Risk Monitoring and Reporting
Management should monitor IT operations risks and the effectiveness of established controls. Institutions should use performance monitoring to provide an assessment of IT operations efficiency relative to controls. Management should use self-assessments to validate the adequacy and effectiveness of the control environment. Thorough self-assessments lead to early identification of emerging or changing risks. Internal audits are also beneficial for validating controls. Management should ensure they receive timely, accurate, and complete risk monitoring and assessment reports.
Regular risk monitoring provides management and the board with assurance that established controls are functioning properly. Comprehensive MIS reports are important tools for validating that IT operations are performing within established parameters. Examples of MIS include reports on hardware and telecommunications capacity utilization, system availability, user access, system response times, on-time processing, and transaction processing accuracy. Periodic control self-assessments allow management to gauge performance, as well as the criticality of systems and emerging risks. Control self-assessments, however, do not eliminate the need for internal and external audits. Audits provide independent assessments conducted by qualified individuals regarding the effective functioning of operational controls. For additional detailed information on the IT audit function, refer to the IT Handbook's "Audit Booklet."
Management should regularly monitor technology systems, whether centralized or decentralized at business lines, support functions, affiliates, or business partners, to ensure resources are operating properly, used efficiently, and achieving the desired results predictably. Effective monitoring and reporting help identify insufficient resources, inefficient use of resources, and substandard performance that detract from customer service and product delivery. Monitoring and reporting also support proactive systems management that can help the institution position itself to meet its current needs and plan for periods of growth, mergers, or expansion of product lines.
Management should conduct performance monitoring for outsourced technology solutions as a part of a comprehensive vendor management program. Reports from service providers should include performance metrics and identify the root causes of problems. Where service providers are subject to SLAs, management should ensure the provider complies with identified action plans, remuneration, or performance penalties. Vendor performance results should be considered in combination with internal performance as a part of sound capacity planning.