
Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks



AD ID

0003246

AD STATUS

Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks

ORIGINATOR

Basel Committee on Banking Supervision

TYPE

Best Practice Guideline

AVAILABILITY

Free

SYNONYMS

BCBS 328 Guidelines of Corporate Governance Principles for Banks

Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks

EFFECTIVE

2015-07-01

ADDED

The document as a whole was last reviewed and released on 2021-01-19T00:00:00-0800.


Important Notice

This Authority Document In Depth Report is copyrighted - © 2021 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Basel Committee on Banking Supervision Guidelines Corporate governance principles for banks are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

191 Mandated Controls (bold) | 86 Implied Controls (italic) | 1157 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 1434 Total
  • Acquisition or sale of facilities, technology, and services (30 controls)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular; each control line ends with its TYPE and CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish and maintain payment transaction security measures. CC ID 13088 Technical Security Preventive
      [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.]
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Communicate Preventive
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Business Processes Preventive
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Business Processes Preventive
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Business Processes Preventive
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Establish/Maintain Documentation Preventive
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Business Processes Preventive
    Encrypt electronic commerce transactions and messages. CC ID 08621 Configuration Preventive
    Protect the integrity of application service transactions. CC ID 12017 Business Processes Preventive
    Establish and maintain telephone-initiated transaction security measures, as necessary. CC ID 13566 Business Processes Preventive
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Communicate Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Conduct an acquisition feasibility study prior to acquiring Information Technology assets. CC ID 01129 Acquisition/Sale of Assets or Services Detective
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 Testing Detective
      [Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings. Principle 7: 125.]
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144 Establish/Maintain Documentation Preventive
      [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 Testing Detective
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Testing Detective
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743 Testing Detective
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Testing Detective
    Test new software or upgraded software for compatibility with the current system. CC ID 11654 Testing Detective
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Testing Detective
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Testing Detective
    Correct defective acquired goods or services. CC ID 06911 Acquisition/Sale of Assets or Services Corrective
    Authorize new assets prior to putting them into the production environment. CC ID 13530 Process or Activity Preventive
  • Audits and risk management (454 controls)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
      [{is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: an internal audit function independent from the first and second lines of defence. Principle 1: 38. Bullet 3]
    Manage supply chain audits. CC ID 01203 Audits and Risk Management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and Risk Management Preventive
    Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 Establish Roles Preventive
      [{matters requiring attention} Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9
      {is responsible} The audit committee is, in particular, responsible for: approving, or recommending to the board or shareholders for their approval, the appointment, remuneration and dismissal of external auditors; Principle 3: 69. Bullet 4
      {is responsible} The audit committee is, in particular, responsible for: reviewing and approving the audit scope and frequency; Principle 3: 69. Bullet 5
      {is responsible} The audit committee is, in particular, responsible for: overseeing the financial reporting process; Principle 3: 69. Bullet 2
      The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1]
    Assign the Board of Directors to address audit findings. CC ID 12396 Human Resources Management Corrective
      [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: Principle 4: 94.
      The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1
      The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.]
    Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 Establish Roles Preventive
    Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 Establish Roles Preventive
    Report audit findings by the internal audit manager directly to senior management. CC ID 01152 Testing Detective
    Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 Establish Roles Preventive
      [{remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.]
    Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 Establish Roles Preventive
    Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 Audits and Risk Management Preventive
      [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43.
      The board and senior management contribute to the effectiveness of the internal audit function by requiring that audit staff collectively have or can access knowledge, skills and resources commensurate with the business activities and risks of the bank; Principle 10: 141. Bullet 4
      The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.]
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Review external auditor outsourcing contracts and engagement letters. CC ID 01189 Establish/Maintain Documentation Preventive
    Include a change control clause in external auditor outsourcing contracts. CC ID 01192 Establish/Maintain Documentation Preventive
    Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 Establish/Maintain Documentation Preventive
    Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 Establish/Maintain Documentation Preventive
    Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 Establish/Maintain Documentation Preventive
    Include communication protocols in external auditor outsourcing contracts. CC ID 01201 Establish/Maintain Documentation Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and Risk Management Preventive
    Review the external audit assertion for accuracy. CC ID 06977 Testing Detective
    Review the risk assessments as compared to the in scope controls. CC ID 06978 Testing Detective
      [Banks should regularly compare actual performance against risk estimates (ie backtesting) to assist in judging the accuracy and effectiveness of the risk management process and making necessary adjustments. Principle 7: 121.]
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and Risk Management Detective
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 Establish/Maintain Documentation Preventive
    Include access to work papers in external auditor outsourcing contracts. CC ID 01193 Establish/Maintain Documentation Preventive
    Review the external auditor's qualifications. CC ID 01197 Audits and Risk Management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and Risk Management Preventive
    Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 Establish/Maintain Documentation Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Behavior Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Behavior Preventive
    Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 Establish/Maintain Documentation Preventive
    Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 Establish/Maintain Documentation Preventive
    Establish and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
      [In order to fulfil its responsibilities, the board of the parent company should: establish an effective internal audit function that ensures audits are being performed within or for all subsidiaries and part of the group and group itself; and Principle 5: 96. Bullet 9
      {risk management function} {compliance function} Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1]
    Establish and maintain audit policies, as necessary. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118 Establish Roles Preventive
      [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43.
      {risk management function} {compliance function} Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1
      The board and senior management should respect and promote the independence of the internal audit function by ensuring that: Principle 10: 142.
      The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.]
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
      [The board and senior management contribute to the effectiveness of the internal audit function by requiring internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors; Principle 10: 141. Bullet 3]
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880 Establish/Maintain Documentation Preventive
      [The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.]
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
      [{be comprehensive} {be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.]
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish and maintain Agreed Upon Procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 Establish/Maintain Documentation Preventive
    Include audit subject matter in the audit program. CC ID 07103 Establish/Maintain Documentation Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
      [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the quality of risk reporting to the board and senior management; and Principle 10: 141. Bullet 6 sub bullet 2]
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
      [The internal audit function should provide independent assurance to the board and should support board and senior management in promoting an effective governance process and the long-term soundness of the bank. Principle 10: ¶ 1]
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [ensuring that the activities and structure are subject to regular internal and external audit reviews. Principle 5: 102. Bullet 5]
    Audits and Risk Management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010 Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the bank's system of internal controls. Principle 10: 141. Bullet 6 sub bullet 3]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Conduct interviews of auditees, as necessary. CC ID 07188 Testing Detective
    Explain the goals of the interview to the auditee. CC ID 07189 Behavior Detective
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986 Testing Detective
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445 Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Establish and maintain a Statement on the Level of Compliance. CC ID 12499 Establish/Maintain Documentation Preventive
    Review the Statement on the Level of Compliance. CC ID 12500 Business Processes Detective
    Approve the Statement on the Level of Compliance. CC ID 12501 Business Processes Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Actionable Reports or Measurements Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [The board and senior management contribute to the effectiveness of the internal audit function by providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; Principle 10: 141. Bullet 1]
    Audits and Risk Management Preventive
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187
    [The board and senior management should respect and promote the independence of the internal audit function by ensuring that: internal audit reports are provided to the board or its audit committee without management filtering and that the internal auditors have direct access to the board or the board's audit committee; Principle 10: 142. Bullet 1
    The board and senior management should respect and promote the independence of the internal audit function by ensuring that: the head of the internal audit function's primary reporting line is to the board (or its audit committee), which is also responsible for the selection, oversight of the performance and, if necessary, dismissal of the head of this function; Principle 10: 142. Bullet 2]
    Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155 Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653
    [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6]
    Log Management Detective
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777
    [The board and senior management contribute to the effectiveness of the internal audit function by requiring timely and effective correction of audit issues by senior management; and Principle 10: 141. Bullet 5
    When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.]
    Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622 Human Resources Management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963
    [When a supervisor requires a bank to take remedial action, the supervisor should set a timetable for completion. Supervisors should have escalation procedures in place to require more stringent or accelerated remedial action in the event that a bank does not adequately address the deficiencies identified or the supervisor deems that further action is warranted. Principle 13: 167.]
    Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150
    [{risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Testing Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Establish and maintain the audit schedule for the audit program. CC ID 13158 Establish/Maintain Documentation Preventive
    Establish and maintain a risk management program. CC ID 12051
    [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93.
    Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1
    {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658
    [{specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.]
    Establish/Maintain Documentation Preventive
    Integrate the risk management program with the organization's business activities. CC ID 13661
    [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.
{risk management function}{compliance function} Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1
    If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2
    {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.]
    Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659
    [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4
    Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40.
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: Principle 6: 105.
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: influencing and, when necessary, challenging decisions that give rise to material risk; and Principle 6: 105. Bullet 6]
    Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Establish and maintain risk management strategies, as necessary. CC ID 13209
    [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93.
{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice. Principle 7: ¶ 1]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Establish and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Review the risk assessment framework. CC ID 12813 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Establish/Maintain Documentation Preventive
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and Risk Management Preventive
    Establish and maintain a financial plan to support the risk management strategy. CC ID 12786
    [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.]
    Establish/Maintain Documentation Preventive
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of personal data processing in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting personal data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Review and update the data protection impact assessment, as necessary. CC ID 12665 Audits and Risk Management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280
    [{business environment}{risk environment} The degree of sophistication of the bank's risk management infrastructure – including, in particular, a sufficiently robust data infrastructure, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank's business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines. Principle 7: 117.]
    Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Review and update the risk assessment policy, as necessary. CC ID 14122 Establish/Maintain Documentation Corrective
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Engage third parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities to the system in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450
    [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Review the risk assessment procedures, as necessary. CC ID 06460 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2
{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice. Principle 7: ¶ 1
    Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.
    {risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481
    [the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4]
    Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312
    [{notification system} The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: establishing an early warning or trigger system for breaches of the bank's risk appetite or limits; Principle 6: 105. Bullet 5]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633
    [{risk committee}{risk limit}{risk mitigation plan} The committee should receive regular reporting and communication from the CRO and other relevant functions about the bank's current risk profile, current state of the risk culture, utilisation against the established risk appetite, and limits, limit breaches and mitigation plans (see Principle 6). Principle 3: 74.]
    Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4
    An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1
    The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72.
    There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75.
    Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7
    In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95.
    The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110.
    {specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.
Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings. Principle 7: 125.
    Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.
    {risk information}{interested personnel}{appropriate authority} Material risk-related ad hoc information that requires immediate decisions or reactions should be promptly presented to senior management and, as appropriate, the board, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage. Principle 8: 128.
    {be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.
    Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.
    {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.]
    Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and Risk Management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147
    [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.
    If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2]
    Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the business impact analysis, as necessary. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961 Establish/Maintain Documentation Preventive
