A study on the impact of the CRD and CRR on IT risk management in credit institutions

Abstract

Overview – The Capital Requirements Directive package is considered to drive the concept of resilience in the EU banking sector. The aim of the CRD is to ensure that credit institutions hold adequate financial resources to cover the risk associated with their business and includes enhanced requirements for the quality and quantity of capital, liquidity and leverage requirements, rules for counterparty risk as well as new macroprudential standards. The CRD also ensures that corporate governance is brought to the fore by the implementation of internal controls as well as defining operational risk as loss events resulting from failed processes, including IT processes by taking into consideration the size and complexity of the credit institution. Principal objectives of the research – The research will study the competence of the credit institutions in Malta, with respect to the risk arising from the use and dependency of IT. The study compares the acceptance and implementation of internal controls in credit institutions addressed in CRD with respect to CoBIT 5.0 as part of the mitigation of operational risk. The maturity of the internal controls implemented is assessed. Based on the results arising from the study, the researcher will evaluate the maturity of the processes implemented by credit institutions since being licensed. Research questions – The study seeks to answer the following questions. Has Regulation forced credit institutions to adopt established frameworks (eg COBIT) for IT risk management and has this facilitated to increase the level of process (internal control) maturity in this regard? To what extent is the impact of Regulation altering and influencing the implementation of IT controls to improve the risk management strategy of credit institutions? How do local credit institutions compare to their counterparts with similar regulatory obligations in the area of IT risk management? Research Methodology – The study followed a mixed method research approach, in which the quantitative method was the primary means used, whilst the qualitative method was utilised to seek the view of the respondents on the questions asked. This approach was found to be the most conducive to the main objective since it aided the study to seek answers to the research questions from different perspectives. Structured interviews based on a predetermined and identical set of questions were carried out to each participant. Each participant was presented with a set of close-ended questions and requested to rate the statements using a Likert scale representing a process maturity model. In addition to these statements, the participants were asked some open-ended questions with the aim to obtain the opinion of the respondents and new information on the matter. The 21 responses obtained provide a response rate of 91% of the population. Findings – The study revealed that the mean rating score of the variables representing the internal control processes revealed a positive correlation between these variables and the number of years that a credit institution has been licensed. This is interpreted as the maturity of internal process increases with the number of years licensed. In contrast to the internal controls, the study also found that the number of years that a bank has been licensed does not impact on the implementation of the principle of proportionality. Moreover the credit institutions feel that since the introduction of CRD, the capital base had to increase in-line with the requirements and also that the internal corporate governance structures improved. Originality/Value – The study evidenced that CRD goes beyond compliance and has since served to instil better internal controls by allowing judgements in the implementation of such controls depending on the risk appetite of the credit institutions. The researcher considers the work presented to be original in view and implementation and that no similar studies have been carried out on the local credit institutions.