3.2.4 Risk Reporting/Monitoring, and Profiling
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
IT risks should be treated according to the defined treatment plans and should be effectively reviewed, monitored and reported.
Control Requirements
1. IT risk assessment results should be formally documented and reported to the relevant business owners and senior management.
2. IT risk assessment results should include the identified risks, their impact and likelihood, the mitigations in place and the remediation status of each.
3. IT risks should be monitored, including but not limited to:
   a. tracking progress against the risk treatment plan; and
   b. verifying that the selected and agreed IT controls are being implemented.
4. The design and operating effectiveness of revised or newly implemented IT controls should be monitored and reviewed periodically.
5. The relevant business owners should accept the IT risk assessment results.
6. IT risk assessment results should be endorsed by the risk committee.
7. IT key risk indicators (KRIs) should be defined, implemented and monitored.
8. The IT risk profile and related data should be provided as input to the operational risk department to formulate an organization-level risk profile.
9. The IT risk profile should be formulated and presented to senior management, the IT Steering Committee and the board of directors on a periodic basis.