    Update the risk register, as necessary. CC ID 13047 Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148 Establish/Maintain Documentation Detective
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41.
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: identifying material individual, aggregate and emerging risks; Principle 6: 105. Bullet 1
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2
    Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.
    {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114.
    {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.
    {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The bank's RAS should establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity; Principle 1: 36. Bullet 2
    {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.]
    Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482
    [Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.]
    Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [The bank's RAS should define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and Principle 1: 36. Bullet 3]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706
    [Accordingly, the board should: Establish, along with senior management and the CRO, the bank's risk appetite, taking into account the competitive and regulatory landscape and the bank's long-term interests, risk exposure and ability to manage risk effectively; Principle 1: 26. Bullet 5
    {strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.
    {quantitative consideration} The bank's RAS should include both quantitative and qualitative considerations; Principle 1: 36. Bullet 1
    In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: promoting risk awareness within a strong risk culture, conveying the board's expectation that it does not support excessive risk-taking and that all employees are responsible for helping the bank operate within the established risk appetite and risk limits; Principle 1: 30. Bullet 2
    Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.
    establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4]
    Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849
    [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.
    The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4
    {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1
    {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.]
    Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [{risk management function}{review and approval process}{entail} A full and frank assessment of risks under a variety of scenarios as well as an assessment of potential shortcomings in the ability of the bank's risk management and internal controls to effectively manage associated risks; Principle 7: 123. ¶ 1 Bullet 1]
    Establish/Maintain Documentation Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822
    [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.]
    Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish and maintain a risk treatment plan. CC ID 11983
    [Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93.
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7
    In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.
    stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3]
    Establish/Maintain Documentation Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159
    [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457
    [Developing and conveying the bank's risk appetite is essential to reinforcing a strong risk culture. The risk governance framework should outline actions to be taken when stated risk limits are breached, including disciplinary actions for excessive risk-taking, escalation procedures and board of director notification. Principle 1: 34.
    Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.
    If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2]
    Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish and Maintain a Cybersecurity Risk Management Strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Review and update the supply chain risk management policy. CC ID 14714 Business Processes Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Review and update the supply chain risk management plan. CC ID 14719 Business Processes Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the organization's risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
    Review and update the risk management program, as necessary. CC ID 13049
    [{internal control system}{risk management system} The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2
    {risk management function} requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1]
    Establish/Maintain Documentation Preventive
    Publish a Report on Compliance for the organization's external requirements. CC ID 12350
    [A risk committee should: oversee that management has in place processes to promote the bank's adherence to the approved risk policies. Principle 3: 71. Bullet 8]
    Communicate Preventive
    Include a commitment to comply with recommendations from applicable statutory bodies in the Report on Compliance. CC ID 12371 Establish/Maintain Documentation Preventive
    Include a commitment to cooperate with applicable statutory bodies in the Report on Compliance. CC ID 12370 Establish/Maintain Documentation Preventive
    Include the statutory bodies having jurisdiction over privacy rights violations in the Report on Compliance. CC ID 12369 Establish/Maintain Documentation Preventive
    Include a description of the organization's privacy policy in the Report on Compliance. CC ID 12362 Establish/Maintain Documentation Preventive
    Include the outcomes of privacy rights violation complaints received in the Report on Compliance. CC ID 12534 Establish/Maintain Documentation Preventive
    Include dispute resolution quality measures in the Report on Compliance. CC ID 12533 Establish/Maintain Documentation Preventive
    Include the type of privacy rights violation complaints received in the Report on Compliance. CC ID 12532 Establish/Maintain Documentation Preventive
    Include the number of privacy rights violation complaints received in the Report on Compliance. CC ID 12530 Establish/Maintain Documentation Preventive
    Include the organization's fax number in the Report on Compliance. CC ID 12361 Establish/Maintain Documentation Preventive
    Include the organization's telephone number in the Report on Compliance. CC ID 12360 Establish/Maintain Documentation Preventive
    Include the organization's e-mail address in the Report on Compliance. CC ID 12359 Establish/Maintain Documentation Preventive
    Include the organization's name in the Report on Compliance. CC ID 12351 Establish/Maintain Documentation Preventive
    Describe how the organization processes personal data in the Report on Compliance. CC ID 12377 Establish/Maintain Documentation Preventive
    Include the organization's mailing address in the Report on Compliance. CC ID 12358 Establish/Maintain Documentation Preventive
    Approve and sign the Report on Compliance. CC ID 12392 Establish/Maintain Documentation Preventive
  • Human Resources management
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806
    [Accordingly, the board should: approve the selection and oversee the performance of the CEO, key members of senior management and heads of the control functions; Principle 1: 26. Bullet 10
    The board should select the CEO and may select other key personnel, including members of senior management. Principle 1: 45.
    {is responsible} The audit committee is, in particular, responsible for: providing oversight of and interacting with the bank's internal and external auditors; Principle 3: 69. Bullet 3
    In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95.
    Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111.
    Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92.
    The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.
    Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.]
    Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762 Human Resources Management Preventive
    Designate an alternate for each organizational leader. CC ID 12053 Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 Human Resources Management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [The board has overall responsibility for the bank, including approving and overseeing management's implementation of the bank's strategic objectives, governance framework and corporate culture. Principle 1: ¶ 1
    The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.
    {refrain from delegating} The board has ultimate responsibility for the bank's business strategy and financial soundness, key personnel decisions, internal organisation and governance structure and practices, and risk management and compliance obligations. The board may delegate some of its functions, though not its responsibilities, to board committees where appropriate. Principle 1: 23.
    The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2
    The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.
    {hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46.
    The board should maintain and periodically update organisational rules, by-laws, or other similar documents setting out its organisation, rights, responsibilities and key activities. Principle 3: 58.
    {capital plan} Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7
    Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1
    {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57.
    In the interest of greater transparency and accountability, a board should disclose the committees it has established, their mandates and their composition (including members who are considered to be independent). Principle 3: 65.
    {is responsible} The audit committee is, in particular, responsible for: framing policy on internal audit and financial reporting, among other things; Principle 3: 69. Bullet 1
    The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82.
    The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. Principle 3: 84.
    Under the direction and oversight of the board, senior management should carry out and manage the bank's activities in a manner consistent with the business strategy, risk appetite, remuneration and other policies approved by the board. Principle 4: ¶ 1
    Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91.
    The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: question and critically review explanations and information provided by senior management; Principle 1: 46. Bullet 3
    {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1
    In order to fulfil its responsibilities, the board of the parent company should: approve policies and clear strategies for establishing new structures and legal entities, and ensure that they are consistent with the policies and interests of the group; Principle 5: 96. Bullet 5
    In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.
    continually maintaining and reviewing appropriate policies, procedures and processes governing the approval and maintenance of those structures or activities, including fully vetting the purpose, the associated risks and the bank's ability to manage those risks prior to setting up new structures and initiating associated activities; Principle 5: 102. Bullet 2
    Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111.
    The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1
    In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1
    Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789
    [To increase efficiency and allow deeper focus in specific areas, a board may establish certain specialised board committees. The committees should be created and mandated by the full board. The number and nature of committees depend on many factors, including the size of the bank and its board, the nature of the business areas of the bank, and its risk profile. Principle 3: 63.]
    Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786
    [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.]
    Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784
    [{performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4]
    Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782
    [{international business activity}{economic forces}{legal environment} the board collectively should have a reasonable understanding of local, regional and, if appropriate, global economic and market forces and of the legal and regulatory environment. International experience, where relevant, should also be considered; and Principle 2: 49. Bullet 2
    To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: periodically review its structure, size and composition as well as committees' structures and coordination; Principle 3: 59. Bullet 1
    {is sufficient} The board should structure itself in terms of leadership, size and the use of committees so as to effectively carry out its oversight role and other responsibilities. This includes ensuring that the board has the time and means to cover all necessary subjects in sufficient depth and have a robust discussion of issues. Principle 3: 57.
    Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50.
    The bank should have in place a nomination committee or similar body, composed of a sufficient number of independent board members, which identifies and nominates candidates after having taken into account the criteria described above. Further details about the nomination committee and other board committees are discussed in paragraph 76. Principle 2: 54.
    To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: assess the ongoing suitability of each board member periodically (at least annually), also taking into account his or her performance on the board; Principle 3: 59. Bullet 2
    The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.
    Where there are shareholders with power to appoint board members, the board should ensure that such individuals understand their duties. Board members have responsibilities to the bank's overall interests, regardless of who appoints them. In cases where board members are selected by a controlling shareholder, the board may wish to set out specific procedures or conduct periodic reviews to facilitate the appropriate discharge of responsibility by all board members. Principle 2: 56.
    At a minimum, the audit committee as a whole should possess a collective balance of skills and expert knowledge – commensurate with the complexity of the banking organisation and the duties to be performed – and should have relevant experience in financial reporting, accounting and auditing. Where needed, the audit committee has access to external expert advice. Principle 3: 70.
    Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161.]
    Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791
    [The board should appoint members to specialised committees with the goal of achieving an appropriate mix of skills and experience that, in combination, allow the committees to fully understand, objectively evaluate and bring fresh thinking to the relevant issues. Principle 3: 78.
    The selection process should include reviewing whether board candidates: possess the knowledge, skills, experience and, particularly in the case of non-executive directors, independence of mind given their responsibilities on the board and in the light of the bank's business and risk profile; Principle 2: 51(i).
    In order to fulfil its responsibilities, the board of the parent company should: define an appropriate subsidiary board and management structure which takes into account the material risks to which the group, its businesses and its subsidiaries are exposed; Principle 5: 96. Bullet 2
    Supervisors should evaluate the processes and criteria used by banks in the selection of board members and senior management and, as they judge necessary, obtain information about the expertise and character of board members and senior management. The fit and proper criteria should include those discussed in Principle 2 of this document. The individual and collective suitability of board members and senior management should be subject to ongoing attention by supervisors. Principle 13: 161.
    {reputation} The selection process should include reviewing whether board candidates: have a record of integrity and good repute; Principle 2: 51(ii).
    The selection process should include reviewing whether board candidates: have the ability to promote a smooth interaction between board members. Principle 2: 51(iv).
    The selection process should include reviewing whether board candidates: have sufficient time to fully carry out their responsibilities; and Principle 2: 51(iii).]
    Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781
    [{capital plan} Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7]
    Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395
    [Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: Principle 2: 52.
    Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: other persons (such as management or other shareholders); Principle 2: 52. Bullet 1
    Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: past or present positions held; or Principle 2: 52. Bullet 2
    Board candidates should not have any conflicts of interest that may impede their ability to perform their duties independently and objectively and subject them to undue influence from: personal, professional or other economic relationships with other members of the board or management (or with other entities within the group). Principle 2: 52. Bullet 3
    {is sufficient} The board must be suitable to carry out its responsibilities and have a composition that facilitates effective oversight. For that purpose, the board should be comprised of a sufficient number of independent directors. Principle 2: 47.
    {be independent}{non-executive member} A committee chair should be an independent, non-executive board member. Principle 3: 67.
    {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62.]
    Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41.
    Accordingly, the board should: oversee the bank's adherence to the RAS, risk policy and risk limits; Principle 1: 26. Bullet 6
    {be aware} Senior management – and the board, as appropriate – should be cognisant of these challenges and take action to avoid or mitigate them by: Principle 5: 102.
    Large, complex and internationally active banks, and other banks, based on their risk profile and local governance requirements, should have a senior manager (CRO or equivalent) with overall responsibility for the bank's risk management function. In banking groups, there should be a group CRO in addition to subsidiary-level risk officers. Because some banks may have an officer who fulfils the function of a CRO under a different title, reference in this document to the CRO is intended to incorporate equivalent positions, provided they meet the independence and other requirements set out herein. Principle 6: 108.
    The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1]
    Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803
    [{board committee}{rotate} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.]
    Human Resources Management Corrective
    Define and assign board committees, as necessary. CC ID 14787
    [In jurisdictions permitting or requiring executive members on the board, the board of a bank should work to ensure the needed objectivity in each committee, such as by having only non-executives and, to the extent possible, a majority of independent members. Principle 3: 79.]
    Human Resources Management Preventive
    Define and assign risk committees, as necessary. CC ID 14795
