3.1.5 Roles and Responsibilities
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force |
Principle
IT roles and responsibilities should be defined and all parties involved in the Member Organization's IT processes should have an adequate level of understanding of the expectations related to their role.
Control Requirements
| 1. | The board should be accountable for: | |||
| a. | the ultimate responsibility for the establishment of IT governance practice; | |||
| b. | ensuring that robust IT risk management framework is established and maintained to manage IT risks; | |||
| c. | ensuring that sufficient budget for IT is allocated; | |||
| d. | approving the IT steering committee (ITSC) charter; and | |||
| e. | endorsing (after being approved by the ITSC): | |||
| 1. | the governance and management practices roles and responsibilities; | |||
| 2. | the IT strategy; and | |||
| 3. | the IT policy. | |||
| 2. | ITSC, at a minimum, should be responsible for: | |||
| a. | monitoring, reviewing and communicating the Member Organization's IT risks periodically; | |||
| b. | approving, communicating, supporting and monitoring: | |||
| 1. | IT strategy; | |||
| 2. | IT policies; | |||
| 3. | IT risk management processes; and | |||
| 4. | key performance indicators (KPIs) and key risk indicators (KRIs) for IT. | |||
| 3. | The CIO, at minimum, should be accountable for: | |||
| a. | developing, implementing and maintaining: | |||
| 1. | IT strategy; | |||
| 2. | IT policy; and | |||
| 3. | IT budget. | |||
| b. | ensuring that detailed IT standards and procedures are established, approved and implemented; | |||
| c. | delivering risk-based IT solutions that address people, process and technology; | |||
| d. | defining and maintaining specific key performance indicators (KPIs) and key risk indicators (KRIs) for IT process; | |||
| e. | periodically inform ITSC on the latest developments on IT strategic initiatives and its implementation status; | |||
| f. | implementing adequate technology to streamline all internal operations and help optimize their strategic benefits; | |||
| g. | the IT activities across the Member Organization, including: | |||
| 1. | monitoring of the IT operation; | |||
| 2. | monitoring of compliance with IT regulations, policies, standards and procedures; and | |||
| 3. | overseeing the investigation of IT related incidents. | |||
| h. | analyzing IT costs, value and risks to advise COO/Managing director; and | |||
| i. | defining IT training plan in coordination with HR. | |||
| 4. | The internal audit function should be responsible for: | |||
| a. | the identification of comprehensive set of auditable areas for IT risk and performance of effective IT risk assessment during audit planning; and | |||
| b. | performing IT audits. | |||
| 5. | The enterprise application architect, at minimum should be responsible for: | |||
| a. | developing of IT ecosystem application architecture models, processes and documentation; | |||
| b. | developing enterprise level application and custom integration solutions including major enhancements and interfaces, functions and features; and | |||
| c. | ensuring continuous improvement to transition between current and future states of the application architectures. | |||
| 6. | All Member Organization's staff should be responsible for complying with applicable IT policy, standards and procedures. | |||