Uniform Rating System for Information Technology

The Agencies use the Uniform Rating System for Information Technology (URSIT) to uniformly assess and rate IT-related risks of financial institutions and their TSPs. The primary purpose of this rating system is to evaluate the examined institution's overall risk exposure and risk management performance and determine the degree of supervisory attention necessary to ensure that weaknesses are addressed and risks are properly managed. The assigned rating determines the degree of supervisory attention necessary.

The URSIT is based on a risk evaluation of four critical components: Audit, Management, Development and Acquisition, and Support and Delivery. The ratings assigned to these individual components are used to quantify the overall effectiveness of the institution's IT risk management practices and condition. Examiners evaluate the functions identified within each component to assess the institution's ability to identify, measure, monitor, and control IT risks. The overall performance of IT within a financial institution or TSP is reflected by a composite rating. Please refer to Appendix A for additional information on composite and component URSIT ratings.


Previous Section
Risk-Based-Examination Priority Ranking
Next Section
Frequency of Examinations