The "Management" booklet is one of 11 booklets that make up the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook). The "Management" booklet rescinds and replaces the June 2004 version. This booklet provides guidance to examiners and outlines the principles of overall governance and, more specifically, IT governance. Additionally, this booklet explains how risk management is a component of governance and how IT risk management (ITRM) is a component of risk management. This booklet describes the interaction of these components. The examination procedures in this booklet assist examiners in evaluating the following:
- IT governance as part of overall governance in financial institutions.
- Processes for ITRM as part of risk management in financial institutions.

The term "financial institution" includes national banks, federal savings associations, state savings associations, state member banks, state nonmember banks, and credit unions, as well as technology service providers that provide services to such entities. The term is used interchangeably with "institution" in this booklet. This booklet may refer to technology service providers specifically in cases where the agencies do not mean to include financial institutions.
IT supports most aspects of a financial institution's business; therefore, effective ITRM is not limited to technology. The IT department typically manages back-office operations, network administration, and systems development and acquisition, and it is also involved in business continuity and resilience and in third-party management. IT management provides expertise in choosing and operating technology solutions for an institution's lines of business (e.g., commercial credit and asset management) or for enterprise-wide activities (e.g., security and business continuity planning).
IT management is critical to the performance and success of a financial institution. ITRM involves more than containing costs and controlling operational risks, and it does not work in isolation. A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success. Financial institutions face many challenges in today's marketplace, including cybersecurity threats, which increase the need for effective IT management and ITRM.
An institution's IT systems may connect with affiliates, customers, internal lines of business, third parties (e.g., third-party providers), and the public. Third-party providers, also called third-party service providers, include technology service providers or other third parties that perform critical business activities for or on behalf of an institution. IT creates interdependencies among infrastructure, applications, and Web content. These interdependencies affect the decision-making process necessary to support existing products and services and provide for the delivery of new products and services. Timely, accurate, and secure information is critical to meeting business requirements throughout the institution. Technology evolves rapidly, requiring enhancements to existing systems and prompting new investment in infrastructure, systems, and applications. New technology requires expertise, which creates competition for the necessary talent, knowledge, and skill sets. ITRM includes addressing new sources of risk that arise with new or evolving technology.