> **Source: [研报客](https://pc.yanbaoke.cn)**

# EBA/GL/2017/05: Guidelines on ICT Risk Assessment under the SREP

## Executive Summary

These Guidelines are directed at competent authorities and aim to promote common procedures and methodologies for assessing Information and Communication Technology (ICT) risk within the Supervisory Review and Evaluation Process (SREP). They are developed under Article 107(3) of Directive 2013/36/EU and supplement the EBA SREP Guidelines, particularly in relation to operational risk (Section 6.4).

The Guidelines are divided into three main titles:

- **Title 1**: General provisions and application of scoring for ICT risk as part of the SREP assessment of risks to capital.
- **Title 2**: Assessment of institutions' governance and strategy on ICT.
- **Title 3**: Assessment of ICT risk exposures and controls.

The Guidelines emphasize the principle of proportionality, ensuring that the depth and detail of the ICT risk assessment are appropriate to the institution's size, structure, operational environment, and the nature, scale, and complexity of its activities. They also provide a scoring table for ICT risk, which can be used as a stand-alone sub-category score if deemed material. An ICT risk taxonomy is included in the annex, offering non-exhaustive examples of material ICT risks for competent authorities to consider.

## Core Content and Main Points

### 1. Purpose and Scope

- The Guidelines aim to ensure convergence in supervisory practices regarding ICT risk within the SREP framework.
- They focus on the **assessment of ICT risk**, **governance and strategy**, and **controls and exposures**.
- They are an integral part of the EBA SREP Guidelines and apply to all institutions within the European Economic Area (EEA).

### 2. Key Areas of Focus

- **ICT Risk as Part of Operational Risk**: ICT risk is assessed as a sub-category of operational risk, contributing to the overall risk to capital assessment.
- **Governance and Strategy**: Competent authorities should evaluate the institution's ICT strategy, its alignment with the business strategy, and the adequacy of internal governance structures.
- **Risk Exposures and Controls**: The assessment includes evaluating the institution's ICT risk exposures and the effectiveness of controls to mitigate these risks.

### 3. Proportionality and Flexibility

- The principle of proportionality is central to the application of these Guidelines.
- The frequency and intensity of ICT risk assessments depend on the institution's SREP category and supervisory programme.
- Competent authorities may use existing documentation or information from other risk assessments to inform their ICT risk evaluations.

### 4. Taxonomy and Materiality

- A non-exhaustive ICT risk taxonomy is provided in the annex, listing examples of material ICT risks.
- Competent authorities may exclude certain risks if they are not relevant to their assessment.
- Institutions are expected to maintain their own risk taxonomies rather than relying solely on the annex.

### 5. Cross-Border Cooperation

- For cross-border banking groups, competent authorities should coordinate the scope and detail of information items across all group entities.
- This coordination is essential to ensure a consistent and comprehensive assessment.

### 6. Reporting Obligations

- Competent authorities must notify the EBA by a specified date whether they comply with these Guidelines or not.
- Non-compliance will be assumed in the absence of such notification.
- Notifications must be submitted through the EBA website using the designated form.

## Key Information

- **Application Date**: These Guidelines apply from **1 January 2018**.
- **Compliance**: Competent authorities are expected to incorporate the Guidelines into their supervisory practices.
- **No Additional Reporting Obligations**: The Guidelines do not introduce new reporting requirements but assume that the necessary information is already collected.
- **Scoring Table**: A scoring table (Table 1) is provided for ICT risk, allowing for stand-alone assessment if deemed material.
- **ICT Strategy**: The strategy must be governed, aligned with the business strategy, and supported by implementation plans.
- **Internal Governance**: Institutions must demonstrate a fit-for-purpose governance structure with clear responsibilities and access to the management body for ICT-related matters.

## Conclusion

The Guidelines provide a structured and proportionate approach to assessing ICT risk within the SREP framework. They support competent authorities in evaluating the governance, strategy, and controls of ICT systems, ensuring that risks are appropriately identified, managed, and scored. The emphasis on proportionality and the inclusion of a risk taxonomy allow for flexible and context-specific assessments, while the requirement for cross-border coordination and reporting ensures alignment across the EEA.