    [A risk committee should: be required for systemically important banks and is strongly recommended for other banks based on a bank's size, risk profile or complexity; Principle 3: 71. Bullet 1]
    Human Resources Management Preventive
    Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802
    [{board committee} Each committee should have a charter or other instrument that sets out its mandate, scope and working procedures. This includes how the committee will report to the full board, what is expected of committee members and any tenure limits for serving on the committee. The board should consider the occasional rotation of members and of the chair of such committees, as this can help avoid undue concentration of power and promote fresh perspectives. Principle 3: 64.]
    Establish/Maintain Documentation Preventive
    Define and assign audit committees, as necessary. CC ID 14788
    [An audit committee should: be required for systemically important banks and is strongly recommended for other banks based on an organisation's size, risk profile or complexity; Principle 3: 68. Bullet 1]
    Human Resources Management Preventive
    Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796
    [An audit committee should: include members who have experience in audit practices, financial reporting and accounting. Principle 3: 68. Bullet 5
    An audit committee should: be made up entirely of independent or non-executive board members; and Principle 3: 68. Bullet 4]
    Human Resources Management Preventive
    Define and assign compensation committees, as necessary. CC ID 14793
    [Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144.
    The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.]
    Human Resources Management Preventive
    Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 Establish Roles Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 Establish Roles Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810 Establish Roles Preventive
    Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 Establish Roles Preventive
    Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333
    [Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources and access to the board. Principle 6: ¶ 1
    The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110.
    The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109.]
    Human Resources Management Preventive
    Define and assign roles and responsibilities for network management. CC ID 13128 Human Resources Management Preventive
    Define and assign the technology security leader's roles and responsibilities. CC ID 01897 Establish Roles Preventive
    Define and assign the security staff roles and responsibilities. CC ID 11750 Establish/Maintain Documentation Preventive
    Define and assign the property management leader's roles and responsibilities. CC ID 00669 Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 Establish Roles Preventive
    Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 Establish Roles Preventive
    Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 Establish/Maintain Documentation Preventive
    Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706 Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Assign a contact person to all business units. CC ID 07144
    [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.]
    Establish Roles Preventive
    Define and assign the assessment team's roles and responsibilities. CC ID 08890 Business Processes Preventive
    Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 Human Resources Management Preventive
    Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 Human Resources Management Preventive
    Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88.
    Senior management is responsible for delegating duties to staff and should establish a management structure that promotes accountability and transparency throughout the bank. Principle 4: 92.
    In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1]
    Human Resources Management Preventive
    Establish and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113 Establish Roles Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.
    As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.
    The development of an effective RAS should be driven by both top-down board leadership and bottom-up management involvement. While the definition of risk appetite may be initiated by senior management, successful implementation depends upon effective interactions between the board, senior management, risk management and operating businesses, including the chief financial officer (CFO). Principle 1: 37.
    A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: Principle 1: 38.
    A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: the business line; Principle 1: 38. Bullet 1
    {risk management} Depending on the bank's nature, size and complexity, and the risk profile of its activities, the specifics of how these three lines of defence are structured can vary. Regardless of the structure, responsibilities for each line of defence should be well defined and communicated. Principle 1: 39.
    {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2
    Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40.
    A risk committee should: is required to review the bank's risk policies at least annually; and Principle 3: 71. Bullet 7
    The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72.
    A risk committee should: should include members who have experience in risk management issues and practices; Principle 3: 71. Bullet 5
    {risk committee}{capital management} The committee's work includes oversight of the strategies for capital and liquidity management as well as for all relevant risks of the bank, such as credit, market, operational and reputational risks, to ensure they are consistent with the stated risk appetite. Principle 3: 73.
    internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1
    Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.
    The compensation committee is required for systemically important banks. It should support the board in overseeing the remuneration system's design and operation and in ensuring that remuneration is appropriate and consistent with the bank's culture, long-term business and risk appetite, performance and control environment (see Principle 10) as well as with any legal or regulatory requirements. The compensation committee should be constituted in a way that enables it to exercise competent and independent judgment on compensation policies and practices and the incentives they create. The compensation committee works closely with the bank's risk committee in evaluating the incentives created by the remuneration system. The risk committee should, without prejudice to the tasks of the compensation committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings. Principle 3: 76.]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665
    [A risk committee should: should include a majority of members who are independent; Principle 3: 71. Bullet 4]
    Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769
    [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.]
    Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the Information Technology asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Analyze workforce management. CC ID 12844 Human Resources Management Detective
    Include compensation structures in the analysis of workforce management. CC ID 12902
    [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11
    {performance standard} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: set appropriate performance and remuneration standards for senior management consistent with the long-term strategic objectives and the financial soundness of the bank; Principle 1: 46. Bullet 4
    {future profit} Remuneration should reflect risk-taking and risk outcomes. Practices by which remuneration is paid for potential future revenues whose timing and likelihood remain uncertain should be carefully evaluated by means of both qualitative and quantitative key indicators. The remuneration framework should provide for variable remuneration to be adjusted to take into account the full range of risks, including breaches of risk appetite limits, internal procedures or legal requirements. Principle 11: 149.
    The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.]
    Human Resources Management Preventive
    Establish and maintain a personnel management program. CC ID 14018
    [Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.]
    Establish/Maintain Documentation Preventive
    Establish and maintain a succession plan for organizational leaders and support personnel. CC ID 11822
    [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: be actively engaged in succession plans for the CEO and other key positions, as appropriate, and ensure that appropriate succession plans are in place for senior management positions. Principle 1: 46. Bullet 6
    Boards should have a clear and rigorous process for identifying, assessing and selecting board candidates. Unless required otherwise by law, the board (not management) nominates candidates and promotes appropriate succession planning of board members. Principle 2: 50.]
    Human Resources Management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources Management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources Management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources Management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources Management Preventive
    Include a signed acknowledgement of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources Management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources Management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources Management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources Management Preventive
    Establish and maintain onboarding procedures for new hires. CC ID 11760 Establish/Maintain Documentation Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources Management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Establish/Maintain Documentation Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Establish/Maintain Documentation Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Establish/Maintain Documentation Preventive
    Train all new hires, as necessary. CC ID 06673 Behavior Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Establish/Maintain Documentation Preventive
    Review and update the personnel security policy, as necessary. CC ID 14155 Establish/Maintain Documentation Corrective
    Include compliance requirements in the personnel security policy. CC ID 14154 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111 Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Establish/Maintain Documentation Preventive
    Review and update the personnel security procedures, as necessary. CC ID 14156 Establish/Maintain Documentation Corrective
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Communicate Preventive
    Establish and maintain staff security clearance level criteria. CC ID 00780 Establish/Maintain Documentation Preventive
    Assign risk designations for all positions. CC ID 14280 Human Resources Management Preventive
    Review and update staff position risk designations, as necessary. CC ID 10629 Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [The board should be comprised of individuals with a balance of skills, diversity and expertise, who collectively possess the necessary qualifications commensurate with the size, complexity and risk profile of the bank. Principle 2: 48.
    Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89.
    The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110.
    As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.
    Members of senior management should be selected through an appropriate promotion or recruitment process which takes into account the qualifications required for the position in question. For those senior management positions for which the board of directors is required to review or select candidates through an interview process, senior management should provide sufficient information to the board. Principle 4: 90.]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Update security clearances, as necessary. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Establish/Maintain Documentation Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677
    [Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111.
    The board and senior management should respect and promote the independence of the internal audit function by ensuring that: if the chief audit executive is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. Principle 10: 142. Bullet 3]
    Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Assign and staff all roles appropriately. CC ID 00784
    [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.]
    Testing Detective
    Delegate authority for specific processes, as necessary. CC ID 06780 Behavior Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [An audit committee should: have a chair who is independent and is not the chair of the board or of any other committee; Principle 3: 68. Bullet 3
    {be independent} A risk committee should: should be distinct from the audit committee, but may have other related tasks, such as finance; Principle 3: 71. Bullet 2
    {be independent} A risk committee should: should have a chair who is an independent director and not the chair of the board or of any other committee; Principle 3: 71. Bullet 3
    {separation of function} There is a potential conflict of interest where a bank is both owned by the state and subject to banking supervision of the state. If such conflicts of interest do exist, there should be full administrative separation of the ownership and banking supervision functions in order to minimise political interference in the supervision of the bank. Principle 3: 86.
    {be independent} An audit committee should: be distinct from other committees; Principle 3: 68. Bullet 2
    {be independent}{have in place} To promote checks and balances, the chair of the board should be an independent or non-executive board member. In jurisdictions where the chair is permitted to assume executive duties, the bank should have measures in place to mitigate any adverse impact on the bank's checks and balances, eg by designating a lead board member, a senior independent board member or a similar position and having a larger number of non-executives on the board. Principle 3: 62.
    {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137.
    {be independent} There should be no "dual hatting" by the heads of these functions. Principle 10: 140.]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.]
    Establish/Maintain Documentation Preventive
    Refrain from using employees' privacy choices to restrict employment. CC ID 12425 Human Resources Management Preventive
    Use rewards and career development to motivate personnel. CC ID 06906 Behavior Preventive
    Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825
    [All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: the recruitment approach for the selection of members of the board and for ensuring an appropriate diversity of skills, backgrounds and viewpoints; and Principle 12: 153. Bullet 1]
    Human Resources Management Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 Human Resources Management Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806
    [Accordingly, the board should: oversee the bank's approach to compensation, including monitoring and reviewing executive compensation and assessing whether it is aligned with the bank's risk culture and risk appetite; and Principle 1: 26. Bullet 11
    Systemically important financial institutions should have a board compensation committee as an integral part of their governance structure and organisation to oversee the compensation system's design and operation. Principle 11: 144.
    The bank's remuneration structure should support sound corporate governance and risk management. Principle 11: ¶ 1
    The remuneration structure should be in line with the business and risk strategy, objectives, values and long-term interests of the bank. It should also incorporate measures to prevent conflicts of interest. Remuneration programmes should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole (also taking into account client interests) rather than for themselves or only their business lines. In particular, incentives embedded within remuneration structures should not incentivise staff to take excessive risk. Principle 11: 148.]
    Human Resources Management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801
    [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.]
    Establish/Maintain Documentation Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804
    [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800
    [{applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.]
    Communicate Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798
    [Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risk-taking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143.
    {remuneration system} The board, together with its compensation committee where one exists, should approve the compensation of senior executives, including the CEO, CRO and head of internal audit, and should oversee development and operation of compensation policies, systems and related control processes. Principle 11: 146.]
    Establish/Maintain Documentation Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797
    [Banks have to set specific provisions for employees with a significant influence on the overall risk profile, so-called material risk-takers. Remuneration payout schedules should be sensitive to risk outcomes over a multi-year horizon. For material risk-takers, this is often achieved through arrangements that defer a sufficiently large part of the compensation until risk outcomes become better known. This includes "malus/forfeiture" provisions, where compensation can be reduced or reversed based on realised risks or conduct events before compensation vests, and/or "clawback" provisions, under which compensation can be reduced or reversed after compensation vests if new facts emerge showing that the compensation paid was based on erroneous assumptions, such as misreporting, or if it is discovered that the employee has failed to comply with internal policies or legal requirements. In such cases, banks should take action as soon as practicable to recover forfeitable or recoupable amounts to improve the likelihood of successful recovery. "Golden hellos" or "golden parachutes", under which new or terminated executives or staff receive large payouts irrespective of performance, are generally not consistent with sound compensation practice. Principle 11: 150.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794
    [{be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147.
    {remuneration standard} The FSB principles on compensation are intended to apply to significant financial institutions, but they are especially critical for large, systemically important firms. National jurisdictions may also apply the principles in a proportionate manner to smaller, less complex institutions. Banks are encouraged to implement the FSB principles, or consistent national provisions based on them. Principle 11: 145.
Remuneration systems form a key component of the governance and incentive structure through which the board and senior management promote good performance, convey acceptable risk-taking behaviour and reinforce the bank's operating and risk culture. The board (or, by delegation, its compensation committee) is responsible for the overall oversight of management's implementation of the remuneration system for the entire bank. In addition, the board or its committee should regularly monitor and review outcomes to assess whether the bank-wide remuneration system is creating the desired incentives for managing risk, capital and liquidity. The board or subcommittee should review the remuneration plans, processes and outcomes at least annually. Principle 11: 143.]
