Updated 23/11/2024
In force

Article 75 - IT infrastructure

1.   When assessing the architecture of the IT systems, of relevance to the institution’s rating systems and to the application of the IRB Approach in accordance with Article 144 of Regulation (EU) No 575/2013, competent authorities shall evaluate all of the following:

(a) the IT systems architecture including all applications, their interfaces and interactions;

(b) a data flow diagram showing a map of the key applications, databases and IT components involved in the application of the IRB Approach and relating to rating systems;

(c) the assignment of IT systems owners;

(d) the capacity, scalability and efficiency of IT systems;

(e) the manuals of the IT systems and databases.

2.   When assessing the soundness, safety and security of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a) the IT infrastructure can support the ordinary and extraordinary processes of an institution in a timely, automatic and flexible manner;

(b) the risk of suspension of the abilities of the IT infrastructure (‘failures’), the risk of loss of data and the risk of incorrect evaluations (‘faults’) are appropriately addressed;

(c) the IT infrastructure is adequately protected against theft, fraud, manipulation or sabotage of data or systems by malicious insiders or outsiders.

3.   When assessing the robustness of the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach, competent authorities shall verify that:

(a) the procedures to back up the IT systems, data and documentation are implemented and tested on a periodic basis;

(b) continuity action plans are implemented for critical IT systems;

(c) the recovery procedures of IT systems in case of failure are defined and tested on a periodic basis;

(d) the management of IT systems users is compliant with the institution’s relevant policies and procedures;

(e) audit trails are implemented for critical IT systems;

(f) the management of changes of IT systems is adequate and the monitoring of changes covers all IT systems.

4.   When assessing whether the IT infrastructure that is of relevance to the institution’s rating systems and to the application of the IRB Approach is reviewed both regularly and on an ad hoc basis, competent authorities shall verify that:

(a) regular monitoring and ad hoc reviews result in recommendations to address weaknesses or shortcomings, where detected;

(b) the findings and the recommendations referred to in point (a) are communicated to the senior management and management body of the institution;

(c) there is adequate evidence that the recommendations are properly addressed and implemented by the institution.