Ffiec it examination guide infobase – risk monitoring and reporting


Regular risk monitoring provides management and also the board withassurance that established controls are functioning correctly.Comprehensive MIS reports are essential tools for validating thatIT operations are accomplishing within established parameters.Types of MIS include reports on hardware and telecommunicationscapacity utilization, system availability, user access, systemresponse occasions, promptly processing, and transaction processingprecision. Periodic control self-assessments allow management togauge performance, along with the criticality of systems andemerging risks. Control self-assessments, however, don’t eliminatethe requirement for internal and exterior audits. Audits provideindependent assessments conducted by qualified individualsconcerning the effective functioning of operational controls. Foradditional more information around the IT audit function, make reference tothe IT Handbook’s "Audit Guide."

Management should regularly monitor technology systems-whethercentralized or decentralized at business lines, support functions,affiliates, or partners-to make sure sources are operatingcorrectly, used efficiently, and having the preferred resultspredictably. Effective monitoring and reporting help identifyinadequate sources, inefficient utilization of sources, andsubstandard performance that diminish customer support andproduct delivery. Monitoring and reporting also support positivesystems management that will help the institution position itself tomeet its current needs and arrange for periods of growth, mergers, orgrowth of products.

Management should conduct performance monitoring for outsourcedtechnology solutions as part of an extensive vendor managementprogram. Reports from providers will include performancemetrics, and find out the root reasons for problems. Where serviceproviders are susceptible to SLAs, management should make sure theprovider matches identified action plans, remuneration, orperformance penalties. Vendor performance results ought to beconsidered in conjunction with internal performance as part ofseem capacity planning.


  • Performance Monitoring
  • Capacity Planning
  • Control Self-Assessments

Ffiec it examination guide infobase - risk monitoring and reporting telecommunicationscapacity utilization, system availability

Previous Section
Negotiable Instruments
Next Section
Performance Monitoring

    Ffiec it examination guide infobase - risk monitoring and reporting sources, andsubstandard performance that diminishResourse: http://ithandbook.ffiec.gov/it-booklets/operations/

    FFIEC IT Management Handbook: Are You Ready for Examiners?