    Establish/Maintain Documentation Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources Management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources Management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [{is sufficient} The risk management function should have a sufficient number of employees who possess the requisite experience and qualifications, including market and product knowledge as well as command of risk disciplines. Staff should have the ability and willingness to effectively challenge business operations regarding all aspects of risk arising from the bank's activities. Staff should have access to regular training. Principle 6: 107.
    In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.]
    Behavior Preventive
    Establish and maintain an education methodology. CC ID 06671
    [In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.]
    Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [Members of senior management should have the necessary experience, competencies and integrity to manage the businesses and people under their supervision. They should receive access to regular training to maintain and enhance their competencies and stay up to date on developments relevant to their areas of responsibility. Principle 4: 89.
    In order to help board members acquire, maintain and enhance their knowledge and skills, and fulfil their responsibilities, the board should ensure that members participate in induction programmes and have access to ongoing training on relevant issues which may involve internal or external resources. The board should dedicate sufficient time, budget and other resources for this purpose, and draw on external expertise as needed. More extensive efforts should be made to train and keep updated those members with more limited financial, regulatory or risk-related experience. Principle 2: 55.]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672 Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish and implement training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Review and update the security awareness and training procedures, as necessary. CC ID 14140 Establish/Maintain Documentation Corrective
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Review and update the security awareness and training policy, as necessary. CC ID 14050 Establish/Maintain Documentation Corrective
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate security awareness and the internal control framework to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Update training plans, as necessary. CC ID 12868 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a conflict of interest policy, as necessary. CC ID 14785
[The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: Principle 3: 83.
    The board should oversee and be satisfied with the process by which appropriate public disclosure is made, and/or information is provided to supervisors, relating to the bank's policies on conflicts of interest and potential material conflicts of interest. This should include information on the bank's approach to disclosing and managing material conflicts of interest that are not consistent with such policies, and conflicts that could arise because of the bank's affiliation or transactions with other entities within the group. Principle 3: 85.
    In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions, in appropriate recognition of the interest of the group. Principle 5: 96. Bullet 10
    The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a rigorous review and approval process for members to follow before they engage in certain activities (such as serving on another board) so as to ensure that such activity will not create a conflict of interest; Principle 3: 83. Bullet 3]
    Establish/Maintain Documentation Preventive
    Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792
    [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: adequate procedures for transactions with related parties so that they are made on an arm's length basis; and Principle 3: 83. Bullet 6
    The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: examples of where conflicts can arise when serving as a board member; Principle 3: 83. Bullet 2]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the conflict of interest policy. CC ID 14790
    [The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to avoid, to the extent possible, activities that could create conflicts of interest or the appearance of conflicts of interest; Principle 3: 83. Bullet 1
    The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's responsibility to abstain from voting on any matter where the member may have a conflict of interest or where the member's objectivity or ability to properly fulfil duties to the bank may be otherwise compromised; Principle 3: 83. Bullet 5
    The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: a member's duty to promptly disclose any matter that may result, or has already resulted, in a conflict of interest; Principle 3: 83. Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish and maintain a Code of Conduct as a part of the Terms and Conditions of employment. CC ID 04897 Establish/Maintain Documentation Preventive
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768
    [{code of conduct} It should explicitly disallow illegal activity, such as financial misreporting and misconduct, economic crime including fraud, breach of sanctions, money laundering, anti-competitive practices, bribery and corruption, or the violation of consumer rights. Principle 1: 31. Bullet 1]
    Establish/Maintain Documentation Preventive
    Include exercising due professional care in the Code of Conduct. CC ID 14210
    [The members of the board should exercise their "duty of care" and "duty of loyalty" to the bank under applicable national laws and supervisory standards. Principle 1: 25.
    {code of conduct} It should make clear that employees are expected to conduct themselves ethically and perform their job with skill and due care and diligence in addition to complying with laws, regulations and company policies. Principle 1: 31. Bullet 2]
    Establish/Maintain Documentation Preventive
Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442
    [{hold accountable} The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: Principle 1: 46.]
    Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846
    [{are acceptable} A bank's code of conduct or code of ethics, or comparable policy, should define acceptable and unacceptable behaviours. Principle 1: 31.]
    Establish/Maintain Documentation Preventive
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435
    [{disciplinary action} In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that employees, including senior management, are aware that appropriate disciplinary or other actions will follow unacceptable behaviours and transgressions. Principle 1: 30. Bullet 4]
    Behavior Preventive
    Establish, implement, and maintain performance reviews, as necessary. CC ID 14777 Business Processes Detective
    Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783
    [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59.]
    Human Resources Management Detective
    Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799
    [If a board member ceases to be qualified or is failing to fulfil his or her responsibilities, the board should take appropriate actions as permitted by law, which may include notifying their banking supervisor. Principle 2: 53.]
    Human Resources Management Preventive
    Conduct staff performance reviews, as necessary. CC ID 07205
    [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: assess whether senior management's collective knowledge and expertise remain appropriate given the nature of the business and the bank's risk profile; and Principle 1: 46. Bullet 5
    {be independent} For employees in control functions (eg risk, compliance and internal audit), remuneration should be determined independently of any business line overseen, and performance measures should be based principally on the achievement of their own objectives so as not to compromise their independence. Principle 11: 147.]
    Business Processes Detective
    Analyze the documentation produced by staff during the performance review. CC ID 07207 Establish/Maintain Documentation Detective
    Establish and maintain an ethics program. CC ID 11496 Human Resources Management Preventive
    Establish and maintain investigation procedures addressing ethics complaints. CC ID 12900
    [{manner}{party} The board should oversee and approve how and by whom legitimate material concerns shall be investigated and addressed by an objective independent internal or external body, senior management and/or the board itself. Principle 1: 32. Bullet 3]
    Investigate Preventive
    Establish, implement, and maintain an ethical culture. CC ID 12781
    [The board should oversee the implementation and operation of policies to identify potential conflicts of interest. Where these conflicts cannot be prevented, they should be properly managed (based on the permissibility of relationships or transactions under sound corporate policies consistent with national law and supervisory standards). Principle 3: 82.]
    Behavior Preventive
    Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 Monitor and Evaluate Occurrences Preventive
    Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 Monitor and Evaluate Occurrences Preventive
    Refrain from practicing false advertising. CC ID 14253 Business Processes Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806
    [Accordingly, the board should: oversee the integrity, independence and effectiveness of the bank's policies and procedures for whistleblowing. Principle 1: 26. Bullet 12
    {confidential communication}{illegal activity}{unethical conduct} Employees should be encouraged and able to communicate, confidentially and without the risk of reprisal, legitimate concerns about illegal, unethical or questionable practices. This can be facilitated through a well communicated policy and adequate procedures and processes, consistent with national law, which allow employees to communicate material and bona fide concerns and observations of any violations in a confidential manner (eg whistleblower policy). This includes communicating material concerns to the bank's supervisor. Principle 1: 32. Bullet 1
    Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: issues raised as a result of the bank's whistleblowing procedures. Principle 4: 94. Bullet 6]
    Business Processes Preventive
    Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 Communicate Preventive
    Establish and maintain a training program for interested personnel to report compliance violations. CC ID 11835 Establish/Maintain Documentation Preventive
    Respond to ethics complaints of ethics violations. CC ID 11497
    [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2]
    Business Processes Corrective
    Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607
    [The board should have oversight of the whistleblowing policy mechanism and ensuring that senior management addresses legitimate issues that are raised. The board should take responsibility for ensuring that staff who raise concerns are protected from detrimental treatment or reprisals. Principle 1: 32. Bullet 2]
    Behavior Preventive
  • Leadership and high level objectives
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931
    [The board should establish and be satisfied with the bank's organisational structure. This will enable the board and senior management to carry out their responsibilities and facilitate effective decision-making and good governance. This includes clearly laying out the key responsibilities and authorities of the board itself and of senior management and of those responsible for the risk management and control functions. Principle 1: 24.]
    Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957
    [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.]
    Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942 Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector, as necessary. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862
    [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1]
    Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799
[having a centralised process for approving the creation of new legal entities and subsidiaries based on established criteria, including the ability to monitor and fulfil each entity's regulatory, tax, financial reporting, governance and other requirements and for the dissolution of dormant subsidiaries; Principle 5: 102. Bullet 3]
    Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879
    [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1]
    Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896 Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864
    [avoiding setting up complicated structures that lack economic substance or business purpose; Principle 5: 102. Bullet 1]
    Business Processes Preventive
    Document organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400
    [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: the bank's performance and financial condition; Principle 4: 94. Bullet 2]
    Business Processes Preventive
    Document and communicate the linkage between organizational objectives, functions, activities and general controls. CC ID 12398
    [The board should be prepared to discuss with, and as necessary report to, the bank's supervisor and the host country supervisors the policies and strategies adopted regarding the establishment and maintenance of these structures and activities. Principle 5: 104.
    Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.
    Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185
    [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.]
    Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Implement the Quality Management program. CC ID 13696 Business Processes Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Accordingly, the board should: actively engage in the affairs of the bank and keep up with material changes in the bank's business and the external environment as well as act in a timely manner to protect the long-term interests of the bank; Principle 1: 26. Bullet 1]
    Business Processes Corrective
    Establish and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825
    [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should establish a compliance function and approve the bank's policies and processes for identifying, assessing, monitoring and reporting and advising on compliance risk. Principle 9: ¶ 1
    {refrain from interfering}{be independent} To be effective, the compliance function must have sufficient authority, stature, independence, resources and access to the board. Management should respect the independent duties of the compliance function and not interfere with their fulfilment. As previously noted, there should be no "dual hatting" by the head of the compliance function. Principle 9: 137.]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain a list of compliance documents. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in scope assets and in scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.
    Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901
    [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: confirming that appropriate steps have been or are being taken to communicate throughout the bank the corporate values, professional standards or codes of conduct it sets, together with supporting policies; and Principle 1: 30. Bullet 3
    The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88.
    All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: Principle 12: 153.
    {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.]
    Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the list of compliance documents with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329
    [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.]
    Establish/Maintain Documentation Preventive
    Document compliance exceptions, as necessary. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [In addition to identifying and measuring risk exposures, the risk management function should evaluate possible ways to mitigate these exposures. In some cases, the risk management function may direct that risk be reduced or hedged to limit exposure. In other cases, such as when there is a decision to accept or take risk that is beyond risk limits (ie on a temporary basis) or take risk that cannot be hedged or mitigated, the risk management function should report material exemptions to the board and monitor the positions to ensure that they remain within the bank's framework of limits and controls or within exception approval. Either approach may be appropriate depending on the issue at hand, provided that the independence of the risk management function is not compromised. Principle 7: 122.]
    Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1
    {capital plan} Accordingly, the board should: approve the approach and oversee the implementation of key policies pertaining to the bank's capital adequacy assessment process, capital and liquidity plans, compliance policies and obligations, and the internal control system; Principle 1: 26. Bullet 7]
    Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [{board committees} Committees should maintain appropriate records of their deliberations and decisions (eg meeting minutes or summaries of matters reviewed, recommendations made and decisions taken). Such records should document the committees' fulfilment of their responsibilities and help the supervisor or those responsible to assess the effectiveness of these committees. Principle 3: 66.
    The board should maintain appropriate records (eg meeting minutes or summaries of matters reviewed, recommendations made, decisions taken and dissenting opinions) of its deliberations and decisions. These should be made available to the supervisor when required. Principle 3: 60.
    All banks, even those for whom disclosure requirements may differ because they are non-listed, should disclose relevant and useful information that supports the key areas of corporate governance identified by the Committee. Such disclosure should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank. At a minimum, banks should disclose annually the following information: whether the bank has set up board committees and the number of times key standing committees have met. Principle 12: 153. Bullet 2]
    Establish/Maintain Documentation Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Establish/Maintain Documentation Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Establish/Maintain Documentation Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Establish Roles Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Establish Roles Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Establish Roles Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Establish Roles Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Human Resources Management Preventive
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Establish Roles Preventive
    Establish and maintain a strategic plan. CC ID 12784
    [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944
