Checklist for Risk Management
IV. Business Operations and EDP
A. General
1. Role of management
a. Sophistication of operations, and prevention of financial irregularities and EDP problems
Check point: Does the management place high priority on the sophistication of operations, and on the prevention of financial irregularities and EDP problems?
Specific sample questions:
- Does the management understand the level and reliability of business operations?
- Is the handing over of important items such as cash and securities by the branch manager/department head to his/her successor precise and accurate?
- Has the bank reinforced prevention measures for on-line problems?
- Are the sophistication of operations and the prevention of financial irregularities and EDP problems clearly reflected in annual policies, the staff performance awards system, and business training?
- Is due consideration given to staff rotation so that one person is not in the same position for an unduly long period of time?
- Is the management promoting the automation of business operations?

B. Business Operations
1. Organization and system
a. Internal rules and manuals
Check point: Does the bank have in place internal rules and manuals enabling accurate and timely processing of operations?
Specific sample questions:
- Does the bank have in place internal rules and manuals that cover cash handling, record-keeping, and double-checking?
- Does the bank amend internal rules and manuals on business operations in a timely manner?

b. Operation guidelines set by the head office
Check point: Are there uniform operation procedures throughout the bank guided by the head office?
Specific sample questions:
- Is there a department in charge of operation guidance?
- Do branches receive operation guidance regularly?
- Does the department in charge of operation guidance cooperate with the audit department?

c. Crime prevention measures
Check point: Are the bank's crime prevention measures adequate?
Specific sample questions:
- Are the head office and branch lobbies equipped with surveillance cameras?
- Does the bank regularly conduct crime prevention drills?
- Does the bank frequently change cash transport routes?

2. Control of cash and important keys
a. Cash and certificates
Check point: Does the bank have in place a system for the handling of cash and certificates that effectively prevents problems?
Specific sample questions:
- Does the bank strictly reconcile cash outstanding and certificates with book entries and keep them in a safe/vault?
- Are dishonored bills strictly handled?
- Are the causes of any cash overages/shortages thoroughly investigated?
- Are the staff in charge of supplying cash to CDs and ATMs closely supervised?
- Has the bank introduced an automatic banknote examining system?

b. Important documents and sensitive forms
Check point: Are important documents and sensitive forms kept under strict control?
Specific sample questions:
- Are important documents and sensitive forms kept in strict custody?
- Are the stocks of important and sensitive forms kept by tellers collated daily with ledgers by managers, and are stocks kept in a safe/vault collated at least monthly?
- Has the bank established rules for processing marred forms?

c. Important keys and seals
Check point: Are important keys and seals always kept under strict control?
Specific sample questions:
- Are the seals of branch managers and department heads kept under strict control?
- Are important keys specified?
- Has the bank appointed specific persons to be in charge of the custody and handling of important keys?
- Does the ledger controlling important keys correspond with the records for the handing over of important keys to successors by branch managers and department heads?

d. Safes and vaults
Check point: Are safes and vaults opened and closed in the presence of at least two officers with appropriate authority, thus ensuring a double-checking system?
Specific sample questions:
- Are safe/vault combinations kept under strict control?
- Is there a ledger for the opening/closing of vaults?
- Are the inside doors of vaults locked during business hours?
- Does the bank have in place a system whereby (1) the vault and the cash boxes kept in it are opened and closed in the presence of at least two officers and (2) no one person may have access to all vault doors and cash boxes?

3. Authorization for exceptional transactions
a. Managers' authorization card
Check point: Is the usage of managers' authorization cards appropriate? Are checks conducted adequately before and after use of these cards?
Specific sample questions:
- Does the bank utilize managers' authorization cards to restrict access to the operating system for processing exceptional transactions (transactions where exceptions to the daily business rules have been made for the convenience of customers)?
- Are the users of managers' authorization cards systematically restricted?
- Is the use of managers' authorization cards recorded in a ledger according to transaction and approved by an authorized officer?
- Are transactions using managers' authorization cards double-checked each day through printouts by an authorized person?

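The daily double-check of authorization-card transactions described above, as an added example that is not part of the original checklist: it reconciles a constructed end-of-day system printout against a constructed approval ledger and the list of registered card holders, and reports every entry that fails one of the three conditions (unregistered card, transaction missing from the ledger, ledger entry without an officer's approval). The record layout, card identifiers and names are all assumptions.

```python
# Added example (not part of the original checklist): daily reconciliation of
# exceptional transactions processed under a manager's authorization card.
# All data and the record layout below are constructed for illustration.

# Cards registered to officers entitled to authorize exceptional transactions.
AUTHORIZED_CARD_HOLDERS = {"C001": "branch manager", "C002": "deputy manager"}

# Constructed end-of-day system printout, one exceptional transaction per line.
# Assumed layout: date,txn_id,card_id,operator,amount,reason
SYSTEM_PRINTOUT = """\
2024-05-13,T1001,C001,ops07,150000,fee waiver
2024-05-13,T1002,C002,ops12,900000,cash paid without authorized seal
2024-05-13,T1003,C009,ops12,40000,rate override
2024-05-13,T1004,C001,ops07,220000,fee waiver
"""

# Constructed manual ledger: txn_id -> approving officer (None = not yet signed).
LEDGER = {"T1001": "officer.a", "T1002": "officer.a", "T1004": None}


def parse_printout(text):
    """Parse the printout into a list of dicts; the amount becomes an int."""
    rows = []
    for line in text.strip().splitlines():
        date, txn, card, operator, amount, reason = line.split(",")
        rows.append({"date": date, "txn": txn, "card": card,
                     "operator": operator, "amount": int(amount),
                     "reason": reason})
    return rows


def reconcile(rows, ledger, holders):
    """Return (txn_id, finding) pairs for every entry that fails the check.

    Conditions tested: the card used is registered to an authorized holder,
    each system entry is recorded in the ledger, and each ledger entry carries
    an officer's approval. Ledger entries with no system record are reported
    too, since they also need an explanation.
    """
    findings = []
    for r in rows:
        if r["card"] not in holders:
            findings.append((r["txn"], "card not registered to an authorized holder"))
        if r["txn"] not in ledger:
            findings.append((r["txn"], "not recorded in the authorization ledger"))
        elif ledger[r["txn"]] is None:
            findings.append((r["txn"], "recorded but not approved by an officer"))
    seen = {r["txn"] for r in rows}
    for txn in ledger:
        if txn not in seen:
            findings.append((txn, "in ledger but absent from the system printout"))
    return findings
```

Running `reconcile(parse_printout(SYSTEM_PRINTOUT), LEDGER, AUTHORIZED_CARD_HOLDERS)` on the sample data flags T1003 twice (unregistered card, not in ledger) and T1004 once (unsigned).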
b. Authorization of overdrafts
Check point: Are overdrafts treated as exceptional transactions and authorized under strict control?
Specific sample questions:
- Are overdrafts approved by managers beforehand and recorded in the overdraft authorization ledger?
- Are interest rate guidelines regarding overdrafts established, and are overdrafts that are de facto loans approved by managers beforehand?
- Does the bank regularly monitor and review the business performance of customers to whom an overdraft payable through check and bill clearing is permanently approved?

c. Expedient treatment
Check point: Is expedient treatment carefully conducted based on the principles of keeping a comprehensive record and early completion?
Specific sample questions:
- Is expedient treatment (any special accommodation, e.g., cash payments without authorized seals) recorded and given prior approval by managers?
- Does the bank encourage early completion of any special accommodations?
- Are cash deliveries and fund transfers in response to telephone requests conducted based on the principle of prior withdrawal from customer accounts and same-day completion?

4. Other operations
a. Operations handled by the liaison division
Check point: Are delivery and receipt of cash and securities strictly conducted between the liaison division and the customers and bank cashiers?
Specific sample questions:
- Are the issuance and collection of receipts under strict control?
- Is cash collected by the liaison division accurately handed over to a bank cashier through delivery and receipt ledgers?
- Are bankbooks, CD cards, and certificates received after the closing of accounts kept in the custody of managers and processed the following day?
- Do branch managers monitor and check bankbooks and certificates deposited for an excessive period of time?

b. Cancellation codes and CD cards
Check point: Does the bank promptly set and clear cancellation codes? Are CD cards always kept under strict control?
Specific sample questions:
- Does the bank promptly set and clear cancellation codes and process the reissuance of bankbooks and CD cards?
- Are CD cards in branch custody kept under strict control?
- Are identification codes for CD cards kept under strict control?

c. Special deposits and receivables/payables
Check point: Is there a possibility of special deposits and receivables/payables being used to disguise de facto credits and financial irregularities?
Specific sample questions:
- Is there frequent accounting of special deposits and receivables/payables that can be processed under different accounts?
- Is the handling of de facto credits, such as the issuance of self-addressed checks that are payable through check and bill clearing, strictly limited?
- Are de facto credits approved by the branch manager or head office department head?
- Does the bank monitor the accounting of special deposits and receivables/payables and check transactions that are not processed for a long period thereafter?

d. Advance payments arising from money transfers
Check point: Does the bank consider the credit risk accompanying advance payments arising from money transfers?
Specific sample questions:
- Does the bank receive in advance from customers all necessary request forms for advance payments arising from money transfers?
- Are funds to be transferred secured on the business day previous to the specified transfer date by using such methods as pooling funds in special deposits?
- Does the bank regularly examine the credit standing of customers requesting money transfers and terminate contract renewal when necessary?

C. EDP Risk (Including High-Priority Distributed [Client/Server] Systems and PC Systems Not Linked to the Networks [Stand-Alone PCs])
1. Organization and systems
a. Internal rules and manuals
Check point: Does the bank have in place internal rules and manuals concerning planning, development, and operation of EDP systems?
Specific sample questions:
- Does the bank have internal rules and manuals concerning the planning, development, and operation of EDP systems?
- Does the bank review its internal rules and manuals in line with actual business operations?

b. Segregation of duties and job description
Check point: Does the bank segregate duties and clarify job descriptions?
Specific sample questions:
- Does the bank clearly define job responsibilities and persons in charge?
- Does the bank segregate the planning/development function from the operations function?
- Does the bank segregate computer operators, data receipt/input operators, and librarians?

c. Staff training
Check point: Does the bank conduct staff training programs and give consideration to job rotation?
Specific sample questions:
- Does the bank conduct staff training on a regular basis?
- Does the bank conduct job rotation (both within and outside the systems division) periodically?
- Does the bank conduct staff exchanges between planning/development sections and user sections?

d. Management of subcontractors
Check point: Is there a possibility that lax controls on subcontractors will trigger illegal conduct such as leaking confidential information, fraud, or other problems?
Specific sample questions:
- Does the master contract clearly define the duty of confidentiality?
- Is access to important data limited with respect to subcontractors?
- Does the bank monitor the progress of subcontracted work and examine goods and supplies?

e. EDP system auditing
Check point: Does the bank have in place an auditing system, and is the system applied effectively?
Specific sample questions:
- Is the EDP audit section independent from other sections?
- Are audits conducted according to prearranged plans?
- Are audit results reported to management?

2. Crime and disaster prevention measures, and backup system
a. Crime prevention measures
Check point: Does the bank take measures to prevent unauthorized entry of persons, or entry of persons with dangerous objects, into the computer center and rooms?
Specific sample questions:
- Is security clearance status checked when entering and leaving the computer center/rooms?
- Are important keys (e.g., keys to computer rooms and to the magnetic tape [MT] library) strictly controlled?
- For security, does the bank conceal the location of computer rooms and the MT library?

b. Disaster prevention measures
Check point: Does the bank take measures to minimize damage to computer equipment in the event of disasters such as fire and earthquakes?
Specific sample questions:
(1) Fire prevention measures
- Are the computer center/rooms and MT library fireproof?
- Does the bank have in place fire alarms and extinguishers?
(2) Earthquake prevention measures
- Are the buildings that house the computer center/rooms and MT library structurally sound?
- Does the bank take measures to prevent computer equipment from moving about or falling over?
(3) Water leakage prevention measures
- Does the bank take measures to prevent water leakage?
- Does the bank have in place a water leakage detector?

c. Backup system
Check point: Does the bank take measures to minimize the impact of system breakdown?
Specific sample questions:
(1) Systems and lines
- Does the bank have in place substitute computers, peripheral equipment, communications devices, and terminal devices?
- Are major network lines duplicated?
- Does the bank have a hot-standby system?
(2) Important software and data files
- Does the bank have backups of important software and data files (including those managed by PCs)?
(3) Electric power
- Does the bank have in place an electric power generator for backup?
- Is the generator regularly inspected?

d. Recovery system
Check point: Does the bank clearly define delegation of responsibility and procedures in emergencies?
Specific sample questions:
- Does the bank have in place internal rules and manuals for the computer center and branches in the event of system failure?
- Does the bank conduct regular emergency drills in divisions operating computers?

3. System planning and development
a. Planning and approval procedures for automation proposals
Check point: Does the bank have appropriate planning and approval procedures in line with management policy? Are the opinions of the related divisions reflected in the procedures?
Specific sample questions:
- Are the planning and approval procedures with respect to development proposals clearly defined?
- Are proposals to change the production system implemented after full discussion and approval according to fixed procedures?
- Does the bank compile medium- and long-term development plans?
- Does the bank have in place an interdepartmental deliberation group, such as an EDP committee, to discuss development proposals?

b. Development management
Check point: Does the bank fully monitor development projects and appropriately control their progress?
Specific sample questions:
- Are the staff in charge and their responsibilities in each development project clearly defined?
- Is the progress of development projects monitored and controlled?
- Is the progress of development projects regularly reported to management?

c. Standardization
Check point: Does the bank define development procedures in detail in manuals and ensure that they are understood by the parties concerned?
Specific sample questions:
- Are full specifications made available for system development projects?
- Are specifications standardized in format and content?

d. Testing
Check point: Is the reliability of the system fully secured by conducting running tests and reviews as planned?
Specific sample questions:
- Has the bank, through sufficient testing and review, been successful in preventing system shutdowns that might affect customers and serious miscalculations in risk management data used for making management decisions?
- Has the bank compiled testing plans?
- Does the user section participate in the running tests?

4. Management of operations
a. Normal operations
Check point: Are operations carried out according to a prescribed work schedule?
Specific sample questions:
- Are operations carried out according to approved work schedules and directions?
- Does the responsible officer check operating records such as work logs?
- Does the bank have in place an operation system run by an appropriate number of staff members?

b. System problems
Check point: Does the bank record system problems and promptly take steps to design countermeasures to prevent recurrence?
Specific sample questions:
- Does the bank compile and report record slips that indicate problems?
- Does the bank trace the cause of each problem and take countermeasures to prevent recurrence?
- Does the bank regularly analyze the nature of problems?

c. Magnetic tapes (MTs)
Check point: Does the bank keep, deliver, and receive MTs strictly in accordance with handling procedures?
Specific sample questions:
- Does the bank strictly control entry into and exit from the MT library?
- Does the bank compile MT ledgers and delivery/receipt records?
- Does the bank regularly check the stocks of MTs?

d. Restrictions on file access
Check point: Is the bank successful in preventing leakage of confidential information and tampering with data by restricting access to transaction data and to the program library recorded on the magnetic disks of the production system?
Specific sample questions:
- Does the bank restrict access to data files?
- Is the production program run and registered after approval?
- Are the data of important files encrypted?

e. Equipment
Check point: Does the bank have measures in place to prevent failures by promoting regular inspections of equipment and reports of operation?
Specific sample questions:
- Does the bank conduct regular inspection of equipment at the computer center?
- Is the operational status of equipment reported to supervisors?
- Does the bank have a maintenance support contract with manufacturers for the accounting system and major information systems?

5. Measures to prevent illegal use
a. Internal systems
Check point: Does the bank have measures in place to prevent illegal use of terminals and transmitted data on important internal on-line systems?
Specific sample questions:
- Is the user's identification confirmed when using terminals?
- Does the bank restrict the range of transactions effected on the terminals of EDP systems, and has the bank adopted an approval procedure for exceptional transactions?
- Are important transmitted data encrypted?

b. Customer link services
Check point: Does the bank have measures in place to prevent fraudulent conduct in fund transfers conducted through direct links between customer terminals/computers and the bank's computer?
Specific sample questions:
- Does the bank analyze customer suitability and reliability before entering into a contract?
- Are customers identified using security codes?
- Does the bank have in place measures to prevent security code leakage?
- Is the amount of fund transfer per transaction limited?

c. New services
Check point: When offering new services using new information technology, does the bank analyze the inherent risks and implement countermeasures?
Specific sample questions:
- Is user identification confirmed for telephone banking services?
- Is the bank equipped with security measures for fund transfer services using the Internet?

d. Computer viruses
Check point: Does the bank have countermeasures against invasion of important PC systems by illegal programs such as computer viruses?
Specific sample questions:
- Does the bank clearly define operating rules, such as prohibiting usage of unidentified programs?
- Does the bank utilize virus detection programs?