Language EN | DE

Partners in Risk & Capital Management

ICT Risk Management

Risk Associated with the Use or Provision of Information and Communication Technology (ICT) Services

The emergence of (new) cyber risks together with the increased potential for cybercrime and cyber terrorism as well as the increasing reliance on outsourced ICT services have caused the regulator to put a special focus on the assessment of institution’s ICT risks. ICT risk as part of operational risk may pose significant prudential impact and even threaten the viability of an institution and must therefore be assessed in a meticulous manner.

The “Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)” published by the European Banking Authority (EBA) as well as guidelines published by various national authorities dedicated to ICT highlight the importance of ICT risk.

As ICT risk contribute to the assessment of operational risk, financial institutions are tasked with implementing efficient processes which account for the complexity of ICT risk and at the same time can be integrated into existing processes for the overall assessment of operational risk to meet supervisory requirements.

Our Approach

We combine decades of experience in the management of operational risk with expertise in IT processes as well as a profound project experience in the field of information security. We support our clients through every stage from design and development through to the implementation and optimisation of the ICT risk management framework:

  • Implementation of comprehensive ICT risk management processes utilizing information from first line ICT processes
  • Comprehensive enterprise-wide identification of ICT risk on the basis of a risk inventory/map
  • Implementation of processes to foster continuous improvement of ICT services
  • Selection, analysis and implementation of appropriate risk indicators
  • Creation of and support within self-assessment/scenario analyses
  • Designing recipient-oriented management reports
  • Development of an integrated risk management approach to encompass different areas (ICT risk, OpRisk, Business Continuity Management (BCM))

Our Experience

  • Design, development and implementation of comprehensive ICT risk frameworks for various German banks
  • Design, development and implementation of information security protection requirement analysis for various German banks
  • Design, development and implementation of comprehensive Information Security Management System (ISMS) for various German banks.
  • Design and application of an Integrated Risk Management system for various institutions in Germany (method integration of ICT risk, OpRisk, BCM and Compliance)
  • Merging of an internal control system (ICS) with OpRisk for a private bank
  • Implementation of an ICS for the IT department of a German financial service provider
  • Several ICT risk and OpRisk gap analyses for status quo Identification at German banks