    [Accordingly, the board should: oversee the development of and approve the bank's business objectives and strategy and monitor their implementation; Principle 1: 26. Bullet 2
    The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: monitor that senior management's actions are consistent with the strategy and policies approved by the board, including the risk appetite; Principle 1: 46. Bullet 1
    Senior management contributes substantially to a bank's sound corporate governance through personal conduct (eg by helping to establish the "tone at the top" along with the board). Members of senior management should provide adequate oversight of those they manage, and ensure that the bank's activities are consistent with the business strategy, risk appetite and the policies approved by the board. Principle 4: 91.]
    Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870
    [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable laws, regulations and internal policies. Principle 9: 132.]
    Establish/Maintain Documentation Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698 Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Communicate Preventive
    Review and update the planning procedures, as necessary. CC ID 14703 Establish/Maintain Documentation Preventive
    Review and update the planning policy, as necessary. CC ID 14697 Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Communicate Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Establish/Maintain Documentation Preventive
    Include management commitment in the planning policy. CC ID 14686 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Establish/Maintain Documentation Preventive
    Include the scope in the planning policy. CC ID 14684 Establish/Maintain Documentation Preventive
    Include the purpose in the planning policy. CC ID 14683 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Review and update the security planning policy, as necessary. CC ID 14132 Establish/Maintain Documentation Corrective
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Review and update the security planning procedures. CC ID 14133 Establish/Maintain Documentation Corrective
    Establish and maintain a decision management strategy. CC ID 06913
    [individual board members' attitude should facilitate communication, collaboration and critical debate in the decision-making process. Principle 2: 49. Bullet 3
    The organisation and procedures and decision-making of senior management should be clear and transparent and designed to promote effective management of the bank. This includes clarity on the role, authority and responsibility of the various positions within senior management, including that of the CEO. Principle 4: 88.
    Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Establish/Maintain Documentation Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision making criteria. CC ID 12938 Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841
    [Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915
    [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.
    {are relevant} board members should have a range of knowledge and experience in relevant areas and have varied backgrounds to promote diversity of views. Relevant areas of competence may include, but are not limited to capital markets, financial analysis, financial stability issues, financial reporting, information technology, strategic planning, risk management, compensation, regulation, corporate governance and management skills; Principle 2: 49. Bullet 1
    Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1]
    Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909
    [The chair of the board plays a crucial role in the proper functioning of the board. The chair provides leadership to the board and is responsible for its effective overall functioning, including maintaining a relationship of trust with board members. The chair should possess the requisite experience, competencies and personal qualities in order to fulfil these responsibilities. The chair should ensure that board decisions are taken on a sound and well informed basis. The chair should encourage and promote critical discussion and ensure that dissenting views can be freely expressed and discussed within the decision-making process. The chair should dedicate sufficient time to the exercise of his or her responsibilities. Principle 3: 61.]
    Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Communicate the decision management strategy to all interested personnel and affected parties, as necessary. CC ID 13991 Communicate Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish and maintain a tactical plan. CC ID 12785 Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094 Human Resources Management Preventive
    Establish and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.]
    Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Behavior Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [Accordingly, the board should: require that the bank maintain a robust finance function responsible for accounting and financial data; Principle 1: 26. Bullet 8
    {is responsible} The audit committee is, in particular, responsible for: overseeing the establishment of accounting policies and practices by the bank; and Principle 3: 69. Bullet 7]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Review financial reports, as necessary. CC ID 13229
    [{matters requiring attention} Accordingly, the board should: approve the annual financial statements and require a periodic independent review of critical areas; Principle 1: 26. Bullet 9
    Banks should have accurate internal and external data to be able to identify, assess and mitigate risk, make strategic business decisions and determine capital and liquidity adequacy. The board and senior management should give special attention to the quality, completeness and accuracy of the data used to make risk decisions. While tools such as external credit ratings or externally purchased risk models and data can be useful as inputs into a more comprehensive assessment, banks are ultimately responsible for the assessment of their risks. Principle 7: 118.]
    Investigate Detective
    Establish and maintain communication protocols. CC ID 12245
    [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.]
    Establish/Maintain Documentation Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419
    [{be clear}{be comprehensible} Disclosure should be accurate, clear and presented such that shareholders, depositors, other relevant stakeholders and market participants can consult the information easily. Timely public disclosure is desirable on a bank's public website, in its annual and periodic financial reports, or by other appropriate means. It is good practice to have an annual corporate governance-specific and comprehensive statement in a clearly identifiable section of the annual report depending on the applicable financial reporting framework. All material developments that arise between regular reports should be disclosed to the bank supervisor and relevant stakeholders as required by law without undue delay. Principle 12: 156.]
    Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417 Establish/Maintain Documentation Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4]
    Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members, as necessary. CC ID 12416 Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an internal reporting program. CC ID 12409
    [Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.]
    Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412
    [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: changes in business strategy, risk strategy/risk appetite; Principle 4: 94. Bullet 1]
    Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
  • Monitoring and measurement
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Implement Security Control System monitoring and reporting procedures. CC ID 13500
    [Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: internal control failures; Principle 4: 94. Bullet 4]
    Monitor and Evaluate Occurrences Detective
    Establish and maintain a risk monitoring program. CC ID 00658
    [The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: ongoing monitoring of the risk-taking activities and risk exposures in line with the board approved risk appetite, risk limits and corresponding capital or liquidity needs (ie capital planning); Principle 6: 105. Bullet 4
    The CRO has primary responsibility for overseeing the development and implementation of the bank's risk management function. This includes the ongoing strengthening of staff skills and enhancements to risk management systems, policies, processes, quantitative models and reports as necessary to ensure that the bank's risk management capabilities are sufficiently robust and effective to fully support its strategic objectives and all of its risk-taking activities. The CRO is responsible for supporting the board in its engagement with and oversight of the development of the bank's risk appetite and RAS and for translating the risk appetite into a risk limits structure. The CRO, together with management, should be actively engaged in monitoring performance relative to risk-taking and risk limit adherence. The CRO's responsibilities also include managing and participating in key decision-making processes (eg strategic planning, capital and liquidity planning, new products and services, compensation design and operation). Principle 6: 109.
    establishing adequate procedures and processes to identify and manage all material risks arising from these structures, including lack of management transparency, operational risks introduced by interconnected and complex funding structures, intragroup exposures, trapped collateral and counterparty risk. The bank should only approve structures if the material risks can be properly identified, assessed and managed; and Principle 5: 102. Bullet 4
    {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494
    [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice. Principle 7: ¶ 1]
    Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an overall compliance testing strategy. CC ID 00659 Establish/Maintain Documentation Preventive
    Establish and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922 Testing Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Review and update the system security plan, as necessary. CC ID 14287 Establish/Maintain Documentation Corrective
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666 Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.]
    Behavior Preventive
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Establish/Maintain Documentation Preventive
    Review and update the security assessment and authorization policy. CC ID 14226 Establish/Maintain Documentation Corrective
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Establish/Maintain Documentation Preventive
    Review and update the security assessment and authorization procedures, as necessary. CC ID 14228 Establish/Maintain Documentation Corrective
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Communicate Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178 Human Resources Management Preventive
    Define the test requirements for each testing program. CC ID 13177
    [internal stress tests should cover a range of scenarios based on reasonable assumptions regarding dependencies and correlations. Senior management should define and approve and, as applicable, the board should review and provide effective challenge to the scenarios that are used in the bank's risk analyses; Principle 7: 120. Bullet 1]
    Establish/Maintain Documentation Preventive
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871
    [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3
    the results of stress tests and scenario analyses should also be communicated to, and given appropriate consideration by, relevant business lines and individuals within the bank. Principle 7: 120. Bullet 4
    Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.]
    Communicate Preventive
    Establish and maintain a business line testing strategy. CC ID 13245
    [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Establish/Maintain Documentation Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262 Establish/Maintain Documentation Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Establish/Maintain Documentation Preventive
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Testing Detective
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Establish/Maintain Documentation Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Establish/Maintain Documentation Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Establish/Maintain Documentation Preventive
    Implement and comply with the testing program. CC ID 11870 Testing Detective
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901 Technical Security Detective
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Scan organizational networks for rogue devices. CC ID 00536 Testing Detective
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061 Configuration Corrective
    Establish and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Establish Roles Preventive
    Establish and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Correct vulnerabilities and repeat penetration testing. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857 Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans on the organization's systems. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828 Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497 Technical Security Corrective
    Establish and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Establish and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish and maintain an approach for compliance monitoring. CC ID 01653
    [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.]
    Establish/Maintain Documentation Preventive
    Establish and maintain risk management metrics. CC ID 01656 Establish/Maintain Documentation Preventive
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866
    [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3]
    Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [{unauthorized action}{dual authorization control}{legal and regulatory requirements} In order to avoid actions beyond the authority of the individual or even fraud, internal controls also place reasonable checks on managerial and employee discretion. Even in smaller banks, for example, key management decisions should be taken by more than one person. Internal reviews should also determine the extent of a bank's compliance with company policies and procedures as well as with legal and regulatory policies. Adequate escalation procedures are a key element of the internal control system. Principle 7: 116.]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401 Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.]
    Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404
    [{manner} The board should have a formal written conflicts-of-interest policy and an objective compliance process for implementing the policy. The policy should include: the way in which the board will deal with any non-compliance with the policy. Principle 3: 83. Bullet 7]
    Human Resources Management Preventive
    Establish and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{be transparent} The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants. Principle 12: ¶ 1]
    Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Actionable Reports or Measurements Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish and maintain an Information Security metrics program. CC ID 01665 Establish/Maintain Documentation Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of such risks. This includes identifying, assessing and reporting such exposures, taking into account the bank's risk appetite and its policies, procedures and controls. The manner in which the business line executes its responsibilities should reflect the bank's existing risk culture. The board should promote a strong culture of adhering to limits and managing risk exposures. Principle 1: 40.
    The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1
    In order to fulfil its responsibilities, the board of the parent company should: ensure that the group's corporate governance framework includes appropriate processes and controls to identify and address potential intragroup conflicts of interest, such as those arising from intragroup transactions; Principle 5: 96. Bullet 4
    {risk management function}{review and approval process}{entail} An assessment of the extent to which the bank's risk management, legal and regulatory compliance, information technology, business line and internal control functions have adequate tools and the expertise necessary to measure and manage related risks. Principle 7: 123. ¶ 1 Bullet 2
    Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.]
    Monitor and Evaluate Occurrences Preventive
    Create a corrective action plan to correct control deficiencies identified in an audit. CC ID 00675
    [{law, rule, or regulation}{negatively impact} While the strategic objectives, risk governance framework, corporate values and corporate governance principles of the subsidiary should align with that of the parent company (referred to here as "group policies"), the subsidiary board should make necessary adjustments where a group policy conflicts with an applicable legal or regulatory provision or prudential rule, or would be detrimental to the sound and prudent management of the subsidiary. Principle 5: 98.]
    Monitor and Evaluate Occurrences Detective
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The bank's corporate values should recognise the critical importance of timely and frank discussion and escalation of problems to higher levels within the organisation. Principle 1: 32.
    The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.
    Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3
    {legal concern} Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: legal or regulatory concerns; and Principle 4: 94. Bullet 5
    The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.
    The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.]
    Actionable Reports or Measurements Corrective
  • Operational and Systems Continuity
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288 Establish/Maintain Documentation Preventive
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301
    [stress test programme results should be periodically reviewed with the board or its risk committee. Test results should be incorporated into the reviews of the risk appetite, the capital adequacy assessment process, the capital and liquidity planning processes, and budgets. They should also be linked to recovery and resolution planning. The risk management function should suggest if and what action is required based on results; and Principle 7: 120. Bullet 3]
    Establish/Maintain Documentation Detective
  • Operational management
    170
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.
    The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.
    The board should define appropriate governance structures and practices for its own work, and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness. Principle 3: ¶ 1
    {are adequate} In order to fulfil its responsibilities, the board of the parent company should: assess whether the group's corporate governance framework includes adequate policies, processes and controls and whether the framework addresses risk management across the businesses and legal entity structures; Principle 5: 96. Bullet 3
