Calling all financial institutions! Gather ’round and receive our news. The Joint Standard on IT Governance and Risk Management requires your attention. The Financial Sector Conduct Authority (FSCA) and the Prudential Authority published the joint standard in November 2023. Its full name is Joint Standard 1 of 2023 – IT Governance and Risk Management Requirements for Financial Institutions. As the full name suggests, it aims to help financial institutions better regulate essential aspects of their governance of information, technology, and risk.

If you have ever dipped your toes into IT or risk governance, you will know that a lot goes into them. The King Code comes to mind. Below, we give you the basics of what this latest joint standard means for you and what it requires from you.

The commencement date and deadline for complying with this standard was 15 November 2024.

We (together with other service providers) can help you ensure your organisation meets these standards practically and effectively. You will need to follow a multi-disciplinary approach to comply. A key component of complying will be demonstrating that you comply.

What the Joint Standard on IT Governance and Risk Management says

The joint standard is similar to King IV’s focus on information and technology. It touches on the governing body’s role, stating that the governing body must provide leadership, set the strategic direction of the organisation, and provide ongoing oversight.

A financial institution’s management must work with its governing body to assess the impact of the joint standard on their organisation. They must also assess the information that a financial institution holds, and the technology that it uses. Together, the management and the governing body must ensure that their financial institution establishes a strong and useful IT risk management framework. The joint standard even speaks about the importance of having a risk register to set out the risks to a financial institution’s information and technology and how that financial institution will mitigate those risks.

The governing body roles and responsibilities

The governing body of a financial institution has several responsibilities under the IT Governance standard. (We can help you to train or brief your governing body.)

  1. Ensure that the institution complies with the standard.
  2. Oversee cyber risk management.
  3. Work with senior management to establish and maintain a sound and robust IT risk management framework and IT strategy.
  4. Clearly define roles and responsibilities for overseeing IT risks.

The standards each financial institution must meet

  1. Ensure that its IT strategy is approved by the governing body and aligned with its overall business strategy. (We can facilitate a workshop to help you achieve this.)
  2. Establish an IT risk management framework to manage IT risks in a systematic and consistent manner, including:
    1. draft policies, standards and procedures (we can help you get these right),
    2. identify, assess and manage all material risks,
    3. have someone independently review the policies, standards and procedures, and update them,
    4. assign roles and responsibilities in managing IT risks,
    5. identify and prioritise IT assets,
    6. identify and assess threats, risks, and vulnerabilities,
    7. implement appropriate practices and controls,
    8. periodically update and monitor risk assessments,
    9. manage people, including by having relevant training programmes. (We can help you learn by providing training.)
  3. Incorporate the oversight of IT risk management into the governance and risk management structures.
  4. Develop a robust set of IT service management policies, standards, processes and procedures (IT service management framework), including to manage:
    1. change,
    2. incidents and problems,
    3. capacity,
  5. Manage its IT operations, including:
    1. base them on documented and implemented policies, processes and procedures (including a register of critical IT operations, and enabling the financial institution to maintain an up-to-date IT asset inventory),
    2. maintain efficiency of its IT operations,
    3. implement appropriate logging and monitoring procedures for critical IT operations to allow the detection, analysis and correction of incidents,
    4. store the configuration of the IT assets and the links and interdependencies between them,
    5. implement processes to prevent, detect and respond to important performance issues of IT systems and IT capacity shortages in a timely manner,
    6. implement IT system backup and restoration procedures to ensure recovery of IT systems as required,
    7. implement an effective IT change management process,
    8. implement a problem and incident management process and procedure.
  6. Implement appropriate segregation of duties between development, testing and operations environments.
  7. Protect sensitive or confidential information (including customer account and transaction data), including:
    1. mitigate IT risks and protect information assets in accordance with its sensitivity classification (we can help you classify data in line with the law),
    2. control logical access,
    3. prevent data theft, data loss and data leakage,
    4. ensure information is accurate,
    5. conduct independent reviews,
    6. process all personal information lawfully (including by complying with POPIA). (We can help you to comply with POPIA.)
  8. Secure, make available and be able to recover its financial products or services. (This would include source code or software escrow.)
  9. Develop, maintain and use a framework and approach for IT programme or project management (IT programme or project management framework). (At Michalsons we provide blueprints for a number of programmes.)
  10. Ensure IT resilience and business continuity, including conducting a business impact assessment. (Here there is overlap with Joint Standard 2 and the Digital Operational Resilience Act (DORA).)
  11. Obtain objective independent assurance of compliance. (We can perform a regulatory compliance gap analysis or a compliance audit to check legal compliance.)
  12. Notify and report any material incident to the relevant authorities properly. (We help with incident reports.)

This is our plain language summary of the standards. For a full understanding we encourage you to read the actual standard.

Is compliance mandatory?

In short, yes. Compliance is mandatory for financial institutions. Some may even say that all IT service providers that do significant business with financial institutions have to comply to ensure that they keep the relationships they have with those financial institutions, but that is a story for another day…

What is the law, you ask, that makes compliance mandatory? It is the Financial Sector Regulation Act of 2017. The Act empowers the Prudential Authority (a prudential regulator within the administration of the SARB) and the FSCA to issue this and other standards. In fact, these two regulators have already issued another very impactful standard, called the Joint Standard 2 of 2024 on Cybersecurity and Cyber resilience, which creates separate-but-related compliance issues for you to solve.

To bolster the standards the regulators issue, the Act gives the two regulators investigatory powers, and enables them to issue directives that require specific compliance actions from a financial institution. It is an offence to fail to comply with these directives, or to impede the regulators’ investigations. Conviction can lead to a maximum fine of R15 million or imprisonment of up to 10 years, or both.

Compliance is, therefore, very mandatory.

When did the joint standard start applying?

The commencement date of the joint standard 1 of 2023 was 15 November 2024.

What financial institutions does it apply to?

The most notable of financial institutions that the Joint Standard applies to are commercial banks, co-operative banks, mutual banks, and insurance companies.

Other codes or standards on IT governance and risk management

There are at least two: the King Code, which is mandatory for JSE-listed entities and voluntary for most others, and Joint Standard 2 of 2024, which financial institutions will have to comply with in conjunction with the Joint Standard on IT Governance and Risk Management. Since the Act allows the regulators to issue other standards, these two joint standards are only the beginning, it seems.

How we can help you

  • Find out what the Joint Standard on IT Governance and Risk Management means for your financial institution by asking us to advise you.
  • Increase your understanding by reading the Joint Standard 1 of 2023.
  • Boost your compliance with an IT risk management framework by asking us to draft the necessary policies, standards and procedures.
  • Know the current status of your compliance by asking us to do a gap analysis or compliance audit.
  • Learn more about IT governance and the joint standard by attending one of our events.
  • Ensure that the processing of personal information in your organisation is lawful and complies with the joint standard by booking a training session.