KARACHI - The State Bank of Pakistan (SBP) has issued Enterprise Technology Governance & Risk Management Framework for Financial Institutions (FIs).

The Framework has been developed after extensive consultation with both internal & external stakeholders, SBP statement here on Tuesday said. Earlier on March 14 this year the draft of the framework was published for public consultation. The framework, it was pointed out, is based on principles of international standards and best practices for technology governance and risk management including cyber security.

It aims to provide enabling regulatory environment for managing risks associated with the use of technology. The instructions aims to enhance the proactive environment in FIs to various aspects of the information technology, security, operations, audit and related domains and to create overall safe and secure technology operations in FIs that will benefit and enhance the confidence of all the stakeholders.

The framework will apply to all FIs which includes commercial banks (public and private sector banks), Islamic banks, Development Finance Institutions (DFIs), and Microfinance Banks (MFBs). The framework is not "one-size-fits-all" and implementation of the same shall be risk-based and commensurate with size, nature and types of products and services and complexity of IT operations of the individual FIs.

While implementing this framework, FIs are expected to exercise sound judgment to determine the applicable provisions relevant to their technology risk profile.

Senior management of the FI(s) will monitor the implementation of this framework on an ongoing basis and the Board of Directors will review the implementation process on quarterly basis.

The SBP has further advised the FIs to follow a phased approach towards implementation of the framework starting with a gap analysis between their current status and this framework, development/update of the policy framework, on-the-ground implementation and follow up review and feedback. Accordingly, the FI(s) have been required to upgrade their systems, controls and procedures by June 30, 2018.