    The bank's risk governance framework should include policies, supported by appropriate control procedures and processes, designed to ensure that the bank's risk identification, aggregation, mitigation and monitoring capabilities are commensurate with the bank's size, complexity and risk profile. Principle 7: 112.
    {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.
    In order to fulfil its responsibilities, the board of the parent company should: establish a group structure (including the legal entity and business structure) and a corporate governance framework with clearly defined roles and responsibilities, including those at the parent company level and at the subsidiary level as may be appropriate based on the complexity and significance of the subsidiary; Principle 5: 96. Bullet 1
    Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.]
    Establish/Maintain Documentation Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [{applicable requirements} In order to fulfil its responsibilities, the board of the parent company should: have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements; Principle 5: 96. Bullet 7
    {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Acquisition/Sale of Assets or Services Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Process or Activity Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.
    Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.
    {is independent} A risk governance framework should include well defined organisational responsibilities for risk management, typically referred to as the three lines of defence: a risk management function and a compliance function independent from the first line of defence; and Principle 1: 38. Bullet 2
    {is responsible} The audit committee is, in particular, responsible for: reviewing the third-party opinions on the design and effectiveness of the overall risk governance framework and internal control system. Principle 3: 69. Bullet 8
    {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: subject to the review and approval of the board, developing and implementing the enterprisewide risk governance framework, which includes the bank's risk culture, risk appetite and risk limits; Principle 6: 105. Bullet 3
    Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1
    Subsidiary boards and senior management remain responsible for developing effective risk management processes for their entities. The methods and procedures applied by subsidiaries should support the effectiveness of risk management at a group level. While parent companies should conduct strategic, group-wide risk management and prescribe corporate risk policies, subsidiary management and boards should have appropriate input to their local or regional application and to the assessment of local risks. Parent companies should ensure that adequate tools and authorities are available to the subsidiary and that the subsidiary understands the reporting obligations it has to the head office. It is the responsibility of subsidiary boards to assess the compatibility of group policy with local legal and regulatory requirements and, where appropriate, amend those policies. Principle 5: 97.
    The bank's senior management is responsible for establishing a compliance policy that contains the basic principles to be approved by the board and explains the main processes by which compliance risks are to be identified and managed through all levels of the organisation. Principle 9: 133.
    Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.]
    Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish and maintain a positive information control environment. CC ID 00813
    [The board should provide oversight of senior management. It should hold members of senior management accountable for their actions and enumerate the possible consequences (including dismissal) if those actions are not aligned with the board's performance expectations. This includes adhering to the bank's values, risk appetite and risk culture, under all circumstances. In doing so, the board should: meet regularly with senior management; Principle 1: 46. Bullet 2
    Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. Principle 4: 93.
    {organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131.]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish and maintain an internal control framework. CC ID 00820
    [{risk management framework} Risks should be identified, monitored and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank's risk management and internal control infrastructure should keep pace with changes to the bank's risk profile, to the external risk landscape and in industry practice. Principle 7: ¶ 1]
    Establish/Maintain Documentation Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146
    [As part of the overall corporate governance framework, the board is responsible for overseeing a strong risk governance framework. An effective risk governance framework includes a strong risk culture, a well developed risk appetite articulated through the RAS, and well defined responsibilities for risk management in particular and control functions in general. Principle 1: 33.]
    Establish Roles Preventive
    Establish and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share relevant security information with Special Interest Groups, as necessary. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Review the internal control framework, as necessary. CC ID 01348
    [{internal control system}{risk management system} The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2
    Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.]
    Establish/Maintain Documentation Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741 Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or passwords. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Establish and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Review and update the operational control procedures, as necessary. CC ID 14278 Establish/Maintain Documentation Corrective
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974
    [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.]
    Records Management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish and maintain an Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Review and update the acceptable use policy, as necessary. CC ID 14276 Establish/Maintain Documentation Corrective
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish and maintain nondisclosure agreements. CC ID 04536 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Review nondisclosure agreements, as necessary. CC ID 12437 Human Resources Management Preventive
    Establish and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818
    [{risk management function}{compliance function}Consistent with the direction given by the board, senior management should implement business strategies, risk management systems, risk culture, processes and controls for managing the risks – both financial and non-financial – to which the bank is exposed and concerning which it is responsible for complying with laws, regulations and internal policies. This includes comprehensive and independent risk management, compliance and audit functions as well as an effective overall system of internal controls. Senior management should recognise and respect the independent duties of the risk management, compliance and internal audit functions and should not interfere in their exercise of such duties. Principle 4: 93. Bullet 1]
    Business Processes Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818
    [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4
    In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: Principle 1: 30.
    To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: Principle 3: 59.
    To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3
    In the case of a significant regulated subsidiary (due to its risk profile or systemic importance or due to its size relative to the parent company), the board of the significant subsidiary should take such further steps as are necessary to help the subsidiary meet its own corporate governance responsibilities and the legal and regulatory requirements that apply to it. Principle 5: 99.
    As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.]
    Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817
    [A risk committee should: discuss all risk strategies on both an aggregated basis and by type of risk and make recommendations to the board thereon, and on the risk appetite; Principle 3: 71. Bullet 6
    In order to fulfil its responsibilities, the board of the parent company should: maintain an effective relationship with both the home regulator and, through the subsidiary board or direct contact, with the regulators of all subsidiaries; Principle 5: 96. Bullet 8
    The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110.
    The board and senior management are primarily responsible for the governance of the bank, and supervisors should assess their performance in this regard. This section sets forth several principles that can assist supervisors in assessing corporate governance and foster good corporate governance in banks. Principle 13: 157.
    As part of their evaluation of the overall corporate governance in a bank, supervisors should also endeavour to assess the governance effectiveness of the board and senior management, especially with respect to the risk culture of the bank. An assessment of governance effectiveness aims to determine the extent to which the board and senior management demonstrate effective behaviours that contribute to good governance. This includes consideration of the behavioural dynamic of the board and senior management, such as how the "tone at the top" and the cultural values of the bank are communicated and put into practice, how information flows to and from the board and senior management, and how potential serious problems are identified and addressed throughout the organisation. The evaluation of governance effectiveness includes review of any board and management assessments, surveys and other information often used by banks in assessing their internal culture, as well as supervisory interviews, observations and qualitative judgments. In arriving at such judgments, supervisors need to be particularly mindful of consistency of treatment across the banks they supervise. Supervisory staff should have the necessary skills to evaluate these issues and arrive at the complex judgments involved in assessing governance effectiveness. Principle 13: 162.
    {define} The frequency of interactions with the above persons may vary according to the size, complexity, structure, economic significance and risk profile of the bank. On that basis, supervisors may, for example, meet with the full board of directors annually, but more frequently with the chairman or lead or senior independent director and with key committee chairs. For systemically important banks, interaction should occur more frequently, particularly with members of the board and members of senior management, and those responsible for the risk management, compliance and internal audit functions. Principle 13: 165.
    Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164.
    Supervisors should evaluate whether the bank has in place effective mechanisms through which the board and senior management execute their respective oversight responsibilities. Supervisors should evaluate whether the board and senior management have processes in place for the oversight of the bank's strategic objectives, including risk appetite, financial performance, capital adequacy, capital planning, liquidity, risk profile and risk culture, controls, compensation practices, and the selection and evaluation of management. Supervisors should focus particular attention on the oversight of the risk management, compliance and internal audit functions. This should include assessing the extent to which the board interacts with and meets with representatives of these functions. Supervisors should determine whether internal controls are being adequately assessed and contribute to sound governance throughout the bank. Principle 13: 160.]
    Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922
    [Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.]
    Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920
    [In order to promote a sound corporate culture, the board should reinforce the "tone at the top" by: setting and adhering to corporate values that create expectations that all business should be conducted in a legal and ethical manner, and overseeing the adherence to such values by senior management and other employees; Principle 1: 30. Bullet 1
    Accordingly, the board should: play a lead role in establishing the bank's corporate culture and values; Principle 1: 26. Bullet 3]
    Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384
    [{applicable requirements} An independent compliance function is a key component of the bank's second line of defence. This function is responsible for, among other things, ensuring that the bank operates with integrity and in compliance with applicable laws, regulations and internal policies. Principle 9: 132.]
    Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [Supervisors should establish guidance or rules, consistent with the principles set forth in this document, requiring banks to have robust corporate governance policies and practices. Such guidance is especially important where national laws, regulations, codes or listing requirements regarding corporate governance are not sufficiently robust to address the unique corporate governance needs of banks. Regulatory guidance should address, among other things, expectations for checks and balances and a clear allocation of responsibilities, accountability and transparency among the members of the board and senior management and within the bank. In addition to guidance or rules, where appropriate, supervisors should also share industry best practices regarding corporate governance with the banks they supervise. Principle 13: 158.]
    Behavior Preventive
    Review and update the Governance, Risk, and Compliance framework, as necessary. CC ID 00817
    [Accordingly, the board should: oversee implementation of the bank's governance framework and periodically review that it remains appropriate in the light of material changes to the bank's size, complexity, geographical footprint, business strategy, markets and regulatory requirements; Principle 1: 26. Bullet 4
    To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: either separately or as part of these assessments, periodically review the effectiveness of its own governance practices and procedures, determine where improvements may be needed, and make any necessary changes; and Principle 3: 59. Bullet 3
    Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.
    {internal control system}{risk management system}The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes; Principle 10: 141. Bullet 2
    The board and senior management contribute to the effectiveness of the internal audit function by requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: Principle 10: 141. Bullet 6
    {risk management function}requiring the function to perform a periodic assessment of the bank's overall risk governance framework, including but not limited to an assessment of: the effectiveness of the risk management and compliance functions; Principle 10: 141. Bullet 6 sub bullet 1
    Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1
    {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159.
    In reviewing corporate governance in the context of a group structure, supervisors should take into account the corporate governance responsibilities of both the parent company and subsidiaries, in accordance with Principle 5 of this document. Principle 13: 163.]
    Establish/Maintain Documentation Corrective
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties, as necessary. CC ID 06955
    [There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75.
    Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management, should require improvement and remedial action as necessary, and should share information on corporate governance with other supervisors. Principle 13: ¶ 1
    {have in place} Supervisors should have processes in place to fully evaluate a bank's corporate governance. Such evaluations may be conducted through regular reviews of written materials and reports, interviews with board members and bank personnel, examinations, self-assessments by the bank, and other types of on- and off-site monitoring. The evaluations should also include regular communication with a bank's board of directors, senior management, those responsible for the risk, compliance and internal audit functions, and external auditors. Principle 13: 159.
    Supervisors should interact regularly with boards of directors, individual board members, senior managers and those responsible for the risk management, compliance and internal audit functions. This should include scheduled meetings and ad hoc exchanges, through a variety of communication vehicles (eg e-mail, telephone, in-person meetings). The purpose of the interactions is to support timely and open dialogue between the bank and supervisors on a range of issues, including the bank's strategies, business model and risks, the effectiveness of corporate governance at the bank, the bank's culture, management issues and succession planning, compensation and incentives, and other supervisory findings or expectations that supervisors believe should be particularly important to board members. Supervisors should also provide insights to the bank on its operations relative to its peers, market developments and emerging systemic risks. Principle 13: 164.]
    Behavior Preventive
    Establish and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Establish/Maintain Documentation Preventive
    Implement the prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12791 Establish/Maintain Documentation Preventive
  • Privacy protection for information and data
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Limit data leakage. CC ID 00356 Data and Information Management Preventive
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875
    [The board should ensure that transactions with related parties (including internal group transactions) are reviewed to assess risk and are subject to appropriate restrictions (eg by requiring that such transactions be conducted on arm's length terms) and that corporate or business resources of the bank are not misappropriated or misapplied. Principle 1: 27.]
    Monitor and Evaluate Occurrences Corrective
  • Records management
    6
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Establish/Maintain Documentation Preventive
    Establish and maintain data input and data access authorization tracking. CC ID 00920 Monitor and Evaluate Occurrences Detective
    Validate transactions using identifiers and credentials. CC ID 13203
    [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Technical Security Preventive
  • Technical security
    23
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish and maintain an access classification scheme. CC ID 00509 Establish/Maintain Documentation Preventive
    Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510
