I.B.1 IT Risk Management Structure
The institution should have an adequate ITRM structure.
Depending on the size and complexity of the financial institution,
this structure can take different forms. In a large or complex
institution, the ITRM function may be an independent business
unit. Some agencies have guidance on
ITRM for larger, more complex financial institutions. In a
small or less complex institution, ITRM may be integrated with
functional areas, such as information security, business continuity
planning, third-party management, and regulatory compliance.
Internal audit, specifically IT audit, can provide independent
assurance on the effectiveness of risk management, but should not
be responsible for its implementation. Regardless of the structure
used, management should ensure that lines of authority are
established for enforcing and monitoring controls.