Technology risk pertains to the potential hazards arising from the utilization of information technology
(IT). These risks stem from failures or breaches in IT systems, applications, platforms or infrastructure, which can lead to financial losses or disruptions in financial services or operations. In addressing these concerns and more, the central bank of Malaysia recently issued a new policy document titled ‘Risk Management in Technology’. The policy highlighted, among other things, the roles and responsibility of the board of directors and senior management of an Islamic bank and an Islamic digital bank in managing the technological risks and their potential impact.
Roles and responsibility in managing technology risk
The board is responsible for setting and endorsing the desired level of risk regarding technology, making sure it is tolerable. As part of this process, the board needs to approve the specific thresholds for technology-related incidents and establish appropriate measures such as key performance indicators and forward-looking risk indicators. The board should appoint a board-level committee to assist in overseeing technology-related issues. The board audit committee is accountable for ensuring the efficiency of the internal technology audit function.
Senior management of an Islamic financial institution must convert the board-approved Technology
Risk Management Framework and Cybersecurity Risk Framework into policies and procedures that align
with the approved risk appetite and risk tolerance. Senior management is responsible for ensuring that
sufficient resources are allocated to maintain strong technology systems and a workforce with the necessary skills and expertise to effectively manage technology risk. In addition, management ought to create an enterprise architecture framework that offers a comprehensive perspective of technology across the entire Islamic financial institution.
To ensure proper risk management, management should establish policies and practices that address the essential stages of the system development life cycle. These stages include system design, development, testing, deployment, change management, maintenance and decommissioning. Management should also develop a strong and resilient cryptography policy to encourage the use of robust cryptographic measures for safeguarding critical data and information. Management is required to define the goals of resilience and availability for its data centers in alignment with its business requirements. To embolden the technology risk management process, management must create a dependable, adaptable and secure enterprise network capable of supporting its business operations, including future expansion strategies. Some of the critical risk management steps that must to be taken include the following:
- Both board and senior management of an Islamic financial institution must demonstrate efficient
supervision and manage the risks associated with engaging third-party service providers for critical
technology functions and systems.
- Before adopting cloud services, an Islamic financial institution must perform a thorough risk assessment that takes into account the fundamental architecture of cloud services, which involves the sharing of resources and services among multiple tenants over the internet.
- An Islamic financial institution must establish a suitable access controls policy that governs the identification, authentication and authorization of users, including both internal users and external users such as third-party service providers.
The new policy document has established a comprehensive technology risk management framework for Islamic banks and Islamic digital banks. Due to the complex risks embedded in technology, the board of directors and senior management have to deploy both existing and new governance
instruments to mitigate potential risks. However, the policy did not touch on the risks of blockchain, smart contracts, artificial intelligence and decentralized finance as they may be covered in future
Prof Dr Younes Soualhi is a senior researcher at ISRA RMC (INCEIF University). He can be contacted at [email protected]
*This article first appeared in Islamic Finance News (IFN) on 21st June 2023 https://www.islamicfinancenews.com/malaysia-issues-risk-management-in-technology-policy-document.html