    [Cooperation and appropriate information-sharing among relevant public authorities, including bank supervisors and conduct authorities, can significantly contribute to the effectiveness of these authorities in their respective roles. Such information-sharing is particularly important between home and host supervisors of cross-border banking entities. Cooperation can occur on a bilateral basis, in the form of a supervisory college or through periodic meetings among supervisors at which corporate governance matters should be discussed. Such communication can help supervisors improve their assessment of the overall governance of a bank and the risks it faces, particularly in a group context, and help other authorities assess the risks posed to the broader financial system. Information shared should be relevant for supervisory purposes and be provided within the constraints of confidentiality and other applicable laws. Special arrangements, such as a memorandum of understanding, may be warranted to govern the sharing of information among supervisors or between supervisors and other authorities. Principle 13: 168.]
    Establish/Maintain Documentation Preventive
    Include business security requirements in the access classification scheme. CC ID 00002 Establish/Maintain Documentation Preventive
    Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 Establish/Maintain Documentation Preventive
    Include third party access in the access classification scheme. CC ID 11786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system and information integrity policy. CC ID 14034 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system and information integrity procedures. CC ID 14051 Establish/Maintain Documentation Preventive
    Review and update the system and information integrity procedures, as necessary. CC ID 14144
    [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.]
    Establish/Maintain Documentation Corrective
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Secure the Domain Name System. CC ID 00540 Configuration Preventive
    Implement segregation of duties. CC ID 11843
    [The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.
    {be independent} While it is common for risk managers to work closely with individual business units, the risk management function should be sufficiently independent of the business units and should not be involved in revenue generation. Such independence is an essential component of an effective risk management function, as is having access to all business lines that have the potential to generate material risk to the bank as well as to relevant risk-bearing subsidiaries and affiliates. Principle 6: 106.]
    Technical Security Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Establish/Maintain Documentation Preventive
    Establish and maintain information flow procedures. CC ID 04542
    [{organizational silos} Banks should avoid organisational "silos" that can impede effective sharing of information across an organisation and can result in decisions being taken in isolation from the rest of the bank. Overcoming these information-sharing obstacles may require the board, senior management and control functions to re-evaluate established practices in order to encourage greater communication. Principle 8: 131.
    {applicable requirements} In general, the bank should apply the disclosure and transparency section of the OECD principles. Accordingly, disclosure should include, but not be limited to, material information on the bank's objectives, organisational and governance structures and policies (in particular, the content of any corporate governance or remuneration code or policy and the process by which it is implemented), major share ownership and voting rights, and related party transactions. Relevant banks should appropriately disclose their incentive and compensation policy following the FSB principles related to compensation. In particular, an annual report on compensation should be disclosed to the public. It should include: the decision-making process used to determine the bank-wide compensation policy; the most important design characteristics of the compensation system, including the criteria used for performance measurement and risk adjustment; and aggregate quantitative information on remuneration. Measures that reflect the longer-term performance of the bank should also be presented. Principle 12: 154.]
    Establish/Maintain Documentation Preventive
    Disclose non-privacy related restricted information after a court makes a determination the information is material to a court case. CC ID 06242 Data and Information Management Preventive
    Exchange non-privacy related restricted information with approved third parties if the information supports an approved activity. CC ID 06243 Data and Information Management Preventive
    Establish and maintain information exchange procedures. CC ID 11782
    [In order to fulfil its responsibilities, the board of the parent company should: assess whether there are effective systems in place to facilitate the exchange of information among the various entities, to manage the risks of the separate subsidiaries or group entities as well as of the group as a whole, and to ensure effective supervision of the group; Principle 5: 96. Bullet 6]
    Establish/Maintain Documentation Preventive
    Review and approve information exchange system connections. CC ID 07143 Technical Security Preventive
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Configuration Preventive
    Protect data from modification or loss while transmitting between separate parts of the system. CC ID 04554 Data and Information Management Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 Data and Information Management Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 Log Management Preventive
  • Third Party and supply chain oversight
    27
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform a risk assessment prior to engaging a third party. CC ID 06454
    [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134
    [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Process or Activity Detective
    Document that supply chain members investigate security events. CC ID 13348 Investigate Detective
    Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 Process or Activity Detective
    Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 Establish/Maintain Documentation Detective
    Disseminate and communicate third parties' external audit reports to affected parties, as necessary. CC ID 13139 Communicate Preventive
    Include the audit scope in the third party external audit report. CC ID 13138 Establish/Maintain Documentation Preventive
    Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 Establish/Maintain Documentation Detective
    Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 Establish/Maintain Documentation Detective
    Request attestation of compliance from third parties. CC ID 12067 Establish/Maintain Documentation Detective
    Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 Business Processes Detective
    Require individual attestations of compliance from each location a third party operates in. CC ID 12228 Business Processes Preventive
    Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 Business Processes Detective
    Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 Technical Security Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 Business Processes Preventive
    Establish and maintain outsourcing contracts. CC ID 13124 Establish/Maintain Documentation Preventive
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{risk management process} Banks should have risk management and approval processes for new or expanded products or services, lines of business and markets, as well as for large and complex transactions that require significant use of resources or have hard-to-quantify risks. Banks should also have review and approval processes for outsourcing bank functions. The risk management function should provide input on risks as part of such processes and on the outsourcer's ability to manage risks and comply with legal and regulatory obligations. Such processes should entail the following: Principle 7: 123. ¶ 1]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
191 Mandated Controls - bold    86 Implied Controls - italic    1157 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
1434 Total
  • Acquisition/Sale of Assets or Services
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861
    [{applicable requirements} In order to fulfil its responsibilities, the board of the parent company should: have sufficient resources to monitor the compliance of subsidiaries with all applicable legal, regulatory and governance requirements; Principle 5: 96. Bullet 7
    {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Operational management Preventive
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition or sale of facilities, technology, and services Preventive
    Conduct an acquisition feasibility study prior to acquiring Information Technology assets. CC ID 01129 Acquisition or sale of facilities, technology, and services Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition or sale of facilities, technology, and services Preventive
    Correct defective acquired goods or services. CC ID 06911 Acquisition or sale of facilities, technology, and services Corrective
  • Actionable Reports or Measurements
    36
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Leadership and high level objectives Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [To support its own performance, the board should carry out regular assessments – alone or with the assistance of external experts – of the board as a whole, its committees and individual board members. The board should: use the results of these assessments as part of the ongoing improvement efforts of the board and, where required by the supervisor, share results with the supervisor. Principle 3: 59. Bullet 4]
    Leadership and high level objectives Preventive
    Include a Statement on the Level of Compliance in the tactical Information Technology plan. CC ID 06842 Audits and risk management Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Audits and risk management Preventive
    Include the date of the audit in the audit report. CC ID 07024 Audits and risk management Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Audits and risk management Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Audits and risk management Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Audits and risk management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Audits and risk management Preventive
    Disclose any audit irregularities in the audit report. CC ID 06995 Audits and risk management Preventive
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Audits and risk management Detective
    Report on the percentage of key Information Technology assets for which an assurance strategy is implemented. CC ID 01657 Monitoring and measurement Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Monitoring and measurement Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Monitoring and measurement Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Monitoring and measurement Detective
    Report on the policies and controls that have been implemented by management. CC ID 01670
    [{be transparent} The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants. Principle 12: ¶ 1]
    Monitoring and measurement Detective
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Monitoring and measurement Detective
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Monitoring and measurement Detective
    Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 Monitoring and measurement Detective
    Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 Monitoring and measurement Detective
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Monitoring and measurement Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Monitoring and measurement Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Monitoring and measurement Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Monitoring and measurement Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Monitoring and measurement Detective
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Monitoring and measurement Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Monitoring and measurement Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Monitoring and measurement Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Monitoring and measurement Detective
    Report on the percentage of audit findings that have been resolved. CC ID 01678 Monitoring and measurement Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Monitoring and measurement Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The bank's corporate values should recognise the critical importance of timely and frank discussion and escalation of problems to higher levels within the organisation. Principle 1: 32.
    The second line of defence also includes an independent and effective compliance function. The compliance function should, among other things, routinely monitor compliance with laws, corporate governance rules, regulations, codes and policies to which the bank is subject. The board should approve compliance policies that are communicated to all staff. The compliance function should assess the extent to which policies are observed and report to senior management and, as appropriate, to the board on how the bank is managing its compliance risk. The function should also have sufficient authority, stature, independence, resources and access to the board. Principle 1: 42.
    Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3
    {legal concern} Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: legal or regulatory concerns; and Principle 4: 94. Bullet 5
    The compliance function should advise the board and senior management on the bank's compliance with applicable laws, rules and standards and keep them informed of developments in the area. It should also help educate staff about compliance issues, act as a contact point within the bank for compliance queries from staff members, and provide guidance to staff on the appropriate implementation of applicable laws, rules and standards in the form of policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines. Principle 9: 135.
    The compliance function is independent from management to avoid undue influence or obstacles as that function performs its duties. The compliance function should directly report to the board, as appropriate, on the bank's efforts in the above areas and on how the bank is managing its compliance risk. Principle 9: 136.]
    Monitoring and measurement Corrective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
  • Audits and Risk Management
    76
    Manage supply chain audits. CC ID 01203 Audits and risk management Preventive
    Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 Audits and risk management Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [The third line of defence consists of an independent and effective internal audit function. Among other things, it provides independent review and objective assurance on the quality and effectiveness of the bank's internal control system, the first and second lines of defence and the risk governance framework including links to organisational culture, as well as strategic and business planning, compensation and decision-making processes. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions (see Principle 9). Principle 1: 43.
    The board and senior management contribute to the effectiveness of the internal audit function by requiring that audit staff collectively have or can access knowledge, skills and resources commensurate with the business activities and risks of the bank; Principle 10: 141. Bullet 4
    The internal audit function should have a clear mandate, be accountable to the board and be independent of the audited activities. It should have sufficient standing, skills, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively. Principle 10: 139.]
    Audits and risk management Preventive
    Review the external audit scope, as necessary. CC ID 01202 Audits and risk management Preventive
    Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 Audits and risk management Detective
    Review the external auditor's qualifications. CC ID 01197 Audits and risk management Preventive
    Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 Audits and risk management Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and risk management Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and risk management Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and risk management Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and risk management Detective
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and risk management Preventive
    Audit in scope audit items and compliance documents as defined in the audit scope. CC ID 06730
    [ensuring that the activities and structure are subject to regular internal and external audit reviews. Principle 5: 102. Bullet 5]
    Audits and risk management Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and risk management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and risk management Detective
    Audit policies, standards, and procedures. CC ID 12927 Audits and risk management Preventive
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and risk management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and risk management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and risk management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and risk management Detective
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and risk management Detective
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and risk management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and risk management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and risk management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and risk management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and risk management Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and risk management Detective
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966
    [The board and senior management contribute to the effectiveness of the internal audit function by providing the function with full and unconditional access to any records, file data and physical properties of the bank, including access to management information systems and records and the minutes of all consultative and decision-making bodies; Principle 10: 141. Bullet 1]
    Audits and risk management Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and risk management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and risk management Preventive
    Include the organization's description of the in scope system in the audit report. CC ID 11626 Audits and risk management Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and risk management Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and risk management Preventive
    Review management's response to issues raised in past audit reports. CC ID 01149
    [{is responsible} The audit committee is, in particular, responsible for: receiving key audit reports and ensuring that senior management is taking necessary corrective actions in a timely manner to address control weaknesses, non-compliance with policies, laws and regulations, and other problems identified by auditors and other control functions; Principle 3: 69. Bullet 6]
    Audits and risk management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and risk management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and risk management Preventive
    Review the risk assessment framework. CC ID 12813 Audits and risk management Detective
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and risk management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925 Audits and risk management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and risk management Detective
    Address past security incidents in the risk assessment program. CC ID 12743 Audits and risk management Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and risk management Preventive
