NZ: RBNZ Technology Risk Management Guidance

| Attribute | Value |
|---|---|
| Regulator | RBNZ |
| Jurisdiction | NZ |
| Status | live |
| Applicability | Platform |
The RBNZ Technology Risk Management Guidance sets out supervisory expectations for how
registered banks manage risk arising from their use of technology. The guidance pre-dates
the Deposit Takers Act 2023 and is issued under the Reserve Bank of NZ Act 1989. It
requires deposit takers to maintain a board-approved IT governance framework, a formal
change management process (CAB/change board), a data management programme (data quality
and lineage), a technology risk register, structured third-party technology risk assessment,
and a cyber incident response capability.
Under the Deposit Takers Act 2023, technology and operational resilience obligations are
consolidated into the Deposit Takers (Operational Resilience) Standard (effective
1 December 2028). This guidance remains live and applicable to registered banks until
that transition.
The guidance aligns with APRA CPS 230 and CPS 234 in intent, adapted for the NZ context.
Policies DT-001 through DT-010 are designed in anticipation of these requirements.
Compliance register
This register maps every material obligation under the Guidance to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates)
is overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — board governance, IT governance, change board. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
IT governance and technology risk register
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| TR-1 | Maintain a board-approved IT governance framework | 🏛 Institutional | DT-003 | IT governance policy ownership rests with the Chief Technology Officer and is board-approved. MOD-150 (AUTO) — technology risk events are auto-classified against the risk taxonomy and written to the operational risk register, providing the governance framework's evidence base. | — |
| TR-2 | Maintain a technology risk register that captures and tracks technology risks continuously | 🤖 Automated | DT-003 | MOD-150 (AUTO) — technology risk events (unpatched CVEs from SAST, latency SLA breaches, infrastructure anomalies) are auto-classified and written to the risk register without manual entry; register is always current | 🔨 |
| TR-3 | Board-level technology risk reporting | 🤖 Automated | DT-003 | MOD-150 (CALC) — RAF dashboard includes technology risk metrics; RAF threshold breach auto-alerts the CRO and Board Risk Committee chair | 🔨 |
Change management
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| TR-4 | Maintain a formal change management process (CAB) with pre-approval for production changes | 🤖 Automated | DT-007 | MOD-150 (LOG) — CI/CD pipeline deployment events auto-create change records with timestamp, artefact hash, environment, and outcome; post-implementation review is auto-scheduled for P1 changes | 🔨 |
| TR-5 | Audit trail of all production changes | 📊 Evidenced | DT-007 | MOD-150 (LOG) — every CI/CD deployment event is written as an immutable change record; available for RBNZ examination and internal audit | 🔨 |
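The TR-4 and TR-5 rows describe change records that are created from pipeline events and must be immutable once written. The block below is an added illustration of one way to build such a record store; it is not MOD-150 or any other platform code, and the event field names, the `ChangeLog` and `ChangeRecord` names, and the sample events are assumptions constructed for the example. Each record carries the timestamp, artefact hash, environment and outcome named in the register, P1 production changes are queued for post-implementation review, and each record's digest covers the previous record's digest so that an after-the-fact edit anywhere before the tail is detectable.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_digest of the first record in the chain


@dataclass(frozen=True)
class ChangeRecord:
    seq: int
    timestamp: str      # ISO 8601 timestamp from the pipeline event
    artefact_hash: str  # sha256 of the deployed artefact as reported by the pipeline
    environment: str    # e.g. "prod" or "uat"
    outcome: str        # "success", "failed" or "rolled_back"
    priority: str       # "P1".."P3"; assumed to be carried on the event
    prev_digest: str    # digest of the preceding record (chains the log)
    digest: str         # sha256 over all fields above


def compute_digest(fields: dict) -> str:
    """Canonical sha256 over every field except the digest itself."""
    body = {k: v for k, v in fields.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChangeLog:
    """Append-only store of change records; seq, prev_digest and digest are
    assigned here and never taken from the caller."""

    def __init__(self) -> None:
        self.records: List[ChangeRecord] = []
        self.pir_queue: List[int] = []  # seq of P1 production changes awaiting PIR

    def append(self, event: dict) -> ChangeRecord:
        prev = self.records[-1].digest if self.records else GENESIS
        fields = {
            "seq": len(self.records),
            "timestamp": event["timestamp"],
            "artefact_hash": event["artefact_hash"],
            "environment": event["environment"],
            "outcome": event["outcome"],
            "priority": event.get("priority", "P3"),
            "prev_digest": prev,
        }
        rec = ChangeRecord(**fields, digest=compute_digest(fields))
        self.records.append(rec)
        if rec.environment == "prod" and rec.priority == "P1":
            self.pir_queue.append(rec.seq)  # post-implementation review is auto-scheduled
        return rec

    def head_digest(self) -> str:
        """Digest of the latest record. Anchor this outside the log (for example in
        a write-once store) so that rewriting or truncating the tail is detectable."""
        return self.records[-1].digest if self.records else GENESIS


def verify_chain(records: List[ChangeRecord]) -> Tuple[bool, Optional[int]]:
    """(True, None) if every record chains to its predecessor and matches its
    digest; otherwise (False, seq of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_digest != prev or rec.digest != compute_digest(asdict(rec)):
            return False, rec.seq
        prev = rec.digest
    return True, None


# Constructed pipeline events for the demonstration; not real deployments.
SAMPLE_EVENTS = [
    {"timestamp": "2026-05-20T02:14:09Z", "artefact_hash": "a" * 64,
     "environment": "uat", "outcome": "success", "priority": "P2"},
    {"timestamp": "2026-05-20T03:01:44Z", "artefact_hash": "a" * 64,
     "environment": "prod", "outcome": "success", "priority": "P1"},
    {"timestamp": "2026-05-21T22:40:12Z", "artefact_hash": "b" * 64,
     "environment": "prod", "outcome": "rolled_back", "priority": "P2"},
]


def build_sample_log() -> ChangeLog:
    log = ChangeLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


def tampered_copy(log: ChangeLog, seq: int, new_outcome: str) -> List[ChangeRecord]:
    """Simulate an after-the-fact edit of one record in which the editor also
    recomputes that record's digest; returns a modified copy, the log is untouched."""
    records = list(log.records)
    fields = asdict(records[seq])
    fields["outcome"] = new_outcome
    fields["digest"] = compute_digest(fields)
    records[seq] = ChangeRecord(**fields)
    return records


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log.records))
    print("edit of record 1 detected at:", verify_chain(tampered_copy(log, 1, "failed")))
    print("head digest to anchor externally:", log.head_digest())
```

The chain alone does not protect the most recent record: an editor who rewrites the tail and recomputes its digest leaves a chain that still verifies. That is why `head_digest()` exists; the current head has to be recorded somewhere the log writer cannot alter, and an audit check compares the stored head with the log's tail as well as running `verify_chain`.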
Availability and incident management
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| TR-6 | Monitor system availability continuously and alert on threshold breaches | 🤖 Automated | DT-003, OPS-003 | MOD-076 (ALERT) — availability monitoring across all platform services; error rate and latency alerting routes to the on-call team automatically; no manual SOC polling required | 🔨 |
| TR-7 | Maintain a documented cyber and technology incident response capability | 🤖 Automated | DT-003 | MOD-150 (AUTO) — incidents auto-created from observability alerts with P1/P2/P3 classification, SLA timers, and routing; MOD-076 (ALERT) — error rate alerting provides the incident detection signal | 🔨 |
| TR-8 | Report material cyber incidents to RBNZ within prescribed timeframe | 🤖 Automated | DT-003 | MOD-150 (AUTO) — material incidents are auto-detected and routed through a notification assembly workflow; RBNZ notification pipeline dispatched automatically for P1 security incidents | 🔨 |
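TR-7 and TR-8 describe incidents opened automatically from observability alerts, each with a P1/P2/P3 classification, an SLA timer and a routing decision, with P1 security incidents handed to the regulator notification workflow. The block below is an added example of that triage step written for this page; it is not MOD-150 or MOD-076 code. The classification thresholds, the SLA durations in `RESPONSE_SLA`, the rotation names and the sample alerts are all assumptions, and the notification timeframe the Guidance prescribes is not represented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed response-time SLAs per priority; illustrative values, not the platform's.
RESPONSE_SLA = {
    "P1": timedelta(minutes=15),
    "P2": timedelta(hours=1),
    "P3": timedelta(hours=8),
}

# Fixed reference clock for the demonstration.
T0 = datetime(2026, 5, 22, 9, 0, tzinfo=timezone.utc)


def clock(minutes_after_t0: int) -> datetime:
    return T0 + timedelta(minutes=minutes_after_t0)


@dataclass
class Incident:
    alert_id: str
    category: str          # "security" or "availability" (taken from the alert)
    priority: str          # "P1", "P2" or "P3"
    assigned_to: str       # on-call rotation the incident is routed to
    opened_at: datetime
    respond_by: datetime   # SLA timer: acknowledgement due by this time
    regulator_notification: bool  # hand off to the notification assembly workflow
    acknowledged_at: Optional[datetime] = None


def classify(alert: dict) -> str:
    """Assumed classification rules: security alerts with confirmed impact are P1,
    unconfirmed ones P2; availability alerts are ranked by error rate."""
    if alert["category"] == "security":
        return "P1" if alert.get("confirmed_impact") else "P2"
    error_rate = alert.get("error_rate", 0.0)
    if error_rate >= 0.05:
        return "P1"
    if error_rate >= 0.01:
        return "P2"
    return "P3"


def route(priority: str, category: str) -> str:
    """Assumed routing: security to the security rotation, urgent availability
    alerts to the platform rotation, the rest to a backlog queue."""
    if category == "security":
        return "security-oncall"
    return "platform-oncall" if priority in ("P1", "P2") else "platform-backlog"


def open_incident(alert: dict, now: datetime) -> Incident:
    priority = classify(alert)
    return Incident(
        alert_id=alert["id"],
        category=alert["category"],
        priority=priority,
        assigned_to=route(priority, alert["category"]),
        opened_at=now,
        respond_by=now + RESPONSE_SLA[priority],
        # Only P1 security incidents are treated as material for regulator notification.
        regulator_notification=(priority == "P1" and alert["category"] == "security"),
    )


def sla_breached(incident: Incident, now: datetime) -> bool:
    """True once respond_by has passed without a timely acknowledgement."""
    if incident.acknowledged_at is not None:
        return incident.acknowledged_at > incident.respond_by
    return now > incident.respond_by


# Constructed observability alerts for the demonstration.
SAMPLE_ALERTS = [
    {"id": "alr-1001", "category": "availability", "service": "payments-api", "error_rate": 0.02},
    {"id": "alr-1002", "category": "security", "service": "auth", "confirmed_impact": True},
    {"id": "alr-1003", "category": "availability", "service": "reports", "error_rate": 0.001},
]


def triage(alerts: List[dict], now: datetime) -> List[Incident]:
    return [open_incident(alert, now) for alert in alerts]


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS, T0):
        flag = "regulator notification" if inc.regulator_notification else ""
        print(inc.alert_id, inc.priority, inc.assigned_to, inc.respond_by.isoformat(), flag)
```

Keeping the rules in `classify` and `route` as plain functions over the alert payload makes them testable as control logic: a change to a threshold is a reviewable code change with evidence, rather than an undocumented tweak in a dashboard.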
Data management
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| TR-9 | Maintain data quality and data lineage controls | 🤖 Automated | DT-004 | MOD-076 (ALERT) — data quality anomalies detected by pipeline monitors are surfaced as observability alerts; MOD-150 (AUTO) — data quality risk events auto-classified and written to the risk register | 🔨 |
| TR-10 | Data governance programme — data classification, ownership, and retention | 🏛 Institutional | DT-004 | Data governance programme is owned by the Chief Technology Officer. MOD-102 (GATE) — Snowflake RBAC roles enforce schema-level access boundaries consistent with data classification; governance programme design is institutional. | — |
Third-party technology risk
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| TR-11 | Assess and monitor technology risk from third-party providers | 🤖 Automated | DT-008, OPS-005 | MOD-150 (AUTO) — all designated critical third-party services continuously monitored for health and SLA compliance; SLA breach auto-creates an incident; contract expiry dates trigger review reminders | 🔨 |
| Obligation | Owner | Platform evidence input |
|---|---|---|
| IT governance policy design and board approval | Board / Chief Technology Officer | MOD-150 risk register and MOD-076 observability data provide the evidence base |
| CAB (Change Advisory Board) process design and operation | Chief Technology Officer | MOD-150 change log feeds into CAB review; process governance is institutional |
| Data governance programme design | Chief Technology Officer | MOD-102 Snowflake RBAC implements the access control layer; programme design is institutional |
| Penetration testing and vulnerability assessment schedule | Chief Information Security Officer | MOD-076 observability and MOD-150 CVE tracking provide inputs; test scheduling and execution are institutional |
| BCM/DR testing schedule | Chief Technology Officer | MOD-076 availability monitoring provides the baseline; DR test scheduling is institutional |
| RBNZ examination responses on technology risk | Chief Technology Officer | MOD-150 risk register, MOD-076 incident history, and MOD-150 change log provide examination evidence |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| IT governance and risk register | 3 | 2 | 0 | 1 | 0 |
| Change management | 2 | 1 | 1 | 0 | 0 |
| Availability and incident management | 3 | 3 | 0 | 0 | 0 |
| Data management | 2 | 1 | 0 | 1 | 0 |
| Third-party technology risk | 1 | 1 | 0 | 0 | 0 |
| Total | 11 | 8 (73%) | 1 (9%) | 2 (18%) | 0 (0%) |
All attributed modules are currently build_status: Not started — the compliance position will
update as modules are built and deployed.
| Policy | Title |
|---|---|
| DT-001 | Information Security Policy |
| DT-003 | Technology Risk Management Policy |
| DT-004 | Data Governance Policy |
| DT-007 | Change and release management |
| DT-008 | Third-Party & Outsourcing Risk Policy |
| DT-010 | Environments and deployment standards |
| OPS-001 | Business Continuity Policy |
| OPS-003 | Incident Management Policy |
| OPS-005 | Third-Party & Critical Service Provider Policy |
Official documentation
Policies referencing this standard
(None yet)
Compiled 2026-05-22 from source/entities/regulations/nz-rbnz-technology-risk.yaml