Use of Composite Ratings
Each TSP examined for IT is assigned a summary or composite rating based on the overall results of the evaluation. The IT composite rating and each component rating are based on a scale of 1 through 5 in ascending order of supervisory concern, with 1 representing the highest rating and least degree of concern, and 5 representing the lowest rating and highest degree of concern.
The first step in developing an IT composite rating for an organization is the assignment of a performance rating to the individual Audit, Management, Development and Acquisition, and Support and Delivery (AMDS) components. The evaluation of each of these components, their interrelationships, and relative importance is the basis for the composite rating. A direct relationship exists between the composite rating and the individual AMDS component performance ratings. However, the composite rating is not an arithmetic average of the individual components. An arithmetic approach does not reflect the actual condition of IT when using a risk-focused approach. A poor rating in one component may heavily influence the overall composite rating for an institution.
A principal purpose of the composite rating is to identify those financial institutions and TSPs that pose an inordinate amount of information technology risk and merit special supervisory attention. Thus, individual risk exposures that more explicitly affect the viability of the organization or its customers should be given more weight in the composite rating.
The AIC of the TSP examination should notify other FFIEC Agencies' supervisory offices prior to issuing URSIT composite ratings of 3, 4, or 5 or engaging in informal or formal enforcement actions.
Use of Component Ratings