Risk Management Manual
This manual provides resources and tools to aid _______ in the implementation of an
effective risk management program to minimize the cost of risk and maximize protection of
their assets. It contains guidelines on the implementation of ________ Risk Management
System covering the following areas:
Credit
Liquidity
Interest Rate
Operations
Foreign Exchange
Compliance
Legal
Loss or Destruction of Facilities and Loss Arising From Frauds
Information Technology
Non-compliance with any provision shall be reported by the Risk Officer to the Risk
Management Committee for appropriate action.
FOREWORD
The writing of this Manual has been constrained by the dearth of material and models, since
this is a new discipline in Philippine banking.
Much effort was therefore exerted at origination, which explains some possible
imperfections of this Manual. Improvement will therefore be a continuous process while
the Manual is being implemented; the need for additions, corrections, amendments and
revisions will be discovered through:
The review and assessment of performance and compliance with the manual;
The process of identifying new risks, or present risks not covered in the manual.
RISK MANAGEMENT MANUAL
1. Risk
1. Credit Risk
This is the risk that an obligor will fail to perform his credit obligation to the
organization. Credit risk is the most serious risk faced by _____, second only to an
incompetent, imprudent and irresponsible management. Bad and fraudulent loans
have been the main cause of organization failures and bankruptcies. Lending is the
essence of Micro-Finance Institutions (MFI), and since the greater incidence of risk
exposure is in loans, the formulation and implementation of sound lending policies
are among the most important responsibilities of the Board of Trustees and
Management.
(a) Foremost is at the processing stage of the credit (where scrutiny is made of
such factors as: credit worthiness; prudential or legal limits; industry limits;
an informed forecast of expected industry or business performance;
concentration limits; compliance with Board policies and legal and regulatory
requirements; degree of risks as between long and short term credit; or
secured and unsecured; moral responsibility; source of repayment; etc.);
(b) Second stage is that of loan supervision where deficiencies and weaknesses
in loan utilization and management may be uncovered and corrective
measures suggested;
(c) Third stage may refer to the collection process where ineffectiveness in
collection efforts may result in non-collection;
(d) The fourth stage is the monitoring stage, which may fail to alert Management
to take appropriate actions to maintain the integrity of the credit.
2. Liquidity Risk
This is the risk that ______ will not be able to, or cannot easily, meet its obligations
as they fall due. The management of this risk is not as simple as the definition
implies. The level of liquidity maintained by ______________ has basic risk
implications. Too little liquidity may cause enormous embarrassment or may even
prove financially fatal. Too much liquidity may result in foregone income as well as
threats to the solvency position.
It must also be noted that the amount of liquidity level is most difficult to estimate
and that it cannot be reasonably reduced to a generalized mathematical ratio (such
as “liquid” assets to “loans payable”).
The manual will put forward some principles, concepts and statistical formulation,
which may form roughly the basis for a liquidity management system.
Historical averages derived from statistical series over a representative period, and
an informed forecast of the likely movements of loan releases and collections against
the backdrop of the economic, business or political environment, will help Management
in estimating the normal, as well as the abnormal, demands for liquidity that must
be provided for.
2.1 The Assets to Meet the Liquidity Pressures
The following are the type and amount of assets needed to meet the liquidity
demands, as well as concepts on how to achieve an optimum liquidity
position.
Primary Reserves
These are cash and its equivalents, which can readily be used to pay
off the normal day-to-day liquidity pressures for cash payments. Cash
tied up to fund issued postdated checks cannot be included in
the “Primary Reserves”, but the portion in excess of the funds expected
for postdated checks may be included.
Secondary Reserves
These are the earning assets that can be converted into cash even
before maturity without substantial loss of value, such as Treasury
Bills, Bankers’ Acceptances, Marketable Debt Securities and similar
high-grade paper. Eligible securities tied up in legal reserves may not
be included as part of the Secondary Reserves. The Secondary Reserves
can (1) replenish the “Primary Reserves”; and (2) meet abnormal
drawdowns in deposits, abnormally large maturing obligations and
operating expenditures, and the releases of approved loans.
Tertiary Reserves
These are assets that can be readily “shifted” to cash by sale, or used
as collateral for loans. These assets can backstop the “Primary
Reserves” and “Secondary Reserves” in the event of serious liquidity
pressures; thus appropriate amounts of these shiftable assets should
be maintained.
3. Interest Rate Risk
This is the risk that ______________’s profits and/or capital will be adversely
affected by changes in interest rates.
4. Operations Risk
6. Compliance Risk
Risk to earnings or capital arising from violations of laws, rules and regulations,
prescribed practices or ethical standards.
7. Legal Risk
8. Other Risks
In addition to the risks mentioned, there are other risks to which ______________
is exposed, such as:
2.1 The Risk Management Committee shall have one chairman who shall be in
charge of the work of the Committee.
2.2 The major responsibilities of the Committee members shall include, among
others:
The Committee shall have the function of overall supervision and control over
the risk management system of the organization. Its mission is to protect
______________’s scarce capital from losses arising from activities that
expose ______________ to all types of risk. It shall be tasked with the
review of capital allocation to ensure resources are suitably utilized to
optimize returns given ______________’s tolerance for risk.
The same shall also have the authority, within the scope of its role and
responsibilities, to:
obtain any information it needs from any employee and/or external
party (subject to their legal obligation to protect information);
discuss any matters with the external auditor, or other external
parties (subject to confidentiality considerations);
request the attendance of any employee at committee meetings; and
obtain external legal or other professional advice, as considered
necessary to meet its responsibilities, at ______________’s expense
with the prior approval of the Chairman.
3. There shall be a Risk Officer, who will report to the Risk Management
Committee. The offices of the “Risk Officer” and the “Compliance Officer”
may be occupied by one officer, whose duties shall be as follows:
3.1 To see to it that the provisions of the Risk Management Manual are
complied with by all concerned.
4. The Risk Officer and the Internal Auditor shall also exercise a review function
over:
4.2. The audit and testing of the risk management process and internal
controls on a periodic basis, with the frequency based on a careful
risk assessment.
V. Risk Identification
One of the keys to risk management is risk identification. The two distinct
dimensions faced by ______________ are the type of risk and the
______________ program that is at risk. To identify bank risk is to look at
the various types of risk and determine which function is potentially vulnerable to
that type of risk.
1.1 The Chairman shall be responsible for ensuring that there is a clear
delineation of lines of responsibility for managing risk, adequate
systems for measuring risk, appropriately structured limits on risk
taking, effective internal controls and a comprehensive risk-reporting
process.
1.2 He/She shall ensure that all appropriate approvals are obtained and
that adequate operational procedures and risk control systems are in
place.
3. The results of the risk assessment shall be discussed with the head or officer
in charge of the unit responsible for the risk. Emphasis shall be given to the
factors that are rated high risk and those whose risk ratings have
deteriorated compared to the previous assessment.
4. The Risk Assessment Report shall be discussed with the Group Head of the
unit concerned, and submitted to the Board of Trustees, thru the Risk
Management Committee, for approval.
4.1 The Group Head, in coordination with the Risk and Compliance
Officer, shall discuss with the head of the unit concerned appropriate
action to be taken to reduce risk exposure in factor/s rated high
and/or rated worse than in the previous assessment.
4.2 The Group Head, in coordination with the Risk and Compliance
Officer, shall set targets for reduction of exposure, monitor
accomplishment of these targets and report results to the
Chairman/President.
It is not enough that risks are identified, measured and assessed. It is equally, and
even more, important that the risks are managed, controlled, minimized or even
avoided. This manual includes risk control measures vis-à-vis the various types
of risks. These are contained in the following annexes:
The more important stages for risk control in a loan’s life are:
Processing stage
Supervision stage
Collection stage
Monitoring stage
In General:
1. That the borrower is creditworthy and can meet his obligation upon maturity.
2. That the loan complies with the lending policies of ______________ as well
as the pertinent legal and regulatory requirements.
In Particular:
2. The loan processing must be done with due diligence and care and must
establish the validity of the following factors (Individual Lending
Guidelines-Part 1-Loan Application Stage-I-General Lending
Guidelines #3 and Group Lending-Client Identification & Selection
#4):
2.1 The moral responsibility of the borrower;
2.9 Good health, and age not over 65 at maturity of the loan.
3. Loans shall be granted only in the amounts and the periods essential for the
effective completion of the programs/project to be financed. (Individual
Lending Guidelines-Part1-Loan application Stage-I-General
Lending Guidelines #5 and Group Lending-Initial Group Loans-
Statement of Policies #s 15 to 23)
4. The purpose of the loan must be stated in the loan contract. (Individual
Lending Guidelines-Part 2 Processing of loan application-Loan
Evaluation Process #2.1)
7. Any amount in excess of the minimum CBU balance may either be withdrawn by the
member or used to pay off the member's unpaid loans in cases where they have no
money on the collection date.
8. Members can get another loan only if the balance of their CBU savings is
within the required minimum at the end of the loan cycle.
9.3 All units concerned shall be informed of changes in interest rates prior
to effectivity.
10. The true and effective cost of borrowing shall be an integral part of the loan
contract. The borrower shall be furnished, prior to the consummation of the
transaction, a statement containing the following information:
10.1 The charges, individually itemized, which are paid or to be paid by the
borrower in connection with the transaction but which are not
incident to the extension of credit.
10.4 The percentage that the finance charge bears to the total amount to
be financed, expressed as a simple rate on the outstanding unpaid
balance of the obligation.
11.1 At least twenty five percent (25%) of loanable funds shall be made
available for Agricultural credit.
12. The dealings of the ______________ with any of its Trustees, officers and
employees shall be in the regular course of business and upon terms not less
favorable to ______________ than those offered to others.
13. The terms loan, borrow, money borrowed and credit accommodations as
used herein shall refer to transactions which involve the grant, renewal or
extension or increase of any loan, discount, credit or advance in any form
whatsoever, and shall include:
14. The terms loans, borrow, money borrowed or credit accommodations as used
herein shall not refer to the following:
ANNEX A Page 5 of 12
14.3 Transactions with a foreign bank which has stockholdings in the bank,
where the foreign bank acts as guarantor through the issuance of
letters of credit or assignment of a deposit in a currency eligible as
part of the international reserves and held in a bank in the Philippines
to secure credit accommodations granted to another person or entity:
Provided, that the foreign bank stockholder shall automatically be
subject to the ceilings as herein provided in the event that its
contingent liability as guarantor becomes a real liability; and
15. The property and chattel offered as collateral by the applicant shall be
appraised to determine its loan value. The Transfer Certificate of Title shall
be verified with the Register of Deeds to establish its authenticity and to
ensure that there are no adverse claims on the property. An affidavit of
ownership must be required on equipment/unit offered as collateral.
Properties located in Urban Areas and other key cities: 70% of appraised value,
which shall equal the market value.
Provided that the loan value of insured improvements on the property shall not
exceed 60% and 50%, respectively, of the appraised value.
Individual Lending
P4,000.00 to P6,000.00
Increment of P2,000.00 to P5,000.00
P10,000.00 to P20,000.00
17. The loan applicant shall be informed in writing of ______________’s decision on his application.
18. Upon approval of the loan, all legal documents containing the terms, charges,
interest, repayment schedule and conditions of the loan transaction shall be
prepared and signed by the borrower in the presence of authorized
personnel. The borrower shall be furnished a copy of the documents.
18.1 ______________’s Notary Public/legal Retainer shall notarize
documents. Cost of the notarization shall be for the account of the
borrower.
18.2 If the loan is secured by real estate collateral, the mortgage shall be
registered with the Registry of Deeds where the property is located
prior to the release of the loan. Registration expenses shall be for
the account of the borrower.
19.4 The insurance policy shall be renewed annually until the loan is fully
paid. In case the borrower fails to renew the policy on the due date,
______________ shall advance the premium and charge the
borrower interest thereon at the rate stated in the
Promissory Note.
20. The Department Head/Branch Manager shall approve loan releases in accordance
with the terms of the loan.
21.3 No loans shall be renewed or its maturity date extended unless the
corresponding accrued interest receivable shall have been paid.
22. Loan Restructuring
22.3 Restructured loans are loans the principal terms and conditions of
which have been modified in accordance with a restructuring
agreement setting forth a new plan of payment or a schedule of
payment on a periodic basis.
22.3.1 The modification may include, but shall not be limited to,
change of maturity, interest rate, collateral or increase in the
face amount of the debt resulting from the
capitalization of accrued interest/accumulated charges.
22.4 In the restructuring of loans, the real estate security and/or other
collateral offered shall be appraised at the time of restructuring to
ensure that current market values are being used.
The approval for restructuring of the loan shall state the following:
22.6 All loans approved for restructuring shall be reported to the Board of
Trustees for confirmation.
22.7 Approval of the request for restructuring shall consider the following,
among others:
22.7.2 The committee should be convinced that the reason for the
non-payment of the account or the non-compliance by the
borrower of the terms and conditions of the loan is/are no
longer present and that the borrower’s capacity to pay has
improved and he is now perceived to be capable of servicing
the loan satisfactorily up to its maturity;
2.1 The proper use of the loan proceeds according to its purpose; and
the deviations from the purpose;
2.2 Potential problems that may adversely affect the loan quality.
Experience has shown that loans which otherwise are collectible, turn out to be
problem loans due to an ineffective collection process. One important factor in the
effectiveness of the collection effort is its seriousness and determination. The
following are some of the control measures adopted.
2. The process should define stages and timetable for undertaking the collection
strategy.
Loans are the most important resource of ______________, and their deterioration
is the most compelling single cause of organization failures. This points up the
importance of monitoring, so that the CEO and the Board of Trustees are informed
that extra due diligence has been followed in implementing the controls at the various
stages of the loan process. It is also important that they be given informed
knowledge of the status of the loan portfolio and its components, so that
timely and appropriate actions are taken to prevent or control the deterioration of
the loan portfolio.
1.6 Loans that exceed established ceiling such as loans exceeding internal
or regulatory limits (SBL)
2. Loan Review
3. The Credit Officer shall maintain a list of watch credits and report them to
the assigned Loans Review Committee at least monthly. Watch credits are
those that fall under any of the following categories:
DATE :
10. Are dealings with any of its officers and its employees and their
related interest in accordance with the rules and regulation
approved by the Board of Trustees?
Credit Risk Assessment Report Page 2 of 3
17. Is past due loans ratio within the level prescribed by the Board
of Trustees? Are past due loans handled in accordance with the
policies approved by the Board of Trustees?
Loans Supervision
Collection
Yes No
Loan Monitoring
4. Does the Credit Risk Officer maintain a list of watch credits and
report them to the Loans Review Committee at least monthly?
Recommendations:
Risk Examiner
Signature Over Printed Name Date
ANNEX B
Name of Risk : Liquidity Risk
In Charge : Director-Chief Finance Officer
1.2 the abnormal liquidity pressures (including loan and contingent demands)
2. Primary reserves in appropriate levels should be maintained to meet the normal day-
to-day liquidity pressures.
7. It is also essential that maturities (of loans receivable, loan releases and other
obligations) be managed to achieve a smoother cash flow pattern.
RISK ASSESSMENT REPORT
Type of Risk : Liquidity Risk
Unit in Charge : Accounting Unit
DATE :
Yes No
a. Primary reserves?
b. Secondary reserves?
c. Tertiary reserves?
If yes, are these levels being met?
3. Are the required Liquidity Reserves more than the Primary and
Secondary Reserves? If yes, have the Primary and Secondary
Reserves been raised accordingly?
Risk Examiner
ANNEX C
Name of Risk : Interest Rate Risk
In Charge : Director Chief Finance Officer
Director for Operations
Interest rate setting is constrained by laws, regulations and competition, such that
interest rate risk in most cases arises: a) from competition effectively setting a narrow
interest margin, which, combined with rigid and high general and administrative
costs, may adversely affect ______________’s profit; and b) from a mismatch between
interest on loans and interest on deposits.
DATE :
Yes No
Recommendations:
Areas of Concern Recommendation Action
Risk Examiner
Signature Over Printed Name Date
ANNEX D
Name of Risk : Operations Risk
In Charge : VP-Operations
The more important of ______________’s operations involving risks are lending and deposit
operations. The risk control measures on these operations are embedded in the
organization’s existing manuals covering these operations.
1. Lending Operations
The policies, procedures and controls with respect to lending operations are in Annex
A hereof.
2. Deposit Operations
The policies, procedures and controls with respect to deposit operations are provided
for in ______________’s manual on CASA which is deemed part of the Risk
Management Manual.
RISK ASSESSMENT REPORT
Type of Risk : Operation Risk (Deposits)
Unit in Charge : Branch Banking Group
DATE :
Processing of Transactions
1. Is cash and other accountable forms kept inside the cash vault of
the branch?
5. Does the vault custodian record all activities inside the vault in the
vault’s logbook?
6. Do the entrant and the vault custodian sign all entries in the vault
logbook?
Recommendations:
Areas of Concern Recommendation Action
Risk Examiner
Signature Over Printed Name Date
ANNEX E
Name of Risk : Foreign Exchange Risk
In Charge : Chief Finance Officer
The more important foreign exchange risk is that arising from exchange rates. If the peso
weakens, for instance, a long position in foreign-currency assets may result in
earnings for the bank; the opposite holds if the foreign exchange position is short (meaning
there are more liabilities than assets). Aside from risks in foreign exchange rates,
other risks may arise from the quality of assets held in foreign currency.
1. Acquisition of, and assumption of liabilities in, foreign exchange should only be done
in foreign currencies allowed by the BSP and duly approved by ______________’s
Board of Trustees.
5. A usual strategy is to maintain a square position but this should not give rise to a
false sense of security since this may not automatically preclude credit or investment
risks in the quality of the foreign currency assets held by the bank nor eliminate risks
in foreign exchange rates which may affect adversely the clients’ ability to honor
their commitments.
RISK ASSESSMENT REPORT
Type of Risk : Foreign Exchange Risk
Unit in Charge : Branch Banking Group
Accounting
DATE :
Yes No
Recommendations:
Areas of Concern Recommendation Action
Risk Examiner
Compliance risk is defined as the risk to earnings or capital arising from violations of laws,
rules and regulations, prescribed practices or ethical standards. To ensure that the risk
is recognized, monitored and controlled, the process should include identifying the relevant
Philippine laws and regulations, analyzing the corresponding risks of non-compliance,
prioritizing the compliance risks and designing control measures to minimize or prevent
the occurrence of said risks.
1.3 The BSP Manual of Regulations for Banks (implementing the General Banking
Act, and the Thrift Bank Act)
2. Each relevant provision should be evaluated by the Risk and Compliance Officer in
terms of:
2.1 the consequences of violations in the forms of sanctions and penalties;
ANNEX F Page 2 of 2
2.3 the function or unit responsible for initiating or maintaining compliance, and
3. Broadly speaking, provisions to be complied with are those in the law, the regulations
and the internal Bank policies; and compliance is measured in terms of the following:
3.2 prohibitions
3.7 others
4. The Risk and Compliance Officer periodically monitors transactions, reviews reports
and documents, and observes practices to ascertain compliance. In case of doubt,
operating personnel should consult the Risk and Compliance Officer regarding the
relevant provisions of laws, regulations and policies which might be violated. Findings
on compliance are discussed with the officers concerned. Likewise, the Risk and
Compliance Officer should monitor and review the Board and management’s
supervision and administration of the compliance function in terms of quality,
adequacy and effectiveness, the development of internal controls aimed at ensuring
continuing compliance, and an efficient compliance review and monitoring system.
5. Compliance issues and violations are reported along with other audit exceptions to
the Board of Directors through the Audit Committee and the Risk Management
Committee.
DATE :
Yes No
Recommendations:
Areas of Concern Recommendation Action
Risk Examiner
1.1 The Corporate legal counsel reviews all loan contracts and documents before
the loans are availed by ______________.
2. The legal risks from lawsuits are those that could emanate from the non-observance
or non-implementation by the organization of its commitments or understandings arising
from its contracts, including those for its loans. The risks may be in the form of
possible damages which the organization may be ordered to pay by reason of the
causes aforementioned. Minimizing these risks is the concern of the corporate legal
counsel, and towards this objective the faithful implementation of the organization’s
contractual obligations is pursued in all respects. In those instances where lawsuits
have been filed, denying or disproving the charge, and failing that, mitigating the
award of damages against the organization, has always been the thrust of the
organization’s defenses. This is achieved by an in-depth study of the cases and of the
affirmative or special defenses which the rules allow a party defendant to raise.
RISK ASSESSMENT REPORT
Type of Risk : Legal Risk
Unit in Charge : Legal Counsel Secretary
DATE :
Yes No
d. Etc.
Recommendations:
Areas of Concern Recommendation Action
Risk Examiner
Signature Over Printed Name Date
ANNEX H
Name of Risk : Other Risks to Include:
In Charge : MIS-Head
1. The Administrative Officer has developed a disaster control program that establishes
measures to prevent controllable disasters such as fire, promotes disaster
preparedness, and establishes survival measures should a disaster occur.
1.2 ______________ records and property have been classified and clearly
marked as to their order of priority in case of evacuation.
1.3 Evacuation areas have been identified and the measures for securing
personnel, records and property evacuated to these areas have been
established.
1.4 The disaster control program has been disseminated to all ______________
personnel.
1.5 The Admin Officer shall regularly assess and update the disaster control
program.
4. Security policies and procedures for cash transfers shall be strictly implemented.
2. Avoid hiring people who are likely to commit crimes of moral turpitude.
1. Physical Security
1.1.2 The computer operations room, within the data center, shall also be
under strict control. Access to the computer room shall be limited to
Management Information Systems (MIS) Division personnel. MIS
Division personnel involved in programming shall not be permitted
entrance to the computer operations room, except under the
following circumstances.
1.2.1 The data center facility shall be protected by fire and smoke
detectors.
1.4 Housekeeping
1.4.1 Smoking, eating, and drinking in the computer operations room are
prohibited.
1.4.2 Extraneous paper supplies and other combustible material shall not
be stored in the computer room, since these are fire hazards.
MIS System Support personnel are responsible for the routine care of
equipment, devices, workstations and other items, except Servers and Main
Systems. Maintenance by System Support personnel is limited to the
routine procedures and systems assigned to them. System Support
personnel are not permitted to perform any significant equipment repair or
maintenance activities unless authorized by, and working with, the Head of
the MIS Division or supervisors. System Support personnel shall:
2.1.2 Note any defective areas on tapes and disks when operating a
computer and enter them on a log. Maintaining such a log will help
determine when tapes and disks should be rotated out of production.
2.1.3 Record all hardware and software “crashes” or errors and note the
reason or suspected reason, the time, and the action taken to correct
the situation and who took the action.
2.2 Vendor Maintenance
2.2.1 The MIS system support personnel shall always be present in the
computer room with the vendor’s service representative.
2.2.2 The MIS system support personnel responsible for monitoring the
preventive maintenance shall be sure to remove, or secure, all
production programs and data files before any devices or
equipment are pulled out of the organization.
2.2.3 After the maintenance, the system activity log shall be printed for
review by the MIS Division Head.
3. Equipment Operations
The system has internal operating logs that record all events and actions
that the System Support personnel take. The log is produced daily and
reviewed by the MIS supervisors or MIS Division Head to ensure that routine
operating schedules are adhered to and to detect any unusual activities. All
non-scheduled jobs shall be supported by job requests.
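As an added illustration of the daily log review described above (example code written for this page, not part of the manual or of any MIS system), the following Python script parses a constructed operating log, checks each job run against a routine schedule and the job requests on file, and lists the exceptions a supervisor should follow up. The log format, job names, operator ids, schedule windows and request references are all assumed.

```python
"""Daily review of the system operating log: flags runs that the routine
schedule or an approved job request does not account for (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LogEntry:
    when: datetime
    operator: str
    job: str
    action: str  # START or END


# Constructed sample of one day's operating log; not the output of a real system.
SAMPLE_LOG = """\
2024-03-04 06:00:12 opr1 EOD_POSTING START
2024-03-04 06:41:55 opr1 EOD_POSTING END
2024-03-04 06:50:00 opr1 EOD_POSTING START
2024-03-04 07:02:13 opr1 EOD_POSTING END
2024-03-04 07:05:03 opr1 GL_BACKUP START
2024-03-04 07:20:10 opr1 GL_BACKUP END
2024-03-04 08:30:00 opr1 RPT_PASTDUE START
2024-03-04 13:12:44 opr2 LOAN_REBALANCE START
2024-03-04 13:30:01 opr2 LOAN_REBALANCE END
2024-03-04 22:47:19 opr3 DB_UTILITY START
2024-03-04 22:58:30 opr3 DB_UTILITY END
"""

# Assumed routine operating schedule: job -> (earliest, latest) start hour, 24h clock.
ROUTINE_SCHEDULE = {
    "EOD_POSTING": (5, 8),
    "GL_BACKUP": (6, 9),
    "RPT_PASTDUE": (8, 10),
    "AR_AGING": (8, 10),
}

# Assumed job requests approved for the day: job -> request reference.
JOB_REQUESTS = {"LOAN_REBALANCE": "JR-0031"}


def parse_log(text):
    """Parse 'date time operator job action' lines into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, operator, job, action = line.split()
        entries.append(LogEntry(datetime.fromisoformat(f"{date} {time}"),
                                operator, job, action))
    return entries


def review_log(entries, schedule=ROUTINE_SCHEDULE, requests=JOB_REQUESTS):
    """Return (job, reason) exceptions for the reviewing supervisor."""
    findings = []
    start_count = Counter(e.job for e in entries if e.action == "START")
    ended = {e.job for e in entries if e.action == "END"}
    first_start = {}
    for e in entries:
        if e.action == "START":
            first_start.setdefault(e.job, e)
    for job, e in sorted(first_start.items()):
        ran = f"{e.when:%H:%M} by {e.operator}"
        if job in schedule:
            lo, hi = schedule[job]
            if not lo <= e.when.hour < hi:
                findings.append((job, f"ran at {ran}, outside routine window {lo:02d}-{hi:02d}h"))
        elif job not in requests:
            # Non-scheduled work must be backed by a job request.
            findings.append((job, f"non-scheduled job ran at {ran} with no job request"))
        if start_count[job] > 1 and job not in requests:
            findings.append((job, f"rerun: {start_count[job]} starts logged without a job request"))
        if job not in ended:
            findings.append((job, "START logged with no END: abnormal stoppage or still running"))
    for job in sorted(schedule):
        if job not in first_start:
            findings.append((job, "routine job did not run"))
    return findings


if __name__ == "__main__":
    for job, reason in review_log(parse_log(SAMPLE_LOG)):
        print(f"{job:15} {reason}")
```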
4. Data Security
4.1.1 All data media not currently in use shall be kept in the tape/disk
library located within the data center facility.
4.1.3 The librarian shall attend the library during operating shifts.
4.1.4 No item may be removed from the library unless the librarian has
received the proper written request form. The librarian shall remove
the item from the library and give it to the requestor.
4.1.5 All other physical security considerations such as fire protection also
protect the tape library.
4.2.3 MIS System Support personnel shall not have access to programming
documentation, including program flow charts, source listings, etc.
4.3.4 Console logs reflecting all jobs submitted, including reruns, program
abnormal stoppages and utility use.
5. Telecommunication/Online Security
Data communication networks are often linked to internal LANs, providing unique
opportunities for communication between various networks. The combination of
networks, that is, workstations, client servers, minicomputers and computer
platforms, may all be linked through a common network link. Different users in
different locations at different times can communicate and utilize or share
information. In certain cases, specific information may be carried on proprietary
networks or on lines dedicated to “this ______________ only”, while other information
may be communicated via public carriers. The sharing of LAN information
and resources through data communications exposes the bank to potential
unauthorized access and use.
Controls shall be established to assure that only authorized individuals enter the
system designated to their specific usage, and once they have accessed the
approved systems, these individuals perform only authorized activities. The level of
controls placed on a LAN or LAN/data communications network shall be
commensurate with the level of exposure and cost of the related controls. The
primary focus of these control systems shall be to create a high level of security
discipline for the institution, its networks and services, and its customers. The
controls for data communications network integrating with LANs should include the
following:
If bank staff detect unusual activity or anomalies occurring regarding data access of
the ______________’s LAN through data communication networks, more
sophisticated techniques may have to be utilized to identify the source.
Security measures and controls for all internal LANs shall be selected based on the
degree of risk, with the following general categories serving as the basic elements
for consideration.
Access control. Physical barriers such as doors, locks, keys, personnel badges and
keyboard locks; on-line controls such as user IDs, passwords and encryption.
If the level of security and/or control support for data communication networks or
LANs is of concern, the MIS Division shall be authorized to seek further assistance from
other sources, such as external expertise.
Security for the terminal system includes physical restrictions on the terminals
themselves and software system controls.
Identification Methods
6. Computer Viruses
ANNEX H _____ Page 10 of 14
Management recognizes the risks associated with shared software. Every effort will
be made to ensure computer viruses and worms do not enter ______________’s
system.
6.1 Anti-virus software shall be installed on all personal computers, laptops and
other handheld devices. The bank’s MIS system support personnel will
screen all software before it is installed on any computer.
6.2 The system administrator will maintain a record of all files and directories on
all ______________ computers. It is the administrator’s responsibility
to understand the purpose and function of each file on ______________’s
computers. This record will be updated monthly and compared with the record
of the previous month in order to identify any logic bombs within a
computer that the virus scanner cannot detect.
6.3 No employee shall install any software on his/her computer; only the MIS
Division’s authorized system support personnel shall install software.
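The monthly record and comparison required by 6.2 can be kept by a small script. The example below is added here and is not part of the manual or of any ______________ system; the directory layout, file names and file contents in it are constructed for illustration. It inventories every regular file under a directory with its size and a SHA-256 digest of its contents, stores the record as JSON, and reports the files that were added, removed or altered since the previous record. Recording a content digest rather than only file names and sizes is what lets the comparison catch a program that has been modified in place, which is the case a names-only listing would miss.

```python
"""Monthly file-inventory comparison (added example, not the manual's own procedure).

Records every regular file under a directory tree with its size and SHA-256 digest,
then compares the current record with the previous month's record and reports
files that were added, removed, or whose contents changed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_record(root):
    """Inventory every regular file under root: relative path -> size and SHA-256 digest.

    The digest is the important field: a file altered in place keeps its name and may
    keep its size, so a listing of names alone would not show the change.
    """
    record = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two runs over an unchanged tree agree
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are inventoried at their own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            record[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return record


def save_record(record, path):
    """Write the monthly record as JSON. Keep it where ordinary users cannot modify it."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2, sort_keys=True)


def load_record(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare_records(previous, current):
    """Report paths added, removed, or with changed contents between two records."""
    prev_paths, cur_paths = set(previous), set(current)
    return {
        "added": sorted(cur_paths - prev_paths),
        "removed": sorted(prev_paths - cur_paths),
        "modified": sorted(
            p for p in prev_paths & cur_paths
            if previous[p]["sha256"] != current[p]["sha256"]
        ),
    }


def _write(root, rel, data):
    """Helper for the constructed sample tree used in demo()."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: one workstation's program directory recorded a month apart."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/teller.exe", b"original teller program")
        _write(root, "bin/report.exe", b"report generator")
        _write(root, "config/settings.ini", b"branch=01\n")
        record_path = os.path.join(store, "inventory-previous.json")
        save_record(build_record(root), record_path)

        # A month later: one program altered in place (same name, same size), one
        # program removed, and one unapproved program planted.
        _write(root, "bin/teller.exe", b"original teller progrAm")
        os.remove(os.path.join(root, "bin", "report.exe"))
        _write(root, "bin/update.exe", b"unapproved program")

        return compare_records(load_record(record_path), build_record(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, `build_record` would be run over each computer's program and system directories, the JSON kept on media the user of that computer cannot write to, and every path reported under `modified` or `added` traced back to an approved installation under 6.3 before the new record replaces the old one. Comparing digests does not tell the administrator what a changed file does; it only narrows the review to the files that actually changed.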
7.1.1 Only authorized personnel shall be allowed entry into the MIS
Division. Visitors/guests shall be allowed entry only upon prior
authorization from the MIS Division Head or a supervisor, and provided
they sign the visitors’/guests’ log sheet indicating the purpose of the visit
and the person to be visited.
7.2.1 The main entrance door of the computer room is equipped with a
security lock requiring authorized personnel to key in a PIN
(Personal Identification Number) to unlock the door.
7.2.4 Only the following personnel shall be allowed entry into the Computer
Room:
MIS Head
MIS Supervisors
Authorized MIS System Support Staff
8.1 The MIS Division Head shall be designated as the Lead System Administrator,
who shall see to it that only authorized users are logged in to the system.
He shall also be responsible for effecting changes, such as system
parameters, when required.
8.3 Only the MIS System Support personnel on duty shall operate the
computer systems and their peripherals.
8.4 Access by other personnel to the systems for online applications shall require
the approval of the Department Head concerned and the MIS Division Head.
8.5 To gain access to the system, a user shall be assigned a unique user ID and
a password; the password shall be known only to that user.
8.6 A user’s access to the system shall be limited to what his functions and
position require.
9. Emergency Procedures
If the fire has not advanced too far, attempt to extinguish it with
a fire extinguisher.
9.2.3 The supervisors should attempt to secure all valuable records in a safe
place.
Doors shall be opened cautiously and only after testing them for heat.
10. Disaster Recovery
Disaster recovery planning for the MIS division includes backup plans for key
elements within the department and contingency plans or strategies for the recovery
of operations.
5.1 Identification of Events with Potential to Disrupt Services
The MIS Division Head shall identify internal and external events that could
disrupt the ______________’s services, assess and quantify the probability
of such events and their consequences, and develop appropriate contingency
plans to mitigate the risk or loss of service.
While there are several options for obtaining hardware backup, the
______________ has elected to provide in-house backup, with all
mission-critical equipment installed at a second site.
3. Are drills conducted to ensure that all personnel are aware of their
specific roles in the event of a disaster?
Recommendations:
Areas of Concern | Recommendation | Action
Risk Examiner: ________________________ DATE: ________
10. In case exceptions are noted, are these investigated and reported in
accordance with the manual on Administration of Cases?
Separation and Rotation of Duties
Equipment Operations
4. Are these logs produced daily and reviewed by the MIS manager?
a. Scheduling?
b. Equipment controls?
c. Library controls?
Data Security
a. Terminal?
b. User?
c. Transaction detail?
Emergency Procedures
d. Notification checklist?
10. Are there procedures to follow during disaster recovery for each
application or area of the department?
Recommendations:
Areas of Concern | Recommendation | Action
Risk Examiner: ________________________ DATE: ________