |
| Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Develop instructions for setting organizational objectives and strategies. CC ID 12931 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Analyze the business environment in which the organization operates. CC ID 12798 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Business Processes | |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.] | Leadership and high level objectives | Process or Activity | |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
| Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Process or Activity | |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the external environment in which the organization operates. CC ID 12799 [having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3 having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3] | Leadership and high level objectives | Business Processes | |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Business Processes | |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
| Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes | |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
| Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
| Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
| Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Business Processes | |
| Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes | |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 [avoiding setting up complicated structures that lack economic substance or business purpose; Principle 5: 102. Bullet 1] | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: the bank's performance and financial condition; Principle 4: 94. Bullet 2] | Leadership and high level objectives | Business Processes | |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [The board should be prepared to discuss with, and as necessary report to, the bank's supervisor and the host country supervisors the policies and strategies adopted regarding the establishment and maintenance of these structures and activities. Principle 5: 104. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
| Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
| Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
| Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4] | Leadership and high level objectives | Systems Design, Build, and Implementation | |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Data and Information Management | |
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Business Processes | |
| Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
| Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that appropriate steps have been or are being taken to communicate throughout the bank the corporate values, professional standards or codes of conduct it sets, together with supporting policies; and Principle 1: 30. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
| Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.] | Leadership and high level objectives | Business Processes | |
| Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
| Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
| Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Behavior | |
| Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Business Processes | |
| Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
| Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Establish Roles | |
| Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Establish Roles | |
| Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Establish Roles | |
| Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Establish Roles | |
| Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Human Resources Management | |
| Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Data and Information Management | |
| Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Establish Roles | |
| Establish, implement, and maintain a strategic plan. CC ID 12784 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Determine progress toward the objectives of the strategic plan. CC ID 12944 [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: monitor that senior management's actions are consistent with the strategy and policies approved by the board, including the risk appetite; Principle 1: 46. Bullet 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91.] | Leadership and high level objectives | Process or Activity | |
| Include acting with integrity in the strategic plan. CC ID 12870 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 | Leadership and high level objectives | Communicate | |
| Include the outsource partners in the strategic plan, as necessary. CC ID 13960 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a planning policy. CC ID 14673 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain planning procedures. CC ID 14698 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 | Leadership and high level objectives | Communicate | |
| Include compliance requirements in the planning policy. CC ID 14688 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include coordination amongst entities in the planning policy. CC ID 14687 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include management commitment in the planning policy. CC ID 14686 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the planning policy. CC ID 14685 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the scope in the planning policy. CC ID 14684 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the purpose in the planning policy. CC ID 14683 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include compliance requirements in the security planning policy. CC ID 14131 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security planning policy. CC ID 14130 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include management commitment in the security planning policy. CC ID 14129 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security planning policy. CC ID 14128 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the scope in the security planning policy. CC ID 14127 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the purpose in the security planning policy. CC ID 14126 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain security planning procedures. CC ID 14060 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain a decision management strategy. CC ID 06913 [individual board members' attitude should facilitate communication, collaboration and critical debate in the decision-making process. Principle 2: 49. Bullet 3 The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
| Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include criteria for compliance in the decision-making criteria. CC ID 12951 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Process or Activity | |
| Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Process or Activity | |
| Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Process or Activity | |
| Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Process or Activity | |
| Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28. {are relevant} board members should have a range of knowledge and experience in relevant areas and have varied backgrounds to promote diversity of views. Relevant areas of competence may include, but are not limited to capital markets, financial analysis, financial stability issues, financial reporting, information technology, strategic planning, risk management, compensation, regulation, corporate governance and management skills; Principle 2: 49. Bullet 1 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1] | Leadership and high level objectives | Behavior | |
| Take actions in accordance with the decision-making criteria. CC ID 12909 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Leadership and high level objectives | Process or Activity | |
| Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain an information technology process framework. CC ID 13648 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include maturity models in the Information Technology process framework. CC ID 13652 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include Information Technology process structures in the Information Technology process framework. CC ID 13650 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a tactical plan. CC ID 12785 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include acting with integrity in the tactical plan. CC ID 12871 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management | |
| Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Business Processes | |
| Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the business case and return on investment in each Information Technology project plan. CC ID 06846 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
| Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
| Include milestones for each project phase in the Information Technology project plan. CC ID 12621 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements | |
| Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 | Leadership and high level objectives | Human Resources Management | |
| Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Leadership and high level objectives | Business Processes | |
| Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 | Leadership and high level objectives | Behavior | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Accordingly, the board should: require that the bank maintain a robust finance function responsible for accounting and financial data; Principle 1: 26. Bullet 8 {is responsible} The audit committee is, in particular, responsible for: overseeing the establishment of accounting policies and practices by the bank; and Principle 3: 69. Bullet 7] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
| Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
| Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
| Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
| Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain financial reports. CC ID 14770 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain Security Control System monitoring and reporting procedures. CC ID 12506 [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: internal control failures; Principle 4: 94. Bullet 4] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures. CC ID 12525 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures. CC ID 12513 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures. CC ID 12512 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures. CC ID 12511 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures. CC ID 12510 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures. CC ID 12509 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures. CC ID 12508 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures. CC ID 15488 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures. CC ID 12507 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk monitoring program. CC ID 00658 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: ongoing monitoring of the risk-taking activities and risk exposures in line with the board approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning); Principle 6: 105. Bullet 4 The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the organization's exposure to threats, as necessary. CC ID 06494 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Business Processes | |
| Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Testing | |
| Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
| Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
| Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
| Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
| Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
| Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
| Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
| Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
| Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain a testing program. CC ID 00654 [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.] | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the scope in the security assessment and authorization policy. CC ID 14220 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the purpose in the security assessment and authorization policy. CC ID 14219 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 | Monitoring and measurement | Communicate | |
| Include management commitment in the security assessment and authorization policy. CC ID 14189 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include compliance requirements in the security assessment and authorization policy. CC ID 14183 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 | Monitoring and measurement | Communicate | |
| Employ third parties to carry out testing programs, as necessary. CC ID 13178 | Monitoring and measurement | Human Resources Management | |
| Document improvement actions based on test results and exercises. CC ID 16840 | Monitoring and measurement | Establish/Maintain Documentation | |
| Define the test requirements for each testing program. CC ID 13177 [internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include test requirements for the use of human subjects in the testing program. CC ID 16222 | Monitoring and measurement | Testing | |
| Test the in scope system in accordance with its intended purpose. CC ID 14961 | Monitoring and measurement | Testing | |
| Perform network testing in accordance with organizational standards. CC ID 16448 | Monitoring and measurement | Testing | |
| Test user accounts in accordance with organizational standards. CC ID 16421 | Monitoring and measurement | Testing | |
| Include mechanisms for emergency stops in the testing program. CC ID 14398 | Monitoring and measurement | Establish/Maintain Documentation | |
| Document the business need justification for authorized wireless access points. CC ID 12044 | Monitoring and measurement | Establish/Maintain Documentation | |
| Deny network access to rogue devices until network access approval has been received. CC ID 11852 | Monitoring and measurement | Configuration | |
| Establish, implement, and maintain conformity assessment procedures. CC ID 15032 | Monitoring and measurement | Establish/Maintain Documentation | |
| Share conformity assessment results with affected parties and interested personnel. CC ID 15113 | Monitoring and measurement | Communicate | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 | Monitoring and measurement | Communicate | |
| Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended or restricted. CC ID 15111 | Monitoring and measurement | Communicate | |
| Create technical documentation assessment certificates in an official language. CC ID 15110 | Monitoring and measurement | Establish/Maintain Documentation | |
| Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 | Monitoring and measurement | Testing | |
| Define the test frequency for each testing program. CC ID 13176 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3 the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4 Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.] | Monitoring and measurement | Communicate | |
| Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
| Align the penetration test program with industry standards. CC ID 12469 | Monitoring and measurement | Establish/Maintain Documentation | |
| Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 | Monitoring and measurement | Establish Roles | |
| Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 | Monitoring and measurement | Testing | |
| Retain penetration test results according to internal policy. CC ID 10049 | Monitoring and measurement | Records Management | |
| Retain penetration test remediation action records according to internal policy. CC ID 11629 | Monitoring and measurement | Records Management | |
| Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
| Establish, implement, and maintain a business line testing strategy. CC ID 13245 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Monitoring and measurement | Establish/Maintain Documentation | |
| Include facilities in the business line testing strategy. CC ID 13253 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include electrical systems in the business line testing strategy. CC ID 13251 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include mechanical systems in the business line testing strategy. CC ID 13250 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include emergency power supplies in the business line testing strategy. CC ID 13247 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include environmental controls in the business line testing strategy. CC ID 13246 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
| Approve the vulnerability management program. CC ID 15722 | Monitoring and measurement | Process or Activity | |
| Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 | Monitoring and measurement | Establish Roles | |
| Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 | Monitoring and measurement | Technical Security | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.] | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Monitoring and measurement | Business Processes | |
| Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
| Identify and document instances of non-compliance with the compliance framework. CC ID 06499 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Monitoring and measurement | Establish/Maintain Documentation | |
| Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 [{manner} The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: the way in which the board will deal with any non-compliance with the policy. Principle 3: 83. Bullet 7] | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
| Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
| Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
| Monitor the performance of the governance, risk, and compliance capability. CC ID 12857 [Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions; Principle 5: 96. Bullet 4 {risk management function}{review and approval process}{entail} An assessment of the extent to which the bank's risk management, legal and regulatory compliance, information technology, business line and internal control functions have adequate tools and the expertise necessary to measure and manage related risks. Principle 7: 123. ¶ 1 Bullet 2 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
| Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Establish/Maintain Documentation | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [A risk committee should: should oversee that management has in place processes to promote the bank's adherence to the approved risk policies. Principle 3: 71. Bullet 8] | Audits and risk management | Communicate | |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [{is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: an internal audit function independent from the first and second lines of defence. Principle 1: 38. Bullet 3] | Audits and risk management | Establish Roles | |
| Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
| Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [{matters requiring attention}Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9 {is responsible}The audit committee is, in particular, responsible for: approving, or recommending to the board or shareholders for their approval, the appointment, remuneration and dismissal of external auditors; Principle 3: 69. Bullet 4 {is responsible} The audit committee is, in particular, responsible for: reviewing and approving the audit scope and frequency; Principle 3: 69. Bullet 5 {is responsible} The audit committee is, in particular, responsible for: overseeing the financial reporting process; Principle 3: 69. Bullet 2 The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Audits and risk management | Establish Roles | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 [{remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Audits and risk management | Establish Roles | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. The board and senior management contribute to the effectiveness of the internal audit function by requiring that audit staff collectively have or can access knowledge, skills and resources commensurate with the business activities and risks of the bank; Principle 10: 141. Bullet 4 The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Audits and Risk Management | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 | Audits and risk management | Audits and Risk Management | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit program. CC ID 00684 [In order to fulfil its responsibilities, the board of the parent company should: establish an effective internal audit function that ensures audits are being performed within or for all subsidiaries and part of the group and group itself; and Principle 5: 96. Bullet 9 {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
| Assign the audit to impartial auditors. CC ID 07118 [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: Principle 10: 142. The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Establish Roles | |
| Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 [The board and senior management contribute to the effectiveness of the internal audit function by requiring internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors; Principle 10: 141. Bullet 3] | Audits and risk management | Behavior | |
| Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain audit terms. CC ID 13880 [The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.] | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [{be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the quality of risk reporting to the board and senior management; and Principle 10: 141. Bullet 6 sub bullet 2] | Audits and risk management | Establish/Maintain Documentation | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 [The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
| Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
| Audit in scope audit items and compliance documents. CC ID 06730 [ensuring that the activities and structure are subject to regular internal and external audit reviews. Principle 5: 102. Bullet 5] | Audits and risk management | Audits and Risk Management | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
| Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [The board and senior management contribute to the effectiveness of the internal audit function by providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; Principle 10: 141. Bullet 1] | Audits and risk management | Audits and Risk Management | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: the head of the internal audit function's primary reporting line is to the board (or its audit committee), which is also responsible for the selection, oversight of the performance and, if necessary, dismissal of the head of this function; Principle 10: 142. Bullet 2] | Audits and risk management | Business Processes | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
| Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
| Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
| Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
| Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
| Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
| Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
| Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.] | Audits and risk management | Establish/Maintain Documentation | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk management program. CC ID 12051 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope of risk management activities in the risk management program. CC ID 13658 [{specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.] | Audits and risk management | Establish/Maintain Documentation | |
| Integrate the risk management program with the organization's business activities. CC ID 13661 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27. {risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1 If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2 {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.] | Audits and risk management | Business Processes | |
| Integrate the risk management program into daily business decision-making. CC ID 13659 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: Principle 6: 105. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: influencing and, when necessary, challenging decisions that give rise to material risk; and Principle 6: 105. Bullet 6] | Audits and risk management | Business Processes | |
| Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
| Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
| Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain risk management strategies. CC ID 13209 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
| Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
| Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
| Include the use of alternate service providers in the risk management strategies. CC ID 13217 | Audits and risk management | Establish/Maintain Documentation | |
| Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
| Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 | Audits and risk management | Establish Roles | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Establish/Maintain Documentation | |
| Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
| Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain the factors and context for risk to the organization. CC ID 12230 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
| Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
| Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
| Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
| Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 | Audits and risk management | Business Processes | |
| Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
| Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
| Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
| Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
| Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
| Use the risk taxonomy when managing risk. CC ID 12280 [{business environment}{risk environment} The degree of sophistication of the bank's risk management infrastructure – including, in particular, a sufficiently robust data infrastructure, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank's business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines. Principle 7: 117.] | Audits and risk management | Behavior | |
| Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
| Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
| Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
| Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
| Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
| Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
| Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
| Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
| Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
| Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
| Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
| Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Establish/Maintain Documentation | |
| Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
| Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
| Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
| Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 {risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1] | Audits and risk management | Testing | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 [the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4] | Audits and risk management | Establish/Maintain Documentation | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 [{notification system} The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; Principle 6: 105. Bullet 5] | Audits and risk management | Establish/Maintain Documentation | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 [{risk committee}{risk limit}{risk mitigation plan} The committee should receive regular reporting and communication from the CRO and other relevant functions about the bank's current risk profile, current state of the risk culture, utilisation against the established risk appetite, and limits, limit breaches and mitigation plans (see Principle 6). Principle 3: 74.] | Audits and risk management | Communicate | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
| Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. {specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119. Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings Principle 7: 125. Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126. {risk information}{interested personnel}{appropriate authority} Material risk-related ad hoc information that requires immediate decisions or reactions should be promptly presented to senior management and, as appropriate, the board, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage. Principle 8: 128. {be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127. Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129. {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Audits and risk management | Behavior | |
| Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
| Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
| Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
| Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
| Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
| Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
| Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
| Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
| Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
| Analyze and quantify the risks to in scope systems and information. CC ID 00701 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: identifying material individual, aggregate and emerging risks; Principle 6: 105. Bullet 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Audits and risk management | Audits and Risk Management | |
| Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 [The bank's RAS should establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity; Principle 1: 36. Bullet 2 {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.] | Audits and risk management | Audits and Risk Management | |
| Identify the material risks in the risk assessment report. CC ID 06482 [Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.] | Audits and risk management | Audits and Risk Management | |
| Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [Accordingly, the board should: Establish, along with senior management and the CRO, the bank's risk appetite, taking into account the competitive and regulatory landscape and the bank's long-term interests, risk exposure and ability to manage risk effectively; Principle 1: 26. Bullet 5 {strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. (quantitative consideration}The bank's RAS should include both quantitative and qualitative considerations; Principle 1: 36. Bullet 1 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: promoting risk awareness within a strong risk culture, conveying the board's expectation that it does not support excessive risk-taking and that all employees are responsible for helping the bank operate within the established risk appetite and risk limits; Principle 1: 30. Bullet 2 Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113. establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4] | Audits and risk management | Establish/Maintain Documentation | |
| Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
| Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35. The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.] | Audits and risk management | Behavior | |
| Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
| Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
| Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Audits and risk management | Audits and Risk Management | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a risk treatment plan. CC ID 11983 [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7 In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122. stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3] | Audits and risk management | Establish/Maintain Documentation | |
| Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
| Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
| Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
| Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
| Include the risk treatment strategy in the risk treatment plan. CC ID 12159 [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.] | Audits and risk management | Establish/Maintain Documentation | |
| Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
| Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
| Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
| Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
| Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
| Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
| Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification. Principle 1: 34. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2] | Audits and risk management | Establish/Maintain Documentation | |
| Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
| Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
| Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
| Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
| Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
| Include a commitment to continuous improvement In the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
| Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 | Audits and risk management | Establish/Maintain Documentation | |
| Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
| Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
| Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
| Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
| Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
| Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
| Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
| Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
| Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
| Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
| Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
| Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
| Include supply chain risk management procedures in the risk management program. CC ID 13190 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
| Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 | Audits and risk management | Human Resources Management | |
| Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an access classification scheme. CC ID 00509 | Technical security | Establish/Maintain Documentation | |
| Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Technical security | Establish/Maintain Documentation | |
| Include business security requirements in the access classification scheme. CC ID 00002 | Technical security | Establish/Maintain Documentation | |
| Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 | Technical security | Establish/Maintain Documentation | |
| Include third party access in the access classification scheme. CC ID 11786 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system and information integrity policy. CC ID 14034 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain system and information integrity procedures. CC ID 14051 [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the system and information integrity procedures to interested personnel and affected parties. CC ID 14142 | Technical security | Communicate | |
| Identify and control all network access controls. CC ID 00529 | Technical security | Technical Security | |
| Secure the Domain Name System. CC ID 00540 | Technical security | Configuration | |
| Implement segregation of duties. CC ID 11843 [The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136. {be independent} While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates. Principle 6: 106.] | Technical security | Technical Security | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain information flow procedures. CC ID 04542 [{organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Technical security | Establish/Maintain Documentation | |
| Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 | Technical security | Data and Information Management | |
| Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 | Technical security | Data and Information Management | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 [In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6] | Technical security | Establish/Maintain Documentation | |
| Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
| Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
| Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
| Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 | Technical security | Data and Information Management | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 | Technical security | Data and Information Management | |
| Review and approve information exchange system connections. CC ID 07143 | Technical security | Technical Security | |
| Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [Accordingly, the board should: approve the selection and oversee the performance of the CEO, key members of senior management and heads of the control functions; Principle 1: 26. Bullet 10 The board should select the CEO and may select other key personnel, including members of senior management. Principle 1: 45. {is responsible}The audit committee is, in particular, responsible for: providing oversight of and interacting with the bank's internal and external auditors; Principle 3: 69. Bullet 3 In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Human Resources management | Establish Roles | |
| Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
| Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
| Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
| Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
| Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Human Resources Management | |
| Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [The board has overall responsibility for the bank, including approving and overseeing management's implementation of the bank's strategic objectives, governance framework and corporate culture. Principle 1: ¶ 1 The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23. The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2 The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46. The board should maintain and periodically update organisational rules, by-laws, or other similar documents setting out its organisation, rights, responsibilities and key activities. Principle 3: 58. {capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7 Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. In the interest of greater transparency and accountability, a board should disclose the committees it has established, their mandates and their composition (including members who are considered to be independent). Principle 3: 65. {is responsible} The audit committee is, in particular, responsible for: framing policy on internal audit and financial reporting, among other things; Principle 3: 69. Bullet 1 The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. Principle 3: 84. Under the direction and oversight of the board, senior management should carry out and manage the bank's activities in a manner consistent with the business strategy, risk appetite, remuneration and other policies approved by the board. Principle 4: ¶ 1 Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91. The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: question and critically review explanations and information provided by senior management; Principle 1: 46. Bullet 3 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5 In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55. continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the bank's ability to manage those risks prior to setting up new structures and initiating associated activities; Principle 5: 102. Bullet 2 Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Human Resources management | Establish Roles | |