    Review and update the data protection impact assessment, as necessary. CC ID 12665 Audits and risk management Preventive
    Establish and maintain risk profiling procedures for internal risk assessments. CC ID 01157 Audits and risk management Preventive
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Include the risks to the organization's critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 Audits and risk management Preventive
    Conduct a Business Impact Analysis based on the risk assessment findings in the risk assessment report. CC ID 01147
    [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.
    If adequate risk management processes are not in place, a new product, service, business line or third-party relationship or major transaction should be delayed until the bank is able to appropriately address the activity. There should also be a process to assess risk and performance relative to initial projections and to adapt the risk management treatment accordingly as the business matures. Principle 7: 123. ¶ 2]
    Audits and risk management Detective
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [{be independent} The second line of defence includes an independent risk management function. The risk management function complements the business line's risk activities through its monitoring and reporting responsibilities. Among other things, it is responsible for overseeing the bank's risk-taking activities and assessing risks and issues independently from the business line. The function should promote the importance of senior management and business line managers in identifying and assessing risks critically rather than relying only on surveillance conducted by the risk management function. Among other things, the finance function plays a critical role in ensuring that business performance and profit and loss results are accurately captured and reported to the board, management and business lines that will use such information as a key input to risk and business decisions. Principle 1: 41.
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: identifying material individual, aggregate and emerging risks; Principle 6: 105. Bullet 1
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: assessing these risks and measuring the bank's exposure to them; Principle 6: 105. Bullet 2
    Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.
    {risk measurement}{quantitative consideration}{qualitative consideration} Risk identification and measurement should include both quantitative and qualitative elements. Risk measurements should also include qualitative, bank-wide views of risk relative to the bank's external operating environment. Banks should also consider and evaluate harder-to-quantify risks, such as reputation risk. Principle 7: 114.
    {risk measurement}{are necessary} Effective risk identification and measurement approaches are likewise necessary in subsidiary banks and affiliates. Material risk-bearing affiliates and subsidiaries should be captured by the bankwide risk management system and should be a part of the overall risk governance framework. Principle 7: 124.
    {risk management function}{compliance function} The board should ensure that the risk management, compliance and internal audit functions are properly positioned, staffed and resourced and carry out their responsibilities independently, objectively and effectively. In the board's oversight of the risk governance framework, the board should regularly review key policies and controls with senior management and with the heads of the risk management, compliance and internal audit functions to identify and address significant risks and issues as well as determine areas that need improvement. Principle 1: 44.]
    Audits and risk management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703
    [The bank's RAS should establish the individual and aggregate level and types of risk that the bank is willing to assume in advance of and in order to achieve its business activities within its risk capacity; Principle 1: 36. Bullet 2
    {be comprehensive}{be accurate} Risk reporting systems should be dynamic, comprehensive and accurate, and should draw on a range of underlying assumptions. Risk monitoring and reporting should not only occur at the disaggregated level (including material risk residing in subsidiaries) but should also be aggregated to allow for a bank-wide or integrated perspective of risk exposures. Risk reporting systems should be clear about any deficiencies or limitations in risk estimates, as well as any significant embedded assumptions (eg regarding risk dependencies or correlations). Principle 8: 130.]
    Audits and risk management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482
    [Risk identification should encompass all material risks to the bank, on- and off-balance sheet and on a group-wide, portfolio-wise and business-line level. In order to perform effective risk assessments, the board and senior management, including the CRO, should, regularly and on an ad hoc basis, evaluate the risks faced by the bank and its overall risk profile. The risk assessment process should include ongoing analysis of existing risks as well as the identification of new or emerging risks. Risks should be captured from all organisational units. Concentrations associated with material risks should likewise be factored into the risk assessment. Principle 7: 113.]
    Audits and risk management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [The bank's RAS should define the boundaries and business considerations in accordance with which the bank is expected to operate when pursuing the business strategy; and Principle 1: 36. Bullet 3]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464 Audits and risk management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and risk management Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and risk management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and risk management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and risk management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.]
    Audits and risk management Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and risk management Detective
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and risk management Preventive
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822
    [{be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.]
    Audits and risk management Preventive
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and risk management Preventive
    Identify the planned actions and controls that address high risk. CC ID 12835 Audits and risk management Preventive
    Identify the current actions and controls that address high risk. CC ID 12834 Audits and risk management Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and risk management Preventive
    Verify segmentation controls are operational and effective. CC ID 12545 Monitoring and measurement Detective
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Monitoring and measurement Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Operational management Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Leadership and high level objectives Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Leadership and high level objectives Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915
    [In discharging these responsibilities, the board should take into account the legitimate interests of depositors, shareholders and other relevant stakeholders. It should also ensure that the bank maintains an effective relationship with its supervisors. Principle 1: 28.
    {are relevant} board members should have a range of knowledge and experience in relevant areas and have varied backgrounds to promote diversity of views. Relevant areas of competence may include, but are not limited to capital markets, financial analysis, financial stability issues, financial reporting, information technology, strategic planning, risk management, compensation, regulation, corporate governance and management skills; Principle 2: 49. Bullet 1
    Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgment about the affairs of the bank. Principle 2: ¶ 1]
    Leadership and high level objectives Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Leadership and high level objectives Preventive
    Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 Audits and risk management Preventive
    Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 Audits and risk management Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119
    [The board and senior management contribute to the effectiveness of the internal audit function by requiring internal auditors to adhere to national and international professional standards, such as those established by the Institute of Internal Auditors; Principle 10: 141. Bullet 3]
    Audits and risk management Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Audits and risk management Preventive
    Explain the goals of the interview to the auditee. CC ID 07189 Audits and risk management Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Audits and risk management Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Audits and risk management Preventive
    Use the risk taxonomy when managing risk. CC ID 12280
    [{business environment}{risk environment} The degree of sophistication of the bank's risk management infrastructure – including, in particular, a sufficiently robust data infrastructure, data architecture and information technology infrastructure – should keep pace with developments such as balance sheet and revenue growth; increasing complexity of the bank's business, risk configuration or operating structure; geographical expansion; mergers and acquisitions; or the introduction of new products or business lines. Principle 7: 117.]
    Audits and risk management Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4
    An effective risk governance framework requires robust communication within the bank about risk, both across the organisation and through reporting to the board and senior management. Principle 8: ¶ 1
    The risk committee of the board is responsible for advising the board on the bank's overall current and future risk appetite, overseeing senior management's implementation of the RAS, reporting on the state of risk culture in the bank, and interacting with and overseeing the CRO. Principle 3: 72.
    There should be effective communication and coordination between the audit committee and the risk committee to facilitate the exchange of information and effective coverage of all risks, including emerging risks, and any needed adjustments to the risk governance framework of the bank. Principle 3: 75.
    Senior management should provide the board with the information it needs to carry out its responsibilities, supervise senior management and assess the quality of senior management's performance. In this regard, senior management should keep the board regularly and adequately informed of material matters, including: breaches of risk limits or compliance rules; Principle 4: 94. Bullet 3
    The independent risk management function is a key component of the bank's second line of defence. This function is responsible for overseeing risk-taking activities across the enterprise and should have authority within the organisation to do so. Key activities of the risk management function should include: reporting to senior management and the board or risk committee on all these items, including but not limited to proposing appropriate risk-mitigating actions. Principle 6: 105. Bullet 7
    In operating within a group structure, the board of the parent company should be aware of the material risks and issues that might affect both the bank as a whole and its subsidiaries. It should exercise adequate oversight over subsidiaries while respecting the independent legal and governance responsibilities that might apply to subsidiary boards. Principle 5: 95.
    The CRO should have the organisational stature, authority and necessary skills to oversee the bank's risk management activities. The CRO should be independent and have duties distinct from other executive functions. This requires the CRO to have access to any information necessary to perform his or her duties. The CRO, however, should not have management or financial responsibility related to any operational business lines or revenue-generating functions, and there should be no "dual hatting" (ie the chief operating officer, CFO, chief auditor or other senior manager should in principle not also serve as the CRO). While formal reporting lines may vary across banks, the CRO should report and have direct access to the board or its risk committee without impediment. The CRO should have the ability to interpret and articulate risk in a clear and understandable manner and to effectively engage the board and management in constructive dialogue on key risk issues. Interaction between the CRO and the board and/or risk committee should occur regularly, and the CRO should have the ability to meet with the board or risk committee without executive directors being present. Principle 6: 110.
    {specific risk modelling}{risk monitoring} Risk measurement and modelling techniques should be used in addition to, but should not replace, qualitative risk analysis and monitoring. The risk management function should keep the board and senior management apprised of the assumptions used in and potential shortcomings of the bank's risk models and analyses. This would ensure better understanding of risks and exposures and may allow quicker action to address and mitigate risks. Principle 7: 119.
    Mergers and acquisitions, divestitures and other changes to a bank's organisational structure can pose special risk management challenges to the bank. In particular, risks can arise from conducting due diligence that fails to identify post-merger risks or activities conflicting with the bank's strategic objectives or risk appetite. The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and inform the board and senior management of its findings. Principle 7: 125.
    Ongoing communication about risk issues, including the bank's risk strategy, throughout the bank is a key tenet of a strong risk culture. A strong risk culture should promote risk awareness and encourage open communication and challenge about risk-taking across the organisation as well as vertically to and from the board and senior management. Senior management should actively communicate and consult with the control functions on management's major plans and activities so that the control functions can effectively discharge their responsibilities. Principle 8: 126.
    {risk information}{interested personnel}{appropriate authority} Material risk-related ad hoc information that requires immediate decisions or reactions should be promptly presented to senior management and, as appropriate, the board, the responsible officers and, where applicable, the heads of control functions so that suitable measures and activities can be initiated at an early stage. Principle 8: 128.
    {be timely}{be accurate}{be clear}{be concise} Information should be communicated to the board and senior management in a timely, accurate and understandable manner so that they are equipped to take informed decisions. While ensuring that the board and senior management are sufficiently informed, management and those responsible for the risk management function should avoid voluminous information that can make it difficult to identify key issues. Rather, information should be prioritised and presented in a concise, fully contextualised manner. The board should assess the relevance and the process for maintaining the accuracy of the information it receives and determine if additional or less information is needed. Principle 8: 127.
    Risk reporting to the board requires careful design in order to convey bank-wide, individual portfolio and other risks in a concise and meaningful manner. Reporting should accurately communicate risk exposures and results of stress tests or scenario analyses and should provoke a robust discussion of, for example, the bank's current and prospective exposures (particularly under stressed scenarios), risk/return relationships and risk appetite and limits. Reporting should also include information about the external environment to identify market conditions and trends that may have an impact on the bank's current or future risk profile. Principle 8: 129.
    {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.]
    Audits and risk management Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849
    [{strategic plan}{capital plan} The board should take an active role in defining the risk appetite and ensuring its alignment with the bank's strategic, capital and financial plans and compensation practices. The bank's risk appetite should be clearly conveyed through an RAS that can be easily understood by all relevant parties: the board itself, senior management, bank employees and the supervisor. Principle 1: 35.
    The bank's RAS should communicate the board's risk appetite effectively throughout the bank, linking it to daily operational decision-making and establishing the means to raise risk issues and strategic concerns across the bank. Principle 1: 36. Bullet 4
    {is appropriate} In a group structure, the board of the parent company has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business and risks of the group and its entities. The board and senior management should know and understand the bank group's organisational structure and the risks that it poses. Principle 5: ¶ 1
    {refrain from violating} The bank should also disclose key points concerning its risk exposures and risk management strategies without breaching necessary confidentiality. When involved in material and complex or non-transparent activities, the bank should disclose adequate information on their purpose, strategies, structures, and related risks and controls. Principle 12: 155.]
    Audits and risk management Preventive
    Establish, implement, and maintain a testing program. CC ID 00654
    [As part of its quantitative and qualitative analysis, the bank should utilise stress tests and scenario analyses to better understand potential risk exposures under a variety of adverse circumstances: Principle 7: 120.]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675
    [Supervisors should have a range of tools at their disposal to address governance improvement needs and governance failures. They should be able to require steps towards improvement and remedial action, and ensure accountability for the corporate governance of a bank. These tools may include the ability to compel changes in the bank's policies and practices, the composition of the board of directors or senior management, or other corrective actions. They should also include, where necessary, the authority to impose sanctions or other punitive measures. The choice of tool and the time frame for any remedial action should be proportionate to the level of risk the deficiency poses to the safety and soundness of the bank or the relevant financial system(s). Principle 13: 166.]
    Monitoring and measurement Corrective
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Train all new hires, as necessary. CC ID 06673 Human Resources management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677
    [Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The bank should also discuss the reasons for such removal with its supervisor. The CRO's performance, compensation and budget should be reviewed and approved by the risk committee or the board. Principle 6: 111.
    Appointment, dismissal and other changes to the CRO position should be approved by the board or its risk committee. If the CRO is removed from his or her position, this should be disclosed publicly. The