
Technology Risk Management Policy

Code: DT-003
Domain: Data & Technology
Owner: Chief Technology Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD09
Review date: 2027-03-25

Regulations: CPS 230 Operational Risk Management · DTA Outsourcing Standard

Purpose

Govern the platform's technology risk framework, including IT risk appetite, change management controls, system resilience obligations, and the management of technology risks introduced by third-party vendors and cloud service providers.

Scope

All technology systems, infrastructure, and service providers used to operate the banking platform across NZ and AU, including cloud platforms, SaaS dependencies, and critical API integrations.

Policy statements

The Board SHALL approve a technology risk appetite statement that includes quantitative thresholds for system availability, incident frequency, data integrity failures, and change-related incidents. The risk appetite SHALL be reviewed annually.

All changes to production systems — including application deployments, infrastructure changes, configuration changes, and database schema changes — SHALL follow the documented change management process. Emergency changes SHALL require post-implementation review within two business days.

The platform SHALL maintain documented resilience targets for all critical systems. Critical systems are those whose failure would directly impair payment processing, ledger integrity, customer access, or regulatory reporting. Resilience targets SHALL include recovery time objectives (RTO) and recovery point objectives (RPO) appropriate to the criticality of each system.

Business continuity and disaster recovery plans SHALL be documented, tested, and reviewed at minimum annually. Test outcomes SHALL be reported to the Board Risk Committee.

Vulnerability management SHALL include: regular scanning of all production systems, a defined remediation SLA by severity tier, and a process for tracking open vulnerabilities to closure. Critical vulnerabilities SHALL be remediated within the SLA regardless of release schedule.

Technology vendor and cloud provider risks SHALL be assessed before onboarding and reviewed annually. For critical service providers, the assessment SHALL cover: data residency, resilience commitments, exit plan feasibility, and compliance with CPS 230 / BS11 obligations where applicable.

The platform SHALL maintain a current technology asset inventory covering all production systems, their owners, their criticality tier, and their key dependencies. The inventory SHALL be updated whenever systems are added, decommissioned, or materially changed.

All material technology risk events — including outages, data integrity incidents, security events, and failed changes — SHALL be recorded and reported to the Risk Committee. Post-incident reviews SHALL be completed for all incidents affecting customer services or regulatory obligations.

Satisfying modules

Module: MOD-150
Name: Risk management platform
Mode: AUTO
Description: Technology risk events (unpatched CVEs from SAST, latency SLA breaches, infrastructure anomalies) are auto-classified and written to the risk register.

Compiled 2026-05-22 from source/entities/policies/DT-003.yaml