| Establish and maintain board committees, as necessary. CC ID 14789 [To increase efficiency and allow deeper focus in specific areas, a board may establish certain specialised board committees. The committees should be created and mandated by the full board. The number and nature of committees depend on many factors, including the size of the bank and its board, the nature of the business areas of the bank, and its risk profile. Principle 3: 63.] | Human Resources management | Human Resources Management | |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.] | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 [{performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 [{international business activity}{economic forces}{legal environment} the board collectively should have a reasonable understanding of local, regional and, if appropriate, global economic and market forces and of the legal and regulatory environment. International experience, where relevant, should also be considered; and Principle 2: 49. Bullet 2 To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: periodically review its structure, size and composition as well as committees' structures and coordination; Principle 3: 59. Bullet 1 {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57. Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: assess the ongoing suitability of each board member periodically (at least annually), also taking into account his or her performance on the board; Principle 3: 59. Bullet 2 The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61. Where there are shareholders with power to appoint board members, the board should ensure that such individuals understand their duties. Board members have responsibilities to the bank's overall interests, regardless of who appoints them. In cases where board members are selected by a controlling shareholder, the board may wish to set out specific procedures or conduct periodic reviews to facilitate the appropriate discharge of responsibility by all board members. Principle 2: 56. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161.] | Human Resources management | Establish/Maintain Documentation | |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 [The board should appoint members to specialised committees with the goal of achieving an appropriate mix of skills and experience that, in combination, allow the committees to fully understand, objectively evaluate and bring fresh thinking to the relevant issues. Principle 3: 78. The selection process should include reviewing whether board candidates: possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind given their responsibilities on the board and in the light of the bank's business and risk profile; Principle 2: 51(i). In order to fulfil its responsibilities, the board of the parent company should: define an appropriate subsidiary board and management structure which takes into account the material risks to which the group, its businesses and its subsidiaries are exposed; Principle 5: 96. Bullet 2 Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161. (reputation) The selection process should include reviewing whether board candidates: have a record of integrity and good repute; Principle 2: 51(ii). The selection process should include reviewing whether board candidates: have the ability to promote a smooth interaction between board members. Principle 2: 51(iv). The selection process should include reviewing whether board candidates: have sufficient time to fully carry out their responsibilities; and Principle 2: 51(iii).] | Human Resources management | Establish/Maintain Documentation | |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 [{capital plan}Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7] | Human Resources management | Human Resources Management | |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 [Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: Principle 2: 52. Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: other persons (such as management or other shareholders); Principle 2: 52. Bullet 1 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: past or present positions held; or Principle 2: 52. Bullet 2 Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: personal, professional or other economic relationships with other members of the board or management (or with other entities within the group). Principle 2: 52. Bullet 3 {is sufficient} The board must be suitable to carry out its responsibilities and have a composition that facilitates effective oversight. For that purpose, the board should be comprised of a sufficient number of independent directors. Principle 2: 47. {be independent}{non-executive member} A committee chair should be an independent, non-executive board member. Principle 3: 67. {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62.] | Human Resources management | Human Resources Management | |
| Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41. Accordingly, the board should: oversee the bank's adherence to the RAS, risk policy and risk limits; Principle 1: 26. Bullet 6 {be aware} Senior management – and the board, as appropriate – should be cognisant of these challenges and take action to avoid or mitigate them by: Principle 5: 102. Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank's risk management function. In banking groups, there should be a group CRO in addition to subsidiary-level risk officers. Because some banks may have an officer who fulfils the function of a CRO under a different title, reference in this document to the CRO is intended to incorporate equivalent positions, provided they meet the independence and other requirements set out herein. Principle 6: 108. The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1] | Human Resources management | Human Resources Management | |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
| Define and assign board committees, as necessary. CC ID 14787 [In jurisdictions permitting or requiring executive members on the board, the board of a bank should work to ensure the needed objectivity in each committee, such as by having only non-executives and, to the extent possible, a majority of independent members. Principle 3: 79.] | Human Resources management | Human Resources Management | |
| Define and assign risk committees, as necessary. CC ID 14795 [A risk committee should: be required for systemically important banks and is strongly recommended for other banks based on a bank's size, risk profile or complexity; Principle 3: 71. Bullet 1] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 [{board committee} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.] | Human Resources management | Establish/Maintain Documentation | |
| Define and assign audit committees, as necessary. CC ID 14788 [An audit committee should: be required for systemically important banks and is strongly recommended for other banks based on an organisation's size, risk profile or complexity; Principle 3: 68. Bullet 1] | Human Resources management | Human Resources Management | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [An audit committee should: include members who have experience in audit practices, financial reporting and accounting. Principle 3: 68. Bullet 5 An audit committee should: be made up entirely of independent or non-executive board members; and Principle 3: 68. Bullet 4] | Human Resources management | Human Resources Management | |
| Define and assign compensation committees, as necessary. CC ID 14793 [Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources management | Human Resources Management | |
| Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Establish Roles | |
| Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
| Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Establish Roles | |
| Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
| Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Establish Roles | |
| Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Establish Roles | |
| Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 [Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109. The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109.] | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
| Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Establish Roles | |
| Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Establish/Maintain Documentation | |
| Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
| Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Establish Roles | |
| Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Establish Roles | |
| Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Establish Roles | |
| Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Establish Roles | |
| Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 | Human Resources management | Establish/Maintain Documentation | |
| Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Establish Roles | |
| Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
| Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
| Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
| Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Human Resources Management | |
| Assign a contact person to all business units. CC ID 07144 [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.] | Human Resources management | Establish Roles | |
| Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
| Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
| Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
| Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
| Define and assign workforce roles and responsibilities. CC ID 13267 [The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88. Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 | Human Resources management | Human Resources Management | |
| Assign roles and responsibilities for physical security, as necessary. CC ID 13113 | Human Resources management | Establish Roles | |
| Document the use of external experts. CC ID 16263 | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for those involved in risk management. CC ID 13660 [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24. As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO). Principle 1: 37. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: Principle 1: 38. A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: the business line; Principle 1: 38. Bullet 1 {risk management} Depending on the bank's nature, size and complexity, and the risk profile of its activities, the specifics of how these three lines of defence are structured can vary. Regardless of the structure, responsibilities for each line of defence should be well defined and communicated. Principle 1: 39. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40. A risk committee should: is required to review the bank's risk policies at least annually; and Principle 3: 71. Bullet 7 The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72. A risk committee should: should include members who have experience in risk management issues and practices; Principle 3: 71. Bullet 5 {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73. internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.] | Human Resources management | Human Resources Management | |
| Include the management structure in the duties and responsibilities for risk management. CC ID 13665 [A risk committee should: should include a majority of members who are independent; Principle 3: 71. Bullet 4] | Human Resources management | Human Resources Management | |
| Assign the roles and responsibilities for the change control program. CC ID 13118 | Human Resources management | Human Resources Management | |
| Identify and define all critical roles. CC ID 00777 | Human Resources management | Establish Roles | |
| Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 | Human Resources management | Establish Roles | |
| Assign responsibility for cyber threat intelligence. CC ID 12746 | Human Resources management | Human Resources Management | |
| Assign the role of security management to applicable controls. CC ID 06444 | Human Resources management | Establish Roles | |
| Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 | Human Resources management | Human Resources Management | |
| Define and assign the data processor's roles and responsibilities. CC ID 12607 | Human Resources management | Human Resources Management | |
| Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 | Human Resources management | Human Resources Management | |
| Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 | Human Resources management | Communicate | |
| Define and assign the data controller's roles and responsibilities. CC ID 00471 | Human Resources management | Establish Roles | |
| Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 | Human Resources management | Human Resources Management | |
| Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 | Human Resources management | Human Resources Management | |
| Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to applicable controls. CC ID 00354 | Human Resources management | Establish Roles | |
| Assign the role of data controller to provide advice, when requested. CC ID 12611 | Human Resources management | Human Resources Management | |
| Assign the role of data controller to additional personnel, as necessary. CC ID 00473 | Human Resources management | Establish Roles | |
| Assign the role of Information Technology operations to applicable controls. CC ID 00682 | Human Resources management | Establish Roles | |
| Assign the role of logical access control to applicable controls. CC ID 00772 | Human Resources management | Establish Roles | |
| Assign the role of asset physical security to applicable controls. CC ID 00770 | Human Resources management | Establish Roles | |
| Assign the role of data custodian to applicable controls. CC ID 04789 | Human Resources management | Establish Roles | |
| Assign the role of the Quality Management committee to applicable controls. CC ID 00769 [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.] | Human Resources management | Establish Roles | |
| Assign interested personnel to the Quality Management committee. CC ID 07193 | Human Resources management | Establish Roles | |
| Assign the roles and responsibilities for the asset management system. CC ID 14368 | Human Resources management | Establish/Maintain Documentation | |
| Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 | Human Resources management | Establish Roles | |
| Assign the role of fire protection management to applicable controls. CC ID 04891 | Human Resources management | Establish Roles | |
| Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 | Human Resources management | Establish Roles | |
| Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 | Human Resources management | Establish Roles | |
| Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 | Human Resources management | Establish Roles | |
| Define and assign the roles and responsibilities of security guards. CC ID 12543 | Human Resources management | Human Resources Management | |
| Define and assign roles and responsibilities for dispute resolution. CC ID 13626 | Human Resources management | Human Resources Management | |
| Define and assign the roles for Legal Support Workers. CC ID 13711 | Human Resources management | Human Resources Management | |
| Include compensation structures in the analysis of workforce management. CC ID 12902 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 {performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4 {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 [Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.] | Human Resources management | Establish/Maintain Documentation | |
| Categorize the gender of all employees. CC ID 15609 | Human Resources management | Human Resources Management | |
| Categorize all employees by racial groups and ethnic groups. CC ID 15627 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6 Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50.] | Human Resources management | Human Resources Management | |
| Establish and maintain Personnel Files for all employees. CC ID 12438 | Human Resources management | Human Resources Management | |
| Include credit check results in each employee's personnel file. CC ID 12447 | Human Resources management | Human Resources Management | |
| Include any criminal records in each employee's personnel file. CC ID 12446 | Human Resources management | Human Resources Management | |
| Include all employee information in each employee's personnel file. CC ID 12445 | Human Resources management | Human Resources Management | |
| Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 | Human Resources management | Human Resources Management | |
| Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 | Human Resources management | Human Resources Management | |
| Include referral follow-up results in each employee's personnel file. CC ID 12440 | Human Resources management | Human Resources Management | |
| Include background check results in each employee's personnel file. CC ID 12439 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 | Human Resources management | Establish/Maintain Documentation | |
| Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 | Human Resources management | Human Resources Management | |
| Require all new hires to sign the Code of Conduct. CC ID 06665 | Human Resources management | Establish/Maintain Documentation | |
| Require all new hires to sign Acceptable Use Policies. CC ID 06662 | Human Resources management | Establish/Maintain Documentation | |
| Require new hires to sign nondisclosure agreements. CC ID 06668 | Human Resources management | Establish/Maintain Documentation | |
| Train all new hires, as necessary. CC ID 06673 | Human Resources management | Behavior | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personnel security policy. CC ID 14025 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the personnel security policy. CC ID 14154 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the personnel security policy. CC ID 14114 | Human Resources management | Establish/Maintain Documentation | |
| Include management commitment in the personnel security policy. CC ID 14113 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the personnel security policy. CC ID 14112 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the personnel security policy. CC ID 14111 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the personnel security policy. CC ID 14110 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain personnel security procedures. CC ID 14058 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 | Human Resources management | Communicate | |
| Establish, implement, and maintain security clearance level criteria. CC ID 00780 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain staff position risk designations. CC ID 14280 | Human Resources management | Human Resources Management | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 | Human Resources management | Establish/Maintain Documentation | |
