IT Examiner School - Oct 2023

Internal Use Only

M.4. The level of awareness of and compliance with laws and regulations. Refer to Core Analysis Procedures 11. Click here to enter comment Strong ☐ Satisfactory ☐ Less than satisfactory ☐ Deficient ☐ Critically deficient ☐ M.5. The level of planning for management succession. Refer to Core Analysis Procedure #12 .

Click here to enter comment Strong ☐

Satisfactory ☐

Less than satisfactory ☐

Deficient ☐

Critically deficient ☐

M.6. The adequacy of contracts and management's ability to monitor relationships with third-party servicers. R to Core Analysis Procedure #13 . Click here to enter comment Strong ☐ Satisfactory ☐ Less than satisfactory ☐ Deficient ☐ Critically deficient ☐ M.7. The adequacy of risk assessment processes to identify, measure, monitor, and control risks. Refer to Core Analysis Procedures #14-16 . Click here to enter comment Strong ☐ Satisfactory ☐ Less than satisfactory ☐ Deficient ☐ Critically deficient ☐

35

Internal Use Only

IT Management Component Rating  IT management rating is based on FFIEC Uniform Rating System for Information Technology (URSIT)  InTREx process (depository institutions) calls for assigning a Management component rating for IT  Like Safety and Soundness, this component rating plays a key role in the overall URSIT composite rating & is rated on the same criteria, but based solely on IT/operations activities  Additional URSIT information, components & ratings are discussed in other modules

36