| Assign an owner of the personnel status change and termination procedures. CC ID 11805 | Human Resources management | Human Resources Management | |
| Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 | Human Resources management | Human Resources Management | |
| Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 [Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111. The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3 The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3] | Human Resources management | Behavior | |
| Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 | Human Resources management | Communicate | |
| Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 | Human Resources management | Behavior | |
| Conduct exit interviews upon termination of employment. CC ID 14290 | Human Resources management | Human Resources Management | |
| Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 | Human Resources management | Establish Roles | |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Behavior | |
| Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 | Human Resources management | Technical Security | |
| Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11 Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144. The bank's remuneration structure should support sound corporate governance and risk management. Principle 11: ¶ 1 The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148. The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.] | Human Resources management | Human Resources Management | |
| Establish and maintain an annual report on compensation. CC ID 14801 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Establish/Maintain Documentation | |
| Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154. {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.] | Human Resources management | Communicate | |
| Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 [Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143. {remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.] | Human Resources management | Establish/Maintain Documentation | |
| Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 [Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150. Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150.] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 [{be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147. {remuneration standard} The FSB principles on compensation are intended to apply to significant financial institutions, but they are especially critical for large, systemically important firms. National jurisdictions may also apply the principles in a proportionate manner to smaller, less complex institutions. Banks are encouraged to implement the FSB principles, or consistent national provisions based on them. Principle 11: 145. Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risktaking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143.] | Human Resources management | Establish/Maintain Documentation | |
| Refrain from using employees' privacy choices to restrict employment. CC ID 12425 | Human Resources management | Human Resources Management | |
| Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Human Resources Management | |
| Use rewards and career development to motivate personnel. CC ID 06906 | Human Resources management | Behavior | |
| Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 [All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1 All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1] | Human Resources management | Human Resources Management | |
| Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
| Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Human Resources Management | |
| Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Human Resources Management | |
| Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Human Resources Management | |
| Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Human Resources Management | |
| Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Human Resources Management | |
| Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Human Resources Management | |
| Approve the wording of job applications. CC ID 16182 | Human Resources management | Human Resources Management | |
| Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Human Resources Management | |
| Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Human Resources Management | |
| Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Human Resources Management | |
| Train all personnel and third parties, as necessary. CC ID 00785 [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Behavior | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Business Processes | |
| Support certification programs as viable training programs. CC ID 13268 | Human Resources management | Human Resources Management | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
| Retrain all personnel, as necessary. CC ID 01362 | Human Resources management | Behavior | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 [Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89. In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.] | Human Resources management | Behavior | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
| Include ethical culture in the training plan, as necessary. CC ID 12801 | Human Resources management | Human Resources Management | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
| Include risk management in the training plan, as necessary. CC ID 13040 | Human Resources management | Training | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
| Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
| Include the cloud service usage standard in the training plan. CC ID 13039 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83. The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. This should include information on the bank's approach to disclosing and managing material conflicts of interest that are not consistent with such policies, and conflicts that could arise because of the bank's affiliation or transactions with other entities within the group. Principle 3: 85. In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions, in appropriate recognition of the interest of the group. Principle 5: 96. Bullet 10 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a rigorous review and approval process for members to follow before they engage in certain activities (such as serving on another board) so as to ensure that such activity will not create a conflict of interest; Principle 3: 83. Bullet 3] | Human Resources management | Establish/Maintain Documentation | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: adequate procedures for transactions with related parties so that they are made on an arm's length basis; and Principle 3: 83. Bullet 6 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: examples of where conflicts can arise when serving as a board member; Principle 3: 83. Bullet 2] | Human Resources management | Establish/Maintain Documentation | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 | Human Resources management | Communicate | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to avoid, to the extent possible, activities that could create conflicts of interest or the appearance of conflicts of interest; Principle 3: 83. Bullet 1 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's responsibility to abstain from voting on any matter where the member may have a conflict of interest or where the member's objectivity or ability to properly fulfil duties to the bank may be otherwise compromised; Principle 3: 83. Bullet 5 The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest; Principle 3: 83. Bullet 4] | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Code of Conduct. CC ID 04897 | Human Resources management | Establish/Maintain Documentation | |
| Include definitions of ethics violations in the Code of Conduct. CC ID 14768 [{code of conduct} It should explicitly disallow illegal activity, such as financial misreporting and misconduct, economic crime including fraud, breach of sanctions, money laundering, anti-competitive practices, bribery and corruption, or the violation of consumer rights. Principle 1: 31. Bullet 1] | Human Resources management | Establish/Maintain Documentation | |
| Include exercising due professional care in the Code of Conduct. CC ID 14210 [The members of the board should exercise their "duty of care" and "duty of loyalty" to the bank under applicable national laws and supervisory standards. Principle 1: 25. {code of conduct} It should make clear that employees are expected to conduct themselves ethically and perform their job with skill and due care and diligence in addition to complying with laws, regulations and company policies. Principle 1: 31. Bullet 2] | Human Resources management | Establish/Maintain Documentation | |
| Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 | Human Resources management | Communicate | |
| Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 [{are acceptable} A bank's code of conduct or code of ethics, or comparable policy, should define acceptable and unacceptable behaviours. Principle 1: 31.] | Human Resources management | Establish/Maintain Documentation | |
| Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 [{disciplinary action} In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that employees, including senior management, are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and transgressions. Principle 1: 30. Bullet 4] | Human Resources management | Behavior | |
| Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 [If a board member ceases to be qualified or is failing to fulfil his or her responsibilities, the board should take appropriate actions as permitted by law, which may include notifying their banking supervisor. Principle 2: 53.] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain an ethics program. CC ID 11496 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 [{manner}{party} The board should oversee and approve how and by whom legitimate material concerns shall be investigated and addressed by an objective independent internal or external body, senior management and/or the board itself. Principle 1: 32. Bullet 3] | Human Resources management | Investigate | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 [The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82.] | Human Resources management | Behavior | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 [Accordingly, the board should: oversee the integrity, independence and effectiveness of the bank's policies and procedures for whistleblowing. Principle 1: 26. Bullet 12 {confidential communication}{illegal activity}{unethical conduct} Employees should be encouraged and able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This can be facilitated through a well communicated policy and adequate procedures and processes, consistent with national law, which allow employees to communicate material and bona fide concerns and observations of any violations in a confidential manner (eg whistleblower policy). This includes communicating material concerns to the bank's supervisor. Principle 1: 32. Bullet 1 Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: issues raised as a result of the bank's whistleblowing procedures. Principle 4: 94. Bullet 6] | Human Resources management | Business Processes | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2] | Human Resources management | Behavior | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 {are adequate}In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3 The bank's risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank's risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank's size, complexity and risk profile. Principle 7: 112. {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124. {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: Principle 10: 141. Bullet 6 {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. In reviewing corporate governance in the context of a group structure, supervisors should take into account the corporate governance responsibilities of both the parent company and subsidiaries, in accordance with Principle 5 of this document. Principle 13: 163. In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1 Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Establish/Maintain Documentation | |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 [There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75. Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164.] | Operational management | Behavior | |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [{applicable requirements} In order to fulfil its responsibilities, the board of the parent company should: have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements; Principle 5: 96. Bullet 7 {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.] | Operational management | Acquisition/Sale of Assets or Services | |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity | |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166. {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2 {is responsible}The audit committee is, in particular, responsible for: reviewing the third-party opinions on the design and effectiveness of the overall risk governance framework and internal control system. Principle 3: 69. Bullet 8 {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1 The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: subject to the review and approval of the board, developing and implementing the enterprisewide risk governance framework, which includes the bank's risk culture, risk appetite and risk limits; Principle 6: 105. Bullet 3 Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1 Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97. The bank's senior management is responsible for establishing a compliance policy that contains the basic principles to be approved by the board and explains the main processes by which compliance risks are to be identified and managed through all levels of the organisation. Principle 9: 133. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158. Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Human Resources Management | |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: meet regularly with senior management; Principle 1: 46. Bullet 2 Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93. {organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131.] | Operational management | Business Processes | |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
| Establish, implement, and maintain an internal control framework. CC ID 00820 [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice Principle 7: ¶ 1 {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2 Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Operational management | Establish/Maintain Documentation | |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
| Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.] | Operational management | Establish Roles | |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
| Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
| Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168. Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.] | Operational management | Records Management | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1] | Operational management | Business Processes | |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4 In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: Principle 1: 30. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59. To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3 In the case of a significant regulated subsidiary (due to its risk profile or systemic importance or due to its size relative to the parent company), the board of the significant subsidiary should take such further steps as are necessary to help the subsidiary meet its own corporate governance responsibilities and the legal and regulatory requirements that apply to it. Principle 5: 99. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.] | Operational management | Process or Activity | |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 [A risk committee should: should discuss all risk strategies on both an aggregated basis and by type of risk and make recommendations to the board thereon, and on the risk appetite; Principle 3: 71. Bullet 6 In order to fulfil its responsibilities, the board of the parent company should: maintain an effective relationship with both the home regulator and, through the subsidiary board or direct contact, with the regulators of all subsidiaries; Principle 5: 96. Bullet 8 The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110. The board and senior management are primarily responsible for the governance of the bank, and supervisors should assess their performance in this regard. This section sets forth several principles that can assist supervisors in assessing corporate governance and foster good corporate governance in banks. Principle 13: 157. As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162. {define} The frequency of interactions with the above persons may vary according to the size, complexity, structure, economic significance and risk profile of the bank. On that basis, supervisors may, for example, meet with the full board of directors annually, but more frequently with the chairman or lead or senior independent director and with key committee chairs. For systemically important banks, interaction should occur more frequently, particularly with members of the board and members of senior management, and those responsible for the risk management, compliance and internal audit functions. Principle 13: 165. Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164. Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.] | Operational management | Process or Activity | |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable, laws, regulations and internal policies. Principle 9: 132.] | Operational management | Establish/Maintain Documentation | |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.] | Operational management | Behavior | |
| Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
| Validate transactions using identifiers and credentials. CC ID 13203 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Records management | Technical Security | |
| Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Establish, implement, and maintain payment transaction security measures. CC ID 13088 [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.] | Acquisition or sale of facilities, technology, and services | Technical Security | |
| Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Communicate | |
| Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Configuration | |
| Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
| Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Business Processes | |
| Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Communicate | |
| Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
| Authorize new assets prior to putting them into the production environment. CC ID 13530 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
| Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include risk management procedures in the supply chain management policy. CC ID 08811 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 | Third Party and supply chain oversight | Business Processes | |
| Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
| Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
| Include the audit scope in the third party external audit report. CC ID 13138 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |